[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
Mike Cardwell
tor at lists.grepular.com
Tue Jan 21 14:24:17 UTC 2014
* on the Tue, Jan 21, 2014 at 11:56:42AM +0100, Olivier Cornu wrote:
> > There is some misunderstanding of cross-origin policy here. Cross-origin
> > policy does not prevent the cross-origin request from taking place. It
> > only prevents you from being able to read the response.
>
> Indeed. But being able to send requests to arbitrary *LAN* host:port and
> get back discriminating answers allows easy scanning. A JS script might
> scan the entire LAN, test firewall policies, and xhr the result back to
> the originating website.
>
> > There would be no point in preventing the request from taking place
> > as people can initiate them already, without even using JavaScript.
> > For example, the above request could have been made by just sticking
> > this in some HTML:
> >
> > <img src="http://127.0.0.1:1234/">
>
> Indeed, and detect timeouts/errors via javascript?
> The XHR method seems to provide more information and a more reliable
> interface for scanning/network fingerprinting though (you can even test
> LAN web servers CORS policy) -- I haven't looked into it deep enough to
> be sure.
I don't think the XHR method provides anything above what you can do
with timing load/error events on dynamically generated imgs.
> I'm not sure how this is all a good default for regular browsing
It is not a good default for regular browsing, but it is what we have
and it is how the web was designed, and there is no way back now without
replacing the web with something new. The web is too interconnected
to be safe, but that interconnectedness is also what has made it as
big as it is today.
I personally use RequestPolicy in Firefox to prevent *all* cross-origin
requests from any site to any other site, be they XHR, images or any
other type of content. It has a whitelist system built in which is
very similar to the way NoScript works. If I had to choose between
giving up RequestPolicy or NoScript, I would give up NoScript without a
second thought.
> , yet it
> is clearly unacceptable in a TBB context: it makes (FOXACID) LAN
> fingerprinting a breeze.
I don't use TBB myself, but it's my understanding that all TBB
traffic goes through Tor, and thus doesn't have access to localhost
or the LAN anyway, making this a non-issue... If connections are
being made from TBB without going via Tor, then there is a serious
leak in TBB. I'm not convinced this is happening though.
--
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 598 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20140121/a91e7c06/attachment.sig>
More information about the tor-talk
mailing list