[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Newbie's questions



-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

I have set up a rough HOWTO on having anonymous and non-anonymous
Firefox sessions co-exist (even though this itself is NOT recommended).
It is written for Windows, but mostly applies to any other operating
system. The HOWTO is here: http://www.cs.umn.edu/~eyv/anon-web.html
Any and all comments from the community are appreciated.
Thanks,
Eugene

Thus spake Michael Holstein:
>> (1) Does it mean that even when I visit unencrypted sites, nobody
>> would be able to tell what sites or pages I am requesting?
> 
> Correct. As long as you're also proxying the DNS via SOCKSv4, the only
> person that could "see" your traffic in the clear is the folks between
> the exit node and the destination.
> 
> However .. if you do something like access your (real) Yahoo mail,
> someone could connect that traffic with the "real" you .. because they
> could see your name in the HTTP traffic. Thus, it's unwise to leak the
> recipe to the secret sauce, and then go check your Hotmail account all
> in the same session.
> 
> You also need to be mindful of combining your "anonymous" and "regular"
> activities .. if, for example, you allow sites to set cookies and you
> visit two sites both using DoubleClick .. that cookie will connect the
> "real" you and the "tor" you. Same goes for any website that requires
> authentication (eg: Yahoo mail, etc.). Someone could check the logs and
> say "well, I see it was TOR this time, but yesterday it was Comcast".
> 
>> (2) Can the green line be cracked by intercepting the packets or headers?
> 
> An attack against AES that's more effective than bruteforce is not (yet)
> known, so I'd say "probably not", although TOR developers are clear to
> tell you it doesn't defend against a "global adversary" (eg:
> $3_letter_agencies).
> 
>> (3) I don't know where the encryption key is stored. Can it be stolen
>> if my pc is hacked?
> 
> The client key is in memory, so no .. unless you do something like
> suspend your laptop while TOR is running (thus writing it to disk).
> Also, it's possible to have the key written to swap accidently.
> 
> You can prevent both those problems with a "liveCD" distro that dosen't
> touch the hard disk. There are many such "internet privacy appliances",
> my personal favorite being the one based on OpenBSD (Anonym.OS).
> 
> Other general recommendations :
> 
> Firefox (dump cookies on exit, no cache, etc)
> NoScript plugin (no javascript)
> FlashBlock plugin (no flash)
> 
> Cheers,
> 
> Michael Holstein CISSP GCIA
> Cleveland State University

- --
Eugene Y. Vasserman
http://www.cs.umn.edu/~eyv/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF5Fbs4S3hfPlRZlkRA+qqAKCiUU8XfIFVzpU07mel8BRa16oOigCgjXxc
GQDldcI2/4z5YzDWBEjrBJs=
=MyMJ
-----END PGP SIGNATURE-----