On 7/2/14, Geoff Down <[email protected]> wrote:
> On Tue, Jul 1, 2014, at 10:54 PM, [email protected] wrote:
>> On 2014-06-30 22:33, Geoff Down wrote:
>> > If the code is injected between the target_website.com and the exit
>> > node, the exit node will relay it faithfully back through the Tor
>> > network to the client.
>> > It's all just bytes to Tor.
>>
>> This is presumably dependent on the TBB having a vulnerability.
>
> Or the user being foolish and opening a downloaded file (they trust the
> site, right?), enabling Flash etc.
>
>> So, even
>> if all users of target_website.com were considered evil and should be
>> targeted, this could only happen if a) there was a 0-day for Firefox on
>> which TBB is based or b) there is a known vulnerability for Firefox but
>> certain users did not bother to update.
>
> For websites, that would seem to be right. But don't forget about
> OpenSSL vulnerabilities (Firefox doesn't use OpenSSL iirc) or other
> software that people use over Tor - it's not all Torbrowser. So reasons
> for concern, but not all doom and gloom.
> GD

More and more reasons to run TBB or Tor in a sandbox (Whonix or Tails).
