I understand that JavaScript was enabled globally in the Tor Browser Bundle for usability reasons as well as to prevent browser fingerprinting. I believe this is the correct decision.

If the torproject were to disable it by default, that would not ensure that users are protected in the future by similar methods. Sites can be written in a way that if you do not allow JavaScript they simply won't work at all. If I were writing an exploit, I'd do this to frustrate users so hopefully they enable JavaScript and accept my exploit. Also, future exploits may not use JavaScript, but may somehow socially engineer the user into installing a browser extension or something like that.

This brings us to another issue. This exploit wasn't new. It had been on the Mozilla bug tracker for a while. Users running the latest Tor Browser Bundle (17.0.7) didn't have any issues as their browsers had been patched. It is inappropriate for a web browser to not be automatically updated. In this day and age where we have full disclosures about critical bugs, we must also have a way for users to get patches easily and effortlessly. Let's please keep vulnerabilities to be 0day rather than 0month, or 0year. Had the Tor Browser's update mechanism been working like the official Mozilla Firefox browser and Google Chrome, this would not have been nearly as serious.

Whonix users of course were protected in 3 ways: firstly, whonixcheck would have warned them about an outdated browser; secondly, hardware addresses would have been masked by virtual network interfaces; and thirdly, the network isolation it provides would have made this kind of exploit not possible in the first place. TAILS users would have been protected similarly, from the first and third issue.

I'd like to see torproject make a push for isolated network setups, because the cold hard truth is that running the Tor Browser Bundle on Windows, while easy for the users, is a nightmare for the developers, and keeping it secure is a big, big task. Maybe even an officially supported Tor distribution.

The Tor Browser Bundle has to work with the network configuration the user has given it, which most certainly is not going to prevent arbitrary code from directly contacting remote servers and circumventing the Tor service. Given the successfulness of this vector, you can bet this will become something governments will look to invest in, in the future.

-- 
scarp | A4F7 25DB 2529 CB1A 605B 3CB4 5DA0 4859 0FD4 B313

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk