Opened 9 years ago

Closed 8 years ago

Last modified 18 months ago

#1999 closed defect (fixed)

1.3.x: tor:// URL support may allow attacks on Torbutton

Reported by: rransom
Owned by: mikeperry
Priority: Immediate
Milestone: Torbutton: 1.3
Component: Applications/Torbutton
Version: Torbutton: 1.3.0-alpha
Severity: Normal
Keywords: TorbuttonIteration20110305 MikePerryIteration20110305
Cc:
Actual Points: 2
Parent ID:
Points: 2
Reviewer:
Sponsor:

Description

https://twitter.com/egyp7/status/26023995288

Mike Perry thinks this tweet is about the possibility that a web site could detect the presence of Torbutton by putting a tor: URL in an IFRAME and measuring how long Firefox takes to report a page-not-found error -- if Torbutton is not installed, it fails immediately; if Torbutton is installed, it waits until the user responds to a pop-up dialog, and then either fails the load attempt or switches into Tor mode and loads the URL.

The warning dialogs might also allow a DoS attack on Torbutton users -- JavaScript can repeatedly add IMG tags to a page with tor: source URLs, and the repeated popups will make a user's browser unusable.

Change History (10)

comment:1 Changed 8 years ago by mikeperry

Owner: changed from mikeperry to koryk
Status: new → assigned
Summary: tor: URL support may allow attacks on Torbutton → 1.3.x: Tor URL support may allow attacks on Torbutton

comment:2 Changed 8 years ago by mikeperry

Priority: normal → major

I'm not sure if we can possibly actually fix this attack and others easily. Kory spent a lot of time trying to see if he could observe the URL bar's contents upon receipt of a tor:// protocol request. IIRC, race conditions in the Firefox APIs prevented him from doing this.

This makes me think this feature should be relegated to off-by-default status, and that this should be considered the 'fix' for this ticket. We should then create an enhancement ticket for "Make tor:// urls safe", assign it a Points value of 'Infinite', and cross our fingers waiting for a magical API update that will never come.

comment:3 Changed 8 years ago by mikeperry

Points: 2
Priority: major → critical

Make tor urls off by default: 2 Points

comment:4 Changed 8 years ago by arma

Summary: 1.3.x: Tor URL support may allow attacks on Torbutton → 1.3.x: tor:// URL support may allow attacks on Torbutton

comment:5 Changed 8 years ago by mikeperry

Keywords: TorbuttonIteration20110305 added
Priority: critical → blocker

comment:6 Changed 8 years ago by mikeperry

Owner: changed from koryk to mikeperry

comment:7 Changed 8 years ago by mikeperry

Keywords: MikePerryIteration20110305 added

comment:8 Changed 8 years ago by mikeperry

Keywords: TorbuttonIteration20110305,MikePerryIteration20110305 → TorbuttonIteration20110305 MikePerryIteration20110305

comment:9 Changed 8 years ago by mikeperry

Actual Points: 2
Resolution: fixed
Status: assigned → closed

This is fixed in origin/master.

comment:10 Changed 18 months ago by teor

Severity: Normal

Set all tickets without a severity to "Normal"
