Confusion about TorButton, Noscript, etc.
Marco Bonetti
marco.bonetti at slackware.it
Mon Aug 18 21:56:06 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ringo Kamens wrote:
> Ok, so as long as I don't whitelist anything, those attacks are pretty
> much nullified right?
not true: NoScript has a default whitelist with popular domains like
google.com or yahoo.com
> What specifically gets disabled in TorButton when I turn on NoScript?
nothing :)
> Sorry about all the questions, this is all very confusing to me.
let's try to clarify things a bit.
+ TorButton works on privacy: it enables the right proxy settings and
provides some extra protections to prevent identity leaking. One of this
feature is blocking of all javascript code to prevent injection by rogue
exit nodes.
+ NoScript works on security (which is not privacy) it enforce a set of
rules so that malicious sites or bad programmed one can't exploit some
common information stealing tactics like cross site scripting or cross
request forgery to gain illegal access to sites with your credentials.
The core of all NoScript defenses is blocking javascript too.
Those are the basic important concepts: the extensions works on two
different things and their core functionality is the same, block all
javascripts (then they do much more, but each of them in their context).
Now, the problem: one of the feature of NoScript is selectively
whitelisting sites so they can run javascripts or other possibly
dangerous content (like flash objects).
While this is a normal behaviour when browsing off-tor (as you usually
trust your ISP but it can be exploited nevertheless) it becomes
dangerous when browsing in-tor as TorButton will disable javascripts and
NoScript will enable them if the site you are tor-browsing is whitelisted.
I hope now it's a bit more clear :)
However, I've still a question regarding this problem: Maone wrote to me
saying that if someone or something globally disable javascripts,
NoScript will honor it and it will not try to revert the behaviour. To
me it looks like that if TorButton will switch the javascript.enabled
options, both of the extensions could work fine together. I'd like to
hear more from Perry about his work on this topic :-P
And, as a final consideration, whitelisting only ssl-ed sites is a
temporary workaround to be sure to have the functionality of both
extensions without the questioned problem.
HTH,
ciao
- --
Marco Bonetti
Slackintosh Linux Project Developer: http://workaround.ch/
Linux-live for powerpc: http://workaround.ch/pub/rsync/mb/linux-live/
My webstuff: http://sidbox.homelinux.org/
My GnuPG key id: 0x86A91047
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFIqe/2yPKw+YapEEcRAqidAKCAxJZwO8TY0N5+TMfp1fLCRlryRQCfdPNa
tv/JKC/R6jcZx/Mfh2/IR0M=
=Y7Q/
-----END PGP SIGNATURE-----
More information about the tor-talk
mailing list