On Wed, Mar 07, 2007 at 12:56:22AM -0500, James Muir wrote:
> > http://blogs.zdnet.com/security/?p=114
>
> The approaches suggested won't work if you use Firefox with NoScript set
> to disable JavaScript, Java, Flash and any other plugins.

You still have to be careful though -- if you enable them for some domains
that you trust (say, foo.com), then you can still get nailed when you visit
foo.com from an evil exit node, it inserts some malicious applets, and your
NoScript says "well yeah, but the user typed in foo.com, therefore this
applet is from foo.com, so I trust it".

So the moral of the story appears to be turn the plugins off, period.

The broader moral is: don't run code from strangers on your computer.

The even broader moral would be to lament that we're still not using SSL on
most Internet interactions.

And maybe the fourth is that we (somebody here) should work on easy
instructions for locking down common OS network interfaces so only Tor
communications can get through. Or Tor LiveCDs that have that already done.
Or VM images that can be run as routers between your computer and the
Internet.

--Roger

