On Wed, 17 Feb 2010 11:18:03 -0800 (PST), Martin Fick <[email protected]> wrote:

> --- On Wed, 2/17/10, Jon Cosby <[email protected]> wrote:
>>
>> I'm referring to links from file:// urls. By default,
>> Torbutton blocks this, and has it "recommended."
>
> Ah, you mean the file protocol. Firefox itself tends to have this
> disabled by default also. One of the reasons is to prevent malicious users
> from including file:// urls in an external webpage. With file:// urls, a
> webpage could be designed to test for the existence of local files on your
> computer. From an anonymity standpoint, if I can run a test that verifies
> the existence of a specific file on your computer, one that I can prove
> only you would have on your computer, then I might be able to prove that
> you loaded my webpage.
>
> I suspect there are also ways to potentially execute some local code on your
> computer by accessing local files (depending on the OS, this might be
> harder or easier to achieve). If that's the case, perhaps depending on the
> program, by executing it locally, I might be able to detect this remotely.
> Maybe the program does something as simple as a DNS lookup that I can sniff
> and then correlate to you...
>
> And, finally, just because a file is accessed via a file:// url does not
> mean it is actually accessing a file locally. It is accessing a file via
> your local file system namespace, but this might be on a remotely mounted
> drive/share, making the remote server able to detect/prove this access, once
> again exposing your access of a webpage to at least the owner of the
> remote server/share.
>
> I suspect that there are many more attacks based on this, that I have only
> touched the tip of the iceberg...
>
> Hope that helps,
The only time I can ever recall coming across the protocol is in opening files on my computer, and this has never been disabled. To fool somebody into opening this file on a remote server, the cracker would need a copy of the file, which would essentially require prior access to the computer. Or am I missing something here?

Jon

***********************************************************************
To unsubscribe, send an e-mail to [email protected] with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/
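As an added example (not code from this thread, and not Firefox's or Torbutton's own implementation), the following Node.js snippet models the load rule Martin describes: a document loaded over http(s) is refused any file: target, because whether such a load succeeds or fails is an oracle for the existence of a specific local file. It also flags file: URLs whose authority names a remote host, since those resolve through a network share rather than the local disk, which is his third point. The function names, the set of origins treated as file-capable, and the sample probe list are all this example's own assumptions.

```javascript
// Added example, not from the or-talk thread, Firefox or Torbutton.
// Models: "a web-origin page may not load file: URLs", plus detection of
// file: URLs that point at a remote share instead of the local machine.

// Assumption: only documents that are themselves file: may load file: targets.
const FILE_CAPABLE_ORIGINS = new Set(['file:']);

// Parse a target URL; return null if it is not a file: URL.
// In the WHATWG URL model, an empty host (or "localhost") means the local
// machine; any other host means the path resolves on a remote share.
function parseFileTarget(target) {
  const u = new URL(target);
  if (u.protocol !== 'file:') return null;
  const host = u.hostname;
  const remoteHost = host !== '' && host !== 'localhost' ? host : null;
  return { path: decodeURIComponent(u.pathname), remoteHost };
}

// Decide whether a document at originUrl may load targetUrl.
// Returns { allow, reason, remoteHost }.
function checkLoad(originUrl, targetUrl) {
  const origin = new URL(originUrl);
  const target = parseFileTarget(targetUrl);
  if (target === null) {
    return { allow: true, reason: 'non-file target', remoteHost: null };
  }
  if (!FILE_CAPABLE_ORIGINS.has(origin.protocol)) {
    // The case the thread is about: an http(s) page embedding file:// URLs
    // to learn, from load success/failure, whether the file exists.
    return {
      allow: false,
      reason: origin.protocol + ' origin may not load file: URLs',
      remoteHost: null,
    };
  }
  return {
    allow: true,
    reason: target.remoteHost
      ? 'file: document loading a path served by a remote share'
      : 'file: document loading a local file',
    remoteHost: target.remoteHost,
  };
}

// Given the probe URLs an attacker page would embed (e.g. as <img src>),
// return only those the policy would actually let run, with remote hosts noted.
function permittedProbes(originUrl, probeUrls) {
  return probeUrls
    .map((p) => Object.assign({ url: p }, checkLoad(originUrl, p)))
    .filter((r) => r.allow);
}

// Constructed sample probe list: files whose presence would fingerprint a
// particular machine or user (hypothetical paths).
const SAMPLE_PROBES = [
  'file:///C:/Program%20Files/Tor/tor.exe',
  'file:///home/alice/.gnupg/pubring.gpg',
  'file://fileserver/homes/alice/notes.txt',
];

// Compare the two origins the thread contrasts: a page served from the web,
// and a page opened from the local file system.
function demo() {
  const fromWeb = permittedProbes('http://attacker.example/page.html', SAMPLE_PROBES);
  const fromLocal = permittedProbes('file:///tmp/opened-locally.html', SAMPLE_PROBES);
  return {
    fromWebCount: fromWeb.length,
    fromLocalCount: fromLocal.length,
    remoteShareHits: fromLocal.filter((r) => r.remoteHost).map((r) => r.remoteHost),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node` to see that a web origin gets zero permitted probes while a file: origin gets all three, with `fileserver` reported as a remote share, which is exactly the namespace-versus-location distinction Martin raises.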

