[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: The dh small subgroup confinement attack and Tor

On Sun, 9 Aug 2009 04:53:15 -0700 (PDT)
Curious Kid <letsshareinformation@xxxxxxxxx> wrote:

> Maybe not a good week.
> Browser flaws expose users to man-in-the-middle attacks
> http://blogs.zdnet.com/security/?p=3950
> Pretty-Bad-Proxy: An Overlooked Adversary in Browsers’ HTTPS
> Deployments
> http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf

Interesting paper thanks for posting the link to it. I've given it a
quick once over and from what I can see all variations of this attack
require scripting of one sort or another. Since the recommended way to
run a Browser on Tor is with ALL scripting disabled, this shouldn't
effect people that are configured correctly. Of greater concern for me
is if NoScript which I use for my non Tor browsing would catch this or
not. Does anyone know if NoScript relies on the browser for the context
of a frame or does it check the origin it self?


This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )

Attachment: signature.asc
Description: PGP signature