[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Implement JSONP interface for check.torproject.org

On 06/11/11 10:20, Fabio Pietrosanti (naif) wrote:

> c) Almost no website today can work with Javascript disabled

As a long time NoScript user, I completely disagree with this. Almost
every website today works completely fine without JavaScript. In fact,
most websites work *better* without JavaScript, as they pull in far
fewer unnecessary resources from third party domains.

> That means also stopping mystification of "Javascript" like an
> "insecurity feature", the world has changed, has become "web" and
> javascript is part of the technological framework that we need to live with.

JavaScript is useful, but browsing without it, and only turning it on
for a limited set of sites when absolutely necessary, is much much
safer, from both a security and privacy point of view. Hopefully
JavaScript will become safer to use over time with the addition and take
up of new tech like Content-Security-Policy. It certainly isn't safe at
the moment though.

> I absolutely like the idea of the JSONP interface, simple and effective.

As a web developer, I like the implementation. I wont use it on my site
though because I care about my visitors privacy and don't want to send
the IP addresses of *all* of my site users to some "untrusted" third
party. I also don't want to hand over the security of my website to said
third party, by allowing them to inject arbitrary javascript into my
pages and handing over complete control of the DOM. This isn't paranoid,
AD networks have been hacked in the past leading to the compromise of
lots of other websites because of this very problem.

Clearly a lot of people don't even consider these problems though. The
number of people using Google Analytics is proof enough of that.

Also, my website is 100% https, however there isn't a https version of
http://server.globaleaks.org/torcheck.php. Including non-ssl protected
javascript in my site would make it easy to MITM. An attacker could just
modify the javascript to read the contents of the DOM and then send it

I would go so far as to say that the javascript returned by torcheck.php
should actually check to see if it was loaded from a https website, but
over http, and alert a warning if that happened. This would prevent
silly mistakes.

Also, there is a "vulnerability" in
http://server.globaleaks.org/torcheck.php. The callback parameter should
be extremely limited in what characters it accepts. For example,
letters, underscores and numbers only. You shouldn't be able to do stuff


Ouch, it's being returned with a content-type of text/html as well, so
you can generate arbitrary html pages on server.globaleaks.org,
containing javascript to steal cookies and such. XSS-tastic.


The content-type should be application/json or at the very least text/plain.

I'm available for website pen-testing by the way ;)

Mike Cardwell https://grepular.com/  https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F

Attachment: signature.asc
Description: OpenPGP digital signature

tor-talk mailing list