On Tue, Jan 05, 2010 at 03:46:45AM -0500, Ringo wrote: > I figured it would work the same way but interestingly enough, even with > noscript on allow everything, some javascript still fails to work. I'm > guessing this means TorButton is doing some work in the background, but > I could be wrong.
Right. As I understand it, Noscript is toggling the "allow javascript or not" option inside Firefox, whereas Torbutton is actually rewriting parts of the javascript parser inside Firefox. So the two are compatible at that level: *if* javascript happens to be enabled, either via Firefox config or via Noscript config, then the javascript you get will be the javascript that Torbutton has modified. The original reason why Noscript was discouraged was because if you're using Tor but not using SSL (for example, you're using http:// addresses), then the address you see in your toolbar may or may not be the server you're talking to. Specifically, your exit relay can send you whatever it likes; so if the exit relay can guess any domain that you've whitelisted in Noscript, then it can embed an iframe or other link to that domain, and trick you into running javascript anyway. So if you really do need Noscript to get it right (i.e. allow some domains, disallow others), then it can't. Of course, this problem is present in internet cafes, hotels, conferences, and plenty of other contexts. And as long as you're using Noscript's feature as defense-in-depth, rather than relying on it for always-correct behavior, then it's fine to use both Noscript and Torbutton. I do. But to be clear, I use Noscript as a tool to change how my browser renders the page, and to avoid telling Google analytics about every page I go to. Lately I've been using RequestPolicy as well for the same results. If I were worried that Javascript will do bad things to me, then I would disable it, because Noscript won't protect me. Marco talked about "the ability of noscript to restrict the active contents from https only" -- that sounds like a great feature for those who fear javascript but trust the SSL mafia. > I have heard that js has an option to bypass proxies or contact local > routers, which is part of the "dangerous javascript" that I assume > torbutton would hook. For good measure, I've manually blocked anything > in the local subnets but I think that might be overkill. For the most part it's Java that can bypass proxies or contact local routers, not Javascript. That's why Torbutton blocks plugins, but permits (most) Javascript. All of that said, if you're really worried, you should learn more about "dns rebinding" attacks. As a good intro to the issue, I really liked the CCS 2007 paper on rebinding attacks: http://crypto.stanford.edu/dns/ --Roger *********************************************************************** To unsubscribe, send an e-mail to [email protected] with unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
