On Tue, Jul 02, 2013 at 06:45:24PM -0700, Mark Yaler wrote:
> Let's say you open webpage X, which automatically refreshes every
> minute. But the user doesn't immediately realize this problem.

Variations of this attack are in various research papers, e.g.
http://freehaven.net/anonbib/#tissec-latency-leak

See also
http://freehaven.net/anonbib/#abbott-pet2007

> The user also wishes to read webpage Y. However, this user realizes
> that opening both X and Y would allow his identity to be compromised,
> or at least significantly narrowed in probability. So the user realizes
> that he needs to refresh his Tor identity between accessing pages X and
> Y. So he does this.

Assuming he clicks 'new identity' in Torbutton, it will flush all his
browser state. There will be no more page X open.

> Then he accesses webpage Y. Unfortunately, due to the autorefresh
> HTML code on webpage X, which suddenly occurs, there is now evidence
> (in the clear) of the same IP address accessing both X and Y within a
> short time window, thereby weakening his anonymity.

Yep. That's why the Tor Browser doesn't allow this.
https://www.torproject.org/projects/torbrowser/design/#new-identity

> My point is, why not do that by default?

It's a tradeoff between usability and security. I think we'd end up
breaking a lot of pages if we disabled all refreshes.

--Roger

_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk