Bry8 Star:
> In my opinion,
>
> After installing TBB (Tor Browser Bundle), users should disable JS
> (JavaScript) by default, and enable JS, ONLY when visiting a
> website and if the user must have to, to view a very specific
> portion.
>
> TBB by default keeps "Script Globally Allowed" option ENABLED or
> selected, inside "NoScript" extension/plugin. It should be set to
> Disabled or keep unselected. If your "NoScript" plugin/extension
> shows the option "Forbid Scripts Globally", (inside "General" tab
> window), then select/enable it.
>
> It is more important that Privacy remains intact, than a website
> appearing nice on 1st visit.
>
> User can enable JS for certain set of URL for a website, if they
> NEED to, by themselves.

You're forgetting an exploiter can use AngularJS or something similar that uses MVC strategies to make the website non-functional until you enable JavaScript on that page. Doing so, many users unaware that their favorite website has been compromised would do so just thinking that the site was updated to require JavaScript. Unless you audit the JavaScript code, "using noscript" isn't the be-all-end-all protection. I believe the torproject provides that to prevent some XSS attacks.

I believe the bigger problem here is that the Tor Browser needs to automatically update itself. Users of 17.0.7 (June's release) were unaffected. The idea that a web browser doesn't automatically accept security patches is a joke in this day and age. That issue needs to be expedited.

Further, I think more emphasis needs to be there to get users to use isolated network setups like Whonix or TAILS, or some other officially supported method that accomplishes the same outcomes. JavaScript will be irrelevant if users are socially engineered to run some other arbitrary code, possibly posing as a browser extension or email attachment, i.e. a PDF.

--
scarp | A4F7 25DB 2529 CB1A 605B 3CB4 5DA0 4859 0FD4 B313

--
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
