On Fri, Oct 15, 2010 at 09:35:45PM -0400, Gregory Maxwell wrote: > On Fri, Oct 15, 2010 at 9:22 PM, David ‘Bombe’ Roden > <[email protected]> wrote: > > On Friday 15 October 2010 22:01:55 Gregory Maxwell wrote: > > > >> JS can be used for a lot of really really nasty tracking and anonymity > >> busting. > > > > So, you trust our Java code but not our JavaScript code? > > > > I disregard the rest of your mail because I get the distinct feeling that > > you > > are not separating between the “the Freenet web interface” and “arbitrary > > freesites random people insert.” > > That is unfortunate, because we've had a simple and easily corrected > communication error. One which might have been corrected without any > intervention on my part had you simply taken a moment more to read the > rest of my message, but I apologize for being unclear. > > I'm not saying much about the trustworthiness of the freenet code. > > A browser which has javascript enabled is potentially subject to > executing malicious code from third parties.
Which part of "you shouldn't use the same browser for browsing freenet and the web" did you not undestand? > The question of this risk > existing via freenet is _mostly_ a question of fproxy successfully > detecting and blocking any of the multitude of ways of tricking a > browser into executing code on the page. Or, in other words, the > _browser_ cannot distinguish between the freenet web interface and > arbitrary freesites and so unless fproxy does a heroic job of removing > everything the browser might possibly execute then javascript poses a > significant risk. > Fproxy does that and has done it since forever. We have now a significant amount of whitelist filters, filtering along with other protocols both CSS and HTML. Feel free to try the filter out and report bugs you find. It has been like that since... forever. We never relied on the user disabling javascript in his browser. > The wild continued success of XSS indicates that this is a very hard > problem— browsers try very hard to make "everything work", but that > means that making things not work is tricky. > XSS is about abusing the trust the browser has in the website it visits. Whether we use javascript or not for the interface is irrevelant. > Also— I used the word mostly above because some JS driven attacks > wouldn't pass through fproxy. E.g. a non-freenet site could use the JS > CSS link-coloration information leak to learn about your use of > freenet if you browser that site with the same browser you use to > access freenet and have JS enabled. No, you don't need javascript to conduct that attack. Anyway, that's one of the reasons why you should use a different browser for surfing the web and freenet. Florent _______________________________________________ Devl mailing list [email protected] http://freenetproject.org/cgi-bin/mailman/listinfo/devl
