[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Mail service requires "java script enabled"



Ok....that's gives me some confidence.

Thanks for the help.


On Tue, Jan 15, 2013, at 10:37 PM, Micah Lee wrote:
> On 01/15/2013 12:14 AM, Joe Btfsplk wrote:
> > Never say never - but I don't know that the real risk of js is leaking
> > identity so much as someone running malicious code on sites you don't
> > know or shouldn't trust.
> 
> There isn't much risk of identity leaking by enabling javascript in your
> browser. The most javascript should be able to do is fingerprint your
> browser profile to detect plugins, fonts, etc. By using the Tor Browser
> Bundle rather than just a normal web browser proxied through Tor, most
> (with the goal of all) of these fingerprinting attempts are mitigated.
> 
> So I think it's perfectly fine to enable javascript for Yahoo mail. If
> you're going to be using Yahoo mail, make sure you turn on SSL:
> https://www.eff.org/deeplinks/2013/01/yahoo-mail-makes-https-available
> 
> There are definitely security concerns though, the biggest being using
> javascript on a website that someone else has discovered an XSS bug on.
> And browser zero days are much more likely to be exploited through the
> use of javascript, etc.
> 
> That said, these days there are serious usability advantages that
> javascript provides, especially for sites like Google Maps. If done
> correctly, it can be used to *increase* security in some cases (such as
> the payment processor Stripe's use of ajax), and it can be used to make
> content load faster and use less bandwidth, such as Twitter letting you
> load only recent tweets without refreshing the entire page. And many web
> developers build javascript functionality and don't bother to make it
> work for NosScripters, which is annoying, but sometimes the
> functionality they're going for is impossible without javascript.
> 
> Javascript is kind of the future of the web, and it's only going to be
> more prevalent as time goes on. And unlike in the 90s, it's genuinely
> useful now, not just for adding bling to your site. Rather than be down
> on javascript, I think it's more production to figure out ways to make
> javascript more secure, like:
> https://developer.mozilla.org/en-US/docs/Security/CSP/Introducing_Content_Security_Policy
> 
> -- 
> Micah Lee
> https://twitter.com/micahflee
> 
> _______________________________________________
> tor-talk mailing list
> tor-talk@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> Email had 1 attachment:
> + signature.asc
>   1k (application/pgp-signature)

-- 
http://www.fastmail.fm - Or how I learned to stop worrying and
                          love email again

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk