Re: Javascript security question
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: Javascript security question
- From: Sadece Gercekler <inanma@xxxxxxxxx>
- Date: Fri, 21 Aug 2009 13:39:47 +0000 (GMT)
- Delivered-to: archiver@xxxxxxxx
- Delivered-to: or-talk-outgoing@xxxxxxxx
- Delivered-to: or-talk@xxxxxxxx
- Delivery-date: Fri, 21 Aug 2009 09:46:32 -0400
- In-reply-to: <20090821102617.476037d4@flaptop>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
Thanks everybody for the explanation.
So the exit node I'm using can be Evil and there is no way I can know this. If so, is it wise to use the Tor network even with javascript disabled?
--- On Fri, 21/8/09, Freemor <freemor@xxxxxxxxx> wrote:
> From: Freemor <freemor@xxxxxxxxx>
> Subject: Re: Javascript security question
> To: or-talk@xxxxxxxxxxxxx
> Date: Friday, 21 August, 2009, 1:26 PM
> On Fri, 21 Aug 2009 09:25:15 +0000 (GMT) Sadece Gercekler <inanma@xxxxxxxxx> wrote:
>
> > I know that enabling javascript is insecure. But my question is
> > specific to gmail, google reader, yahoo mail, and blogger.com. These
> > are the sites I'm mainly accessing.
> >
> > Do you think enabling javascript for these sites can be OK?
> >
> > Thanks
> >
> It's not safe.. The problem isn't the sites you are visiting.. The
> problem is that an Evil exit node can inject javascript into any
> (non https) page you are viewing. yahoo mail falls into this category,
> as could google reader and blogger.com (you can force google reader to
> https but it is easy to forget). The clever use of javascript can pose
> many security risks other than simply unmasking your IP address. I
> would STRONGLY advise against using TOR with javascript enabled.
> (unless you explicitly trust (own/administer) the exit node.. but this
> presents problems of its own ;) ).
>
> Regards,
> Freemor
>
> --
> freemor@xxxxxxxxxxx
> freemor@xxxxxxxxx
>
> This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )
>