NoScript white-list consisting of only https domains would be a better default and still offer a reasonable user-experience. Add the lack of auto updating (all you get is a warning/notice on the default homepage) and I'm sure a good portion of Tor users is vulnerable because of this decision. The window of several days between the upstream release of security patches for Firefox and TBB releases doesn't help. Every JavaScript related code execution vulnerability can be used not only to fully compromise browser sessions, saved cookies, history and passwords but your entire user account on your OS, all files and most importantly, your IP address!
Of course it's the wrong decision, especially since Firefox doesn't do sandboxing like Chrome, IE and now Safari. It has been brought up before but the developers think it's a good idea.
Same with the Linux bundle since several versions.
0 kommentar(er)
