Hacker News
by Torgo 4700 days ago
[EDIT: edited typo, clarified what TAILS was] I had mentioned (split between a couple other posts) that even with JS enabled, NoScript will prevent many XSS/CSRF and clickjacking attempts, which has been explained to me as the reason for its inclusion. And that disabling JavaScript actually makes you more fingerprintable because it's rare for browsers to do this.

I am guessing that the payload, which the article mentions s/he does not have, included a Windows (or Windows Firefox)-specific exploit which bypassed the Tor tunnel so that they could then match the cookie in and out of Tor to identify the traffic origin. Otherwise, just having the cookie through Tor would be pretty worthless.

Other people that could be dinged by this would be anybody using that specific version of Firefox, without Torbutton. Torbutton wipes cookies when you switch between Tor and not-Tor, but Torbutton as a separate tool has been discontinued and TBB promoted, because to be safe you really need to have a separate browser profile.

On Linux (not targeted by this exploit, but maybe someday) you could avoid this using an AppArmor/SELinux profile that prevented TBB Firefox from even making a network connection that's not to the Tor tunnel, or possibly even prevent Firefox from knowing its own IP. Dunno if something like this is even possible on Windows. For traveling, I currently have been experimenting with a VM with TBB and an AppArmor profile, and an iptables rule to prevent ANY outside traffic, except Tor. It works but it's a pain in the ass and nobody could be expected to install all that shit. That's what they made TAILS (a bootable disc image with only Tor, saves nothing to your machine, contains no known exploitable extraneous apps) for, people could check that out. Even running TAILS in a VM would have prevented this, though they recommend for maximum security you burn it and boot it.

No sympathy for child pornographers, but obv. this could be used against anybody seeking anonymity.
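
An added example, not part of the original post: one way to express the "no outside traffic except Tor" iptables idea described above, as a ruleset generator for `iptables-restore`. It assumes Tor runs under its own dedicated account on the machine; the function names and the uid passed in are illustrative.

```shell
#!/bin/sh
# Added example (not the poster's own rules). Emits iptables-restore input
# that drops every outbound packet unless it stays on loopback (browser to
# the local Tor SOCKS port) or is owned by the Tor daemon's user.

tor_only_rules() {
    tor_uid="$1"
    # Accept a numeric uid only, so nothing unexpected is spliced into a rule.
    case "$tor_uid" in
        ''|*[!0-9]*) echo "usage: tor_only_rules <numeric-uid>" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner $tor_uid -j ACCEPT
COMMIT
EOF
}

# iptables does not filter IPv6, so a matching drop-all set is needed for
# ip6tables-restore or IPv6 becomes the path around the rules above.
ipv6_drop_all_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Usage as root (assumption: the Tor account is "debian-tor", Debian's name):
#   tor_only_rules "$(id -u debian-tor)" | iptables-restore
#   ipv6_drop_all_rules | ip6tables-restore
```

With the default OUTPUT policy set to DROP, a compromised browser process that tries to connect directly (including its own DNS lookups) has nothing to match and the packet is discarded.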

1 comments

>prevented TBB Firefox from even making a network connection that's not to the Tor tunnel, or possibly even prevent Firefox from knowing its own IP. Dunno if something like this is even possible on Windows.

I don't currently use Tor, but I've thought about it and this is how I would do it. This can be done on Windows using a virtual machine that disallows internet connections. Have the VM only able to network with the host OS, which is running the Tor app. That way the VM doesn't have an internet IP to leak, and if Firefox itself is compromised there isn't anything on the VM that could give you away.

Whonix already does this.
Looks sweet. I'll check it out.
Be careful, I don't think it has received a great deal of peer review and the community doesn't seem to be large.