Javascript security question

Flamsmark flamsmark at gmail.com
Fri Aug 21 13:48:03 UTC 2009


On Fri, Aug 21, 2009 at 09:26, Freemor <freemor at gmail.com> wrote:

> On Fri, 21 Aug 2009 09:25:15 +0000 (GMT)
> Sadece Gercekler <inanma at ymail.com> wrote:
>
> > I know that enabling javascript is insecure. But my question is
> > specific to gmail, google reader, yahoo mail, and blogger.com. These
> > are the sites I'm mainly accessing.
> >
> > Do you think enabling javascript for these sites can be OK?
> >
> > Thanks
> >
> >
> >
> It's not safe.. The problem isn't the sites you are visiting.. The
> problem is that an Evil exit node can inject javascript into any
> (non https) page you are viewing. yahoo mail falls into this category,


Unfortunately, there is currently a vulnerability with HTTPS, which may make
even 'secure' javascript vulnerable.


>
> as could google reader and blogger.com (you can force google reader to
> https but it is easy to forget). The clever use of javascript can pose
> many security risks other than simply unmasking your IP address. I
> would STRONGLY advise against using TOR with javascript enabled.
> (unless you explicitly trust (own/administer) the exit node.. but this
> presents problems of its own ;)  ).
>
> Regards,
> Freemor
>
> --
> freemor at fastmail.fm
> freemor at gmail.com
>
> This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )
>


More information about the tor-talk mailing list