This *would* not work for Tor Browser users, because of NoScript's ABE
built-in LOCAL rule, which prevents cross-zone (WAN to LAN) HTTP
requests, if only ABE was enabled per NoScript's default configuration.
See
https://noscript.net/abe
Unfortunately, ABE seems to be turned off by Tor Browser's custom
configuration.
Like in other cases, there's surely a valid rationale behind this choice.
Mike, could you please explain it? Is there anything I can do to make
ABE better suited for the Tor Browser's specific needs?
- -- G
On 08/04/2015 14:51, tails-bugs@??? wrote:
>
> Hi,
>
> We received that email to tails-bugs.
>
> Cheers.
>
> From: Taylor Hornby <th@???>
>
> Dear Tails Team:
>
> I believe I have found a way for a malicious website in Tails to scan
> the user's local network for running HTTP servers. This could be used to
> fingerprint them (i.e. use the list as a sort of supercookie), or
> possibly deanonymize them if they have a very unique configuration.
>
> It works by using JavaScript to measure the amount of time it takes to
> load the URL. This is done for every IP in the range 192.168.1.0/24.
>
> Here's a proof of concept page that just prints out the load times in
> milliseconds (warning: it starts running immediately when you open it):
>
> https://defuse.ca/dev/tailssidechannel.html
>
> (view source to see exactly how it works)
>
> Here's a screenshot of what it produces on my network:
>
> https://defuse.ca/dev/tailssidechannel.png
>
> You can easily see from the output which IP addresses have a web server
> running on port 80 (.11, .12, .25, .29, .30, ...).
>
> Once an attacker knows an HTTP server exists at a given IP and port
> number, they can start to profile what application is running on it. For
> example, images could be loaded into HTML5 canvas and then returned to
> the server. This way, if you had, say, a printer web administration
> page, they could tell what make/model of printer you had by looking for
> logo images. (I have not tried it; I'm not sure if same-origin-policy
> would prevent it; but I don't think it would).
>
> I wasn't able to test this with vanilla Tor Browser Bundle, since I
> couldn't get it to run. I will do that as soon as I am home from
> university.
>
> An update: I tested with Tor Browser Bundle 4.0.6 (the latest), and it
> does not have this problem. It looks like TBB blocks all requests to the
> local network.
>
> I also forgot to mention I was testing using Tails version 1.3.2 inside
> a VirtualBox VM, in case that matters.
>
> It would be really nice if Tails would block all non-Tor traffic from
> kernel space when the "No" option is selected at startup. I'm sure this
> has been discussed before, so there must be some reason it doesn't.
>
> My PGP key for this email address is at:
>
> https://defuse.ca/downloads/th.asc
>
> The fingerprint is on my twitter:
>
> https://twitter.com/DefuseSec/status/575767865552306176
>
> -Taylor
>
>
>
> _______________________________________________
> Tails-dev mailing list
> Tails-dev@???
> https://mailman.boum.org/listinfo/tails-dev
> To unsubscribe from this list, send an empty email to
Tails-dev-unsubscribe@???.
- --
Giorgio Maone
https://maone.net
%20HTTP%0A>%20requests,%20if%20only%20ABE%20was%20enabled%20per%20NoScript's%20default%20configuration.%0A>%20%0A>%20See%20https://noscript.net/abe%0A>%20%0A>%20Unfortunately,%20ABE%20seems%20to%20be%20turned%20off%20by%20Tor%20Browser's%20custom%0A>%20configuration.%0A>%20Like%20in%20other%20cases,%20there's%20surely%20a%20valid%20rationale%20behind%20this%20choice.%0A>%20Mike,%20could%20you%20please%20explain%20it?%20Is%20there%20anything%20I%20can%20do%20to%20make%0A>%20ABE%20better%20suited%20for%20the%20Tor%20Browser's%20specific%20needs?%0A>%20%0A>%20-%20--%20G%0A>%20%0A>%20On%2008/04/2015%2014:51,%20tails-bugs@???%20wrote:%0A>%20>%0A>%20>%20Hi,%0A>%20>%0A>%20>%20We%20received%20that%20email%20to%20tails-bugs.%0A>%20>%0A>%20>%20Cheers.%0A>%20>%0A>%20>%20From:%20Taylor%20Hornby%20<th@???>%0A>%20>%0A>%20>%20Dear%20Tails%20Team:%0A>%20>%0A>%20>%20I%20believe%20I%20have%20found%20a%20way%20for%20a%20malicious%20website%20in%20Tails%20to%20scan%0A>%20>%20the%20user's%20local%20network%20for%20running%20HTTP%20servers.%20This%20could%20be%20used%20to%0A>%20>%20fingerprint%20them%20(i.e.%20use%20the%20list%20as%20a%20sort%20of%20supercookie),%20or%0A>%20>%20possibly%20deanonymize%20them%20if%20they%20have%20a%20very%20unique%20configuration.%0A>%20>%0A>%20>%20It%20works%20by%20using%20JavaScript%20to%20measure%20the%20amount%20of%20time%20it%20takes%20to%0A>%20>%20load%20the%20URL.%20This%20is%20done%20for%20every%20IP%20in%20the%20range%20192.168.1.0/24.%0A>%20>%0A>%20>%20Here's%20a%20proof%20of%20concept%20page%20that%20just%20prints%20out%20the%20load%20times%20in%0A>%20>%20milliseconds%20(warning:%20it%20starts%20running%20immediately%20when%20you%20open%20it):%0A>%20>%0A>%20>%20https://defuse.ca/dev/tailssidechannel.html%0A>%20>%0A>%20>%20(view%20source%20to%20see%20exactly%20how%20it%20works)%0A>%20>%0A>%20>%20Here's%20a%20screenshot%20of%20what%20it%20produces%20on%20my%20network:%0A>%20>%0A>%20>%20https://defuse.ca/dev/tailssidechannel.png%0A>%20>%0A>%20>%20You%20can%20easily%20see%20from%20the%20output%20which%20IP%20addresses%20have%20a%20web%20server%0A>%20>%20running%20on%20port%2080%20(.11,%20.12,%20.25,%20.29,%20.30,%20...).%0A>%20>%0A>%20>%20Once%20an%20attacker%20knows%20an%20HTTP%20server%20exists%20at%20a%20given%20IP%20and%20port%0A>%20>%20number,%20they%20can%20start%20to%20profile%20what%20application%20is%20running%20on%20it.%20For%0A>%20>%20example,%20images%20could%20be%20loaded%20into%20HTML5%20canvas%20and%20then%20returned%20to%0A>%20>%20the%20server.%20This%20way,%20if%20you%20had,%20say,%20a%20printer%20web%20administration%0A>%20>%20page,%20they%20could%20tell%20what%20make/model%20of%20printer%20you%20had%20by%20looking%20for%0A>%20>%20logo%20images.%20(I%20have%20not%20tried%20it;%20I'm%20not%20sure%20if%20same-origin-policy%0A>%20>%20would%20prevent%20it;%20but%20I%20don't%20think%20it%20would).%0A>%20>%0A>%20>%20I%20wasn't%20able%20to%20test%20this%20with%20vanilla%20Tor%20Browser%20Bundle,%20since%20I%0A>%20>%20couldn't%20get%20it%20to%20run.%20I%20will%20do%20that%20as%20soon%20as%20I%20am%20home%20from%0A>%20>%20university.%0A>%20>%0A>%20>%20An%20update:%20I%20tested%20with%20Tor%20Browser%20Bundle%204.0.6%20(the%20latest),%20and%20it%0A>%20>%20does%20not%20have%20this%20problem.%20It%20looks%20like%20TBB%20blocks%20all%20requests%20to%20the%0A>%20>%20local%20network.%0A>%20>%0A>%20>%20I%20also%20forgot%20to%20mention%20I%20was%20testing%20using%20Tails%20version%201.3.2%20inside%0A>%20>%20a%20VirtualBox%20VM,%20in%20case%20that%20matters.%0A>%20>%0A>%20>%20It%20would%20be%20really%20nice%20if%20Tails%20would%20block%20all%20non-Tor%20traffic%20from%0A>%20>%20kernel%20space%20when%20the%20%22No%22%20option%20is%20selected%20at%20startup.%20I'm%20sure%20this%0A>%20>%20has%20been%20discussed%20before,%20so%20there%20must%20be%20some%20reason%20it%20doesn't.%0A>%20>%0A>%20>%20My%20PGP%20key%20for%20this%20email%20address%20is%20at:%0A>%20>%0A>%20>%20https://defuse.ca/downloads/th.asc%0A>%20>%0A>%20>%20The%20fingerprint%20is%20on%20my%20twitter:%0A>%20>%0A>%20>%20https://twitter.com/DefuseSec/status/575767865552306176%0A>%20>%0A>%20>%20-Taylor%0A>%20>%20%0A>%20>%0A>%20>%0A>%20>%20_______________________________________________%0A>%20>%20Tails-dev%20mailing%20list%0A>%20>%20Tails-dev@???%0A>%20>%20https://mailman.boum.org/listinfo/tails-dev%0A>%20>%20To%20unsubscribe%20from%20this%20list,%20send%20an%20empty%20email%20to%0A>%20Tails-dev-unsubscribe@???.%0A>%20%0A>%20%0A>%20-%20--%20%0A>%20Giorgio%20Maone%0A>%20https://maone.net%0A>%20%0A>%20 "Reply to this message")
