[tor-bugs] #7085 [Tor bundles/installation]: Integrate Cryptocat Browser Extension into Tor Browser Bundle

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Nov 12 21:19:37 UTC 2012


#7085: Integrate Cryptocat Browser Extension into Tor Browser Bundle
--------------------------------------+-------------------------------------
 Reporter:  kaepora                   |          Owner:  erinn                        
     Type:  enhancement               |         Status:  new                          
 Priority:  normal                    |      Milestone:  TorBrowserBundle 2.2.x-stable
Component:  Tor bundles/installation  |        Version:  Tor: unspecified             
 Keywords:                            |         Parent:                               
   Points:                            |   Actualpoints:                               
--------------------------------------+-------------------------------------

Comment(by mikeperry):

 My initial thoughts here are:

 0. This is a totally awesome idea. I think it becomes even more awesome if
 it either shipped with or contained an XMPP server that gets automatically
 configured as a hidden service (#6660).

 1. In fact, if we can easily do XMPP over fully P2P hidden services (where
 each user gets their own hidden service), the timing issues with OTR
 become secondary, as OTR would be largely redundant in that case.

 2. We need to audit this for XUL XSS issues, especially since it is
 displaying remote-provided content (chat messages) in XUL windows. Has
 anyone done this audit yet? I assume the AMO reviewers have, but who knows
 how competent they are for this stuff. There are several people around the
 net that may be even more qualified reviewers than I am, in fact. There
 have been a few BlackHat/DEFCON/other presentations on this topic.

 3. It seems to use jsctypes. Is this dependency strictly necessary, or can
 we do without it?

 4. I'm pretty sure Pidgin is a security nightmare on Windows, and their
 devs seem to take a rather lax attitude to such problems. It likely has
 way worse vulnerabilities than timing attacks in the crypto... But
 CryptoCat could be worse in terms of exploit, because XUL XSS exploits are
 way easier to use (and cross-platform!) if they exist...

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7085#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
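
The point in item 2 above, shown as an added example that is not Cryptocat's, Tor Browser's or the commenter's code: a chat client turning a remote-provided message body into markup the unsafe way (verbatim interpolation, which is what makes the "XUL XSS" class of bug cross-platform and trivially exploitable) beside a safer renderer that escapes every untrusted field and only linkifies http(s) URLs, plus a crude audit check of the kind one would run over a corpus of hostile bodies. All names (renderMessageUnsafe, renderMessageSafe, containsUnexpectedMarkup, auditRenderers) and the sample nick and body are constructed for this example.

```javascript
// Added example, not Cryptocat's or Tor Browser's own code: rendering a
// remote-provided chat body into markup, the unsafe way and a safer way,
// plus a crude check an auditor can run over a corpus of hostile bodies.
// The nick and body values below are constructed for the demonstration.

// Escape the characters that change meaning in HTML text and quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe: the body is interpolated verbatim. A peer sending
// <img src=x onerror="..."> gets script execution in whatever window
// (XUL or HTML) renders this string via innerHTML or an equivalent sink.
function renderMessageUnsafe(nick, body) {
  return `<div class="msg"><b>${nick}</b>: ${body}</div>`;
}

// Safer: every untrusted field is escaped, and links are emitted only for
// http(s) URLs, with the href escaped again because it lands in attribute
// context. Anything that is not a plain URL stays inert text.
function renderMessageSafe(nick, body) {
  const parts = String(body).split(/(https?:\/\/[^\s<>"']+)/g);
  const linkified = parts
    .map((part, i) =>
      i % 2 === 1
        ? `<a href="${escapeHtml(part)}" rel="noopener noreferrer">${escapeHtml(part)}</a>`
        : escapeHtml(part))
    .join('');
  return `<div class="msg"><b>${escapeHtml(nick)}</b>: ${linkified}</div>`;
}

// Audit helper: true if the rendered markup contains any tag the renderer did
// not intend to emit, an inline event handler, or a non-http(s) href. This is
// a regex over our own output, not a general HTML parser, so it is only
// meaningful for markup produced by the two renderers above.
function containsUnexpectedMarkup(html) {
  const allowedTags = ['div', 'b', 'a'];
  const tags = html.match(/<[^>]+>/g) || [];
  return tags.some((tag) => {
    const m = /^<\/?([a-z]+)((?:\s[^>]*)?)>$/i.exec(tag);
    if (!m || !allowedTags.includes(m[1].toLowerCase())) return true;
    const attrs = m[2];
    if (/\son\w+\s*=/i.test(attrs)) return true;              // onerror=, onload=, ...
    if (/\shref\s*=\s*"(?!https?:)/i.test(attrs)) return true; // javascript:, data:, ...
    return false;
  });
}

// Constructed hostile body: a classic injection followed by a legitimate URL.
const CRAFTED_BODY = 'hi <img src=x onerror="alert(document.domain)"> see http://example.org/x';

// Run both renderers over the crafted body and report which one leaks markup.
function auditRenderers(nick = 'alice', body = CRAFTED_BODY) {
  const unsafe = renderMessageUnsafe(nick, body);
  const safe = renderMessageSafe(nick, body);
  return {
    unsafeLeaks: containsUnexpectedMarkup(unsafe),
    safeLeaks: containsUnexpectedMarkup(safe),
    safeHtml: safe,
  };
}

console.log(auditRenderers());
```

In a real extension the cleaner fix is to never assemble markup from strings at all: create the elements with createElement and set message text through textContent, so there is no HTML-interpreting sink for the remote body to reach. The string-based renderer above is used only so the audit check has something to inspect.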

