Delivery-Date: Fri, 21 Aug 2015 01:50:05 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 6DAA91E104F;
	Fri, 21 Aug 2015 01:50:03 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 2322136EE7;
	Fri, 21 Aug 2015 05:49:55 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id E9C5C36EE1
 for <tor-talk@lists.torproject.org>; Fri, 21 Aug 2015 05:49:50 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 1bVEQiMjgoVj for <tor-talk@lists.torproject.org>;
 Fri, 21 Aug 2015 05:49:50 +0000 (UTC)
Received: from vincent.hireahit.com (vincent.hireahit.com [23.19.120.58])
 by eugeni.torproject.org (Postfix) with ESMTP id D55BD36ED4
 for <tor-talk@lists.torproject.org>; Fri, 21 Aug 2015 05:49:50 +0000 (UTC)
Received: from VINCENT.hireahit.com by hireahit.com (vincent.hireahit.com)
 (SecurityGateway 3.0.2) with ESMTP id SG002319553.MSG 
 for <tor-talk@lists.torproject.org>; Thu, 20 Aug 2015 22:44:34 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=hireahit.com;
 s=MD-20140321; t=1440135871; x=1440740671; q=dns/txt; h=Message-ID:
 Date:From:User-Agent:MIME-Version:To:Subject:References:
 In-Reply-To:Content-Type:Content-Transfer-Encoding; bh=vVbFMg2yE
 dKqsEBjb9CJWIv1kgq06CMKbVoicOYvwYQ=; b=vYvKOnfXaOIzHiSDaKQUScp/f
 /8FvwYwN/PqXt5rCEWHjyZKzeydfn3kY26aMivFZlx6mAEGGXRntGfx3T89fTVbp
 r1EXvccLjs5XZV2/AvP/caaSnqo4mzOLJp0nNhbE4jmMz852ALkn4px7djgHYMaX
 KRjiEtUQ0WYdWQV/Q0=
Received: from [x.x.x.x] ([184.68.44.226])
 by VINCENT.hireahit.com ([23.19.120.58])
 (Cipher TLSv1.2:AES-SHA:256) (MDaemon PRO v15.0.3) 
 with ESMTPSA id 43-md50000023259.msg for <tor-talk@lists.torproject.org>;
 Thu, 20 Aug 2015 22:44:30 -0700
X-MDRemoteIP: 184.68.44.226
X-MDArrival-Date: Thu, 20 Aug 2015 22:44:30 -0700
X-Authenticated-Sender: davew@hireahit.com
X-Return-Path: davew@hireahit.com
X-Envelope-From: davew@hireahit.com
X-MDaemon-Deliver-To: tor-talk@lists.torproject.org
Message-ID: <55D6BAB9.2060607@hireahit.com>
Date: Thu, 20 Aug 2015 22:44:25 -0700
From: Dave Warren <davew@hireahit.com>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64;
 rv:25.4) Gecko/20150524 FossaMail/25.1.5
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <2387491440131229@web8g.yandex.ru>
In-Reply-To: <2387491440131229@web8g.yandex.ru>
Subject: Re: [tor-talk] Request: Firefox extension/addon checking tutorial
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

On 2015-08-20 21:27, Cain Ungothep wrote:
>> Anybody care to make a peer-reviewed guide of how to check the
>> >extensions for leaks, cheats and other dirty tricks?
> I would say use the source, Lara.
>
> It's problematic, of course, since it requires an expert not only on
> programming, networking, privacy and security but also on Mozilla's
> extension architecture.  But really, I don't think there's any other
> way.

I doubt there are many people who are truly competent to check the 
source. You don't just need a programmer who checks to make sure the 
code does what they expect, but also that there aren't any corner cases 
where something does leak, just a little.

To be secure, one must also check the entirety of the Firefox source, 
since Firefox could easily have some behaviour which intentionally leaks 
when Tor is active (and possibly only when other conditions are met, to 
reduce the odds of anyone who isn't a target from observing any 
unexpected behaviour)

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren


-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

