[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turned on by default
Yuri
yuri at rawbw.com
Wed Jan 22 01:25:21 UTC 2014
On 01/21/2014 15:43, TT Security wrote:
> Absolutely agree with you!
> Just let's not treat it as a BUG but as some security issue, even if only
> potentially dangerous.
> ABE of NoScript can close this issue - simply and quickly. But maybe
> in the future TBB must prohibit all connections to local LAN resources
> for global html web-pages.
If you are after high anonymity and security, you should run your
browser from a virtual machine. This issue is probably not any worse
than potential DNS leaks, or connections accidentally made around Tor.
Hunting down such bugs is ultimately unproductive, and will always be
inferior to the security-by-isolation approach. You can take a look at
the Whonix distribution, which is merely a chained pair of virtual machines,
the middle one configured as a Tor router, and the tail one working as a
client. Any OS can be a client. This solution is far superior to the TBB
approach, and has much more limited potential of being compromised. I
wish the Tor project could offer something similar.
Yuri