[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Javascript security question

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Javascript security question
From: Andrew Lewman <andrew@xxxxxxxxxxxxxx>
Date: Fri, 21 Aug 2009 10:24:45 -0400
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Fri, 21 Aug 2009 10:24:47 -0400
In-reply-to: <236316.99637.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Organization: The Tor Project, Inc.
References: <236316.99637.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mozilla-Thunderbird 2.0.0.22 (X11/20090707)

On 08/21/2009 05:25 AM, Sadece Gercekler wrote:
> I know that enabling javascript is insecure. But my question is
> specific to gmail, google reader, yahoo mail, and blogger.com. These
> are the sites I'm mainly accessing.

I leave javascript enabled with torbutton enabled.  While everyone will
focus on the possibility of an evil exit node, the reality is far more
mundane.  If you're following safe anonymity and browsing practices, you
have a better chance of mitigating any attacks from the rare evil exit node.

Mike Perry's Snakes on a Tor tool has done hundreds, if not thousands,
of hours of exit node scanning.  It finds very few evil exit nodes.  And
in follow-up with these operators, most are a misconfiguration of some
device outside their tor node.

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject

References:
- Javascript security question
  - From: Sadece Gercekler

Prev by Author: Re: Javascript security question
Next by Author: Re: [Fwd: Re: BetterPrivacy does not allow remote code execution]
Previous by thread: Re: Javascript security question
Next by thread: Tor-ramdisk 20090821 released
Index(es):
- Author
- Thread