Author: Georg Koppen Date: To: The Tails public development discussion list CC: Mike Perry Subject: Re: [Tails-dev] Possible Security Problem
Hi,
Giorgio Maone: >
> This *would* not work for Tor Browser users, because of NoScript's ABE
> built-in LOCAL rule, which prevents cross-zone (WAN to LAN) HTTP
> requests, if only ABE was enabled per NoScript's default configuration.
>
> See https://noscript.net/abe >
> Unfortunately, ABE seems to be turned off by Tor Browser's custom
> configuration.
> Like in other cases, there's surely a valid rationale behind this choice.
> Mike, could you please explain it? Is there anything I can do to make
> ABE better suited for the Tor Browser's specific needs?
https://bugs.torproject.org/10419 is the one discussing how to defend
against the fingerprinting vector. We decided that ABE is not necessary
(avoiding its complexity) back then.
Georg
> -- G
>
> On 08/04/2015 14:51, tails-bugs@??? wrote:
>
>> Hi,
>
>> We received that email to tails-bugs.
>
>> Cheers.
>
>> From: Taylor Hornby <th@???>
>
>> Dear Tails Team:
>
>> I believe I have found a way for a malicious website in Tails to scan
>> the user's local network for running HTTP servers. This could be used to
>> fingerprint them (i.e. use the list as a sort of supercookie), or
>> possibly deanonymize them if they have a very unique configuration.
>
>> It works by using JavaScript to measure the amount of time it takes to
>> load the URL. This is done for every IP in the range 192.168.1.0/24.
>
>> Here's a proof of concept page that just prints out the load times in
>> milliseconds (warning: it starts running immediately when you open it):
>
>> https://defuse.ca/dev/tailssidechannel.html >
>> (view source to see exactly how it works)
>
>> Here's a screenshot of what it produces on my network:
>
>> https://defuse.ca/dev/tailssidechannel.png >
>> You can easily see from the output which IP addresses have a web server
>> running on port 80 (.11, .12, .25, .29, .30, ...).
>
>> Once an attacker knows an HTTP server exists at a given IP and port
>> number, they can start to profile what application is running on it. For
>> example, images could be loaded into HTML5 canvas and then returned to
>> the server. This way, if you had, say, a printer web administration
>> page, they could tell what make/model of printer you had by looking for
>> logo images. (I have not tried it; I'm not sure if same-origin-policy
>> would prevent it; but I don't think it would).
>
>> I wasn't able to test this with vanilla Tor Browser Bundle, since I
>> couldn't get it to run. I will do that as soon as I am home from
>> university.
>
>> An update: I tested with Tor Browser Bundle 4.0.6 (the latest), and it
>> does not have this problem. It looks like TBB blocks all requests to the
>> local network.
>
>> I also forgot to mention I was testing using Tails version 1.3.2 inside
>> a VirtualBox VM, in case that matters.
>
>> It would be really nice if Tails would block all non-Tor traffic from
>> kernel space when the "No" option is selected at startup. I'm sure this
>> has been discussed before, so there must be some reason it doesn't.
>
>> My PGP key for this email address is at:
>
>> https://defuse.ca/downloads/th.asc >
>> The fingerprint is on my twitter:
>
>> https://twitter.com/DefuseSec/status/575767865552306176 >
>> -Taylor
>
>
>
>> _______________________________________________
>> Tails-dev mailing list
>> Tails-dev@???
>> https://mailman.boum.org/listinfo/tails-dev >> To unsubscribe from this list, send an empty email to
> Tails-dev-unsubscribe@???.
>
>
>
>
>
>
> _______________________________________________
> Tails-dev mailing list
> Tails-dev@???
> https://mailman.boum.org/listinfo/tails-dev > To unsubscribe from this list, send an empty email to Tails-dev-unsubscribe@???.
>
%20HTTP%0A>%20>%20requests,%20if%20only%20ABE%20was%20enabled%20per%20NoScript's%20default%20configuration.%0A>%20>%20%0A>%20>%20See%20https://noscript.net/abe%0A>%20>%20%0A>%20>%20Unfortunately,%20ABE%20seems%20to%20be%20turned%20off%20by%20Tor%20Browser's%20custom%0A>%20>%20configuration.%0A>%20>%20Like%20in%20other%20cases,%20there's%20surely%20a%20valid%20rationale%20behind%20this%20choice.%0A>%20>%20Mike,%20could%20you%20please%20explain%20it?%20Is%20there%20anything%20I%20can%20do%20to%20make%0A>%20>%20ABE%20better%20suited%20for%20the%20Tor%20Browser's%20specific%20needs?%0A>%20%0A>%20https://bugs.torproject.org/10419%20is%20the%20one%20discussing%20how%20to%20defend%0A>%20against%20the%20fingerprinting%20vector.%20We%20decided%20that%20ABE%20is%20not%20necessary%0A>%20(avoiding%20its%20complexity)%20back%20then.%0A>%20%0A>%20Georg%0A>%20%0A>%20>%20--%20G%0A>%20>%20%0A>%20>%20On%2008/04/2015%2014:51,%20tails-bugs@???%20wrote:%0A>%20>%20%0A>%20>>%20Hi,%0A>%20>%20%0A>%20>>%20We%20received%20that%20email%20to%20tails-bugs.%0A>%20>%20%0A>%20>>%20Cheers.%0A>%20>%20%0A>%20>>%20From:%20Taylor%20Hornby%20<th@???>%0A>%20>%20%0A>%20>>%20Dear%20Tails%20Team:%0A>%20>%20%0A>%20>>%20I%20believe%20I%20have%20found%20a%20way%20for%20a%20malicious%20website%20in%20Tails%20to%20scan%0A>%20>>%20the%20user's%20local%20network%20for%20running%20HTTP%20servers.%20This%20could%20be%20used%20to%0A>%20>>%20fingerprint%20them%20(i.e.%20use%20the%20list%20as%20a%20sort%20of%20supercookie),%20or%0A>%20>>%20possibly%20deanonymize%20them%20if%20they%20have%20a%20very%20unique%20configuration.%0A>%20>%20%0A>%20>>%20It%20works%20by%20using%20JavaScript%20to%20measure%20the%20amount%20of%20time%20it%20takes%20to%0A>%20>>%20load%20the%20URL.%20This%20is%20done%20for%20every%20IP%20in%20the%20range%20192.168.1.0/24.%0A>%20>%20%0A>%20>>%20Here's%20a%20proof%20of%20concept%20page%20that%20just%20prints%20out%20the%20load%20times%20in%0A>%20>>%20milliseconds%20(warning:%20it%20starts%20running%20immediately%20when%20you%20open%20it):%0A>%20>%20%0A>%20>>%20https://defuse.ca/dev/tailssidechannel.html%0A>%20>%20%0A>%20>>%20(view%20source%20to%20see%20exactly%20how%20it%20works)%0A>%20>%20%0A>%20>>%20Here's%20a%20screenshot%20of%20what%20it%20produces%20on%20my%20network:%0A>%20>%20%0A>%20>>%20https://defuse.ca/dev/tailssidechannel.png%0A>%20>%20%0A>%20>>%20You%20can%20easily%20see%20from%20the%20output%20which%20IP%20addresses%20have%20a%20web%20server%0A>%20>>%20running%20on%20port%2080%20(.11,%20.12,%20.25,%20.29,%20.30,%20...).%0A>%20>%20%0A>%20>>%20Once%20an%20attacker%20knows%20an%20HTTP%20server%20exists%20at%20a%20given%20IP%20and%20port%0A>%20>>%20number,%20they%20can%20start%20to%20profile%20what%20application%20is%20running%20on%20it.%20For%0A>%20>>%20example,%20images%20could%20be%20loaded%20into%20HTML5%20canvas%20and%20then%20returned%20to%0A>%20>>%20the%20server.%20This%20way,%20if%20you%20had,%20say,%20a%20printer%20web%20administration%0A>%20>>%20page,%20they%20could%20tell%20what%20make/model%20of%20printer%20you%20had%20by%20looking%20for%0A>%20>>%20logo%20images.%20(I%20have%20not%20tried%20it;%20I'm%20not%20sure%20if%20same-origin-policy%0A>%20>>%20would%20prevent%20it;%20but%20I%20don't%20think%20it%20would).%0A>%20>%20%0A>%20>>%20I%20wasn't%20able%20to%20test%20this%20with%20vanilla%20Tor%20Browser%20Bundle,%20since%20I%0A>%20>>%20couldn't%20get%20it%20to%20run.%20I%20will%20do%20that%20as%20soon%20as%20I%20am%20home%20from%0A>%20>>%20university.%0A>%20>%20%0A>%20>>%20An%20update:%20I%20tested%20with%20Tor%20Browser%20Bundle%204.0.6%20(the%20latest),%20and%20it%0A>%20>>%20does%20not%20have%20this%20problem.%20It%20looks%20like%20TBB%20blocks%20all%20requests%20to%20the%0A>%20>>%20local%20network.%0A>%20>%20%0A>%20>>%20I%20also%20forgot%20to%20mention%20I%20was%20testing%20using%20Tails%20version%201.3.2%20inside%0A>%20>>%20a%20VirtualBox%20VM,%20in%20case%20that%20matters.%0A>%20>%20%0A>%20>>%20It%20would%20be%20really%20nice%20if%20Tails%20would%20block%20all%20non-Tor%20traffic%20from%0A>%20>>%20kernel%20space%20when%20the%20%22No%22%20option%20is%20selected%20at%20startup.%20I'm%20sure%20this%0A>%20>>%20has%20been%20discussed%20before,%20so%20there%20must%20be%20some%20reason%20it%20doesn't.%0A>%20>%20%0A>%20>>%20My%20PGP%20key%20for%20this%20email%20address%20is%20at:%0A>%20>%20%0A>%20>>%20https://defuse.ca/downloads/th.asc%0A>%20>%20%0A>%20>>%20The%20fingerprint%20is%20on%20my%20twitter:%0A>%20>%20%0A>%20>>%20https://twitter.com/DefuseSec/status/575767865552306176%0A>%20>%20%0A>%20>>%20-Taylor%0A>%20>%20%0A>%20>%20%0A>%20>%20%0A>%20>>%20_______________________________________________%0A>%20>>%20Tails-dev%20mailing%20list%0A>%20>>%20Tails-dev@???%0A>%20>>%20https://mailman.boum.org/listinfo/tails-dev%0A>%20>>%20To%20unsubscribe%20from%20this%20list,%20send%20an%20empty%20email%20to%0A>%20>%20Tails-dev-unsubscribe@???.%0A>%20>%20%0A>%20>%20%0A>%20>%20%0A>%20>%20%0A>%20>%20%0A>%20>%20%0A>%20>%20_______________________________________________%0A>%20>%20Tails-dev%20mailing%20list%0A>%20>%20Tails-dev@???%0A>%20>%20https://mailman.boum.org/listinfo/tails-dev%0A>%20>%20To%20unsubscribe%20from%20this%20list,%20send%20an%20empty%20email%20to%20Tails-dev-unsubscribe@???.%0A>%20>%20%0A>%20%0A>%20%0A>%20 "Reply to this message")
