Google's Chrome Web Browser and Tor

[Kyle Williams]

Hi all,

I've been playing around with Google's new web browser and Tor.  I thought
it might be good to share my findings with everyone.
After reading Google's privacy policy[1], I for one would not want to use
this on a regular basis, if at all.

The first bug I tried was an old one I found with Firefox; the NEWS:// URI
type.
Any link that has a NEWS:// URI will launch Outlook Express and attempt to
contact the server in the URL...without using Tor.

The second bug I found resulted in local file/folder disclosure.
This is very similar to the one I found in Internet Explorer.

The third bug I found was with MIME-TYPEs, specifically Windows Media Player
supported formats.
The BANNER tag can also leak your IP address when the playlist is loaded
*IF* WMP is not set to use a proxy.
Also, a playlist in WMP can specify protocols that use UDP, hence, no proxy
support...no Tor.

On the flip-side, it is very cool how each browser tab is it's own process,
making several types of attacks much more difficult.
However, with an invasive privacy policy, local proxy bypassing, and local
files/folders able to be read from your hard drive, I've decided not to use
this browser.

It just doesn't feel privacy/anonymity friendly to me.
Anyone else want to chime in on this?


- Kyle

[1] http://www.google.com/chrome/intl/en/privacy.html
(Basically states you have no privacy when using Chrome)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20080904/df518717/attachment-0001.htm>