On Wednesday, March 07, 2007, at 07:42AM, "Roger Dingledine" <[EMAIL PROTECTED]> wrote:
>On Wed, Mar 07, 2007 at 12:56:22AM -0500, James Muir wrote:
>> > http://blogs.zdnet.com/security/?p=114
>>
>> The approaches suggested won't work if you use Firefox with NoScript set
>> to disable JavaScript, Java, Flash and any other plugins.
>
>You still have to be careful though -- if you enable them for some
>domains that you trust (say, foo.com), then you can still get nailed
>when you visit foo.com from an evil exit node, it inserts some malicious
>applets, and your noscript says "well yeah, but the user typed in foo.com,
>therefore this applet is from foo.com, so I trust it".
>
>So the moral of the story appears to be turn the plugins off, period.
>The broader moral is: don't run code from strangers on your computer. The
>even broader moral would be to lament that we're still not using SSL on
>most Internet interactions. And maybe the fourth is that we (somebody
>here) should work on easy instructions for locking down common OS network
>interfaces so only Tor communications can get through. Or Tor LiveCDs
>that have that already done. Or VM images that can be run as routers
>between your computer and the Internet.
>
>--Roger
>
Actually the moral of the story would be to surf using Lynx w/SSL from a Linux or BSD Tor-enabled LiveCD. Unfortunately you won't see any pictures or movies so that will eliminate most users who use Tor for "private" surfing. ;-)

Or you could get REALLY secure and just unplug the computers from the net and go outside for some fresh air and get a life!

IMHO,
Brad
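Roger's point above is that a whitelist entry like "foo.com" trusts whatever arrives for that host, including script injected on the plaintext path through an exit node. The following is an added example, not code from the thread or from NoScript: it audits a NoScript-classic-style whitelist (space-separated entries, assumed to be bare hosts, scheme://host origins, or pseudo-entries such as about:blank) and flags entries that would also run script delivered over plain HTTP. It assumes, as NoScript classic did, that a scheme-qualified entry matches only that scheme.

```python
# Added example (not from the thread): audit a NoScript-style whitelist for
# entries that would also trust content arriving over plaintext HTTP, the case
# Roger describes (a trusted domain fetched through an untrusted exit node).
# Assumptions: entries are space-separated and are either a bare host or
# host:port ("foo.com", "192.168.1.1:8080"), a scheme-qualified origin
# ("https://foo.com"), or a pseudo-entry such as "about:blank".
from urllib.parse import urlsplit

# Constructed sample whitelist in the space-separated form NoScript classic used.
SAMPLE_WHITELIST = ("foo.com https://bank.example http://news.example "
                    "192.168.1.1:8080 localhost about:blank")


def classify_entry(entry: str) -> str:
    """Return 'pinned-https', 'plaintext', 'scheme-agnostic' or 'other'."""
    if "://" in entry:
        scheme = urlsplit(entry).scheme.lower()
        if scheme == "https":
            return "pinned-https"
        if scheme == "http":
            return "plaintext"
        return "other"
    if ":" in entry and not entry.split(":", 1)[1].isdigit():
        return "other"  # about:blank and similar non-network pseudo-entries
    return "scheme-agnostic"  # bare host or host:port matches http AND https


def audit_whitelist(whitelist: str) -> dict:
    """Group entries by how exposed they are to on-path script injection."""
    report = {"pinned-https": [], "plaintext": [], "scheme-agnostic": [], "other": []}
    for entry in whitelist.split():
        report[classify_entry(entry)].append(entry)
    return report


def risky_entries(whitelist: str) -> list:
    """Entries that would execute script delivered over plaintext HTTP."""
    report = audit_whitelist(whitelist)
    return report["plaintext"] + report["scheme-agnostic"]


def harden_entry(entry: str) -> str:
    """Suggested replacement: pin scheme-agnostic and http entries to https."""
    kind = classify_entry(entry)
    if kind == "scheme-agnostic":
        return "https://" + entry
    if kind == "plaintext":
        return "https://" + entry[len("http://"):]
    return entry  # already pinned, or not a network origin at all


if __name__ == "__main__":
    for entry in risky_entries(SAMPLE_WHITELIST):
        print(f"{entry:25} -> {harden_entry(entry)}")
```

Pinning only helps for sites that actually serve over HTTPS; for the rest the user is back to Roger's choice between disabling the plugin and accepting code from whoever sits on the path.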