In my opinion, After installing TBB (Tor Browser Bundle), users should disable JS (JavaScript) by default, and enable JS, ONLY when visiting a website and if the user must have to, to view a very specific portion. TBB by default keeps "Script Globally Allowed" option ENABLED or selected, inside "NoScript" extension/plugin. It should be set to Disabled or keep unselected. If your "NoScript" plugin/extension shows the option "Forbid Scripts Globally", (inside "General" tab window), then select/enable it. It is more important that Privacy remains intact, then a website appearing nice on 1st visit. User can enable JS for certain set of URL for a website, if they NEED to, by themselves. They just need to enable few domains with certain sub-domains of from the "NoScript" icon or warning-button. If a website (for example: TorProject.org) is trustworthy then users can choose "Allow TorProject.org" in "NoScrpt" plugin/extension ("Crossed-out-alphabet-S") icon, instead of "Temporarily allow TorProject.org" option. Then allowed site will not cause "NoScript" to bug/ask user with prompt-message for permission. (I requested to keep Global JS disabled by default, many times, but many ignored, we had long conversation in IRC chans, multiple times). The main purpose of using "NoScript" is, that, on 1st visit to a known or unknown website, that website's JS codes not suppose to load/start automatically, unless user (website's visitor) inspects website first, and then allows JS for sub-domains/domains manually. Those who want to keep JS globally enabled, they should do it by selves and understand+take the risk, (which is not right thing to do at-all), but that is again, just my own opinion and request. Do not infect your web-browser or loose Anonymity on your 1st visit to a website. (So, Keep JS off, cross-site script off/disabled, etc). Regular user has no way to know, when a website is/was hacked or when "some" mistake was made, and then, some unwanted (harmful/malware) codes are coming to you and getting executed on your computer. There is "WOT" plugin, for non Tor internet websites. A similar new plugin is needed, which will accept recommendation only from users who are using "Tor" exit-nodes or onion host. So that such new Tor-WOT plugin can show which site is trusted or not, by other Tor proxy users. May be new one can even import some portion of data from regular WOT, if that data is GPL/shareable. -- Bright Star. Received from Roger Dingledine, on 2013-08-05 8:13 AM: > SUMMARY: > This is a critical security announcement. > > An attack that exploits a Firefox vulnerability in JavaScript [1] > has been observed in the wild. Specifically, Windows users using the > Tor Browser Bundle (which includes Firefox plus privacy patches [2]) > appear to have been targeted. > > This vulnerability was fixed in Firefox 17.0.7 ESR [3]. The following > versions of the Tor Browser Bundle include this fixed version: > 2.3.25-10 (released June 26 2013) [4] > 2.4.15-alpha-1 (released June 26 2013) [4] > 2.4.15-beta-1 (released July 8 2013) [5] > 3.0alpha2 (released June 30 2013) [6] > > Tor Browser Bundle users should ensure they're running a recent enough > bundle version, and consider taking further security precautions as > described below. > > WHO IS AFFECTED: > In principle, all users of all Tor Browser Bundles earlier than > the above versions are vulnerable. But in practice, it appears that > only Windows users with vulnerable Firefox versions were actually > exploitable by this attack. > > (If you're not sure what version you have, click on "Help -> About > Torbrowser" and make sure it says Firefox 17.0.7. Here's a video: [7]) > > To be clear, while the Firefox vulnerability is cross-platform, the > attack code is Windows-specific. It appears that TBB users on Linux > and OS X, as well as users of LiveCD systems like Tails, were not > exploited by this attack. > > IMPACT: > The vulnerability allows arbitrary code execution, so an attacker > could in principle take over the victim's computer. However, the > observed version of the attack appears to collect the hostname and MAC > address of the victim computer, send that to a remote webserver over > a non-Tor connection, and then crash or exit [8]. The attack appears > to have been injected into (or by) various Tor hidden services [9], > and it's reasonable to conclude that the attacker now has a list of > vulnerable Tor users who visited those hidden services. > > We don't currently believe that the attack modifies anything on the > victim computer. > > WHAT TO DO: > First, be sure you're running a recent enough Tor Browser Bundle. That > should keep you safe from this attack. > > Second, be sure to keep up-to-date in the future. Tor Browser Bundle > automatically checks whether it's out of date, and notifies you on its > homepage when you need to upgrade. Recent versions also add a flashing > exclamation point over the Tor onion icon. We also post about new > versions on the Tor blog: https://blog.torproject.org/ > > Third, realize that this wasn't the first Firefox vulnerability, nor > will it be the last [10]. Consider disabling JavaScript (click the blue > "S" beside the green onion, and select "Forbid Scripts Globally"). > Disabling JavaScript will reduce your vulnerability to other attacks > like this one, but disabling JavaScript will make some websites not work > like you expect. A future version of Tor Browser Bundle will have an > easier interface for letting you configure your JavaScript settings [11]. > You might also like Request Policy [12]. And you might want to randomize > your MAC address, install various firewalls, etc. > > Fourth, consider switching to a "live system" approach like Tails [13]. > Really, switching away from Windows is probably a good security move > for many reasons. > > And finally, be aware that many other vectors remain for vulnerabilities > in Firefox. JavaScript is one big vector for attack, but many other > big vectors exist, like css, svg, xml, the renderer, etc. We need > help improving usability of (and doing more security analysis of) > better sandboxing approaches [14] as well as VM-based approaches like > Whonix [15] and WiNoN [16]. Please help! > > [1] https://www.mozilla.org/security/announce/2013/mfsa2013-53.html > > [2] https://www.torproject.org/projects/torbrowser/design/ > > [3] https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/ > > [4] https://blog.torproject.org/blog/new-tor-browser-bundles-and-tor-02414-alpha-packages > > [5] https://blog.torproject.org/blog/tor-02415-rc-packages-available > > [6] https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released > > [7] https://media.torproject.org/video/2013-08-05-TBBversion.mp4 > > [8] http://tsyrklevich.net/tbb_payload.txt > > [9] https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting > > [10] https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html > > [11] https://trac.torproject.org/projects/tor/ticket/9387 > > [12] https://www.requestpolicy.com/ > > [13] https://tails.boum.org/ > > [14] https://trac.torproject.org/projects/tor/ticket/7680 > > [15] http://sourceforge.net/projects/whonix/ > > [16] http://dedis.cs.yale.edu/2010/anon/papers/osdi12.pdf > https://trac.torproject.org/projects/tor/ticket/7681 > > >
Attachment:
signature.asc
Description: OpenPGP digital signature
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk