On Fri, Oct 31, 2014 at 10:12:35AM -0600, Robert W. Gehl wrote: > Let's say people take this seriously -- to do so, they will have to use > Javascript, which is a bad move when using Tor.
Actually no problem with Tor at all.. after all Tor creates properly authenticated links which is a lot safer than https, let alone http. The risks of Tor are entirely about Tor possibly being targeted more than regular Internet routing users, which both exit nodes and hidden services could possibly do. In the case of these Facebook hidden services we seem to know who is running the other side, so if an attack is coming from Facebook it can pretty much only be by being a TAO customer. In other words, if you are a regular Facebook user, you are not more at risk by switching to the more secure .onion. If you are a target, then you are not better off by switching to .onion - you can still not trust Facebook for Javascript execution. Facebook would only have a harder time denying having allowed TAO on you. Facebook DOES allow most of its function to be used without Javascript via https://m.facebook.com, so to enable a truly safe usage of FB it would have to also provide an .onion for that address. Facebook has been quite cooperative allowing users to come from Tor exit nodes straight into https://m.facebook.com. They even recently fixed the ability to post to Facebook "Pages" (with Twitter gateway or not) without requiring Javascript. So for everyone who needs to do activism over FB, as questionable as that may be, but cannot risk getting her machine TAO'd, she should stick to https://m.facebook.com until a suitable .onion is provided. And keep that Javascript folly switched off. -- http://youbroketheinternet.org ircs://psyced.org/youbroketheinternet -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
