
Re: Confusion about TorButton, Noscript, etc.




Ringo Kamens wrote:
> So just to confirm, if I install TorButton, that's all the protection I
> need and I don't need to worry about NoScript?

define "protection that you need" :)
if you "just" want to browse the tor network leaving fewer traces behind
you, yes, TorButton is enough.
NoScript offers extra services, which are useful during *BOTH* in- and
off-tor browsing sessions, like XSS and CSRF protection, chrome
information leakage and some DOS using external protocols.
Unfortunately, this protection comes at a price: the main NoScript
feature is the whitelisting of trusted sites and this can be exploited
by rogue exit nodes which will inject javascript into clear text pages
they'll send you back.

Note that this behaviour is not tor dependent: an ISP can always inject
javascript in clear text pages it will route to you. It's just more
useful *WHEN* running a tor exit node as it could reveal the identity of
users.

A good workaround is, for now, manually whitelisting only trusted ssl
pages (for which content injection is quite hard) or having this option
incorporated inside NoScript as mentioned in my previous mail regarding
this thread.

ciao

- --
Marco Bonetti
Slackintosh Linux Project Developer: http://workaround.ch/
Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/
My webstuff: http://sidbox.homelinux.org/

My GnuPG key id: 0x86A91047
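The workaround described in the message above (whitelist only SSL pages), shown as an added example that is not part of the original mail or of NoScript's code: a small audit that flags whitelist entries a cleartext page could match. The whitelist format (whitespace-separated entries, a bare host matching any scheme, browser-internal entries such as `chrome:`), the function names and the sample list are assumptions made for this illustration.

```javascript
"use strict";
// Added example. Assumed entry forms: "scheme://host", a bare host that
// matches both http and https, or a browser-internal scheme such as "chrome:".

const INTERNAL = /^(about|chrome|resource):/i; // never fetched over the network

function classifyEntry(entry) {
  if (INTERNAL.test(entry)) {
    return { entry, host: null, cleartext: false, reason: "browser-internal" };
  }
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/\s:]+)/i.exec(entry);
  if (!m) {
    // A bare host would also match http://host, which anyone on the path
    // (an exit node, an ISP) can rewrite.
    const host = entry.toLowerCase();
    return { entry, host, cleartext: true, reason: "bare host also matches http" };
  }
  const scheme = m[1].toLowerCase();
  const host = m[2].toLowerCase();
  if (scheme === "https") {
    return { entry, host, cleartext: false, reason: "TLS only" };
  }
  return { entry, host, cleartext: true, reason: "scheme " + scheme + " is unauthenticated" };
}

function auditWhitelist(raw) {
  const results = raw.split(/\s+/).filter(Boolean).map(classifyEntry);
  const risky = results.filter((r) => r.cleartext);
  const kept = results.filter((r) => !r.cleartext).map((r) => r.entry);
  // Proposed replacement: keep safe entries, pin flagged hosts to https.
  // A flagged host that does not serve TLS should be dropped instead.
  const pinned = risky.map((r) => "https://" + r.host);
  const suggested = [...new Set([...kept, ...pinned])].sort();
  return { risky, suggested };
}

// Constructed sample whitelist (not taken from any real profile).
const SAMPLE =
  "https://mail.example.org example.com http://forum.example.net:8080 chrome: about:blank";

const report = auditWhitelist(SAMPLE);
for (const r of report.risky) {
  console.log("cleartext-matchable: " + r.entry + " (" + r.reason + ")");
}
console.log("suggested whitelist: " + report.suggested.join(" "));
```
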