Response is below, in-between. Received from scarp, on 2013-08-07 4:44 AM:

> Bry8 Star:
>> In my opinion,
>
>> After installing TBB (Tor Browser Bundle), users should disable JS (JavaScript) by default, and enable JS ONLY when visiting a website and if the user must have to, to view a very specific portion.
>
>> TBB by default keeps the "Script Globally Allowed" option ENABLED or selected, inside the "NoScript" extension/plugin. It should be set to Disabled or kept unselected. If your "NoScript" plugin/extension shows the option "Forbid Scripts Globally" (inside the "General" tab window), then select/enable it.
>
>> It is more important that Privacy remains intact, then a website appearing nice on 1st visit.
> ... than a website ...
>
>> User can enable JS for a certain set of URLs for a website, if they NEED to, by themselves.
>
> You're forgetting an exploiter can use AngularJS or something similar that uses MVC strategies to make the website non-functional until you enable JavaScript on that page. Doing so, many users unaware that their favorite website has been compromised would do so just thinking that the site was updated to require JavaScript.

A new Firefox extension Tor-WOT (Web Of Trust) can be useful, as already mentioned by me in my previous email. WOT shows an icon. After visiting a site, users can just look at the WOT-icon status, and can/may decide/choose if he/she wants to allow JS or not.

> Unless you audit the JavaScript code, "using noscript" isn't the be-all-end-all protection. I believe the torproject provides that to prevent some XSS attacks.
>
> I believe the bigger problem here is that the Tor Browser needs to automatically update itself. Users of 17.0.7 (June's release) were unaffected. The idea that a web browser doesn't automatically accept security patches is a joke in this day and age. That issue needs to be expedited.
I would suggest such a way: Tor-Browser needs to download the "UPDATEable" Tor-Browser like this: 1st get ONLY the SHA-256 or SHA-512 hash/checksum of the "Updateable" Tor-Browser file (a small file) from (TorProject.org's) onion host via Tor proxy. Then TorBrowser should get the actual full "Updateable" file from any one of the set of download mirror onion sites. Check the downloaded file with the previously received HASH code. When checking succeeds, then update it. But pls make sure the update-process asks the user in what way he/she wants to update: in (1) an "overwrite and lose all previous settings" way, or (2) keep existing extension settings (like TabMix Plus, SessionManager, Torbutton, NoScript, etc.) and update the older one with the new Tor-Browser.

(I have updated an older TorBrowser (Firefox portion only) with newer ones; the first few times I wasn't able to update without losing my old extensions' settings. Luckily I made a backup of the original folder before experimenting, so at the end I was able to figure out which folders and files need to be updated so that older extensions do not lose data (or settings data were exported to an external file), and then after the update, the settings which were exported were imported back.) Best would have been something similar to what PortableApps Firefox does; it can completely keep previous settings. Users who need fresh installations can install TBB or update in a new folder.

> Further I think more emphasis needs to be there to get users to use isolated network setups like Whonix or TAILS, or some other officially supported method that accomplishes the same outcomes. JavaScript will be irrelevant if users are socially engineered to run some other arbitrary code, possibly posing as a browser extension or email attachment, i.e. a PDF.

These (TAILS, etc.) require more extra tools or devices and/or more/other necessary steps or components.
If simple Tor users cannot choose or do a simple mouse-click on the "Allow" or "Temporarily allow" JS options in the "NoScript" icon for the site he/she is visiting (and may need to temporarily allow a few more extra/related content sites used by the primary website that he/she is visiting), then such users will make even more mistakes in using those, and it will be harder for them. But no doubt those are the best (recommended) ways.

The "NoScript" is like your pet dog: you will have to train it. Once you adjust or train it (that is, you select the JS options properly), then it will not bother you anymore, and will keep obeying/following you/your instructions the way you want it.

First dis-allow execution of the global JS option in NoScript.

TLD = Top Level Domain. For example, the ".org" portion in "TorProject.org".
SLD = Second Level Domain. For example, the "TorProject" portion in "TorProject.org".
3LD/sub = 3rd level domain. For example, the "trac" portion in "trac.TorProject.org". The "trac" portion can also be called a sub-domain, a sub-domain of "TorProject.org".

The website which the Tor user is visiting, if the user trusts it (you may see the WOT icon's recommendation), then select "Allow" (SLD portion) in the "NoScript" icon. And the websites which you/user do not need to work normally on every visit, you/user can manually select them each time by using the "Temporarily allow" option. And the websites you do not trust at all, or which show AD(vertisements, etc., or have the word "AD") or other unnecessary things, do not click any one of those sites, but advertisers won't be happy that their JS is not running. Because that is what we want: we want them to use simple non-fishy HTML code and images. A primary website often uses another secondary website (or sub-domain site) as its content or media-file delivery website; that secondary site needs to be JS enabled sometimes, for the primary website to work better.
This/such duo/trio combination is very well known for well-known websites; once you start using it the way many other "NoScript" users do, then it will come very easy to you which to allow and which not to. For example, for some JS scripts to work properly on "wikipedia.org", it may need the "wikimedia.org" website's JS also. For images/pictures to work properly, "Yahoo.com" will need "ytimg.com"; Yahoo.com sometimes needs "yahooapis.com" if you need to view a portion of the Yahoo website which involves JS code, so be extra careful when enabling/allowing "yahooapis.com".

If you/user enable JS globally, then all unnecessary websites, advertisements, and "fishy" cross-site websites, etc.: all JS code gets executed on 1st visit (and they save cookies on 1st visitation/connection as well), which is very dangerous. Change cookie-related settings so that only the site you are visiting, only that website's cookie is accepted, when YOU want to and choose to do so. Also use the "AdBlock Plus" plugin/extension for a bit higher level of safety. So the bottom line is: use restrictively, for your own safety.

NoScript has many, many options. One of them is to allow certain internal code or config pages of Firefox to be allowed if pre-programmed. Those can be used for executing certain Firefox- and anonymity-related code, but all others should be kept blocked normally.

Many are using it for protecting their Privacy+Anonymity. And that is supposed to be the purpose of TorProject. And it is also true many are using it for mixed usage. Maybe there should be TWO TBBs, so that these TWO groups of users can choose which to use, and be happy about it, and cannot blame you in future anymore. One TBB should be optimized to protect and place priority on protecting the user's Privacy+Anonymity. Another can be optimized the way the current TBB is now, optimized for convenience, as it by default allows all JS!

-- Bright Star.
Attachment:
signature.asc
Description: OpenPGP digital signature
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
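The update flow the mail proposes (fetch only the small SHA-256/SHA-512 hash file first, fetch the full archive from a mirror, compare, and only then update), as an added Python example. This is not code from the mail or from Tor Browser's own updater; the archive bytes, the file name and the hash-file contents are constructed here, and the hash-file layout follows the `sha256sum` convention of one `<hexdigest>  <name>` line per file. The archive is hashed in chunks, since a real update is tens of megabytes, and compared in constant time. One caveat a practitioner would add: the check only establishes that the archive matches the hash file, so it is only as trustworthy as the channel that delivered that small file, which is exactly why the mail wants it fetched separately from an onion host.

```python
import hashlib
import hmac
import io

# Hex-digest length -> algorithm, covering the two hashes named in the mail.
DIGESTS = {64: "sha256", 128: "sha512"}

# Constructed sample data standing in for the real artefacts: the update
# archive itself and the small hash file fetched separately from it.
PACKAGE_NAME = "tor-browser-update.tar.xz"
PACKAGE = b"constructed stand-in for the update archive bytes\n" * 1000
HASH_FILE = (
    hashlib.sha256(PACKAGE).hexdigest() + "  " + PACKAGE_NAME + "\n"
    + hashlib.sha512(b"constructed other file").hexdigest() + " *other-file.tar.xz\n"
)


def parse_hash_file(text, filename):
    """Return the hex digest listed for filename in sha256sum/sha512sum-style text.

    Lines look like "<hexdigest>  <name>"; a leading '*' on the name marks
    binary mode and is ignored. Raises KeyError if the file is not listed and
    ValueError if the listed digest is not SHA-256 or SHA-512 sized.
    """
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        if name.lstrip("*") == filename:
            if len(digest) not in DIGESTS:
                raise ValueError("unsupported digest length for %s" % filename)
            return digest.lower()
    raise KeyError("no digest listed for %s" % filename)


def digest_stream(fileobj, algo, chunk_size=1 << 16):
    """Hash a file object in chunks so a large archive is not read into memory at once."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_package(fileobj, expected_hex):
    """True iff the stream hashes to expected_hex; the algorithm is chosen by digest length."""
    algo = DIGESTS.get(len(expected_hex))
    if algo is None:
        raise ValueError("expected a SHA-256 or SHA-512 hex digest")
    actual = digest_stream(fileobj, algo)
    # Constant-time comparison, so a mismatch leaks nothing about where it differs.
    return hmac.compare_digest(actual, expected_hex.lower())


def check_update(package_bytes, hash_text, filename):
    """The order the mail proposes: obtain the expected digest first, then verify the full file."""
    expected = parse_hash_file(hash_text, filename)
    return verify_package(io.BytesIO(package_bytes), expected)


if __name__ == "__main__":
    print("genuine package verifies:", check_update(PACKAGE, HASH_FILE, PACKAGE_NAME))
    tampered = PACKAGE[:-1] + b"?"
    print("tampered package verifies:", check_update(tampered, HASH_FILE, PACKAGE_NAME))
```

In a real updater `PACKAGE` would be an open file handle for the downloaded archive and `HASH_FILE` the text received over the separate onion connection; a single flipped byte anywhere in the archive makes `check_update` return False, and the update step must not run in that case.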
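The per-site "Allow" / "Temporarily allow" decisions the mail describes, with its wikipedia.org plus wikimedia.org duo, modelled as an added Python example. This is my illustration, not code from NoScript, Tor Browser or the mail. Domain levels are split the naive way the mail defines TLD/SLD/3LD (on dots), so public-suffix cases such as `co.uk` are deliberately not handled, and the script hosts on the sample page are constructed.

```python
# Toy model of NoScript's per-site script decisions, as described in the mail.
# Assumption: domain levels are split naively on dots (the mail's TLD/SLD/3LD
# definition); real NoScript consults a public-suffix list, this model does not.


def split_levels(host):
    """Return (tld, sld, subdomain), e.g. trac.torproject.org -> ("org", "torproject", "trac")."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError("need at least SLD.TLD: %r" % host)
    tld, sld = labels[-1], labels[-2]
    sub = ".".join(labels[:-2])  # "" when there is no third level
    return tld, sld, sub


def site_key(host):
    """The SLD.TLD pair that an 'Allow <site>' entry is keyed on."""
    tld, sld, _ = split_levels(host)
    return sld + "." + tld


class ScriptPolicy:
    """Permanent and temporary allow lists plus the global switch the mail says to turn off."""

    def __init__(self, forbid_globally=True):
        self.forbid_globally = forbid_globally
        self.allowed = set()       # survives restarts ("Allow")
        self.temp_allowed = set()  # cleared at end of session ("Temporarily allow")

    def allow(self, host):
        self.allowed.add(site_key(host))

    def temporarily_allow(self, host):
        self.temp_allowed.add(site_key(host))

    def end_session(self):
        self.temp_allowed.clear()

    def scripts_run(self, script_host):
        """Would a script served from script_host execute under this policy?"""
        if not self.forbid_globally:
            return True  # the default the mail objects to: everything runs on first visit
        key = site_key(script_host)
        return key in self.allowed or key in self.temp_allowed


def audit_page(policy, script_hosts):
    """Map each script host found on a page to whether its scripts run under policy."""
    return {h: policy.scripts_run(h) for h in script_hosts}


# Constructed sample: script sources seen on a wikipedia.org page, including a
# sub-domain of the primary site, its media host, and an unrelated ad host.
PAGE_SCRIPTS = ["en.wikipedia.org", "upload.wikimedia.org", "ads.example-tracker.net"]


def walkthrough():
    """Replay the mail's advice and return the decisions at each stage."""
    stages = {}
    lax = ScriptPolicy(forbid_globally=False)
    stages["global allow"] = audit_page(lax, PAGE_SCRIPTS)

    strict = ScriptPolicy(forbid_globally=True)
    strict.allow("wikipedia.org")  # trusted primary site: permanent "Allow"
    stages["allow wikipedia.org"] = audit_page(strict, PAGE_SCRIPTS)

    strict.temporarily_allow("wikimedia.org")  # the duo the mail mentions
    stages["temp allow wikimedia.org"] = audit_page(strict, PAGE_SCRIPTS)

    strict.end_session()  # temporary grants do not carry over
    stages["next session"] = audit_page(strict, PAGE_SCRIPTS)
    return stages


if __name__ == "__main__":
    for stage, decisions in walkthrough().items():
        print(stage, decisions)
```

The walkthrough makes the mail's two points concrete: with the global switch left on, the ad host runs on first visit alongside everything else, while with it off a permanent "Allow" on wikipedia.org covers every wikipedia.org sub-domain but not wikimedia.org, which has to be granted separately and, if granted temporarily, is blocked again in the next session.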