Sunday, 18 November 2007

Potential Firefox Leak

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As Matt reported in his/her/their blog, there are interesting privacy implications for Torbutton users in the way Firefox loads favicons.

Usually I would link, but because the article is in torland I repost it here:



Potential Firefox Leak (18 November 2007)
I have discovered a potential leak with any version of Firefox (current version as of writing is 2.0.0.9).
The Problem:
Every time you switch tabs, Firefox will automatically load the favicon.ico for web sites that did not have one the first time it tried retrieving it (if it's not there the first time, why would it be there later?). If you have multiple tabs open -- some initially loaded with Tor enabled (Torbutton) and some loaded with Tor disabled -- every time you alt+tab or click on a different tab with Tor disabled, Firefox is automatically (and without your knowledge) connecting to each site that did NOT have an icon on its initial load. This means that you are revealing your IP address to anyone when you have Tor disabled, even when you don't reload any tabs or visit any web sites. Additionally, if you do the inverse (Tor enabled with a few non-Tor tabs open) you will be revealing that you use Tor to any web sites you normally have Tor off for.

This problem is not a bug in Torbutton, but a bug in Firefox that was probably there at one point as a "feature," but is effectively useless.

Workaround:
Close all tabs before toggling Torbutton!

Mozilla developers: You can remove that stupid and pointless repeated favicon.ico loading. If it wasn't there 30 seconds ago, why the hell would it be there now? Load it only when the web site is initially loaded and when the tab is refreshed.

- --Matt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: http://firegpg.tuxfamily.org

iD4DBQFHZ6cSLAZ+Vq4hPgARAoRRAKDc9YKJntY2doXyAoMM3O1nmLIpBACVFxXf
OHgxnM3ja9bGS1R0RD5bGg==
=9L31
-----END PGP SIGNATURE-----
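
An added example, not part of the original post or of Matt's article: a self-check over a request log from your own machine that flags the favicon re-fetches described above, covering both directions of the leak. The log format, field names and hosts are constructed for illustration, and the log is assumed to contain only top-level page loads and favicon requests.

```javascript
// Constructed sample: requests recorded by a local logging proxy (hypothetical format).
// viaTor = whether Torbutton was enabled when the request left the browser.
const sampleLog = [
  { t: 0,  tab: 1, host: "forum.example", path: "/",            viaTor: true  },
  { t: 1,  tab: 1, host: "forum.example", path: "/favicon.ico", viaTor: true  }, // no icon found
  // Torbutton toggled off at t=4; tab 1 stays open.
  { t: 5,  tab: 2, host: "news.example",  path: "/",            viaTor: false },
  { t: 6,  tab: 2, host: "news.example",  path: "/favicon.ico", viaTor: false }, // no icon found
  // User switches back to tab 1 without reloading it.
  { t: 12, tab: 1, host: "forum.example", path: "/favicon.ico", viaTor: false },
  // Torbutton toggled on at t=20; user switches to tab 2, then tab 1.
  { t: 22, tab: 2, host: "news.example",  path: "/favicon.ico", viaTor: true  },
  { t: 23, tab: 1, host: "forum.example", path: "/favicon.ico", viaTor: true  },
];

// Flag favicon fetches that left the browser in a different Tor state
// than the page load of the tab they belong to.
function findCrossStateFavicons(log) {
  const tabState = new Map(); // tab id -> { host, viaTor } of the last page load
  const findings = [];
  for (const r of [...log].sort((a, b) => a.t - b.t)) {
    if (r.path !== "/favicon.ico") {
      // A load or reload (re)defines which routing state the tab belongs to.
      tabState.set(r.tab, { host: r.host, viaTor: r.viaTor });
      continue;
    }
    const origin = tabState.get(r.tab);
    if (!origin || origin.host !== r.host) continue; // no known page load to compare
    if (origin.viaTor === r.viaTor) continue;        // same state: nothing new revealed
    findings.push({
      t: r.t,
      tab: r.tab,
      host: r.host,
      // Tor tab fetched directly: site sees the real IP.
      // Direct tab fetched over Tor: site learns the user uses Tor.
      leak: origin.viaTor ? "real-ip-exposed" : "tor-use-revealed",
    });
  }
  return findings;
}

console.log(findCrossStateFavicons(sampleLog));
```

A tab that is reloaded after the toggle produces no finding, which matches the post's observation that the leak happens without any reload.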
