Bug #8254
Do not reuse circuits for cross origin requests
| Status: | New | Start date: | 04/20/2017 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 0% | |
| Category: | - | |||
| Target version: | Orfox RC | |||
| Component: |
Description
The Tor Browser draft includes defenses against cross origin linkability
I have not tested the other types in Orfox, but Orfox does not make new circuits for cross origin requests, making it possible for an attacker to use JavaScript to check if a user has visited another site recently (if they have a circuit built, the site will resolve much faster than if a circuit is not built yet).
I have tested this with Facebook's mobile onion site (https://m.facebookcorewwwi.onion/)
In my tests, having a circuit built already will resolve on average 3 seconds faster in XHR requests. I tried 10 requests with a circuit built to facebook already and 10 requests without.
Orbot Version Tested: 15.2.0-RC-8-multi(Tor 0.2.8.9armx86-openssl1.0.2j)
Orfox Version Tested: Fennec-45.5.1esr/TorBrowser-6.5-1/Orfox-1.2.1