[ overboard / sfw / alt / cytube] [ leftypol / b / WRK / hobby / tech / edu / ga / ent / music / 777 / posad / i / a / R9K / dead ] [ meta ]

/tech/ - Technology

"Technology reveals the active relation of man to nature"
Name
Email
Subject
Comment
Captcha
Tor Only

Flag
File
Embed
Password (For file deletion.)

Matrix   IRC Chat   Mumble   Telegram   Discord


File: 1695969625698.jpg ( 29.81 KB , 800x592 , crushedicemachine.jpg )

 No.12496

Backstory:
I became suspicious about the path NoScript is taking when devs decided that users are not allowed to block JS on addons.mozilla.org anymore.
I did not care much because I'm using Third-Party Request Blocker which not only lets you block JS but also incorporates the functionality of the great but sadly abandoned RequestPolicy addon, as well as some neat options like automatic redirect to archive.org in case the user encounters a CloudFlare-encumbered website.

However, I just noticed that Tor Browser doesn't allow you to disable/remove NoScript anymore.
Being a skilled conspiracy expert, this strongly rustled my jimmies.
Why the fuck are we forced to give a monopoly position to this useless piece of shit addon?

Well, maybe because addons are a great way to inject JavaScript and potentially use one of a gazillion JS engine vulnerabilities to expose the user's clearnet IP.
https://www.invicti.com/blog/web-security/noscript-vulnerability-tor-browser/

Let's not forget that TBB devs once before joined forces with the FBI and changed NoScript settings to allow all scripts by default so thousands of people using legit non-pedo services like TorMail could get hacked and identified using a JS exploit:
https://www.wired.com/2013/09/freedom-hosting-fbi/

So, what do?
Easy-peasy, I'll just find the extension and remove the file, right?
Wrong, as Tor Browser automatically reinstalls NoScript on startup. It seems (((someone))) has a strong interest to keep this addon around.

<How to actually remove NoScript:

Overwrite the file and remove write permissions:
cd tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default/extensions
grep -R -i noscript
grep: {73a6fe31-595d-460b-a920-fcc0f8843232}.xpi: binary file matches
echo -n '' > "{73a..."
chmod ugo-rw "{73a..."

…and hope they don't change permissions back at some point -.-

<Please note that shitty NoScript is still better than shitty JavaScript, so make sure you continue to block scripts.
>>

 No.12498

Fun fact:
I can't even complain to Tor devs about this decision because their git hosting software FUCKING REQUIRES JAVASCRIPT TO EVEN VIEW THE DISCUSSION:
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41598
>>

 No.12569

>>12496
>…and hope they don't change permissions back at some point -.-
After the next update NoScript was back.
Maybe chown root the extensions folder?
>>

 No.12571

I didn't even know this happened.
Can't well tell them how gay this is? Tor is open source.
>>

 No.12572

>>12496
I remember reading about people proposing ideas to make a java-syntax compatible replacement-script with dramatically reduced functionality but also much greater security. Something that was supposed to work for the basic stuff that most websites use.

Anybody know what happened to that, maybe that would be useful for this.

If you cared about security, you wouldn't add java-script and then add another program ontop of it to disable it.
>>

 No.12573

>>12569
>Maybe chown root the extensions folder?
I tried chmod u-w on the extensions folder, this resulted in TBB starting up but when I tried to open a website it just kept re-downloading the page over and over but it never displayed it.

>>12571
>Tor is open source.
I tried to compile TBB once but couldn't figure out how to do it. Maybe I'll try again.

And it seems they are rewriting the Tor daemon in Rust.
https://blog.torproject.org/arti_119_released/

Compiling Rust requires tons of free disk space (like 10+GB) and half a day on a mediocre multi-core machine.
Problem, gentoo users?

>>12572
>I remember reading about people proposing ideas to make a java-syntax compatible replacement-script with dramatically reduced functionality
If it is turing-complete it is potentially vulnerable. Something to do with P=NP and the halting problem.
Anything else I think you can already do with html and css.
See https://codepen.io/mcShane/pen/zYmdrzP for example.

>If you cared about security, you wouldn't add java-script and then add another program ontop of it to disable it.

Indeed. But their focus probably lies on anonymity more than security.
>>

 No.12574

>>12573
>If it is turing-complete it is potentially vulnerable.
A solution for websites that need JS for whatever reason would be to distribute gpg-signed browser extensions. At least that way the code can be audited.
But if your site requires JS, it might be worth considering to release it as software instead…
>>

 No.12709

Last time my TBB updated, it didn't reinstall NoScript.
So it seems someone got through to the devs. Let's hope it stays that way.
>>

 No.12728

>>12496
>Well, maybe because addons are a great way to inject JavaScript and potentially use one of a gazillion JS engine vulnerabilities to expose the user's clearnet IP.
If you can be deanonymized with javascript then the noscript extension is really not the problem. If you don't know how to configure a tor-only firewall then use a system like tails or whonix which does it for you.

>Let's not forget that TBB devs once before joined forces with the FBI and changed NoScript settings

<ctrl-f noscript
<Phrase not found.
If you feel the need to lie that means you can't even convince yourself with this argument.

>It seems (((someone))) has a strong interest to keep this addon around.

The whole point of tor browser is to protect non-technical users who have a tenancy to fuck things up by accident. If they were malicious they would hide backdoor code in the browser itself not an extension you can just delete.

Unique IPs: 3

[Return][Catalog][Top][Home][Post a Reply]
Delete Post [ ]
[ overboard / sfw / alt / cytube] [ leftypol / b / WRK / hobby / tech / edu / ga / ent / music / 777 / posad / i / a / R9K / dead ] [ meta ]
ReturnCatalogTopBottomHome