Opened 7 years ago

Last modified 4 days ago

#2640 new enhancement

Make tor:// urls safe (and enable them by default)

Reported by: mikeperry | Owned by:
Priority: High | Milestone:
Component: Applications/Torbutton | Version:
Severity: Normal | Keywords:
Cc: | Actual Points:
Parent ID: | Points: Infinite
Reviewer: | Sponsor:

Description

tor:// urls are not safe. It is currently possible to cause Torbutton to recognize any arbitrary content element with a tor:// url and ask the user if they want to toggle into tor. There appears to be no way to use the Firefox APIs to determine if such a load was actually due to the url bar. The protocol handlers that listen for tor:// are actually called before any listeners involving the url bar are called, and accessing the url bar itself appears to return the previous URL, at least in FF 3.x.

By default, Torbutton still asks the user if they want to toggle, but even this question can be used as a timing attack to determine that Torbutton is installed, which violates our security requirements:
https://www.torproject.org/torbutton/en/design/#requirements

Credit for discovering this goes to "egypt" of the metasploit team:
https://twitter.com/egyp7/status/26023995288

Until either the APIs improve, or we find a side channel inside Firefox that allows us to fix this and observe the URL bar contents and block non-urlbar requests automatically, we need to leave tor:// urls off by default.

Change History (5)

comment:1 Changed 7 years ago by mikeperry

Summary changed from "Make tor:// urls safe" to "Make tor:// urls safe (and enable them by default)"

comment:2 Changed 7 years ago by mikeperry

Turns out this technique also works to fingerprint Torbutton users who have tor:// url support:
http://pseudo-flaw.net/tor/torbutton/scan-protocol-handlers.html

comment:3 Changed 6 years ago by mikeperry

Owner: mikeperry deleted
Status changed from "new" to "assigned"

comment:4 Changed 10 days ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

comment:5 Changed 4 days ago by teor

Status changed from "assigned" to "new"

Mark all tickets that are assigned to nobody as "new".