[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Javascript security question



Thanks everybody for the explanation.

So the exit node I'm using can be Evil and there is no way I can know this. If so, is it wise to use the Tor network even with javascript disabled?

--- On Fri, 21/8/09, Freemor <freemor@xxxxxxxxx> wrote:

> From: Freemor <freemor@xxxxxxxxx>
> Subject: Re: Javascript security question
> To: or-talk@xxxxxxxxxxxxx
> Date: Friday, 21 August, 2009, 1:26 PM
> On Fri, 21 Aug 2009 09:25:15 +0000
> (GMT)
> Sadece Gercekler <inanma@xxxxxxxxx>
> wrote:
> 
> > I know that enabling javascript is insecure. But my
> question is
> > specific to gmail, google reader, yahoo mail, and
> blogger.com. These
> > are the sites I'm mainly accessing.
> > 
> > Do you think enabling javascript for these sites can
> be OK?
> > 
> > Thanks
> > 
> > 
> >       
> It's not safe.. The problem isn't the sites you are
> visiting.. The
> problem is that an Evil exit node can inject javascript
> into any
> (non https) page you are viewing. yahoo mail falls into
> this category,
> as could google reader and blogger.com (you can force
> google reader to
> https but it is easy to forget). The clever use of
> javascript can pose
> many security risks other then simply unmasking your IP
> address. I
> would STRONGLY advise against using TOR with javascript
> enabled.
> (unless you explicitly trust (own/administer) the exit
> node.. but this
> presents problems of it's own ;)  ).
> 
> Regards,
> Freemor
> 
> -- 
> freemor@xxxxxxxxxxx
> freemor@xxxxxxxxx
> 
> This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )
>