[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] FBI cracked Tor security

> Should add that users with NoScript enabled would not have been
> vulnerable - I get the "noscript decreases privacy" argument, but I'd
> still kinda like it to be on by default to protect users. Maybe with a
> big red "Turn on Javascript because I'm happy to get pwned by
> malicious ads, FBI malware, and miscellaneous trackers" button :)

>>> There are frequently vulnerabilities in hosting services - content
>>> platforms, web forums, third-party Javascript libraries, file uploads,
>>> management interfaces...many sites, darkweb or not, have much broader
>>> attack surfaces than their owners understand.

What do you think about these recommendations for onion sites:

1) Ensure javascript is not needed to use the site, and tell users so.

2) Ensure there are no offsite images dynamically included, and no
dependencies on other domains (e.g. wordpress, google fonts).

3) good quality SSL certs from e.g. Lets Encrypt, with instructions how
users can verify.

It might look more "primitive" but the content is what users come for.

For months i have been suggesting to friends and clients, who are
regular (non-Tor) users, to install Ublock Origin.
Once enough people get used to rejecting 3rd party ads and snooping,
TorBrowser can safely make that the default behaviour.  Firefox "reader
mode" already seems to do something like it, but not for privacy purposes.

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to