-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marco Bonetti wrote:
> Ringo Kamens wrote:
>> So just to confirm, if I install TorButton, that's all the protection I
>> need and I don't need to worry about NoScript?
> define "protection that you need" :)
> if you "just" want to browse the tor network leaving less traces behind
> you, yes, TorButton is enough.
> NoScript offers extra services, which are useful during *BOTH* in- and
> off- tor browsing sessions like XSS and CSRF protection, chrome
> information leakage and some DOS using external protocols.
> Unfortunately, this protection comes at a price: the main NoScript
> feature is the whitelisting of trusted sites and this can be exploited
> by rogue exit nodes which will inject javascript into clear text pages
> they'll send you back.
>
> Note that this behaviour is not tor dependent: an ISP can always inject
> javascript in clear text pages it will route to you. It's just more
> useful *WHEN* running a tor exit node as it could reveal the identity of
> users.
>
> A good workaround is, for now, manually whitelisting only trusted ssl
> pages (for which content injection is quite hard) or having this option
> incorporated inside NoScript as mentioned in my previous mail regarding
> this thread.
>
> ciao
>

Ok, so as long as I don't whitelist anything, those attacks are pretty
much nullified, right? What specifically gets disabled in TorButton when I
turn on NoScript? Sorry about all the questions, this is all very
confusing to me.

ringo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIqeX4mBTzXUpNYqQRAlh8AJ4zVHo/4ubIaPMhe3NzF6mtgg/jNwCggfpU 0EqHA3C8Qw5+sY2G4ob7mAY= =RRK4 -----END PGP SIGNATURE-----
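
The workaround described in the quoted message (whitelisting only trusted SSL pages) can be checked mechanically. This is an added example, not part of the original thread and not NoScript's own code; the whitelist format, the function names and the sample hosts are assumptions.

```javascript
// Added example: audit a script whitelist for entries that also permit cleartext pages.
// ASSUMPTIONS (not taken from NoScript's source): the whitelist is a
// whitespace-separated list; an entry is a full origin ("https://host"), a bare
// host/domain that matches over any scheme, or a browser-internal scheme.
const LOCAL_SCHEMES = /^(about|chrome|resource):/i;

function classifyEntry(entry) {
  if (LOCAL_SCHEMES.test(entry)) {
    return { entry, verdict: "local", suggest: null };
  }
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/\s]+)/i.exec(entry);
  if (m && m[1].toLowerCase() === "https") {
    return { entry, verdict: "ssl-only", suggest: null };
  }
  // Bare hosts and non-https origins both allow scripts on pages that
  // anything on the network path (exit node, ISP) can modify in transit.
  const host = (m ? m[2] : entry.replace(/\/.*$/, "")).toLowerCase();
  return { entry, verdict: "cleartext-allowed", suggest: "https://" + host };
}

function auditWhitelist(text) {
  const report = { "ssl-only": [], "cleartext-allowed": [], local: [] };
  const seen = new Set();
  for (const entry of text.split(/\s+/).filter(Boolean)) {
    if (seen.has(entry)) continue; // ignore duplicate entries
    seen.add(entry);
    const result = classifyEntry(entry);
    report[result.verdict].push(result);
  }
  return report;
}

// Constructed sample whitelist (hypothetical hosts, not from the thread).
const SAMPLE = [
  "about:blank", "chrome:", "https://mail.example.org",
  "example.com", "http://forum.example.net", "HTTPS://bank.example",
  "ftp://files.example.net",
].join(" ");

const report = auditWhitelist(SAMPLE);
for (const r of report["cleartext-allowed"]) {
  console.log(`${r.entry}: allows cleartext pages; candidate replacement ${r.suggest}`);
}
```

A suggested `https://` replacement is only a candidate: it helps only if the site actually serves the page over SSL.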