On 06/11/11 10:20, Fabio Pietrosanti (naif) wrote:

> c) Almost no website today can work with Javascript disabled

As a long time NoScript user, I completely disagree with this. Almost every website today works completely fine without JavaScript. In fact, most websites work *better* without JavaScript, as they pull in far fewer unnecessary resources from third party domains.

> That means also stopping mystification of "Javascript" like an
> "insecurity feature", the world has changed, has become "web" and
> javascript is part of the technological framework that we need to live with.

JavaScript is useful, but browsing without it, and only turning it on for a limited set of sites when absolutely necessary, is much, much safer, from both a security and privacy point of view. Hopefully JavaScript will become safer to use over time with the addition and take up of new tech like Content-Security-Policy. It certainly isn't safe at the moment though.

> I absolutely like the idea of the JSONP interface, simple and effective.

As a web developer, I like the implementation. I won't use it on my site though because I care about my visitors' privacy and don't want to send the IP addresses of *all* of my site users to some "untrusted" third party. I also don't want to hand over the security of my website to said third party, by allowing them to inject arbitrary javascript into my pages and handing over complete control of the DOM. This isn't paranoid; ad networks have been hacked in the past, leading to the compromise of lots of other websites because of this very problem. Clearly a lot of people don't even consider these problems though. The number of people using Google Analytics is proof enough of that.

Also, my website is 100% https, however there isn't a https version of http://server.globaleaks.org/torcheck.php. Including non-ssl protected javascript in my site would make it easy to MITM. An attacker could just modify the javascript to read the contents of the DOM and then send it wherever. I would go so far as to say that the javascript returned by torcheck.php should actually check to see if it was loaded from a https website, but over http, and alert a warning if that happened. This would prevent silly mistakes.

Also, there is a "vulnerability" in http://server.globaleaks.org/torcheck.php. The callback parameter should be extremely limited in what characters it accepts. For example, letters, underscores and numbers only. You shouldn't be able to do stuff like:

http://server.globaleaks.org/torcheck.php?callback=arbitrary.javascript;

Ouch, it's being returned with a content-type of text/html as well, so you can generate arbitrary html pages on server.globaleaks.org, containing javascript to steal cookies and such. XSS-tastic.

http://server.globaleaks.org/torcheck.php?callback=%3Cimg%20src=%22https://grepular.com/images/me.jpg%22%3E%3C!--

The content-type should be application/json or at the very least text/plain.

I'm available for website pen-testing by the way ;)

-- 
Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc
Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
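The two fixes the post asks for, as an added example that is not the torcheck.php code: a JSONP responder that refuses any callback name outside letters, digits and underscores and never serves the result as text/html, plus the check the post proposes for a script pulled into an https page over plain http. Written for Node.js; the payload field names are constructed for illustration.

```javascript
// Added example, not the torcheck.php code. Node.js, no dependencies.

// Callback names are limited to letters, digits and underscores, as the
// post recommends, and capped in length. Anything else is rejected instead
// of being echoed into the response body.
const CALLBACK_RE = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;

function isSafeCallbackName(name) {
  return typeof name === "string" && CALLBACK_RE.test(name);
}

// Build the JSONP response. Returns {status, headers, body}. The body is a
// script, so it is served with a JavaScript MIME type (never text/html) and
// nosniff, which stops a browser rendering the response as an HTML page.
function buildJsonpResponse(callback, payload) {
  if (!isSafeCallbackName(callback)) {
    return {
      status: 400,
      headers: { "Content-Type": "application/json; charset=utf-8",
                 "X-Content-Type-Options": "nosniff" },
      body: JSON.stringify({ error: "invalid callback parameter" }),
    };
  }
  // JSON.stringify escapes quotes and backslashes; U+2028/U+2029 are escaped
  // too, because they terminate lines in JavaScript but not in JSON.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript; charset=utf-8",
               "X-Content-Type-Options": "nosniff" },
    body: `${callback}(${json});`,
  };
}

// The client-side check the post proposes: given the protocol of the page
// that embeds the script (document.location.protocol in a browser) and the
// URL the script was fetched from, report whether an https page pulled the
// script over plain http, where it could be replaced in transit.
function isMixedContentInclusion(pageProtocol, scriptUrl) {
  return pageProtocol === "https:" && new URL(scriptUrl).protocol === "http:";
}

// Constructed sample: the malformed callback from the post is refused,
// a plain identifier is accepted.
const refused = buildJsonpResponse("arbitrary.javascript;", { IsTor: false });
const accepted = buildJsonpResponse("torCallback", { IsTor: true });
console.log(refused.status, accepted.body);
```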
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk