Javascript security question
Freemor
freemor at gmail.com
Fri Aug 21 13:26:17 UTC 2009
On Fri, 21 Aug 2009 09:25:15 +0000 (GMT)
Sadece Gercekler <inanma at ymail.com> wrote:
> I know that enabling javascript is insecure. But my question is
> specific to gmail, google reader, yahoo mail, and blogger.com. These
> are the sites I'm mainly accessing.
>
> Do you think enabling javascript for these sites can be OK?
>
> Thanks
>
>
>
It's not safe.. The problem isn't the sites you are visiting.. The
problem is that an Evil exit node can inject javascript into any
(non https) page you are viewing. yahoo mail falls into this category,
as could google reader and blogger.com (you can force google reader to
https but it is easy to forget). The clever use of javascript can pose
many security risks other then simply unmasking your IP address. I
would STRONGLY advise against using TOR with javascript enabled.
(unless you explicitly trust (own/administer) the exit node.. but this
presents problems of it's own ;) ).
Regards,
Freemor
--
freemor at fastmail.fm
freemor at gmail.com
This e-mail has been digitally signed with GnuPG - ( http://gnupg.org/ )
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20090821/a8d010cb/attachment.pgp>
More information about the tor-talk
mailing list