Message-ID: <570ac694.ef5e8c0a.ddc81.4e27@mx.google.com>
Date: Sun, 10 Apr 2016 18:33:07 -0300
From: juan <juan.g71@gmail.com>
To: tor-talk@lists.torproject.org
In-Reply-To: <570AC1CD.9070901@gmx.com>
References: <loom.20160410T123224-381@post.gmane.org>
 <570AC1CD.9070901@gmx.com>
Subject: Re: [tor-talk] web browser add-on extensions vulnerabilities

On Sun, 10 Apr 2016 16:12:45 -0500
Joe Btfsplk <joebtfsplk@gmx.com> wrote:

> On 4/10/2016 5:36 AM, jb wrote:
> > Tor Browser users:
> >
> > NoScript and other popular Firefox add-ons open millions to new
> > attack
> > http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/
> >
> > TB supplies default extensions, from which two are TB project's own
> > and should be subjected to an extension review process like those
> > vetted by Mozilla.
> >
> > The researchers provide a CROSSFIRE tool to analyze them.
> > Google search:
> > CrossFire: An Analysis of Firefox Extension-Reuse
> >
> > Of course, one more reason to be careful about using add-ons in TB.
> > jb
> >
>  From same page:
> "Nine of the top 10 most popular Firefox add-ons contain exploitable 
> vulnerabilities."



	Translation: Mozilla's 'sandboxing' system is a piece of shit
	and/or purposely sabotaged.

> "Besides NoScript, Video DownloadHelper, Firebug, Greasemonkey, and 
> FlashGot Mass Down all contained bugs that made it possible for the 
> malicious add-on to execute malicious code. Many of those apps, and
> many others analyzed in the study, also made it possible to steal
> browser cookies, control or access a computer's file system, or to
> open webpages to sites of an attacker's choosing."


