Open Source and information security mailing list archives
 
Date: Tue Jun 27 13:42:10 2006
From: pdp.gnucitizen at googlemail.com (pdp (architect))
Subject: UnAnonymizer

Indeed it is fun, unfortunately not very neat :) IMHO... although I
quite like the idea, don't get me wrong. What would be nice is to
implement the same but with Flash. Flash is for sure enabled on most
browsers.

Also, it might be possible to unhide a Tor user by starting an
application which will make an HTTP request to your server regardless
of where your browser proxy settings are pointing. For example, sending
back

Content-type: <some mime>

Content-type: application/pdf should start the PDF reader on most
browsers. PDF documents are usually dynamic, so you can embed some
object into the PDF document that will point back to your webserver,
which as a result may unhide the current Tor user. This might work on
platforms where the environment is not that much integrated
(Linux/Unix). On Windows, however, setting the right proxy in Internet
Explorer should make most applications aware of it. :)

On 6/27/06, H D Moore <fdlist@...italoffense.net> wrote:
> A fun browser toy that depends on Java for complete results:
> - http://metasploit.com/research/misc/decloak/
>
> -HD


-- 
pdp (architect)
http://www.gnucitizen.org
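
A defender-side check for the PDF vector discussed in this message, as an added example that is not part of the original post: a raw-byte scan for PDF action keys that can make a viewer contact a remote host outside the browser's proxy. The sample document, the hostname and the function name `scan_pdf` are constructed for illustration; objects held in compressed object streams or encrypted files are not inspected, which the `incomplete` flag reports.

```python
import re

# PDF name objects may hide characters as #hh escapes (e.g. /U#52I == /URI).
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Action keys from the PDF specification that can trigger network access
# or hand control to another program or script.
KEY_RE = re.compile(
    rb"/(URI|GoToR|Launch|SubmitForm|ImportData|JavaScript|JS)"
    rb"(?=[\s()<>\[\]{}/%])"          # must end at a PDF delimiter
)

# URLs stored as PDF literal strings: (http://host/path)
URL_RE = re.compile(rb"\(((?:https?|ftp)://[^)\s]*)\)")


def scan_pdf(data: bytes) -> dict:
    """Report network-capable action keys and URL strings in raw PDF bytes."""
    decoded = HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    keys = sorted({m.group(1).decode() for m in KEY_RE.finditer(decoded)})
    urls = [m.group(1).decode("latin-1") for m in URL_RE.finditer(decoded)]
    # Object streams and encryption hide objects from a raw-byte scan,
    # so a clean result on such a file proves nothing.
    incomplete = b"/ObjStm" in decoded or b"/Encrypt" in decoded
    return {"keys": keys, "urls": urls, "incomplete": incomplete}


# Constructed sample: a PDF fragment with two remote-reference actions,
# one of them written with a #hh-escaped name.
SAMPLE = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /S /URI /URI (http://tracker.example.invalid/beacon) >> endobj
3 0 obj << /S /Su#62mitForm /F (http://tracker.example.invalid/form) >> endobj
"""

if __name__ == "__main__":
    report = scan_pdf(SAMPLE)
    print("action keys:", report["keys"])
    print("urls:", report["urls"])
    print("scan incomplete:", report["incomplete"])
```

A file that is flagged, or whose scan is incomplete, is better opened on a host with no direct route to the network than in a helper application launched from the proxied browser.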
