[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Stripping code with Privoxy (was: Warnings on the download page)

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Stripping code with Privoxy (was: Warnings on the download page)
From: Fabian Keil <freebsd-listen@xxxxxxxxxxxxx>
Date: Sat, 10 Mar 2007 16:17:09 +0100
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Sat, 10 Mar 2007 10:17:34 -0500
In-reply-to: <1173461854.17857.11.camel@localhost>
References: <200703081612.10419.torspam@metasploit.com> <20070308222234.GV28282@moria.seul.org> <20070309011709.GG568@fscked.org> <20070309081431.GX28282@moria.seul.org> <1173461854.17857.11.camel@localhost>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

Freemor <freemor@xxxxxxxx> wrote:

> I've been watching this thread with some interest and as the Talk of
> mis-onfigured browsers and mis-behaving plug-ins grew I found myself
> thinking that there must be an easier way to fix the problem. It occured
> to me that what is needed (at least until a more permenant solution can
> be found) is a way to stop the offending material from making it to a
> potentially misconfigured application. 
> 
>   So I started thinking about another proxy in the chain to strip all
> java and java script etc.. it then occured to me that Privoxy can most
> likely do this if a much more strict action file were written.
> 
> so my questions are:
> 
>   1 - Can a modified actions file be made that would strip all
> Java/javascript, flash, steaming media, etc. From looking at the Privoxy
> documentation it looks possible so far (but I'm no privoxy guru)

There are too many different ways to embed or reference
code in HTML. Creating such a Privoxy filter would take a lot
of time and I doubt that it would ever work reliable enough to
be remotely useful, even if you ignore the fact that it would
only work for HTTP anyway.

The filter would only remove the stuff its creators knew about,
and while that may (or may not) be a lot, it would still default
to permit.

Default permit is OK when it comes to blocking ads and other minor
annoyances, but it's a really bad idea when it comes to security: 
http://www.ranum.com/security/computer_security/editorials/dumb/

>   2 - If 1 is possible wouldn't it be easiest to include the stricter
> action file in the tor/privoxy/vidalia bundle. Tell people "look, a lot
> of stuff isn't going to fly.. but trust us.. you don't want it too"

If people wouldn't want this stuff, they shouldn't install the plugins
in the first place and disable remote code execution in the browser.

Don't want to get owned because of Java, PDF, flash or whatever?
Just don't install the plugins.

Can't trust your browser if JavaScript is enabled? Just disable it.

It's that simple.

Fabian

Attachment: signature.asc
Description: PGP signature

References:
- Re: Warnings on the download page
  - From: H D Moore
- Re: Warnings on the download page
  - From: Roger Dingledine
- Re: Warnings on the download page
  - From: Mike Perry
- Re: Warnings on the download page
  - From: Roger Dingledine
- Re: Warnings on the download page
  - From: Freemor

Prev by Author: Re: Privoxy and Java
Next by Author: Re: Free Software and Torpark (was: Ultimate solution)
Previous by thread: Re: Warnings on the download page
Next by thread: Re: Warnings on the download page
Index(es):
- Author
- Thread