[tor-talk] Tor security advisory: Old Tor Browser Bundles vulnerable

Bry8 Star bry8star at inventati.org
Wed Aug 7 14:21:52 UTC 2013


Response is below, in between.

Received from scarp, on 2013-08-07 4:44 AM:
> Bry8 Star:
>> In my opinion,
> 
>> After installing TBB (Tor Browser Bundle), users should disable JS 
>> (JavaScript) by default, and enable JS ONLY when visiting a
>> website and only if the user must, to view a very specific
>> portion.
> 
>> TBB by default keeps the "Script Globally Allowed" option ENABLED or 
>> selected inside the "NoScript" extension/plugin. It should be set to 
>> Disabled or kept unselected.  If your "NoScript" plugin/extension 
>> shows the option "Forbid Scripts Globally" (inside the "General" tab 
>> window), then select/enable it.
> 
>> It is more important that Privacy remains intact, then a website 
>> appearing nice on 1st visit.
> 

... than a website ...

> 
>> Users can enable JS for a certain set of URLs of a website, if they 
>> NEED to, by themselves.
> 
> You're forgetting an exploiter can use AngularJS or something similar
> that uses MVC strategies to make the website non-functional until you
> enable JavaScript on that page. Doing so, many users unaware that their
> favorite website has been compromised would do so, just thinking that
> the site was updated to require JavaScript.
> 

A new Firefox extension, Tor-WOT (Web Of Trust), can be useful, as I
already mentioned in my previous email. WOT shows an icon. After
visiting a site, users can just look at the WOT icon's status and
can/may decide/choose whether he/she wants to allow JS or not.

> 
> Unless you audit the JavaScript code "using noscript" isn't the
> be-all-end-all protection. I believe the torproject provides that to
> prevent some XSS attacks.
> 
> I believe the bigger problem here is that the Tor Browser needs to
> automatically update itself. Users of 17.0.7 (June's release) were
> unaffected. The idea that a web browser doesn't automatically accept
> security patches is a joke in this day and age. That issue needs to be
> expedited.
> 

I would suggest this way: Tor Browser needs to download the
"UPDATEable" Tor Browser like this: first get ONLY the SHA-256 or
SHA-512 hash/checksum of the "Updateable" Tor Browser (a small file)
from TorProject.org's onion host via the Tor proxy.  Then
Tor Browser should get the actual full "Updateable" file from any one
of a set of download-mirror onion sites. Check the downloaded file
against the previously received HASH code. When the check succeeds,
then update it. But please make sure the update process asks the user in
what way he/she wants to update: (1) an "overwrite and lose all
previous settings" way, or (2) keep the existing extension settings
(like TabMix Plus, SessionManager, Torbutton, NoScript, etc.) and
update the older one with the new Tor Browser.

(I have updated older Tor Browsers (Firefox portion only) with newer
ones. The first few times I wasn't able to update without losing my old
extensions' settings; luckily I made a backup of the original folder
before experimenting, so in the end I was able to figure out which
folders and files need to be updated so that older extensions do not
lose data (or the settings data were exported to an external file, and
then, after the update, the exported settings were imported back).)

The best would have been something similar to what PortableApps Firefox
does: it can completely keep previous settings.  Users who need a
fresh installation can install TBB or update in a new folder.

> 
> Further I think more emphasis needs to be there to get users to use
> isolated network setups like Whonix or TAILS, or some other officially
> supported method that accomplishes the same outcomes. JavaScript will
> be irrelevant if users are socially engineered to run some other
> arbitrary code, possibly posing as a browser extension or email
> attachment, i.e. a PDF.
> 
> 

These (TAILS, etc.) require more extra tools or devices and/or
more/other necessary steps or components. If simple Tor users cannot
choose or do a simple mouse-click on the "Allow" or "Temporarily allow" JS
options in the "NoScript" icon for the site he/she is visiting (and may
need to temporarily allow a few more extra/related content sites used
by the primary website that he/she is visiting), then such users will
make even more mistakes in using those, and it will be harder for
them. But no doubt those are the best (recommended) ways.


The "NoScript" is like your pet-dog, you will have to train it, once
you adjust or train (that is, you select JS options properly) then
it will not bother you anymore, and keep obeying/following you/your
instructions, the way you want it.

First dis-allow execution of global JS option in NoScript.

TLD = Top Level Domain. For example, the ".org" portion in
"TorProject.org".

SLD = Second Level Domain. For example, the "TorProject" portion in
"TorProject.org".

3LD/sub = 3rd Level Domain. For example, the "trac" portion in
"trac.TorProject.org".
The "trac" portion can also be called a sub-domain, a sub-domain of
"TorProject.org".

If the user trusts the website he/she is visiting (you may
consult the WOT icon's recommendation), then select "Allow" (for the SLD
portion) in the "NoScript" icon.  For the websites which you do not need
to work normally on every visit, you can manually select them
each time by using the "Temporarily allow" option.  And for the websites
you do not trust at all, or which show AD(vertisements, etc.) or have the
word "AD", or other unnecessary things, do not click any one of
those sites; advertisers won't be happy that their JS is not
running, but that is what we want: we want them to use simple,
non-fishy HTML code and images.

A primary website often uses another secondary website (or sub-domain
site) as its content or media-file delivery website, and that
secondary site sometimes needs to have JS enabled for the primary website
to work better.  This/such duo/trio combination is very well known
for well-known websites; once you start using NoScript the way many other
"NoScript" users do, it will become very easy for you to tell which to
allow and which not to.  For example, for some JS scripts to work
properly on "wikipedia.org", it may need "wikimedia.org" website JS
as well.  For images/pictures to work properly, "Yahoo.com" will need
"ytimg.com"; Yahoo.com sometimes needs "yahooapis.com" if you need
to view a portion of the Yahoo website which involves JS code, so
be extra careful when enabling/allowing "yahooapis.com".

If you/the user enable JS globally, then the JS code of all the unnecessary
websites, advertisements, "fishy" cross-site websites, etc. gets
executed on the 1st visit (and they save cookies on the 1st
visit/connection as well): very dangerous.

Change the cookie-related settings so that only the cookie of the site
you are visiting is accepted, and only when YOU want to and choose to
do so.  Also use the "AdBlock Plus" plugin/extension for a bit higher
level of safety.

So bottom line is : use restrictively, for your own safety.

NoScript has many, many options. One of them is to allow certain
internal code or config pages of Firefox if pre-programmed. Those can
be used for executing certain Firefox- and anonymity-related code, but
all others should normally be kept blocked.

Many are using it for protecting their Privacy+Anonymity.  And that
is supposed to be the purpose of the TorProject.

And it is also true that many are using it for mixed usage.

Maybe there should be TWO TBBs, so that these TWO groups of users
can choose which to use, be happy about it, and cannot blame you
in future anymore.  One TBB should be optimized to protect and place
priority on protecting the user's Privacy+Anonymity.  Another can be
optimized the way the current TBB is now: optimized for convenience,
as it by default allows all JS!

-- Bright Star.
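The two-channel update flow sketched in the message above (a small checksum file fetched first from the project's own onion service, the full bundle fetched from any mirror, the bundle applied only if its SHA-256 or SHA-512 digest matches), written out as a runnable Python illustration. This is an added example, not code from the poster or from the Tor Project, and it does not describe how Tor Browser's updater was actually built; the file name, the checksum-file contents and the two "downloads" are constructed stand-ins, and the two fetch callables model the separate channels without touching the network.

```python
"""Two-channel update check: trusted checksum file first, bundle from any
mirror second, apply only on a digest match.  Added example with
constructed data; not Tor Project code."""
import hashlib
import hmac
import re
from typing import Callable, Dict

# Hex-digest length -> hashlib constructor, so one checker accepts either
# of the two algorithms the message mentions (SHA-256 or SHA-512).
_ALGOS = {64: hashlib.sha256, 128: hashlib.sha512}

# sha256sum(1)/sha512sum(1) line: "<hex>  filename" or "<hex> *filename".
_LINE = re.compile(r"^([0-9a-fA-F]{64}|[0-9a-fA-F]{128})\s+\*?(\S+)\s*$")


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Parse checksum lines into {filename: hexdigest}.  Blank lines and
    '#' comments are skipped; any other non-matching line is an error, so a
    corrupted or tampered checksum file cannot silently yield no entries."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {raw!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def verify_download(data: bytes, expected_hex: str) -> bool:
    """True iff data hashes to expected_hex under the algorithm implied by
    the digest length.  compare_digest keeps the comparison constant-time."""
    ctor = _ALGOS.get(len(expected_hex))
    if ctor is None:
        raise ValueError("expected a SHA-256 or SHA-512 hex digest")
    return hmac.compare_digest(ctor(data).hexdigest(), expected_hex.lower())


def fetch_verified_update(name: str,
                          fetch_checksums: Callable[[], str],
                          fetch_bundle: Callable[[str], bytes]) -> bytes:
    """Checksum file from the trusted channel first, then the bundle from
    any mirror.  Returns the bundle bytes only if they verify."""
    expected = parse_checksum_file(fetch_checksums())
    if name not in expected:
        raise ValueError(f"no checksum published for {name}")
    bundle = fetch_bundle(name)
    if not verify_download(bundle, expected[name]):
        raise ValueError(f"{name}: digest mismatch, refusing to apply update")
    return bundle


# --- constructed demo data (hypothetical names, not real artifacts) --------
BUNDLE_NAME = "tor-browser-update.tar.xz"
GOOD_BUNDLE = b"constructed stand-in for the real update archive\n"
TAMPERED_BUNDLE = GOOD_BUNDLE + b"injected by a bad mirror\n"
# The checksum file is derived from GOOD_BUNDLE so the demo is self-consistent.
CHECKSUM_FILE = (
    "# constructed checksum file, sha256sum(1) format\n"
    f"{hashlib.sha256(GOOD_BUNDLE).hexdigest()}  {BUNDLE_NAME}\n"
)


def demo(mirror_payload: bytes) -> str:
    """Simulate one update attempt against a mirror serving mirror_payload."""
    try:
        fetch_verified_update(BUNDLE_NAME,
                              lambda: CHECKSUM_FILE,
                              lambda _name: mirror_payload)
        return "verified"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("honest mirror  :", demo(GOOD_BUNDLE))
    print("tampered mirror:", demo(TAMPERED_BUNDLE))
```

The point of splitting the fetches is that a mirror can substitute a bundle but cannot also substitute the checksum it is checked against; the checker therefore rejects anything whose digest was not published on the trusted channel, and it refuses to proceed at all if the checksum file itself is malformed rather than treating an empty parse as "nothing to verify".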
