Mageia forum

[zxr250cc]

I have been reading about Firefox ESR 17 having serious javascript vulnerabilities on /. and wonder if the solution is to remove it from my laptop and use Opera for the time being until Mageia either move to Firefox 23 or Firefox fixes their problem? Anyone else wondering about this?

Cheers all,

[doktor5000]

Are you sure it wasn't actually about TOR and javascript vulnerabilities?
http://it.slashdot.org/story/13/08/06/1 ... javascript

Otherwise please provide a link.

[zxr250cc]

I am not sure...

http://www.itworld.com/software/367979/ ... javascript

It looks to me as if the javascript problem is more than the TOR issue. Maybe I am not getting the meaning of this?

cheers

[doktor5000]

It looks to me as if the javascript problem is more than the TOR issue. Maybe I am not getting the meaning of this?

It's a privacy issue. If you use TOR, normally you want to be anonymous. At the same time, allowing javascript applets
to be executed nearly completely ruins your privacy, and defeats the purpose of TOR.

This is nowadays the default for TOR, and as lame excuse their reason is "Without javascript many websites don't work ..."
See https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled

So basically you decide: Do you want anonymity/privacy, then disable Javascript in your TOR browser.

This has nothing to do with Firefox, reread your linked page:

The TOR Project's reasoning comes from the characteristics of the malicious JavaScript that exploited the zero-day vulnerability. The script was written to target Windows computers running Firefox 17 ESR (Extended Support Release), a version of the browser customized to view websites using TOR.

You won't be safer by switching to Firefox last stable or Opera, generally speaking ...

[zxr250cc]

Well, I don't use TOR but I have used browsers with java script turned off and they work poorly on many sites that way. I guess I will just ignore this for the time being.

cheers,

[jiml8]

Installing privoxy in the chain with TOR will help a lot, if you know how to use privoxy, because privoxy will automatically remove a lot of scripting that meets certain criteria. You then can use noscript selectively to enable only those scripts you really need in order to view a site.

For myself, I have privoxy set up to be very restrictive and to remove a LOT of things. I also have it spoofing my browser ID and from time to time I change how it identifies my browser (and I use browser identifiers taken from my website logs to make sure I come up with real strings). My general policy is that I only allow the minimum necessary to view the site, and if that "minimum" gets too large, I don't need to view the site. If I really have to view the site, I then view it from an unsecured browser in a virtual machine that I NEVER browse with; I only view specific sites that I have to see for one reason or another.

I doubt I can guard myself adequately against NSA. Their resources are vast. But I'm probably pretty secure against everyone else.

As it happens, my security setup causes me trouble with this site. Usually, the time it takes me to write a message is sufficient for the site to no longer recognize my login. I have not investigated, but I suppose that is because the IP address seen for me changes as my TOR exit node changes from time to time. So I have acquired the habit of copying the entire message into the clipboard before submitting, so that when I get the login prompt, I can just log in, and paste the message into the reply box and promptly submit. If I don't do this, my post vanishes.