On Fri, Oct 15, 2010 at 9:22 PM, David ?Bombe? Roden <bombe at pterodactylus.net> wrote: > On Friday 15 October 2010 22:01:55 Gregory Maxwell wrote: > >> JS can be used for a lot of really really nasty tracking and anonymity >> busting. > > So, you trust our Java code but not our JavaScript code? > > I disregard the rest of your mail because I get the distinct feeling that you > are not separating between the ?the Freenet web interface? and ?arbitrary > freesites random people insert.?
That is unfortunate, because we've had a simple and easily corrected communication error. One which might have been corrected without any intervention on my part had you simply taken a moment more to read the rest of my message, but I apologize for being unclear. I'm not saying much about the trustworthiness of the freenet code. A browser which has javascript enabled is potentially subject to executing malicious code from third parties. The question of this risk existing via freenet is _mostly_ a question of fproxy successfully detecting and blocking any of the multitude of ways of tricking a browser into executing code on the page. Or, in other words, the _browser_ cannot distinguish between the freenet web interface and arbitrary freesites and so unless fproxy does a heroic job of removing everything the browser might possibly execute then javascript poses a significant risk. The wild continued success of XSS indicates that this is a very hard problem? browsers try very hard to make "everything work", but that means that making things not work is tricky. Also? I used the word mostly above because some JS driven attacks wouldn't pass through fproxy. E.g. a non-freenet site could use the JS CSS link-coloration information leak to learn about your use of freenet if you browser that site with the same browser you use to access freenet and have JS enabled.
