
Re: Javascript security question





On Fri, Aug 21, 2009 at 09:26, Freemor <freemor@xxxxxxxxx> wrote:
On Fri, 21 Aug 2009 09:25:15 +0000 (GMT)
Sadece Gercekler <inanma@xxxxxxxxx> wrote:

> I know that enabling javascript is insecure. But my question is
> specific to gmail, google reader, yahoo mail, and blogger.com. These
> are the sites I'm mainly accessing.
>
> Do you think enabling javascript for these sites can be OK?
>
> Thanks
>
>
>
It's not safe.. The problem isn't the sites you are visiting.. The
problem is that an Evil exit node can inject javascript into any
(non https) page you are viewing. yahoo mail falls into this category,

Unfortunately, there is currently a vulnerability with HTTPS, which may make even 'secure' javascript vulnerable.
 

as could google reader and blogger.com (you can force google reader to
https but it is easy to forget). The clever use of javascript can pose
many security risks other than simply unmasking your IP address. I
would STRONGLY advise against using TOR with javascript enabled.
(unless you explicitly trust (own/administer) the exit node.. but this
presents problems of its own ;)  ).

Regards,
Freemor

--
freemor@xxxxxxxxxxx
freemor@xxxxxxxxx

This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )
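
An added example, not part of the original thread: a small audit that lists everything on a page that travels over plain http:// and could therefore be rewritten by an on-path relay such as an exit node. It goes slightly beyond the message by also flagging http:// scripts, frames and form targets on a page that is itself served over HTTPS; the function name, hostnames and sample markup are constructed for illustration.

```javascript
// Added example: names and sample markup are constructed, not from the thread.
// Elements whose target is executed in, framed by, or receives data from the page.
const WATCHED = [['script', 'src'], ['iframe', 'src'], ['form', 'action']];

// Returns every resource an on-path relay (such as an exit node) could rewrite,
// i.e. everything that travels over plain http://.
function findPlainHttpLoads(pageUrl, html) {
  const base = new URL(pageUrl);
  const findings = [];
  if (base.protocol === 'http:') {
    // The document itself is unprotected, so any script can be added to it.
    findings.push({ kind: 'document', url: base.href });
  }
  for (const [tag, attr] of WATCHED) {
    // Regex scan is an approximation; a real audit would use an HTML parser.
    const re = new RegExp(`<${tag}\\b[^>]*?\\s${attr}\\s*=\\s*["']([^"']+)["']`, 'gi');
    for (const m of html.matchAll(re)) {
      let target;
      try {
        target = new URL(m[1], base); // resolves relative and //host forms
      } catch {
        continue; // unparsable attribute value
      }
      if (target.protocol === 'http:') {
        findings.push({ kind: tag, url: target.href });
      }
    }
  }
  return findings;
}

// Constructed sample page: one HTTPS script, one HTTP script,
// an HTTP form target, and a protocol-relative frame.
const SAMPLE_HTML = `
<html><head>
<script src="https://reader.example/app.js"></script>
<script src="http://widgets.example/counter.js"></script>
</head><body>
<form method="post" action="http://reader.example/login"></form>
<iframe src="//ads.example/frame.html"></iframe>
</body></html>`;

// The same markup audited as an HTTPS page and as an HTTP page.
for (const page of ['https://reader.example/view', 'http://reader.example/view']) {
  console.log(page, findPlainHttpLoads(page, SAMPLE_HTML));
}
```

The protocol-relative frame inherits the scheme of the page, so it is only reported when the page itself is fetched over http://.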