Thus spake Gozu-san (gozu@xxxxxxxxxxxx):

> OK, I just gotta ask. And I'm not trolling :)
>
> How can someone be concerned enough about privacy to use Tor, and yet
> not be concerned about the possibility of inter-process communication?

We are very concerned with it, but only up to a point. We have to assume (for our own sanity) that the underlying OS and concurrent applications are not malicious.

However, even non-malicious IPC can still cause problems. See for example
https://trac.torproject.org/projects/tor/ticket/4517

That bug was a new proxy bypass vuln (the first one in literally years) that happened on Ubuntu Unity, causing a regression in previously tested drag and drop features that were initially evaluated as safe.

We really need an automated testing infrastructure to catch stuff like that, where the platform changes out from under us.

I believe we'd find the need for automated testing with just about any approach as technologies change out from under us. It's either that, or learn to accept a higher failure rate over time in the field. That's just basic engineering :/.

We however have zero automated testing in TBB, and instead depend entirely on the community, and anonymous reporters like the one who filed that ticket.

Is that enough to lower overall risk? Well, we're just about the only ones in the world operating even at the level that we do currently, so who knows. Maybe it is good enough, for now. Can't beat the price :).

--
Mike Perry
Exterminate all dogma. Permit no exceptions.
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk