I more or less give this plan my stamp of approval. Just mind the
gaps, and careful with NPAPI! I am able to review and advise XUL+XPCOM
code for security. But for NPAPI, we'll need someone else.
Anyone on-list have any expertise with processing untrusted DOM
data in NPAPI, and then rendering out
Thus spake Moritz Bartl (mor...@torservers.net):
> On 10.10.2011 22:29, Fabio Pietrosanti (naif) wrote:
> > No code coming from the web would be allowed to interact with the
> > plug-in but the end-user will still have all the encryption features
> > under his power, usable in a modern web-based w
On Mon, Oct 10, 2011 at 09:54:50PM +0200, li...@infosecurity.ch wrote 2.2K
bytes in 64 lines about:
: By using that approach the user will not have the feeling of no
: "technical" decision has to be taken by the user in order to use Tor, no
: stopping-fear of breaking something, no compression/ext
On 2011-10-10, Fabio Pietrosanti (naif) wrote:
> Hi all,
>
> I understand all the doubt from Mike and Ransom about the possible
> exposure of user's security through the exposure of functionality that
> can be "called by a remote web-application".
>
> This is an idea to mitigate most possible secur
On 10/10/2011 2:54 PM, Fabio Pietrosanti (naif) wrote:
Hi all,
I would like to propose some usability improvement for TorBrowserBundle
for Windows, in order to make it more usable.
There are a lot of users that "are not even able to install firefox".
Fabio, I understand your idea is well int
On 10.10.2011 22:29, Fabio Pietrosanti (naif) wrote:
> No code coming from the web would be allowed to interact with the
> plug-in but the end-user will still have all the encryption features
> under his power, usable in a modern web-based world.
The problem Robert and katmagic are referring to (r
On 10/10/11 22:18, Fabio Pietrosanti (naif) wrote:
> Yes,but please consider that TorBrowserBundle/OSX already required only
> 3 clicks from download to start:
So? That's just how you install stuff on OSX. It makes no difference to
my point. A naïve user who thinks they're anonymous but actually i
On 2011-10-10 22:27 , Eugen Leitl wrote:
> On Mon, Oct 10, 2011 at 07:07:35PM +0200, Jeroen Massar wrote:
>> On 2011-10-10 18:42 , Andre Risling wrote:
>>> Here's how Google is a compliant slave.
>>>
>>> You still use Gmail?!
>>
>> Does not matter what service you use, they all fail under the pre
On 10/10/11 11:01 PM, Julian Yon wrote:
> On 10/10/11 20:54, Fabio Pietrosanti (naif) wrote:
>> Really dumb users
>
> You can make things too simple. Tor is not a silver bullet. A user who
> is so "dumb" (as you put it) as to not be able to install a simple piece
> of software will almost certainl
On 10/10/11 20:54, Fabio Pietrosanti (naif) wrote:
> Really dumb users
You can make things too simple. Tor is not a silver bullet. A user who
is so "dumb" (as you put it) as to not be able to install a simple piece
of software will almost certainly be a liability to themselves.
Unfortunately, wher
On 2011-10-10, Fabio Pietrosanti (naif) wrote:
> Hi Kyle and Aaron,
>
> let me answer to you by making in Cc the tor-talk mailing lists where
> there is an on-going discussion about it.
>
> It has been suggested that FireGPG is unsafe
> (https://tails.boum.org/bugs/FireGPG_may_be_unsafe/), your ap
On Mon, Oct 10, 2011 at 07:07:35PM +0200, Jeroen Massar wrote:
> On 2011-10-10 18:42 , Andre Risling wrote:
> > Here's how Google is a compliant slave.
> >
> > You still use Gmail?!
>
> Does not matter what service you use, they all fail under the pressure
Use your own servers at the co-lo. Us
Thus spake Arturo Filastò (a...@globaleaks.org):
> I actually think it would be a great idea to include PGP encryption
> support into the browser.
> I remember discussing this with Jake some time ago of maybe in the
> future having a bundle for Thunderbird and enigmail. I don't see why it
> it a b
On 10/10/2011 01:07 PM, Mike Perry wrote:
The problem with a browser extension is that the very thing that makes
it useful is what makes it so risky. A GPG plugin of any kind becomes
a vector for all sorts of nasty web attacks that would have normally
been stopped by the server, such as XSS, XSRF
Hi all,
I would like to propose some usability improvement for TorBrowserBundle
for Windows, in order to make it more usable.
Reduce to 3-clicks the requirements to use TorBrowserBundle on Windows.
Today the Tor Browser Bundle requires the user to make several actions
before using it that can repr
Hi all,
I understand all the doubt from Mike and Ransom about the possible
exposure of user's security through the exposure of functionality that
can be "called by a remote web-application".
This is an idea to mitigate most possible security issues:
* Put the encryption functionality into the han
On 10/10/11 6:44 PM, Kyle L. Huff wrote:
> Another, more narrow approach would be to enforce within the plug-in
> that the URL of the page that the plug-in is embedded on must match the
> extension path. For example, the plug-in could detect if it was loaded
> on a page with the URL containing
> "c
On 2011-10-10 18:42 , Andre Risling wrote:
> Here's how Google is a compliant slave.
>
> You still use Gmail?!
Does not matter what service you use, they all fail under the pressure
of organizations that want access to it, be that legal or illegal.
(The bigger problem with the context of the ar
I just heard that if the private_key file of your hidden service would have
gotten in the hands of an attacker, he could have located your hidden
service just like that. I just wonder how that can be done, since it's just
a file with encrypted code in it.
I wanted to support the idea of free speech for people in
repressed countries. However, shortly
after installing TOR, Comcast threatened to force me to a business account
(extra $12/month). So, I've killed my
node. Still don't know if Comcast will force some penalty on me. I'd switch to
another
On 10/10/11 9:44 AM, Robert Ransom wrote:
> On 2011-10-10, Fabio Pietrosanti (naif) wrote:
>> is anyone evaluating whenever to include PGP encryption support into the
>> default Tor Browser Bundle as a Firefox extension?
> No.
>
I actually think it would be a great idea to include PGP encryption
s
Here's how Google is a compliant slave.
You still use Gmail?!
http://online.wsj.com/article/SB10001424052970203476804576613284007315072.html#ixzz1aMoq8l2i
Hi Kyle and Aaron,
let me answer to you by making in Cc the tor-talk mailing lists where
there is an on-going discussion about it.
It has been suggested that FireGPG is unsafe
(https://tails.boum.org/bugs/FireGPG_may_be_unsafe/), your approach by
design sounds very nice.
I am wondering whether i
On 10/10/11 13:48, Joe Btfsplk wrote:
>> tails.boum.org uses an invalid security certificate.
> Anyone else seeing same security msg?
Well done, you've found the flaw in the PKI model.
Julian
--
3072D/D2DE707D Julian Yon (2011 General Use)
On Oct 10, 2011, at 2:48 PM, Joe Btfsplk wrote:
> On 10/10/2011 2:44 AM, Robert Ransom wrote:
>> No. See https://tails.boum.org/bugs/FireGPG_may_be_unsafe/ , but beware --
>> I'm sure katmagic and I missed a few dozen attacks.
> You're correct - that is, the https site you link has an unsafe cer
On 10/10/2011 2:44 AM, Robert Ransom wrote:
No. See https://tails.boum.org/bugs/FireGPG_may_be_unsafe/ , but
beware -- I'm sure katmagic and I missed a few dozen attacks.
You're correct - that is, the https site you link has an unsafe
certificate, * per msg * in Firefox 7:
tails.boum.org uses a
On 2011-10-10, Fabio Pietrosanti (naif) wrote:
> is anyone evaluating whenever to include PGP encryption support into the
> default Tor Browser Bundle as a Firefox extension?
No.
> I looked at the implementation and:
>
> * FireGPG it's discontinued http://getfiregpg.org/s/install
> It also see
27 matches