There are a lot of questions here that require answers from the developers. This would not only protect against simple JS exploits but also vulnerabilities in the HTML or image file rendering code. The real solution however would be to add some level of sandboxing (be that built into the browser, the OS like MIC, Apparmor, SeLinux or seatbelt or through a 3rd party standalone application like a VM or sandboxie). NoScript white-list consisting of only https domains would be a better default and still offer a reasonable user-experience. Add the lack of auto updating (all you get is a warning/notice on the default homepage) and I'm sure a good portion of Tor users is vulnerable because of this decision. The window of several days between the upstream release of security patches for Firefox and TBB releases doesn't help. Every JavaScript related code execution vulnerability can be used not only to fully compromise browser sessions, saved cookies, history and passwords but your entire user account on your OS, all files and most importantly, your IP address! Of course it's the wrong decision, especially since Firefox doesn't do sandboxing like Chrome, IE and now Safari. It has been brought up before but the developers think it's a good idea. Same with the Linux bundle since several versions.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |