Slashdot Mirror

← Back to Stories (view on slashdot.org)

TOR Wants You To Stop Using Windows, Disable JavaScript

Posted by timothy on from the so-say-we-all dept.

itwbennett writes "The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network. The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network. 'Really, switching away from Windows is probably a good security move for many reasons,' according to a security advisory posted Monday by The TOR Project."

11 of 341 comments (clear)

  1. Re:Firefox by The+MAZZTer · · Score: 4, Informative

    Firefox allows it, as does every major browser. But it is not the default, because it is incredibly inconvenient considering how many websites rely on it. There are tools to make it easier for Firefox and Chrome but it is still a bit of a bother.

  2. Proper Summary by Freshly+Exhumed · · Score: 3, Informative

    FTA: 'The vulnerability was patched by Mozilla in later versions of Firefox, but some people may still be using the older versions of the TOR Browser Bundle.'

    Geeez, this is all about running old TOR on old Windows... who knew something could possibly go wrong with that?

    --
    I deny that I have not avoided attaining the opposite of that which I do not want.
  3. NSA owned netblocks by NynexNinja · · Score: 5, Informative

    Looks like the NSA is up to their old dirty tricks: http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted-malware-phoned-home-to-nsa/ ... And yes, I second the motion to stop using Windows -- its full of zero day bugs like this. Not a day goes by where you don't hear about a new zero day attack focused on Windows, and its been that way for decades.

  4. Re:Why not stop using firefox and Java by RedHackTea · · Score: 3, Informative
    FTFA:

    The TOR Project's reasoning comes from the characteristics of the malicious JavaScript that exploited the zero-day vulnerability. The script was written to target Windows computers running Firefox 17 ESR (Extended Support Release), a version of the browser customized to view websites using TOR.

    People using Linux and OS X were not affected, but that doesn't mean they couldn't be targeted in the future. "This wasn't the first Firefox vulnerability, nor will it be the last," The TOR Project warned.

    --
    The G
  5. Re:Firefox by Anonymous Coward · · Score: 3, Informative

    Firefox is apparently opting to remove the option from their settings and for a good reason - no one wants to globally disable JS these days. A default off with allowed sites is workable though, but there are extensions like NoScript to add that functionality.

  6. Re:Very poor advice by CAIMLAS · · Score: 3, Informative

    It's trivial to use Tor in a secure fashion. In fact, if you need the security provided by Tor, chances are you're better off doing it this way instead:

    1) Download Tails
    2) Burn to CD
    3) Boot disk
    4) Use Tor

    How hard was that?

    (Personally, I use IE5 and Windows 2000 for Tor. Nobody's going to try to exploit that... and yes, I'm kidding.)

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  7. Re:Firefox by Krojack · · Score: 3, Informative

    URL about:config then enter 'javascript.enabled' into the search bar. Double click that setting in the list below to toggle back and forth.

  8. Car / Caramel = Java / Javascript by raymorris · · Score: 3, Informative

    To clarify what AC posted, the words "Java" and "Javascript" are like "car" and "caramel", or "ear" and "early" - they are completely unrelated. They just have some letters in common.

    Netscape had an interpreted scripting language called LiveScript. It wasn't used a whole lot.
    Later, Sun released a virtual machine and a compiled language to program it in called Java. Java got a lot of press.
    Seeing all the press that Java was getting, Netscape renamed Livescript "Javascript", to ride the coat-tails of the
    completely different system, called Java.

    They were developed completely separately, by different companies, for different purposes, and based on different principles.
    It's exactly as if the BETAMAX were renamed DroidVideo.

  9. Re:Firefox by danbuter · · Score: 3, Informative

    NoScript works for me...

  10. Re:Don't use Firefox bundled by TOR by Burz · · Score: 3, Informative

    This is a sure way to reveal your IP address to an attacker. The only proxy switcher ever deemed safe to use with Tor was TorButton... the rest allowed cache and history-based attacks. Even so, Tor project recommends the entire browser now be customized for Tor and not used for any in-the-clear web access.

  11. Re:Security professionals generally missing the po by MechaStreisand · · Score: 4, Informative

    Take a look at all the certificate authorities your browser trusts sometime. Any one of those can issue a certificate for ANY website, not just those in the area where that authority. If any ONE of those authorities issues a certificate for, say, the NSA, then they can MITM your communication with any website if they're in a position to do so (and the NSA most definitely is), regardless of that website's original certificate. By default, the browser doesn't give a shit if the certificate changes. All of this makes SSL useless against a determined attacker.

    --
    Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.