Thus spake [email protected] ([email protected]):
> > For the general TBB solution, see:
> > https://trac.torproject.org/projects/tor/ticket/3508
> >
> > It is in 1.4.0.
>
> Neat. I was unaware of the SafeCache addon.
>
> > As I said in the blog posts, I intend to isolate all browser state to
> > urlbar domain, and/or disable whatever features aren't amenable to
> > this. So far this means that 3rd party cookies must be disabled and DOM
> > storage must be disabled.
> >
> > HTTP auth can be isolated similarly to cache. See:
> > https://trac.torproject.org/projects/tor/ticket/3748
>
> Would be great if you achieved that.
Depending on how things go, we may or may not isolate HTTP auth to a
urlbar domain in Torbutton 1.4.1, but it is also on the roadmap for
TBB 2.2.x-stable:
https://trac.torproject.org/projects/tor/ticket/3748
> > SSL certificates are not isolated. They might never be. The SSL stack
> > is a nightmare.
>
> That's a shame. I'm seeing more and more sites enabling https.
Yes, but I don't think the tracking potential is as high there as it
is for explicit identifiers, except where they can trick the user into
installing a client certificate.
If the adversary does trick the user to install weird certificates,
these are only stored in memory in TBB, and will be gone after a
browser restart.
So it is not as bad as cache, cookies, DOM storage, and auth.
--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
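The idea discussed in the message above, isolating HTTP auth to the urlbar domain the same way as the cache, sketched as an added example (not code from Torbutton or TBB). The class and function names are hypothetical, and the urlbar domain is assumed to be the hostname of the top-level page.

```javascript
// Added illustration: HTTP auth credentials keyed by urlbar domain.
// Assumption: the urlbar "domain" is the full hostname of the top-level
// page; a real browser would reduce it to the registrable domain.
const urlbarDomain = (topLevelUrl) => new URL(topLevelUrl).hostname;

// Hypothetical credential store, not a browser API.
class IsolatedAuthCache {
  constructor() {
    this.entries = new Map(); // isolation key -> credentials
  }

  // Key = urlbar domain + origin of the requested resource + auth realm.
  // Without the first component, any page embedding the resource would
  // cause the same credentials to be replayed, linking the visits.
  static key(topLevelUrl, requestUrl, realm) {
    const origin = new URL(requestUrl).origin;
    return JSON.stringify([urlbarDomain(topLevelUrl), origin, realm]);
  }

  store(topLevelUrl, requestUrl, realm, credentials) {
    const k = IsolatedAuthCache.key(topLevelUrl, requestUrl, realm);
    this.entries.set(k, credentials);
  }

  // Returns cached credentials only under the same urlbar domain, else null.
  lookup(topLevelUrl, requestUrl, realm) {
    const k = IsolatedAuthCache.key(topLevelUrl, requestUrl, realm);
    return this.entries.get(k) ?? null;
  }
}

// Constructed scenario: one third-party resource embedded by two sites.
function demo() {
  const cache = new IsolatedAuthCache();
  const thirdParty = "https://tracker.example/pixel";
  cache.store("https://news.example/article", thirdParty, "id", "token-123");
  return {
    sameUrlbarDomain: cache.lookup("https://news.example/other", thirdParty, "id"),
    otherUrlbarDomain: cache.lookup("https://shop.example/cart", thirdParty, "id"),
  };
}
```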
