
Closed (moved)
Opened Mar 21, 2013 by Mike Perry@mikeperry

Re-verify app-launching defenses on Windows

Rsnake claims that some stuff he did 3 years ago still works on TBB. We certainly fixed the two vectors he mentioned (itms and smb) with Torbutton, but it is possible that one or more random things have been broken/undone by FF17. We should retest as many of them as we can, especially on Windows. Especially since Rsnake seems insistent on being as unhelpful as possible :/. Gotta love timewasters....

Most decloaking attacks are based on plugins, which are disabled by a Firefox patch and also by Firefox settings, but the following two decloak.net attacks should be retested:

  1. "When the iTunes is installed, it registers the itms:// protocol handler. This protocol handler will open iTunes and do a direct connection to the specified URL. There are some restrictions on the URL you can pass, but we found a nice way around them :-)"

  2. "When Microsoft Office is installed and configured to automatically open documents, a file can be returned which automatically downloads an image from the internet. This can bypass proxy settings and expose the real DNS servers of the user."

Unfortunately, decloak.net is now down, so the exact itms URL it used is unavailable (unless the source is still around somewhere).

Also, this test should be verified on Windows: http://pseudo-flaw.net/tor/torbutton/ipleak-dotnet-assistant.html

I think the .NET assistant addon might need to be explicitly installed these days. It used to auto-install with some piece of .NET but then Mozilla blacklisted it. They may have removed the blacklist, though...

Also, we should try some SMB URLs on Windows. Native Firefox SMB handling appears to be unimplemented still, but it may be possible to shove something in the registry that enables an external handler: http://kb.mozillazine.org/Register_protocol#Windows http://msdn.microsoft.com/en-us/library/aa767914.aspx

Such external handlers should still be blocked by Torbutton, though. They certainly are on MacOS and Linux...
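Added example, not part of the original ticket or of Tor's code: a pre-test check that lists which external URL handlers a Windows test machine has registered, so the retest covers every scheme that could launch an application. It assumes the tester has saved a `reg export` of HKEY_CLASSES_ROOT; the sample export below is constructed and `examplescheme` is a hypothetical scheme.

```python
import re

# Constructed sample in the text format written by `reg export` (not from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\itms]
@="URL:iTunes Music Store Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\itms\shell\open\command]
@="\"C:\\Program Files\\iTunes\\iTunes.exe\" /url \"%1\""

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\examplescheme]
@="URL:Example"
"URL Protocol"=""
'''

SECTION = re.compile(r'^\[(.+)\]\s*$')
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unquote(s):
    """Strip the surrounding quotes of a string value and undo backslash escapes."""
    if len(s) >= 2 and s[0] == s[-1] == '"':
        return re.sub(r'\\(.)', r'\1', s[1:-1])
    return s

def url_handlers(reg_text, root="HKEY_CLASSES_ROOT"):
    """Map scheme -> launch command (None if the key has no open command) for
    every key directly under `root` that carries a "URL Protocol" value."""
    keys, current = {}, None
    for line in reg_text.splitlines():
        m = SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = VALUE.match(line)
        if m and current is not None:
            current[unquote(m.group(1)).lower()] = unquote(m.group(2).strip())
    prefix = root.lower() + "\\"
    found = {}
    for path, values in keys.items():
        scheme = path[len(prefix):]
        if path.startswith(prefix) and "\\" not in scheme and "url protocol" in values:
            cmd = keys.get(path + r"\shell\open\command", {})
            found[scheme] = cmd.get("@")  # default value holds the command line
    return found
```

Each scheme returned is a candidate for the retest: with Torbutton active, a link using that scheme should not start the listed command.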

Reference: legacy/trac#8558