Confusion about TorButton, Noscript, etc.

Ringo Kamens 2600denver at gmail.com
Mon Aug 18 21:13:28 UTC 2008


Marco Bonetti wrote:
> Ringo Kamens wrote:
>> So just to confirm, if I install TorButton, that's all the protection I
>> need and I don't need to worry about NoScript?
> define "protection that you need" :)
> if you "just" want to browse the tor network leaving less traces behind
> you, yes, TorButton is enough.
> NoScript offers extra services, which are useful during *BOTH* in- and
> off- tor browsing sessions like XSS and CSRF protection, chrome
> information leakage and some DOS using external protocols.
> Unfortunately, this protection comes at a price: the main NoScript
> feature is the whitelisting of trusted sites and this can be exploited
> by rogue exit nodes which will inject javascript into clear text pages
> they'll send you back.
> 
> Note that this behaviour is not tor dependent: an ISP can always inject
> javascript in clear text pages it will route to you. It's just more
> useful *WHEN* running a tor exit node as it could reveal the identity of
> users.
> 
> A good workaround is, for now, manually whitelisting only trusted ssl
> pages (for which content injection is quite hard) or having this option
> incorporated inside NoScript as mentioned in my previous mail regarding
> this thread.
> 
> ciao
> 
Ok, so as long as I don't whitelist anything, those attacks are pretty
much nullified, right?
What specifically gets disabled in TorButton when I turn on NoScript?
Sorry about all the questions, this is all very confusing to me.
ringo