On 6 August 2013 16:31, Lunar <[email protected]> wrote:
> Hi Jon,
>
> A few of your assumptions look incorrect. Here's some of my
> understandings.

Thanks Lunar, appreciate the input. You raise good points.

> Jon Tullett:
>> My understanding is that NoScript shipped disabled in the TBB
>
> NoScript itself is enabled in the Tor Browser Bundle, configured to
> allow JavaScript globally. This configuration already adds protection
> from XSS and clickjacking attacks. It also allows users who want to
> disable JavaScript globally to do so with only two clicks.

Yes - I was summarising and you caught me. That's how I understood it too: NS was installed by default with some features enabled but the Javascript filtering specifically was disabled by default. I should have been clearer.

Re the JS filter, granted, users can turn it on, but it's probably reasonable to assume (as the attacker here correctly did) that most users will not.

>> However, it seems that doing so exposed users to a Javascript exploit
>> (and probably predictably so: Javascript's attack surface is famous).
>
> Having JavaScript enabled is also about exposing users to a web that
> works for them. When was the last time you have tried to surf with
> JavaScript disabled?

Today. I use NoScript by default when I browse with Firefox, because some tasks demand it. Sometimes it's a pain, as you say, but that's a compromise I make knowingly and willingly. I also use Lynx daily, so I'm kinda used to the web not looking like it does for most people :)

Here's the thing though: when I use Tor (which I do), I do so knowing I'm making certain compromises: my usual ecosystem of browser plugins will not be available, scripting will be disabled, network performance will be slow, etc. I'm not sure I'm convinced by the "it's a compromise" argument, because I'm making several already. But some people wouldn't want to, you're right.
And that's why I asked about awareness - is there scope for better communicating to a user (such as in the Tor browser homepage) that JS is enabled to improve their browsing experience and enhance privacy, but it may open them to (another) attack and here's how it can be disabled? If not, I'd be very interested to know the thinking behind that decision - it feels, to me, to be a decision not to inform a userbase of a clear and present danger.

> How many websites were not working as you would
> expect them to?

Well, none, but that's because I know what to expect. But your point is valid - most users would find the web badly broken with JS disabled.

> Do you have any experience in training users to
> enable/disable JavaScript on a per site basis?

I do - I have a security background. But _regular_ users, no - no chance. Lab workers, yes. However, I wouldn't classify Tor users as regular users - they are people who are taking extraordinary steps to protect themselves. One more extraordinary step doesn't seem that implausible, but then I probably do have a biased perspective.

> Also, I suggest you take a look at the following paper:
> <http://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf>
>
> It shows that JavaScript is not the only thing that can be
> targeted to attack users. Disabling JavaScript will not prevent every
> possible attack.

Definitely! The attack surface of the modern browser is a wonderful thing to behold. But surely you aren't suggesting that because another attack vector exists, we shouldn't defend others? That's kinda the whole reason for Tor to exist, no? "There are some ways your privacy can be violated that we can't help with, but we will do what we can to mitigate as many as possible..."

>> So I have two questions: […]
>
> I have a hard time thinking of interesting answers to your questions
> given all of the above.

This is an interesting discussion anyway, so thank you.
I think the questions, in context, boil down to this: Knowing that TBB users can be attacked a certain way, and knowing that at least one attack has taken place, should/will the configuration and/or messaging be re-evaluated?

You're right in the points you raise - they aren't new points, and I'm sure they were taken into account when the existing decisions were taken. Those points would have been on one side of the balance, with possible security considerations on the other. So what I'm asking is, in the light of this incident, does that balance shift?

Should stress that I'm ok with the answer being "no" :) I'm here to report, not to criticise.

-Jon

--
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
