[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turned on by default

Yuri yuri at rawbw.com
Wed Jan 22 01:25:21 UTC 2014


On 01/21/2014 15:43, TT Security wrote:
> Absolutely agree with you!
> Let's just not treat it as a BUG but as a security issue, even if only
> potentially dangerous.
> ABE of NoScript can close this issue - simply and quickly. But maybe
> in the future TBB must prohibit all connections to local LAN resources
> for global HTML web pages.

If you are after high anonymity and security, you should run your
browser from a virtual machine. This issue is probably not any worse
than potential DNS leaks, or connections accidentally made around Tor.
Hunting down such bugs is ultimately unproductive, and will always be
inferior to the security-by-isolation approach. You can take a look at
the Whonix distribution, which is merely a chained pair of virtual machines,
the middle one configured as a Tor router, and the tail one working as a
client. Any OS can be a client. This solution is far superior to the TBB
approach, and has much more limited potential of being compromised. I
wish the Tor Project could offer something similar.

Yuri

