Freemor <freemor@xxxxxxxx> wrote:

> I've been watching this thread with some interest and as the talk of
> mis-configured browsers and mis-behaving plug-ins grew I found myself
> thinking that there must be an easier way to fix the problem. It occurred
> to me that what is needed (at least until a more permanent solution can
> be found) is a way to stop the offending material from making it to a
> potentially misconfigured application.
>
> So I started thinking about another proxy in the chain to strip all
> java and java script etc. It then occurred to me that Privoxy can most
> likely do this if a much more strict action file were written.
>
> so my questions are:
>
> 1 - Can a modified actions file be made that would strip all
> Java/javascript, flash, streaming media, etc. From looking at the Privoxy
> documentation it looks possible so far (but I'm no privoxy guru)

There are too many different ways to embed or reference code in HTML.
Creating such a Privoxy filter would take a lot of time and I doubt
that it would ever work reliably enough to be remotely useful, even
if you ignore the fact that it would only work for HTTP anyway.

The filter would only remove the stuff its creators knew about,
and while that may (or may not) be a lot, it would still default
to permit.

Default permit is OK when it comes to blocking ads and other minor
annoyances, but it's a really bad idea when it comes to security:
http://www.ranum.com/security/computer_security/editorials/dumb/

> 2 - If 1 is possible wouldn't it be easiest to include the stricter
> action file in the tor/privoxy/vidalia bundle. Tell people "look, a lot
> of stuff isn't going to fly.. but trust us.. you don't want it to"

If people wouldn't want this stuff, they shouldn't install the plugins
in the first place and disable remote code execution in the browser.

Don't want to get owned because of Java, PDF, flash or whatever?
Just don't install the plugins.

Can't trust your browser if JavaScript is enabled?
Just disable it.

It's that simple.

Fabian
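Added example, not part of the original message: a sketch of the default-permit versus default-deny point made in the reply, run over the same markup. The names `default_permit`, `default_deny` and `SAMPLE` are constructed for illustration, and the Python regex only stands in for a strip-what-we-know filter; it is not Privoxy filter syntax.

```python
import re
from html import escape
from html.parser import HTMLParser

# Default permit: strip only the constructs the filter author knew about.
KNOWN_BAD = re.compile(r"<(script|applet|object)\b[^>]*>.*?</\1\s*>|<embed\b[^>]*>", re.I | re.S)
def default_permit(html):
    return KNOWN_BAD.sub("", html)

# Default deny: emit only listed tags and attributes, drop everything else.
ALLOWED = {"p": set(), "b": set(), "i": set(), "a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
RAW_TEXT = {"script", "style"}  # element bodies that are code, not text
SAFE_URL = re.compile(r"https?://", re.I)

class AllowList(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT:
            self.skip += 1
        if tag not in ALLOWED:
            return
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name in URL_ATTRS and not SAFE_URL.match(value.strip()):
                continue
            kept += f' {name}="{escape(value)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in RAW_TEXT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and tag != "img":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def default_deny(html):
    parser = AllowList()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample markup; run() is a placeholder, not real code.
SAMPLE = ('<p>Hello <b>world</b></p><script>run()</script>'
          '<embed src="http://example.com/movie.swf">'
          '<img src="http://example.com/a.png" onerror="run()">'
          '<a href="javascript:run()">link</a><iframe src="http://example.com/frame"></iframe>')
```

On the sample, `default_permit` removes the `<script>` and `<embed>` elements it was written for and passes the event handler, the `javascript:` link and the `<iframe>` through untouched, while `default_deny` returns only the paragraph, the image and a link with its `href` dropped.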