On Saturday 24 January 2009 17:41, Dennis Nezic wrote:
> On Sat, 24 Jan 2009 13:05:41 +0000, Matthew Toseland wrote:
> > There have been some question marks over whether it is possible to
> > load an image from an external domain and get a callback when it is
> > loaded - if so, it may be possible to time fetches of specific sites
> > from javascript on an unrelated site. Meaning running a web browser
> > on a system with access to fproxy is dangerous. I haven't tested
> > this, maybe you'd like to?
> It's a well known attack--"cache timing attacks". Pretty similar to
> css-history attacks. And it's also not hard to prevent. (For history
> attacks, simply disable history in your freenet profile.) For cache
> attacks, simply restrict access to fproxy to a separate freenet user on
> your system. (And, of course, do not use that user to surf the
> dangerous web--unless, of course, you use a safe browser, like one with
> javascript disabled. Javascript is, after all, the root of all
> (website) evil.)

The cross-domain rules don't prevent it then?
> Fproxy access can be restricted on a per-user basis very simply with
> iptables:
> iptables -A OUTPUT -p tcp --dport 8888 -m owner ! --uid-owner

We have different definitions of easy! This is a good reason IMHO to not 
include fproxy by default once we have a dedicated browser. And even if we do 
that, fproxy can still be probed for, just not individual sites... We should 
also warn about it in the README...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 827 bytes
Desc: not available

Reply via email to