Ringo Kamens wrote:
> I agree, people are working on network-wide attacks (which is great)
> but the biggest and most obvious risk to user privacy/anonymity is
> scripts. Perhaps firefox and noscript should come bundled and
> configured?
> Ringo Kamens
How about lynx? Prompts on every cookie, no javascript, no flash, no
java. And with no images, much faster over tor.
Watson Ladd
>
> On 2/15/07, James Muir <jamuir@xxxxxxxxxxxxxxx> wrote:
>> Nick Mathewson wrote:
>> > On Sun, Feb 04, 2007 at 08:58:36PM -0800, Wesley Kenzie wrote:
>> >> I've got an initial version up now at
>> http://www.showmyip.com/torstatus/
>> -
>> >> feedback welcome! More content and links to come!
>> >
>> > As others have noted, this is really excellent, but there's way too
>> > much information there for it to be useful for unsophisticated users.
>> > There's no way that my dad, for example could tell that his window
>> > width and height identify him far more uniquely than do his User-Agent
>> > or his "DMA code".
>> >
>> > Maybe there should be some kind of "What I Learned" section at the
>> > top, with parts like:
>> >
>> > Javascript said: "Your IP is x.y.z.w".
>> > (Learn more about how to disable Javascript _here_.),
>> > Java said: "Your IP is x.y.z.w.":
>> > (Learn more about how to disable Java _here_.)
>> >
>> > That is, sort information by order of significance of disclosure, and
>> > for each piece of information, tell users what it means, how much it
>> > isolates them, and how to stop disclosing it.
>> >
>> > Also, is there some way to see, use, and distribute the source for
>> > these pages? As long as you operate them, yours will of course be
>> > most popular, but my free software instincts make me ask "what do we
>> > do if Wesley is unavailable for a while?"
>>
>> Along with having a web page which attempts to educate Tor users about
>> the dangers of executing Java, JavaScript, Flash, etc. in their
>> browsers, I think there also needs to be a stronger warning about this
>> on the main Tor web site (tor.eff.org). There is a warning on the wiki
>> but this is something that's important enough to promote to the main
>> page (and have translated).
>>
>> There are Java and Flash applets that, when run in a Tor user's browser,
>> will open non-proxied connections back to their originating web sites
>> and thus expose a user's real IP address. This is, I think, the most
>> serious threat to Tor users who don't disable these in their browsers --
>> never mind fingerprinting my machine by capturing my screen resolution,
>> etc. with JavaScript.
>>
>> The NoScript extension with FireFox works great -- it disables all
>> scripts and plugins. I hope people who really need anonymity are using
>> these. However, I expect that many are using IE. I don't run Windows,
>> but I would guess that there probably isn't an easy way to disable Flash
>> in IE. A clear warning with the Tor client installation instructions
>> might help new Tor users better protect their anonymity.
>>
>> -James
>>
>>
>