[tor-bugs] #7085 [Tor bundles/installation]: Integrate Cryptocat Browser Extension into Tor Browser Bundle
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Nov 12 21:19:37 UTC 2012
#7085: Integrate Cryptocat Browser Extension into Tor Browser Bundle
Reporter: kaepora | Owner: erinn
Type: enhancement | Status: new
Priority: normal | Milestone: TorBrowserBundle 2.2.x-stable
Component: Tor bundles/installation | Version: Tor: unspecified
Keywords: | Parent:
Points: | Actualpoints:
Comment(by mikeperry):
My initial thoughts here are:
0. This is a totally awesome idea. I think it becomes even more awesome if
it either shipped with or contained an XMPP server that gets automatically
configured as a hidden service (#6660).
1. In fact, if we can easily do XMPP over fully P2P hidden services (where
each user gets their own hidden service), the timing issues with OTR
become secondary, as OTR would be largely redundant in that case.
2. We need to audit this for XUL XSS issues, especially since it is
displaying remote-provided content (chat messages) in XUL windows. Has
anyone done this audit yet? I assume the AMO reviewers have, but who knows
how competent they are for this stuff. There are several people around the
net that may be even more qualified reviewers than I am, in fact. There
have been a few BlackHat/DEFCON/other presentations on this topic.
3. It seems to use jsctypes. Is this dependency strictly necessary, or can
we do without it?
4. I'm pretty sure Pidgin is a security nightmare on Windows, and their
devs seem to take a rather lax attitude to such problems. It likely has
way worse vulnerabilities than timing attacks in the crypto... But
CryptoCat could be worse in terms of exploit, because XUL XSS exploits are
way easier to use (and cross-platform!) if they exist...
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7085#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online