[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Confusion about TorButton, Noscript, etc.
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: Confusion about TorButton, Noscript, etc.
- From: Ringo Kamens <2600denver@xxxxxxxxx>
- Date: Mon, 18 Aug 2008 17:13:28 -0400
- Delivered-to: archiver@xxxxxxxx
- Delivered-to: or-talk-outgoing@xxxxxxxx
- Delivered-to: or-talk@xxxxxxxx
- Delivery-date: Mon, 18 Aug 2008 17:13:41 -0400
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type:content-transfer-encoding; bh=2I2XjoC5qZSQGzhZibrk1cexyX857UjGcwr/sQtgX3s=; b=pItWl9ATq+RyJe5X2EQAbFRMTIX43cHb+5ijVQo6wohJQzgByLqa5GVJmWHFXxddAq VVFW8yCtK3CCs0MBspVZNkM7vcjgc+t5Oyi15ZgLRQHxLBHOB6z8+jEMu6yPs7ak3z+d ksiQOTx6BdMHXHfkvOvuPXdnwrZl5+wZVmAF8=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:x-enigmail-version:content-type :content-transfer-encoding; b=iLqL6DWDvongSTJyT8QlJbjEGmkJuqVT5G62swiwIQ6z3cQ1PBTipJtthx8z8lW6Is S6VZV9mCXAZj6ofEZGpAsqKYYAUTx5xeiF99Va04e0AA2QkifyZnjV7ZmWEtjIw4NMgl 0C2byhJyjQhuZl32dmuqDCTpmcJFXc9U8M8Io=
- In-reply-to: <48A9D895.6080405@xxxxxxxxxxxx>
- References: <200808181325.m7IDPrEM010497@xxxxxxxxxxxxx> <48A9D0F9.3090302@xxxxxxxxx> <48A9D895.6080405@xxxxxxxxxxxx>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
- User-agent: Thunderbird 2.0.0.16 (X11/20080724)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Marco Bonetti wrote:
> Ringo Kamens wrote:
>> So just to confirm, if I install TorButton, that's all the protection I
>> need and I don't need to worry about NoScript?
> define "protection that you need" :)
> if you "just" want to browse the tor network leaving less traces behind
> you, yes, TorButton is enough.
> NoScript offer extra services, which are useful during *BOTH* in- and
> off- tor browsing session like XSS and CSRF protection, chrome
> information leakage and some DOS using external protocols.
> Unfortunately, this protection comes at a price: the main NoScript
> feature is the whitelisting of trusted sites and this can be exploited
> by rogue exit nodes which will inject javascript into clear text page
> they'll send you back.
>
> Note that this behaviour is not tor dependant: an ISP can always inject
> javascript in clear text pages it will route to you. It's just more
> useful *WHEN* running a tor exit node as it could reveal the identity of
> users.
>
> A good workaround is, for now, manually whitelisting only trusted ssl
> pages (for which content injection is quite hard) or having this option
> incorporated inside NoScript as mentioned in my previous mail regarding
> this thread.
>
> ciao
>
Ok, so as long as I don't whitelist anything, those attacks are pretty
much nullified right?
What specifically gets disabled in TorButton when I turn on NoScript?
Sorry about all the questions, this is all very confusing to me.
ringo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIqeX4mBTzXUpNYqQRAlh8AJ4zVHo/4ubIaPMhe3NzF6mtgg/jNwCggfpU
0EqHA3C8Qw5+sY2G4ob7mAY=
=RRK4
-----END PGP SIGNATURE-----