Unless already being done, a regular security audit of NoScript code is still needed.

For a long time already I have had the impression that as soon as an exit, entry or middle node from the United Kingdom is taking part, I experience problems with Tor connections. Or something like this:

A couple of years ago or so, one of the Tor developers replied in this blog that NoScript has not been audited due to lack of resources / low priority / whatever.

One can download and look at the code all day long and still miss something like an allowance for a certain dynamic encrypted advertisement/backdoor frame. The original subject here is a lack of the security review, and not a lack of the published source code. You introduced the "Red Herring" fallacy.

> The whole source code is publicly available in every each XPI.
> The NoScript extension contains the source code.
> Whoever told you that is spreading false information

> "Can you trust without the code review? Is anyone going to audit it,
> or continue assuming it's OK for anonymity?"

"This topic was about the availability of a public version-controlled repository, not about the availability of the source code or the validity of its GPL, which is not "a claim", but the license NoScript is released under not just on AMO or my website, but in several GNU Linux distributions including the source-only Gentoo."

"You've got it on your hard disk right now, if you're a NoScript user, otherwise you can download it here."

"You can examine and/or modify it by unzipping the XPI and the JAR inside, and "building" it back by rezipping both. It's been like that forever, since the very first version."

The whole source code is publicly available in every each XPI. The NoScript extension contains the source code. Whoever told you that is spreading false information

> "Can you trust without the code review? Is anyone going to audit it, or continue assuming it's OK for anonymity?"

UMatrix as an alternative, per Rise-up advice? It may not have the whatever "ClearClick" defense, but is more open and seems to have a better reputation.

Or is it perhaps an agenda? Yes, low priority, not enough people/time, etc. Various agencies probably delight in the TorBrowser community using this mysterious NoScript for so long.

Was it in the past AdBlock's blog - an article about the NoScript's malicious and deceptive operation in the past?

Can you trust it without the code review? Is anyone going to audit it, or continue assuming it's OK for anonymity?

One weird ID value is said to be user-assigned, yet I didn't set it. You'll see some exception URLs, some local directory/file paths, some unique IDs. Just open the advanced (about:config) settings in TorBrowser/Firefox and do a search on the word "NoScript".

NoScript: how long will it be pushed up our throats by the various anonymity products like Tor Browser, Tails, etc.?