[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Warnings on the download page

Thus spake sy16 (sy_c16@xxxxxxxxxxx):

> My suggestions as a no-tech user:
> Perhaps the Warning should be put on top of the page, before the
> download links - sometimes people don't go further than the download
> links.
> Also, might I suggest NoScript to be used in conjunction with
> QuickJava? And please add a line reminding users to reload the page
> if they use QuickJava. NoScript reloads automatically but not
> QuickJava.

The problem with NoScript is that it is incredibly complex, and unless
you configure it properly (which is NOT the default), it is really no
protection against an attack like Moore's. The default whitelist is
enough for him to abuse. A bad tor node can fake any host it wants.

Even worse, it is possible to THINK you are configuring NoScript
properly and make yourself even more insecure. For example, the
addons.mozilla.org people got the brilliant idea to transmit
extensions over http (even though the site itself is https). They
verify MD5s using javascript that runs on the https connection.. If
you disable javascript for them, you are downloading extensions
without any verification :(.

Unfortunately, QuickJava by itself is not enough to disable java
launched from a moore-style attack.
http://metasploit.com/research/misc/decloak/ actually builds the
applet html in a hidden div using javascript. QuickJava lets it
through.. On the plus side, Sun Java 5.0r10 seems to obey SOCKS for
his datagramsocket test, which is a huge surprise... Who knows if the
same can be said for MS Java.

This last point puts us in a catch-22. Personally, I think even if we
could describe to people how to use NoScript, it is going to be waay
too much of a hassle and too error prone to work reliabily for the
average user, especially as more and more sites go AJAX with no other
option. On the plus side, the author of QuickJava has also authored an
anonymity extension for anonmouse. Perhaps he would be amenable to
fixing his extension against moore's on-the-fly HTML generation.
However his email address is not listed on the author page :(

> About the evil exit nodes, these extensions might help detect false
> pages: HostIP.Geolocation plugin, netcrafttoolbar, FormFox, and
> Shazou. FormFox is somewhat paranoid and not always accurate, but it
> serves as a reminder of thinking before clicking "submit".
> About mail client: I configure my Thunderbird 995 and 465, same
> server name for pop and smtp, with Torbutton. So far I have had no
> problem retrieving and sending. There have been mentions in this
> list about problems with smtp, so maybe I am missing something. Am I
> blithely assuming my getting and sending mail  through tor and SSL?
> About Windows (sorry guys) security, set up a normal user account
> for browsing, like they do in Linux. Change Administrator to some
> other moniker and set a password. And disable remote administration
> if you don't need this enabled.

Yea, these are good ideas for a second page. But on the front page we
just want a few paragraphs that covers all the bases.

Mike Perry
Mad Computer Scientist
fscked.org evil labs