Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]

coderman coderman at gmail.com
Mon Feb 23 20:40:54 UTC 2009


On Mon, Feb 23, 2009 at 12:29 PM, Arjan
<n6bc23cpcduw at list.nospam.xutrox.com> wrote:
>
> Noscript has some options (Options, Advanced, HTTPS) that may help.
> Disclaimer: I've not used these options and I don't know if it's secure.

from https://www.torproject.org/torbutton/faq.html
"Which Firefox extensions should I avoid using? ... NoScript: using
NoScript can actually disable protections that Torbutton itself
provides via Javascript, yet still allow malicious exit nodes to
compromise your anonymity via the default whitelist..."

as an aside, i found a plugin that could do everything above, but only
if the sites themselves send you a ForceHTTPS cookie securely:
https://crypto.stanford.edu/forcehttps/
the design paper does a good job of explaining why this is all more
complicated than you might think...

best regards,


