
Re: [tor-talk] Javascript vs privacy?




I understand that JavaScript was enabled globally in the Tor Browser
Bundle for usability reasons as well as to prevent browser
fingerprinting. I believe this is the correct decision.

If the torproject were to disable it by default, that would not ensure
that users are protected in the future by similar methods. Sites can
be written in a way that if you do not allow JavaScript they simply
won't work at all. If I was writing an exploit I'd do this to
frustrate users so hopefully they enable JavaScript and accept my
exploit. Also future exploits may not use JavaScript, but may somehow
socially engineer the user into installing a browser extension or
something like that.


This brings us to another issue. This exploit wasn't new. It
had been on the Mozilla bug tracker for a while. Users running the
latest Tor Browser Bundle (17.0.7) didn't have any issues as their
browsers had been patched.

It is inappropriate for a web browser to not be automatically updated.
In this day and age where we have full disclosures about critical
bugs, we must also have a way for users to get patches easily and
effortlessly. Let's please keep vulnerabilities to be 0day rather than
0month, or 0year.

Had the Tor Browser's update mechanism been working like the official
Mozilla Firefox browser and Google Chrome, this would not have been
nearly as serious.

Whonix users of course were protected in 3 ways: firstly, whonixcheck
would have warned them about an outdated browser; secondly, hardware
addresses would have been masked by virtual network interfaces; and
thirdly, the network isolation it provides would have made this kind of
exploit not possible in the first place.

TAILS users would have been protected similarly, from the first and
third issue.

I'd like to see torproject make a push for isolated network setups,
because the cold hard truth is running the Tor Browser Bundle on
Windows, while easy for the users, is a nightmare for the developers,
and keeping it secure is a big, big task. Maybe even an officially
supported Tor distribution.

The Tor Browser Bundle has to work with the network configuration the
user has given it, which most certainly is not going to prevent
arbitrary code from directly contacting remote servers and
circumventing the Tor service.

Given the successfulness of this vector you can bet this will
become something governments will look to investing in, in the future.

-- 
scarp | A4F7 25DB 2529 CB1A 605B  3CB4 5DA0 4859 0FD4 B313