[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Javascript security question

On Fri, Aug 21, 2009 at 09:26, Freemor <freemor@xxxxxxxxx> wrote:
On Fri, 21 Aug 2009 09:25:15 +0000 (GMT)
Sadece Gercekler <inanma@xxxxxxxxx> wrote:

> I know that enabling _javascript_ is insecure. But my question is
> specific to gmail, google reader, yahoo mail, and blogger.com. These
> are the sites I'm mainly accessing.
> Do you think enabling _javascript_ for these sites can be OK?
> Thanks
It's not safe.. The problem isn't the sites you are visiting.. The
problem is that an Evil exit node can inject _javascript_ into any
(non https) page you are viewing. yahoo mail falls into this category,

Unfortunately, there is currently a vulnerability with HTTPS, which may make even 'secure' _javascript_ vulnerable.

as could google reader and blogger.com (you can force google reader to
https but it is easy to forget). The clever use of _javascript_ can pose
many security risks other then simply unmasking your IP address. I
would STRONGLY advise against using TOR with _javascript_ enabled.
(unless you explicitly trust (own/administer) the exit node.. but this
presents problems of it's own ;)  ).



This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )