Opened 3 years ago

Last modified 3 years ago

#20019 needs_information enhancement

Proposal for TOR Browser extension

Reported by: SECUSO_Kristoffer Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

At TU Darmstadt, we developed a Firefox Add-On PassSec+: https://www.secuso.informatik.tu-darmstadt.de/en/secuso-home/research/results/passsec/

PassSec+ has two key functions:

  • Protection of passwords, bank details and other sensitive data when https is not used
  • Changing cookie settings for more privacy

We are wondering whether the TOR community is interested in integrating it in the TOR browser.

Kind regards,
Kristoffer

Child Tickets

Change History (5)

comment:1 Changed 3 years ago by gk

Component: - Select a componentApplications/Tor Browser
Owner: set to tbb-team

comment:2 Changed 3 years ago by teor

Status: newneeds_information

This extension requires extended validation SSL certificates to show the green status.
Otherwise it shows a yellow status. For HTTP, it shows a red status. This is not an accurate representation of the security of Tor onion sites (hidden services) - even if they use HTTP, they're secure (as long as the address is correct).

SECUSO_Kristoffer, do you have plans to add a check for onion sites to your extension?

Also, it chooses one of ten random images per-user. This could be a fingerprinting vector:

  • is it loaded from a remote site?
  • what happens when a Tor Browser user selects "new identity" (or quits and reopens the browser)?
    • do we choose a new image at random, destroying the utility of this feature?
    • or do we preserve the image, providing a fingerprinting vector?
    • or do we just use one symbol for Tor Browser users? Then it would be easy to fake based on the user agent.

What would you do about this issue?

comment:3 Changed 3 years ago by SECUSO_Kristoffer

Thanks for your comment!

Currently, like you said, PassSec shows a wrong indicator on onion sites. We plan to add an additional case to mark these sites as safe.

Regarding your second question on the icons: No third party content is loaded. All icons/images are included within this add-on. The user's choice of any specific icon is therefore not leaked. All computations are local, like the different indicators. PassSec checks if there https is available on a specific website by sending a request to the site the user currently visits. PassSec injects the icons locally based on the analysis of the website and the request.

If you have any further questions please comment again. Thanks.

comment:4 in reply to:  3 ; Changed 3 years ago by teor

Replying to SECUSO_Kristoffer:

Thanks for your comment!

Currently, like you said, PassSec shows a wrong indicator on onion sites. We plan to add an additional case to mark these sites as safe.

Thanks!

Regarding your second question on the icons: No third party content is loaded. All icons/images are included within this add-on. The user's choice of any specific icon is therefore not leaked. All computations are local, like the different indicators. PassSec checks if there https is available on a specific website by sending a request to the site the user currently visits. PassSec injects the icons locally based on the analysis of the website and the request.

The random, persistent choice of icon is vulnerable to server probing via HTML Canvas, and perhaps other mechanisms.

If it's made persistent on disk, it's also vulnerable to file fingerprinting, allowing forensic analysis to discover the choice of icon even if Tor is restarted or "new identity" is chosen.

comment:5 in reply to:  4 Changed 3 years ago by SECUSO_Kris

Replying to teor:

The random, persistent choice of icon is vulnerable to server probing via HTML Canvas, and perhaps other mechanisms.

If it's made persistent on disk, it's also vulnerable to file fingerprinting, allowing forensic analysis to discover the choice of icon even if Tor is restarted or "new identity" is chosen.

Thanks for answer. What do you think of the following idea: We keep the highlighted password and form fields but we remove the yellow/green icons. The warning dialogs should be fine as well because they are the same for every user.

(Sorry for replying with a new account but I wasn't able to reset my password)

Note: See TracTickets for help on using tickets.