Archive for the Anonymity Category

Congratulations to David Baron and the others involved for this well thought out fix :)
Mozilla is already working on this, but please do not comment on the bug report, already too much noise there...
Does anybody know what this XeroBank guy is talking about? SPP obviously can't stand for Site Pecurity Policy. It wouldn't make sense (spelling and grammar aside) because SSP is not meant to replace NoScript, and is not going to anytime soon. The SSP we know does not allow "users to protect against" anything, it just allows compliant web sites to protect their own users (which is great, anyway). So, any hint about this SPP, supposed NoScript killer?

As I can easily tell by looking at flashgot.net and noscript.net Apache logs, every day the blogosphere gets flooded by copycat articles about "Top 5 Firefox Extensions" or "Best 10 Add-ons".
Thanks to Dave Drager for the useful reminder.
26 09 2007
Cross-Browser Proxy Unmasking

Posted by: Giorgio in IE, Anonymity, Flash, Java, Security, NoScript

It's really time to sleep in my timezone, but I just couldn't resist when I read RSnake's latest post about Deanonymizing Tor and Detecting Proxies. The basic concept, not terribly new by the way, is that browser proxy settings cannot be enforced on browser plugins, which happily ignore them in some circumstances, e.g. when establishing a direct TCP socket connection. This caveat has been preached even on the Tor download page itself, but there's nothing better than some scary demos to convert the non-believers.

RSnake's interesting proof of concept exploits JavaScript + LiveConnect, and it apparently works only on Gecko-based browsers with Java™ installed. I didn't manage to make it work on Opera, even though it does support LiveConnect.

So I decided to defer bedtime a bit and put together my own quick deanonymizing proof of concept, which relies on the almost ubiquitous Macromedia® Flash® and works in any web browser supporting the Flash player, like Internet Explorer (no need for JavaScript, either). The XMLSocket ActionScript object is used to bypass the browser's proxy settings and connect to a tiny server written in Perl, listening on port 9999 and echoing the client's IP. Here's the ActionScript code:
Download this code: pbp.as
And here's the Perl server:
Download this code: pbp.pl
Today's lesson is: if you want to stay anonymous, you'd better turn off Java, Flash and any other plugin!

Update OCT-27

I've just learned that some months ago a guy called yawnmoth demonstrated an Unmasking Java Applet. Just like my Flash-based one, this also works in browsers, like IE, not supporting LiveConnect.
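The exchange described in this post can be reproduced as a loopback self-test. The following is an added example in Python, not the pbp.as or pbp.pl code from the post: it compares what an address-echoing server sees over a relayed path with what it sees over a direct socket. The function names, the relay standing in for the proxy, and the ephemeral ports (instead of 9999) are assumptions made for this sketch.

```python
import socket
import threading

def _serve(handler):
    """Run handler(conn, peer) for each connection on an ephemeral loopback port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            conn, peer = srv.accept()
            with conn:
                handler(conn, peer)
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def start_echo_server():
    """Hypothetical stand-in for the post's server: report each client's address."""
    return _serve(lambda conn, peer: conn.sendall(f"{peer[0]}:{peer[1]}\n".encode()))

def start_relay(upstream):
    """Hypothetical stand-in for the proxy: the far end sees the relay's socket."""
    def handler(conn, _peer):
        with socket.create_connection(upstream, timeout=5) as up, up.makefile("rb") as f:
            conn.sendall(f.readline())
    return _serve(handler)

def exposes_origin(target):
    """True if the address reported back is this client's own socket address."""
    # On loopback every IP is 127.0.0.1, so the port is compared as well;
    # across a real network only the IP part would be compared.
    # Binding first fixes our local address before the connection is made.
    with socket.create_connection(target, timeout=5,
                                  source_address=("127.0.0.1", 0)) as s:
        local = "%s:%d" % s.getsockname()
        with s.makefile("rb") as f:
            seen = f.readline().decode().strip()
    return seen == local

if __name__ == "__main__":
    echo = start_echo_server()
    proxy = start_relay(echo)
    print("through relay exposes origin:", exposes_origin(proxy))
    print("direct socket exposes origin:", exposes_origin(echo))
```

The direct case corresponds to a plugin opening its own socket: the proxy setting exists, but nothing on that code path consults it.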