-------- Original Message -------- Subject: [guardian-dev] Replicating TorBB/Firefox exploit in Orweb/Webkit? Date: Mon, 05 Aug 2013 12:33:33 -0400 From: Nathan of Guardian <[email protected]> To: Guardian Dev <[email protected]> Regarding the Tor security advisory (https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html), I've been considering whether this exploit or a similar one could be used against Orweb, and the underlying Android WebView/Webkit component. Orweb has Javascript and Cookie support off by default for all sites, so I expect a Javascript exploit would not work at all. However, if we enable both (which many users do in order to login to sites with captchas), could that open Orweb users up to this deanonymization attack? I hope to replicate this in a test environment shortly, but if anyone has insight related to Webkit vs Firefox/Gecko in terms of this exploit, please share. In addition, if anyone is motivated to do their own independent auditing of Orweb along these lines, would love to have your help. Thanks! +n _______________________________________________ Guardian-dev mailing list Post: [email protected] List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To Unsubscribe Send email to: [email protected] Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/nathan%40guardianproject.info You are subscribed as: [email protected] -- tor-talk mailing list - [email protected] To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
