[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Adblock Plus and Ghostery should be included in Tor bundle



For me, a more basic question is whether installing extensions from a fresh Tor installed is (sufficiently) safe....


Very real problem
see -
https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
watch the slides from 140 onward.  Firefox/thunderbird case study
detailing just this problem. 

E75A7CF4


On 2/12/2012 3:00 PM, Patrick Mézard wrote:
> Le 12/02/12 16:53, Brian Franklin a écrit :
>> Adblock Plus and Ghostery should be included in Tor bundle
>>
>> Two reasons
>>
>> 1. Privacy. Fairly obvious why we do this. Stopping ads and ad
>> tracking is consistent with the privacy mission of the Tor Project.
>>
>> 2. Network health. Congestion has always been a problem on Tor.
>> Installing these plugins to stop HTTP requests which don't help the
>> user reduces congestion on the network and speeds up page loads for
>> each user and everybody else. Browsers won't be slowed down loading
>> tons of ads and ad scripts and the network won't have to process many
>> requests for junk. I think we can save a ton of bandwidth by stopping
>> the junk requests.
> For me, a more basic question is whether installing extensions from a fresh Tor installed is (sufficiently) safe. I do not know the details of the process but it probably involves some HTTPS connections to addons.mozilla.org. If the exit node can perform MITM attacks on SSL you may end up installing something unwanted. Could the initial setup be made safer, for instance by storing digests of addons.mozilla.org certificate in Tor bundles at build time and *warn* if they do not match (like a specialized Certificate Patrol would do)? Is it already addressed in Firefox?
> --
> Patrick Mézard
> _______________________________________________
> tor-talk mailing list
> tor-talk@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk