Re: [Tails-dev] Possible Security Problem

Delete this message

Reply to this message
Author: Giorgio Maone
Date:  
To: The Tails public development discussion list
CC: Mike Perry
Subject: Re: [Tails-dev] Possible Security Problem

This *would* not work for Tor Browser users, because of NoScript's ABE
built-in LOCAL rule, which prevents cross-zone (WAN to LAN) HTTP
requests, if only ABE was enabled per NoScript's default configuration.

See https://noscript.net/abe

Unfortunately, ABE seems to be turned off by Tor Browser's custom
configuration.
Like in other cases, there's surely a valid rationale behind this choice.
Mike, could you please explain it? Is there anything I can do to make
ABE better suited for the Tor Browser's specific needs?

- -- G

On 08/04/2015 14:51, tails-bugs@??? wrote:
>
> Hi,
>
> We received that email to tails-bugs.
>
> Cheers.
>
> From: Taylor Hornby <th@???>
>
> Dear Tails Team:
>
> I believe I have found a way for a malicious website in Tails to scan
> the user's local network for running HTTP servers. This could be used to
> fingerprint them (i.e. use the list as a sort of supercookie), or
> possibly deanonymize them if they have a very unique configuration.
>
> It works by using JavaScript to measure the amount of time it takes to
> load the URL. This is done for every IP in the range 192.168.1.0/24.
>
> Here's a proof of concept page that just prints out the load times in
> milliseconds (warning: it starts running immediately when you open it):
>
> https://defuse.ca/dev/tailssidechannel.html
>
> (view source to see exactly how it works)
>
> Here's a screenshot of what it produces on my network:
>
> https://defuse.ca/dev/tailssidechannel.png
>
> You can easily see from the output which IP addresses have a web server
> running on port 80 (.11, .12, .25, .29, .30, ...).
>
> Once an attacker knows an HTTP server exists at a given IP and port
> number, they can start to profile what application is running on it. For
> example, images could be loaded into HTML5 canvas and then returned to
> the server. This way, if you had, say, a printer web administration
> page, they could tell what make/model of printer you had by looking for
> logo images. (I have not tried it; I'm not sure if same-origin-policy
> would prevent it; but I don't think it would).
>
> I wasn't able to test this with vanilla Tor Browser Bundle, since I
> couldn't get it to run. I will do that as soon as I am home from
> university.
>
> An update: I tested with Tor Browser Bundle 4.0.6 (the latest), and it
> does not have this problem. It looks like TBB blocks all requests to the
> local network.
>
> I also forgot to mention I was testing using Tails version 1.3.2 inside
> a VirtualBox VM, in case that matters.
>
> It would be really nice if Tails would block all non-Tor traffic from
> kernel space when the "No" option is selected at startup. I'm sure this
> has been discussed before, so there must be some reason it doesn't.
>
> My PGP key for this email address is at:
>
> https://defuse.ca/downloads/th.asc
>
> The fingerprint is on my twitter:
>
> https://twitter.com/DefuseSec/status/575767865552306176
>
> -Taylor
>
>
>
> _______________________________________________
> Tails-dev mailing list
> Tails-dev@???
> https://mailman.boum.org/listinfo/tails-dev
> To unsubscribe from this list, send an empty email to

Tails-dev-unsubscribe@???.


- --
Giorgio Maone
https://maone.net