On Saturday 16 October 2010 10:37:28 Florent Daigniere wrote: > On Fri, Oct 15, 2010 at 09:35:45PM -0400, Gregory Maxwell wrote: > > On Fri, Oct 15, 2010 at 9:22 PM, David ?Bombe? Roden > > <bombe at pterodactylus.net> wrote: > > > On Friday 15 October 2010 22:01:55 Gregory Maxwell wrote: > > > > > >> JS can be used for a lot of really really nasty tracking and anonymity > > >> busting. > > > > > > So, you trust our Java code but not our JavaScript code? > > > > > > I disregard the rest of your mail because I get the distinct feeling that > > > you > > > are not separating between the ?the Freenet web interface? and ?arbitrary > > > freesites random people insert.? > > > > That is unfortunate, because we've had a simple and easily corrected > > communication error. One which might have been corrected without any > > intervention on my part had you simply taken a moment more to read the > > rest of my message, but I apologize for being unclear. > > > > I'm not saying much about the trustworthiness of the freenet code. > > > > A browser which has javascript enabled is potentially subject to > > executing malicious code from third parties. > > Which part of "you shouldn't use the same browser for browsing freenet > and the web" did you not undestand?
Most users will use the rabbit icon to browse Freenet. That launches a browser in privacy/incognito mode. Unfortunately that is not entirely reliable, so we still have to warn the user. > > > The question of this risk > > existing via freenet is _mostly_ a question of fproxy successfully > > detecting and blocking any of the multitude of ways of tricking a > > browser into executing code on the page. Or, in other words, the > > _browser_ cannot distinguish between the freenet web interface and > > arbitrary freesites and so unless fproxy does a heroic job of removing > > everything the browser might possibly execute then javascript poses a > > significant risk. > > > > Fproxy does that and has done it since forever. We have now a significant > amount of whitelist filters, filtering along with other protocols both > CSS and HTML. Feel free to try the filter out and report bugs you find. > > It has been like that since... forever. We never relied on the user disabling > javascript in his browser. Simply because you don't need javascript to compromise a user's anonymity! You can do it with plain HTML! > > > The wild continued success of XSS indicates that this is a very hard > > problem? browsers try very hard to make "everything work", but that > > means that making things not work is tricky. > > > > XSS is about abusing the trust the browser has in the website it visits. > Whether we use javascript or not for the interface is irrevelant. > > > Also? I used the word mostly above because some JS driven attacks > > wouldn't pass through fproxy. E.g. a non-freenet site could use the JS > > CSS link-coloration information leak to learn about your use of > > freenet if you browser that site with the same browser you use to > > access freenet and have JS enabled. > > No, you don't need javascript to conduct that attack. Anyway, that's one of > the reasons why you should use a different browser for surfing the web and > freenet. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part. URL: <https://emu.freenetproject.org/pipermail/devl/attachments/20101016/d284ebcb/attachment.pgp>
