[guardian-dev] Possible Orbot/orweb deanonymization - verizon supercookie

Amogh Pradeep amoghbl1 at gmail.com
Fri Feb 13 10:24:59 EST 2015


Hey PaulD,
If you're testing out Orweb, could you also take a look at Orfox? You
can get the APK here: https://guardianproject.info/builds/Orfox/ . You
could also report issues over at
https://dev.guardianproject.info/projects/orfox-private-browser/issues?fixed_version_id=169&set_filter=1&status_id=*

On 27/01/15 00:21, PaulD wrote:
> I have reason to believe that it is possible to deanonymize an Orbot
> user using the Verizon supercookie. Possibly other "supercookies" as well.
>
> Provided that:
>  (a) the phone is communicating on mobile data, not Wi-Fi
>  (b) user visits an HTTP page (not HTTPS)
>  (c) no other anonymity tools such as VPNs stand in the way.
>
> Unclear whether root permissions matter. My phone is NOT rooted.
>
> My sample size is really small: just my phone. With that said, it seems
> that it is possible to deanonymize a pretty big chunk of Tor users,
> without serious effort.
>
> The bottom line is that I visited the "do you have the Verizon
> Supercookie" website with Orweb, and it appears that I do.
>
> http://lessonslearned.org/sniff
