Author Topic: Blocking JavaScript protects Tor Browser against Firefox-holes  (Read 1392 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33582
  • malware fighter
Users that used JavaScript blocking in Tor browsers were not vulnerable and protected against the new Firefox zero-day.
Whenever you use Tor browser update to version https://blog.torproject.org/new-release-tor-browser-852 
that has been patched against this zero-day leakage.

Opera always had the right solution as where you could enable/disable javascript per site and in an easy manner.

The best ways of blocking JavaScript inside browsers is NoScript for Tor (firefox-Tor) and uMatrix for other browsers.
Block all javascript (certainly all 3rd party javascript) and allow the primary scripts as needed to let the website function normally.
Toggling NoScript and uMatrix does not need rocket-science insights, any power user and browser savvy person can learn this.

It is a great way of protection inside the browser and works flawlessly against old, present and new JavaScript threats in the browser,
even those that we do not know of as yet and will come to pester us in the future.

It is a pity that alerted website lists differ, Bitdefender's, DrWeb's and avast's all are complementary.
And some nasty adware, like Admob from Amazon is only flagged by DrWeb's like the other av solutions ignore.
Info credits go to luntrus on Security dot nl.

Polonus of course works the Suspicious Site Reporter extension in the browser to add questionable sites to Google Safebrowsing Repositories, so helping the user community to be better protected against such sites to shun.

This apart from my reporting in the virus and worms and the constant linting and providing recommendations to come to a more secure website landscape, helping towards implementing best policies, better settings, configuration and retiring vulnerable jQuery script
and javascript errors as such. We finally must fiond a way together to steer away from the utterly insecure Swiss cheese infrastructure we now so often meet on the Interwebz.

So keep those Javascript vizors down, folks

polonus


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33582
  • malware fighter
Re: Blocking JavaScript protects Tor Browser against Firefox-holes
« Reply #1 on: June 20, 2019, 10:17:36 PM »
Coinbase was actively attacked recently through these zero-days:
https://twitter.com/SecurityGuyPhil/status/1141466335592869888

So update your firefox browser, while you know you'd always should fully update, upgrade and patch.
Always, your very OS and all of your data may depend on it.
Still a lot of folks do not seem to bother. That is not good, not good at all, but alas.

pol

P.S. There were two zero days and the tor browser yet has to be patched against the second one.
« Last Edit: June 21, 2019, 09:10:54 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33582
  • malware fighter
Re: Blocking JavaScript protects Tor Browser against Firefox-holes
« Reply #2 on: June 21, 2019, 06:49:33 PM »
Contrary to what many may believe, it is possible to remove NoScript from Tor browser and install uMatrix.

uMatrix is somewhat easier to handle and toggle than NoScript is.
As a general rule block the global (option *) as much as possible (upper line 'all'),
per site one could just give in what can access and what not.
This could be seen as a best policy to get maximum security in an easy way through the use of the uMatrix extension.

Additionally install Bluhell firewall (recently updated again) and working the Interwebz becomes quite more secure,
just more pleasant and also can be performed  in a more privacy friendly manner.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33582
  • malware fighter
Re: Blocking JavaScript protects Tor Browser against Firefox-holes
« Reply #3 on: June 23, 2019, 01:50:41 PM »
I am now behind psiphon circumvention system.
Only thing to make sure is that you get it from an authentic source.
Psiphon is a circumvention tool from Psiphon Inc. that utilizes VPN, SSH
and HTTP Proxy technology to provide you with uncensored access to Internet content.
You are connected through the ports like VPN 1723 & SSH 22 which are not monitored.
In some countries like Turkey etc. such VPN apps are illegal.

polonus

P.S. When I check DNS with psiphon enabled via DNSQuerySniffer, I only see api.adguard.com & microsoft telemetry dns
or widget-mediator.zopim.com -> https://whotracks.me/trackers/mediator.media.html & https://whotracks.me/trackers/zopim.html

Also have a hunch google development is somehow involved with psiphon

Damian
« Last Edit: June 23, 2019, 02:52:54 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!