[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
From: Yuri <yuri@xxxxxxxxx>
Date: Tue, 21 Jan 2014 17:25:21 -0800
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 21 Jan 2014 20:27:45 -0500
In-reply-to: <1390347825.503212.25813.18568@xxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <52DE5C45.3030107@xxxxxxxxxx> <1390347825.503212.25813.18568@xxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0

On 01/21/2014 15:43, TT Security wrote:

Absolutely agree with you!
Just let not treat it as BUG but as some security issue even if onlypotentially dangerous.ABE of NoScript can close this issue - simply and quickly. But maybein the future TBB must prohibit all connections to local LAN resourcesfor global html web-pages.

If you are after high anonymity and security, you should run yourbrowser from the virtual machine. This issue is probably not any worsethan potential DNS leaks, or connections accidentally made around tor.Hunting down such bugs is ultimately unproductive, and will always beinferior to security-by-isolation approach. You can take a look atWhonix distribution, which is merely a chained pair of virtual machines,middle one configured as a tor router, and a tail one working as aclient. Any OS can be a client. This solution is far superior to TBBapproach, and has much more limited potential of being compromised. Iwish tor project could offer something similar.


Yuri
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
  - From: Olivier Cornu
- Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
  - From: TT Security

Prev by Author: Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
Previous by thread: Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
Next by thread: Re: [tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
Index(es):
- Author
- Thread