
Re: Quick question on Torbutton and NoScript



On Tue, Jan 05, 2010 at 03:46:45AM -0500, Ringo wrote:
> I figured it would work the same way but interestingly enough, even with
> noscript on allow everything, some javascript still fails to work. I'm
> guessing this means TorButton is doing some work in the background, but
> I could be wrong.

Right. As I understand it, Noscript is toggling the "allow javascript
or not" option inside Firefox, whereas Torbutton is actually rewriting
parts of the javascript parser inside Firefox. So the two are compatible
at that level: *if* javascript happens to be enabled, either via Firefox
config or via Noscript config, then the javascript you get will be the
javascript that Torbutton has modified.

The original reason why Noscript was discouraged was because if you're
using Tor but not using SSL (for example, you're using http:// addresses),
then the address you see in your toolbar may or may not be the server
you're talking to. Specifically, your exit relay can send you whatever
it likes; so if the exit relay can guess any domain that you've
whitelisted in Noscript, then it can embed an iframe or other link to
that domain, and trick you into running javascript anyway.

So if you really do need Noscript to get it right (i.e. allow some
domains, disallow others), then it can't.

Of course, this problem is present in internet cafes, hotels, conferences,
and plenty of other contexts. And as long as you're using Noscript's
feature as defense-in-depth, rather than relying on it for always-correct
behavior, then it's fine to use both Noscript and Torbutton. I do.

But to be clear, I use Noscript as a tool to change how my browser
renders the page, and to avoid telling Google analytics about every
page I go to. Lately I've been using RequestPolicy as well for the same
results. If I were worried that Javascript will do bad things to me, then
I would disable it, because Noscript won't protect me. Marco talked about
"the ability of noscript to restrict the active contents from https only"
-- that sounds like a great feature for those who fear javascript but
trust the SSL mafia.

> I have heard that js has an option to bypass proxies or contact local
> routers, which is part of the "dangerous javascript" that I assume
> torbutton would hook. For good measure, I've manually blocked anything
> in the local subnets but I think that might be overkill.

For the most part it's Java that can bypass proxies or contact local
routers, not Javascript. That's why Torbutton blocks plugins, but permits
(most) Javascript.

All of that said, if you're really worried, you should learn more about
"dns rebinding" attacks. As a good intro to the issue, I really liked
the CCS 2007 paper on rebinding attacks:
http://crypto.stanford.edu/dns/

--Roger
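
Added example, not part of the message above and not NoScript's or Torbutton's code: a host-only script whitelist honours plain-http content that nothing authenticates, while an https-only variant of the same check does not. All function names, the whitelist format and the sample URLs are hypothetical and constructed for illustration.

```javascript
// Hypothetical model of a per-domain script whitelist; this is not
// NoScript's real configuration format or decision logic.

// Host-only check: grants script permission to a whitelisted domain or
// any of its subdomains, regardless of how the content was delivered.
function allowByHost(whitelist, url) {
  const host = new URL(url).hostname;
  return whitelist.some((d) => host === d || host.endsWith("." + d));
}

// Stricter check: the whitelist entry only counts when the content came
// over https, so the server identity was verified by TLS.
function allowByHostHttpsOnly(whitelist, url) {
  return new URL(url).protocol === "https:" && allowByHost(whitelist, url);
}

// Audit helper: which loaded frames or scripts get script permission
// from the host-only policy although their origin was never authenticated?
function unauthenticatedGrants(whitelist, loadedUrls) {
  return loadedUrls.filter(
    (u) => allowByHost(whitelist, u) && !allowByHostHttpsOnly(whitelist, u)
  );
}

// Constructed sample: one whitelisted domain and the URLs a page pulled in.
const WHITELIST = ["example.org"];
const LOADED = [
  "http://news.example.net/index.html", // not whitelisted
  "http://example.org/frame.html",      // whitelisted name, plain http
  "https://example.org/app.js",         // whitelisted name, over TLS
  "http://cdn.example.org/lib.js",      // whitelisted subdomain, plain http
  "https://notexample.org/x.js",        // look-alike suffix, not whitelisted
];

for (const u of unauthenticatedGrants(WHITELIST, LOADED)) {
  console.log("script allowed on unauthenticated origin:", u);
}
```

The two flagged URLs are the ones where the whitelist decision rests only on a host name delivered over plain http.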

***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/