Opened 7 years ago

Last modified 7 months ago

#1623 new enhancement

Block protocol handler enumeration

Reported by: mikeperry Owned by: tbb-team
Priority: High Milestone: TorBrowserBundle 2.3.x-stable
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting, tbb-torbutton
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Torbutton should block remote protocol handler enumeration. We currently wrap the external protocol handler launching components, and install custom protocol handlers to handle tor:// urls. We should see if we can perform any tricks in these components to defeat http://pseudo-flaw.net/tor/torbutton/scan-protocol-handlers.html.

Child Tickets

Change History (8)

comment:1 Changed 7 years ago by mikeperry

Component: TorbuttonTorBrowserButton

comment:2 Changed 6 years ago by mikeperry

Milestone: TorBrowserBundle 2.3.x-stable

comment:3 Changed 6 years ago by mikeperry

Keywords: tbb-fingerprinting added

comment:4 Changed 6 years ago by mikeperry

Keywords: MikePerry201206 added

comment:5 Changed 5 years ago by mikeperry

Keywords: MikePerry201206 removed

comment:6 Changed 3 years ago by erinn

Component: TorBrowserButtonTor Browser
Keywords: tbb-torbutton added
Owner: changed from mikeperry to tbb-team

comment:7 Changed 7 months ago by tom

Severity: Blocker

We ran across this in the mozilla bugtracker, and Jonathan updated the POC to work again: https://bugzilla.mozilla.org/show_bug.cgi?id=680300#c5

comment:8 Changed 7 months ago by tom

Severity: BlockerNormal
Note: See TracTickets for help on using tickets.