
Re: Firefox through Tor

Mike Perry wrote:
> Thus spake Eric H. Jung (eric.jung@xxxxxxxxx):
>> Hello Michaels,
>> I apologize for the delayed reply. Please don't interpret the
>> delay as a lack of interest--it surely isn't.
>> Quoting Mike Perry:
>>> Just clearing cookies every time there is a switch is not
>>> enough if there is an automatic Tor filter in place. The
>>> problem is that yahoo can custom-generate its links to
>>> DoubleClick so they encode your email address (dunno if they do
>>> this, but I'm sure some sites and ad partners do). Therefore
>>> identifying information is sent independent of the cookie.
>> I hope you'll both agree there's nothing FoxyProxy can do about
>> this. Unless you have a striking revelation which could solve the
>> problem programmatically, I'm just going to add this to the
>> FoxyProxy FAQ as a "be careful" warning in an attempt to educate.
> Depending on the flexibility of XPCOM, it should be possible to
> solve this problem programmatically (but it is error-prone).
> I probably should summarize everything from this thread again just
> so you have it all in one place:
> The way to solve the problem is to make sure that all embedded
> object links are in fact loaded through the active proxy for the
> parent tab/page. This includes frames, iframes, css, js, images,
> java, flash, and other misc plugin objects. Probably some other
> stuff too.
> So long as the 'evil' link-object is loaded through Tor, the
> problem is solved. The assumption is that the information encoded
> in the link isn't compromising by itself, but that the danger is
> that the browser will autoload the link in the clear and thus your
> real IP will be in that server's logs associating you with your
> Torrified email account.
> Also, because of accidental clicks, phishing attacks, and referrer
> urls, user followed links should also be protected. Pretty much
> anything the user follows from a protected, proxied page should
> inherit that page's proxy settings (including links followed by
> opening them in a new tab/window).
> Lastly, as Michael pointed out, you have to clear all cookies
> every time a proxy switch is done (mega bonus points for a mechanism
> to protect certain cookies from deletion a-la
> http://cookieculler.mozdev.org/). If you do not do this, a cookie
> accessed from an ad banner displayed while you are visiting a site
> in the clear can be transmitted again when you access your email
> account through Tor, thus ruining your pseudonymity against an
> adversary with access to the ad server's data (assume everyone).
> The reverse is also possible, so cookies have to be cleared in each
> direction of the switch.
> Even with all these countermeasures, the type of filter where you
> specify only untrusted/Tor sites is error prone and should carry
> heavy warnings for people who truly need anonymity, and needs to be
> tested heavily by vigilant people with a wide variety of usage
> habits.
> I do think that it should be possible to build such a filter
> though. And it would be very very nice to have.
>> I forgot to mention that if a URL doesn't match any patterns
>> defined in FoxyProxy, FoxyProxy *does not* default to a direct
>> connection. Instead, it defaults to whatever proxy (if any)
>> has been defined in Firefox's Connection Settings.
>> By defining Tor as the proxy in Firefox's Connection Settings,
>> Tor is used as a "catch-all" for non-matches.
>> I'll shortly be adding blacklist capability to FoxyProxy (it
>> already has whitelist ability). That, in conjunction with the
>> above "catch-all", should provide enough ingredients to come up
>> with some safe recipe for some of the problems both of you
>> describe, no?
> Yes, inverting the filter so that you list only sites that you
> trust to connect to in the clear is a much safer option (and much
> easier to implement!), but my guess is that it will be much less
> popular than the ability to specify the sites you only want to
> visit through Tor (ie gmail/yahoo/.onion). Therein lies the
> dilemma.
What about changing the proxy program so it always runs through
Privoxy, and having FoxyProxy switch the upstream proxy to none or
Tor? This solves the problem of identifiable information from the
beginning because it strips most of the identifiable stuff. You don't
even see those evil spy-cookie producing ads with Privoxy. If there is
any simple way to make it possible to quickly switch Privoxy to and
from Tor, that would strengthen the anonymity a lot.
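
The two requirements Mike Perry lists in the quoted text (embedded objects inherit the parent page's proxy, and cookies are cleared on every switch in both directions) can be checked with a small simulation. This is an added example, not code from the thread or from FoxyProxy; the hosts, the policy functions, `loadPage` and `scenario` are all hypothetical.

```javascript
// Added illustration: hypothetical names, not FoxyProxy's or Firefox's API.
const TOR = "tor", DIRECT = "direct";

// Constructed filter: only these sites are listed to go through Tor.
const torPatterns = [/^https:\/\/mail\.example\.test\//];
const byPattern = (url) => (torPatterns.some((re) => re.test(url)) ? TOR : DIRECT);

// Per-URL matching only: each embedded object is matched on its own URL.
const patternOnly = (url, _parentProxy) => byPattern(url);
// Policy from the thread: embedded objects inherit the parent page's proxy.
const inheritParent = (_url, parentProxy) => parentProxy;

function newSession(clearCookiesOnSwitch) {
  return { clearCookiesOnSwitch, lastProxy: null, cookies: new Map(), nextId: 1 };
}

// Simulates one page load; returns what each server would observe.
function loadPage(session, pageUrl, embedded, policy) {
  const pageProxy = byPattern(pageUrl);
  if (session.lastProxy !== null && session.lastProxy !== pageProxy &&
      session.clearCookiesOnSwitch) {
    session.cookies.clear(); // clear in both directions of the switch
  }
  session.lastProxy = pageProxy;
  return [pageUrl, ...embedded].map((url, i) => {
    const host = new URL(url).host;
    const proxy = i === 0 ? pageProxy : policy(url, pageProxy);
    const cookieSent = session.cookies.get(host) ?? null;
    if (cookieSent === null) session.cookies.set(host, `id-${session.nextId++}`);
    return { host, proxy, cookieSent };
  });
}

// Constructed browsing sequence: a clear-web page with an ad banner, then webmail
// (listed for Tor) embedding an ad link that encodes the account name.
function scenario(policy, clearCookiesOnSwitch) {
  const s = newSession(clearCookiesOnSwitch);
  loadPage(s, "https://news.example.test/", ["https://ads.example.test/banner"], policy);
  const seen = loadPage(s, "https://mail.example.test/inbox",
    ["https://ads.example.test/b?u=alice%40mail.example.test"], policy);
  return seen.find((r) => r.host === "ads.example.test");
}
```

`scenario` returns what the ad server observes on the webmail page: with `patternOnly` the ad link is fetched directly, and with `inheritParent` but no cookie clearing the earlier clear-web cookie is replayed through Tor.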