On Wed, Mar 07, 2007 at 12:56:22AM -0500, James Muir wrote:
> http://blogs.zdnet.com/security/?p=114

The approaches suggested won't work if you use Firefox with NoScript set
to disable JavaScript, Java, Flash and any other plugins.

You still have to be careful though -- if you enable them for some
domains that you trust (say, foo.com), then you can still get nailed
when you visit foo.com from an evil exit node, it inserts some malicious
applets, and your noscript says "well yeah, but the user typed in foo.com,
therefore this applet is from foo.com, so I trust it".

So the moral of the story appears to be turn the plugins off, period.
The broader moral is: don't run code from strangers on your computer. The
even broader moral would be to lament that we're still not using SSL on
most Internet interactions. And maybe the fourth is that we (somebody
here) should work on easy instructions for locking down common OS network
interfaces so only Tor communications can get through. Or Tor LiveCDs
that have that already done. Or VM images that can be run as routers
between your computer and the Internet.

--Roger
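The last suggestion in Roger's message, locking down the OS network interfaces so that only Tor traffic can leave the machine, is the one that actually neuters a plugin that ignores the browser's proxy settings. The script below is an added example written for this archive page; it is not part of Roger's message or of the Tor project. It generates a Linux iptables "kill switch" ruleset that transparently sends all other TCP and DNS traffic through Tor and rejects anything that would bypass it. All parameters are assumptions: the Tor daemon is assumed to run as the Unix user in TOR_USER (Debian's default account name is debian-tor), torrc is assumed to contain `TransPort 9040` and `DNSPort 5353`, and LAN_NET is the local network that should remain reachable without Tor.

```shell
#!/bin/sh
# Added example, not from Roger's message or the Tor project: an iptables
# ruleset that lets only Tor's own traffic leave the machine and routes
# everything else through Tor's TransPort/DNSPort, so an applet or plugin
# that ignores the browser proxy settings cannot reach the network directly.
#
# Assumptions (hypothetical defaults; change to match your setup):
#   - Tor runs as the Unix user in TOR_USER ("debian-tor" on Debian)
#   - torrc contains "TransPort 9040" and "DNSPort 5353"
#   - LAN_NET is the local network that should stay reachable without Tor
TOR_USER="${TOR_USER:-debian-tor}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5353}"
LAN_NET="${LAN_NET:-192.168.0.0/16}"

# Print the ruleset, one command per line, so it can be reviewed before
# anything is loaded into the kernel. Order matters: Tor's own sockets are
# exempted first, then DNS and new TCP connections are redirected into Tor,
# and the filter chain ends in a catch-all REJECT (IPv6 is rejected outright
# because Tor is not configured to carry it here).
tor_lockdown_rules() {
    cat <<EOF
iptables -t nat -F OUTPUT
iptables -F OUTPUT
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_USER -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -d $LAN_NET -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d $LAN_NET -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $TOR_USER -j ACCEPT
iptables -A OUTPUT -j REJECT
ip6tables -F OUTPUT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -j REJECT
EOF
}

# Self-check on the generated ruleset: the Tor user's nat exemption must
# precede the REDIRECT rules (otherwise Tor's own connections would be
# looped back into Tor) and the chains must end in a catch-all REJECT.
tor_lockdown_check() {
    rules=$(tor_lockdown_rules)
    owner_line=$(printf '%s\n' "$rules" | grep -n -- '-t nat .*--uid-owner' | head -n1 | cut -d: -f1)
    redirect_line=$(printf '%s\n' "$rules" | grep -n -- 'REDIRECT' | head -n1 | cut -d: -f1)
    last_rule=$(printf '%s\n' "$rules" | tail -n1)
    [ "$owner_line" -lt "$redirect_line" ] && [ "$last_rule" = "ip6tables -A OUTPUT -j REJECT" ]
}

# Rules are only applied when explicitly asked for and running as root;
# the default action is to print them for review.
case "${1:-print}" in
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply requires root" >&2; exit 1; }
        tor_lockdown_check || { echo "ruleset failed self-check" >&2; exit 1; }
        tor_lockdown_rules | while IFS= read -r cmd; do $cmd; done
        ;;
    print)
        tor_lockdown_rules
        ;;
esac
```

Run it without arguments to review the rules, and as root with `apply` to load them. The uid-owner match is what makes this a lockdown rather than just a proxy: a plugin running under the browser's account has no rule that lets its packets out except through the REDIRECT into Tor, while Tor itself (and nothing else) may open direct connections. UDP other than DNS is rejected, which is the expected behaviour since Tor carries only TCP and DNS; and the ruleset does not persist across reboots unless saved with the distribution's iptables-save mechanism.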