
Re: [tor-talk] Tor security advisory: Old Tor Browser Bundles vulnerable


Bry8 Star:
> In my opinion,
> 
> After installing TBB (Tor Browser Bundle), users should disable JS
> (JavaScript) by default, and enable JS ONLY when visiting a
> website where they must have it, to view a very specific
> portion.
> 
> TBB by default keeps "Script Globally Allowed" option ENABLED or 
> selected, inside "NoScript" extension/plugin. It should be set to 
> Disabled or keep unselected.  If your "NoScript" plugin/extension 
> shows the option "Forbid Scripts Globally", (inside "General" tab 
> window), then select/enable it.
> 
> It is more important that Privacy remains intact than a website
> appearing nice on 1st visit.
> 
> Users can enable JS for a certain set of URLs for a website, if they
> NEED to, by themselves.

You're forgetting an exploiter can use AngularJS or something similar
that uses MVC strategies to make the website non-functional until you
enable JavaScript on that page. Many users unaware that their
favorite website has been compromised would do so, just thinking that
the site was updated to require JavaScript.

Unless you audit the JavaScript code, "using NoScript" isn't the
be-all-end-all protection. I believe the Tor Project provides that to
prevent some XSS attacks.

I believe the bigger problem here is that the Tor Browser needs to
automatically update itself. Users of 17.0.7 (June's release) were
unaffected. The idea that a web browser doesn't automatically accept
security patches is a joke in this day and age. That issue needs to be
expedited.

Further, I think more emphasis needs to be placed on getting users to use
isolated network setups like Whonix or TAILS, or some other officially
supported method that accomplishes the same outcomes. JavaScript will
be irrelevant if users are socially engineered to run some other
arbitrary code, possibly posing as a browser extension or email
attachment, i.e. a PDF.

-- 
scarp | A4F7 25DB 2529 CB1A 605B  3CB4 5DA0 4859 0FD4 B313