[Tails-dev] Possible Security Problem

Author: tails-bugs
To: tails-dev
New-Topics: Re: [Tails-dev] Possible Security Problem
Subject: [Tails-dev] Possible Security Problem

Hi,

We received this email at tails-bugs.

Cheers.

From: Taylor Hornby <th@???>

Dear Tails Team:

I believe I have found a way for a malicious website in Tails to scan
the user's local network for running HTTP servers. This could be used to
fingerprint them (i.e. use the list as a sort of supercookie), or
possibly deanonymize them if they have a very unique configuration.

It works by using JavaScript to measure the amount of time it takes to
load the URL. This is done for every IP in the range 192.168.1.0/24.

Here's a proof of concept page that just prints out the load times in
milliseconds (warning: it starts running immediately when you open it):

https://defuse.ca/dev/tailssidechannel.html

(view source to see exactly how it works)

Here's a screenshot of what it produces on my network:

https://defuse.ca/dev/tailssidechannel.png

You can easily see from the output which IP addresses have a web server
running on port 80 (.11, .12, .25, .29, .30, ...).

Once an attacker knows an HTTP server exists at a given IP and port
number, they can start to profile what application is running on it. For
example, images could be loaded into HTML5 canvas and then returned to
the server. This way, if you had, say, a printer web administration
page, they could tell what make/model of printer you had by looking for
logo images. (I have not tried it; I'm not sure if the same-origin policy
would prevent it, but I don't think it would.)

I wasn't able to test this with vanilla Tor Browser Bundle, since I
couldn't get it to run. I will do that as soon as I am home from
university.

An update: I tested with Tor Browser Bundle 4.0.6 (the latest), and it
does not have this problem. It looks like TBB blocks all requests to the
local network.

I also forgot to mention I was testing using Tails version 1.3.2 inside
a VirtualBox VM, in case that matters.

It would be really nice if Tails would block all non-Tor traffic from
kernel space when the "No" option is selected at startup. I'm sure this
has been discussed before, so there must be some reason it doesn't.

My PGP key for this email address is at:

https://defuse.ca/downloads/th.asc

The fingerprint is on my Twitter:

https://twitter.com/DefuseSec/status/575767865552306176

-Taylor
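An added example, not part of Taylor's message or of the Tails project: the probe described above produces, from a single host, a burst of connections to every address in 192.168.1.0/24 on port 80 within a few seconds, and that pattern is recognisable in kernel firewall records (iptables LOG style lines). The Python below parses such records, keeps a per-source sliding window of distinct destination hosts per /24, and raises an alert once the count crosses a threshold. The log format, the host name `tails`, the source address 192.168.1.50, the timestamps and the thresholds are all constructed assumptions for this example.

```python
"""Detect a horizontal LAN sweep (one source, many hosts in a /24, web ports)
in iptables-LOG-style kernel log lines.  Constructed example; not Tails code."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the fields we need from a syslog line written by an iptables LOG target.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # because the detector only uses differences between timestamps.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), ipaddress.ip_address(m.group("dst")), int(m.group("dport"))


def detect_sweeps(lines, window_seconds=10, min_hosts=32, ports=(80, 443, 8080)):
    """Alert when one source touches >= min_hosts distinct private hosts in the
    same /24 on a web port within window_seconds.  Lines are assumed to be in
    chronological order, as a log file would be."""
    windows = defaultdict(deque)   # (src, /24) -> deque of (ts, dst_host)
    alerts = {}                    # (src, /24) -> alert dict, updated as the sweep grows
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        if dport not in ports or not dst.is_private:
            continue
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        key = (src, net)
        q = windows[key]
        q.append((ts, dst))
        cutoff = ts - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:      # drop events older than the window
            q.popleft()
        distinct = {host for _, host in q}
        if len(distinct) >= min_hosts:
            alert = alerts.setdefault(key, {
                "src": src, "network": str(net),
                "distinct_hosts": 0, "window_start": q[0][0], "window_end": ts,
            })
            alert["distinct_hosts"] = max(alert["distinct_hosts"], len(distinct))
            alert["window_end"] = ts
    return list(alerts.values())


def _fmt(ts, src, dst, dport):
    """Render one constructed iptables-LOG-style syslog line."""
    return (f"{ts.strftime('%b %d %H:%M:%S')} tails kernel: IN=eth0 OUT= MAC=... "
            f"SRC={src} DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
            f"PROTO=TCP SPT=40000 DPT={dport} WINDOW=64240 SYN")


def build_sample_log():
    """Constructed sample: two benign connections from .20, then a sweep of all
    254 hosts in 192.168.1.0/24 on port 80 from .50 spread over about 5 seconds."""
    base = datetime(1900, 4, 1, 12, 0, 0)   # year 1900 matches what parse_line yields
    lines = [
        _fmt(base, "192.168.1.20", "192.168.1.1", 80),
        _fmt(base + timedelta(seconds=3), "192.168.1.20", "192.168.1.25", 443),
    ]
    for i in range(1, 255):
        lines.append(_fmt(base + timedelta(milliseconds=20 * i),
                          "192.168.1.50", f"192.168.1.{i}", 80))
    return lines


if __name__ == "__main__":
    for a in detect_sweeps(build_sample_log()):
        print(f"sweep from {a['src']} over {a['network']}: "
              f"{a['distinct_hosts']} hosts between {a['window_start'].time()} "
              f"and {a['window_end'].time()}")
```

The thresholds are deliberately loose (32 hosts in 10 seconds) so that a browser opening a handful of LAN pages never trips the rule, while a /24 probe, which must touch far more hosts to be useful, does. This is detection only: the change the message asks for, a kernel-level firewall that confines the browser to Tor, prevents the connections outright, and with a LOG rule on the drop path the same parser would then show the attempt as a burst of dropped packets rather than accepted ones.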