
Re: Some Tor w/ Firefox Questions



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ringo Kamens wrote:
> 1. If I have multiple Firefox profiles, one of which is exclusively for
> Tor use, if I use another profile with javascript later on, is that a
> threat to the data stored in the other profiles? Can add-ons see
> information in other profiles?
I think that Mozilla policies for accepting addons should not allow an
extension to tamper with information stored in other profiles but I've
to admit that I didn't read all of them :-P
Generally speaking, if your javascript enabled profile is being
exploited by a malicious site, well, there's nothing which will prevent
the browser from reading any other files or directories on your disk.

> 2. If I'm doing my Tor browsing in one browser (say, Firefox) and open
> up another one (say Epiphany) that has javascript enabled, what risks
> do I face? AFAIK javascript can see what's in your clipboard, which
> would be bad if I'm using the clipboard with Torified content. Is that it?
Yup, see above.

> 3. One of the common criticisms of NoScript+Tor is that a malicious exit
> node can pretend to be any site it wishes. What about enabling js on
> file:// urls? If I understand them correctly, the browser won't make any
> external requests and then there would be no threat of an attack.
The only real threat scenario I could see is that a user downloads a
compressed file with html and js via Tor, unpacks it and browses its
contents. Enabling file:// could allow any plugins/script/whatever to do
nasty things(tm) but, frankly, it's quite absurd.
In the past there were viruses spreading via password protected zip
attachments with the password written down in the mail, so the victim
had to consciously open the file and run the executables, but I've still
some hope in the average Tor user ;-)

> 4. TorButton (wisely) disabled updates. Aside from the risk of an exit
> node making you download its own module, what other risks are there?
> Does Firefox submit any information that could identify you aside from
> what plugins you use?
AFAIK, only the download of crafted addons. But I'm also interested in
the question.

hope this helps,
ciao

- --
Marco Bonetti
BT3 EeePC 70x enhancing module: http://sid77.slackware.it/bt3/
Slackintosh Linux Project Developer: http://workaround.ch/
Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/
My webstuff: http://sidbox.homelinux.org/

My GnuPG key id: 0x86A91047
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJX0+ayPKw+YapEEcRAs5qAJ4t7fSsIPe//qnjWNB+NPfsSHiYqwCglCUQ
j2+vdWSR4DYjb+bv0K5t9jQ=
=ObFM
-----END PGP SIGNATURE-----