[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Self-deleting scripts in http connections



> This sequence of events got me thinking; the exit node queries servers on
> the behalf of the Tor Browser. Some sites simply cannot be connected to via
> HTTPS. Thus, the exit node must query the site requested in HTTP, which can
> be modified in transit. If done, what form of protections could a MitM do
> between the site and the exit node bypass by, say, inserting a CSS document
> that references an external JS script to force a query from the browser?

Such an attacker could insert some JS or cookies etc. to track a user around 
the web or more dangerous attacks like stealing user data. The possibilities 
of JS are far-reaching. In the worst case scenario, JS can be used to exploit 
a user's device and gain priviliges within the OS. Such an attack has just 
been discovered last month on this mailing list right here.
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk