[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]

On Mon, Feb 23, 2009 at 12:29 PM, Arjan
<n6bc23cpcduw@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> Noscript has some options (Options, Advanced, HTTPS) that may help.
> Disclaimer: I've not used these options and I don't know if it's secure.

from https://www.torproject.org/torbutton/faq.html
"Which Firefox extensions should I avoid using? ... NoScript: using
NoScript can actually disable protections that Torbutton itself
provides via Javascript, yet still allow malicious exit nodes to
compromise your anonymity via the default whitelist..."

as an aside, i found a plugin that could do everything above, but only
if the sites themselves send you a ForceHTTPS cookie securely:
the design paper does a good job of explaining why this is all more
complicated than you might think...

best regards,