[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] r26134: {website} removed torbutton pages, moved 2 questions to general FAQ (# (in website/trunk: docs/en torbutton/en)
Author: moritz
Date: 2013-03-26 04:38:32 +0000 (Tue, 26 Mar 2013)
New Revision: 26134
Modified:
website/trunk/docs/en/faq.wml
website/trunk/torbutton/en/index.wml
website/trunk/torbutton/en/sidenav.wmi
website/trunk/torbutton/en/torbutton-faq.wml
website/trunk/torbutton/en/torbutton-options.wml
Log:
removed torbutton pages, moved 2 questions to general FAQ (#6567)
Modified: website/trunk/docs/en/faq.wml
===================================================================
--- website/trunk/docs/en/faq.wml 2013-03-25 22:48:25 UTC (rev 26133)
+++ website/trunk/docs/en/faq.wml 2013-03-26 04:38:32 UTC (rev 26134)
@@ -62,7 +62,7 @@
<li><a href="#TBBPolipo">I need an HTTP proxy. Where did Polipo
go?</a></li>
<li><a href="#TBBOtherExtensions">Can I install other Firefox
- extensions?</a></li>
+ extensions? Which extensions should I avoid using?</a></li>
<li><a href="#TBBJavaScriptEnabled">Why is NoScript configured to
allow JavaScript by default in the Tor Browser Bundle? Isn't that
unsafe?</a></li>
@@ -942,11 +942,44 @@
and other Flash-based sites?</a></h3>
<p>
-<a
-href="https://www.torproject.org/torbutton/torbutton-faq.html.
-en#noflash">Answer</a>
+YouTube and similar sites require third party browser plugins such as Flash.
+Plugins operate independently from Firefox and can perform
+activity on your computer that ruins your anonymity. This includes
+but is not limited to: <a href="http://decloak.net";>completely disregarding
+proxy settings</a>, querying your <a
+href="http://forums.sun.com/thread.jspa?threadID=5162138&messageID=9618376";>local
+IP address</a>, and <a
+href="http://epic.org/privacy/cookies/flash.html";>storing their own
+cookies</a>. It is possible to use a LiveCD solution such as
+or <a href="https://tails.boum.org/";>The Amnesic Incognito Live System</a> that creates a
+secure, transparent proxy to protect you from proxy bypass, however issues
+with local IP address discovery and Flash cookies still remain. </p>
+
+<p>
+<a href="https://www.youtube.com/html5";>YouTube offers experimental HTML5 video
+support</a> for many of their videos. You can use their Advanced Search to
+find HTML5 videos.
</p>
+<p>
+If you are not concerned about being tracked by these sites (and sites that
+try to unmask you by pretending to be them), and are unconcerned about your
+local censors potentially noticing you visit them, you can enable plugins by
+going into the Torbutton Preferences -> Security Settings
+tab and unchecking "Disable browser plugins (such as Flash)" box. If you do this
+without The Amnesic Incognito Live System or appropriate firewall
+rules, we strongly suggest you at least use <a
+href="https://addons.mozilla.org/en-US/firefox/addon/722";>NoScript</a> to <a
+href="http://noscript.net/features#contentblocking";>block plugins</a>. You do
+not need to use the NoScript per-domain permissions if you check the <b>Apply
+these restrictions to trusted sites too</b> option under the NoScript Plugins
+preference tab. In fact, with this setting you can even have NoScript allow
+Javascript globally, but still block all plugins until you click on their
+placeholders in a page. We also recommend <a
+href="https://addons.mozilla.org/en-US/firefox/addon/6623";>Better Privacy</a>
+in this case to help you clear your Flash cookies.
+</p>
+
<hr>
<a id="TBBSocksPort"></a>
@@ -1010,6 +1043,23 @@
its name).
</p>
+<p>
+Generally, extensions that require registration, and/or provide
+additional information about websites you are visiting, should be
+suspect.
+</p>
+
+<p>
+Extensions you might like include
+ <a href="https://addons.mozilla.org/firefox/addon/953";>RefControl</a> (referer spoofing),
+ <a href="https://addons.mozilla.org/firefox/addon/1474";>SafeCache</a>,
+ <a href="https://addons.mozilla.org/en-US/firefox/addon/6623";>Better Privacy</a>,
+ <a href="https://addons.mozilla.org/firefox/addon/1865";>AdBlock Plus</a> (EasyPrivacy+EasyList),
+ <a href="https://addons.mozilla.org/firefox/addon/82";>Cookie Culler</a>,
+ <a href="https://addons.mozilla.org/en-US/firefox/addon/9727/";>Request Policy</a> and
+ <a href="https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/";>Certificate Patrol</a>.
+</p>
+
<hr>
<a id="TBBJavaScriptEnabled"></a>
Modified: website/trunk/torbutton/en/index.wml
===================================================================
--- website/trunk/torbutton/en/index.wml 2013-03-25 22:48:25 UTC (rev 26133)
+++ website/trunk/torbutton/en/index.wml 2013-03-26 04:38:32 UTC (rev 26134)
@@ -99,37 +99,10 @@
have enough developer resources to keep up with the accelerated
Firefox release schedule, the toggle model of Torbutton is <a
href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton";>no
- longer recommended</a>. <b>Users should be using Tor Browser Bundle,
+ longer supported</a>. <b>Users should be using Tor Browser Bundle,
not installing Torbutton themselves.</b>
</p>
- <br/><br/>
- <strong>Current stable version:</strong><version-torbutton><br/>
- <strong>Current alpha version:</strong><version-torbutton-alpha><br/>
- <br/>
- <strong>Maintainer:</strong> Mike Perry<br/>
- <br/>
- <strong>Expert Install (Stable):</strong> Click to <a
- href="https://www.torproject.org/dist/torbutton/torbutton-current.xpi";
- hash="<version-hash-torbutton>" onclick="return
- install(event);">install from this website</a>. Verify the <a href="https://www.torproject.org/dist/torbutton/torbutton-current.xpi.asc";>signature</a>.<br/>
-<!--
- <strong>Expert Install (Alpha):</strong> Click to
- <a href="https://www.torproject.org/dist/torbutton/torbutton-current-alpha.xpi";
- hash="<version-hash-torbutton-alpha>"
- onclick="return install(event);">install from this website</a>
- <br/>
- -->
-<!--
- <strong>English Google Search:</strong>
- Google search plugins for
- <a href="/jsreq.html" title="Ref: 14938 (googleCA)"
- onClick="addOpenSearch('GoogleCanada','ico','General','14937','g');return false">Google CA</a>, and
- <a href="/jsreq.html" title="Ref: 14938 (googleCA)"
- onClick="addOpenSearch('googleuk_web','png','General','14445','g');return false">Google UK</a>.
- <br/>
- -->
- <strong>Past Releases:</strong> <a href="https://archive.torproject.org/tor-package-archive/torbutton/";>Tor Archive</a><br/>
<strong>Developer Documentation:</strong> <a href="en/design/index.html.en">Torbutton Design Document</a> and <a href="en/design/MozillaBrownBag.pdf">Slides (Not actively updated)</a><br/>
<strong>Source:</strong> You can <a
@@ -137,8 +110,8 @@
repository</a> or simply unzip the xpi.
<br/>
<strong>Bug Reports:</strong> <a href="https://trac.torproject.org/projects/tor/report/14";>Torproject Bug Tracker</a><br/>
- <strong>Documents:</strong> <b>[</b> <a href="<page torbutton/torbutton-faq>">FAQ</a> <b>|</b>
- <a href="<page torbutton/torbutton-options>">Torbutton options</a> <b>|</b>
+ <strong>Documents:</strong>
+ <b>[</b>
<a href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/CHANGELOG";>changelog</a> <b>|</b>
<a href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/LICENSE";>license</a> <b>|</b>
<a href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/CREDITS";>credits</a> <b>]</b>
Modified: website/trunk/torbutton/en/sidenav.wmi
===================================================================
--- website/trunk/torbutton/en/sidenav.wmi 2013-03-25 22:48:25 UTC (rev 26133)
+++ website/trunk/torbutton/en/sidenav.wmi 2013-03-26 04:38:32 UTC (rev 26134)
@@ -1,36 +1,110 @@
-#!/usr/bin/wml
-
## translation metadata
# Revision: $Revision$
# Translation-Priority: 2-medium
-# this structure defines the side nav bar for the /torbutton pages
+# this structure defines the side nav bar for the /docs pages
# and is the input for include/side.wmi
# fields:
#
-# name - the $WML_SRC_BASENAME of the file. It should uniquely identify the
-# page because at build-time it is used to determine what view of the
-# navigation menu to generate
-#
# url - the path to the wml page, as used the the <page> tag. This tag ensures
# that links will point to the current language if supported, and alternately
# the english version
#
# txt - the link text to be displayed. Different translations will
# need to supply alternate txt
-
+
<:
my $sidenav;
$sidenav = [
- {'url' => 'torbutton/index',
- 'txt' => 'Torbutton',
- 'subelements' => [
- {'url' => 'torbutton/torbutton-options',
- 'txt' => 'Torbutton Options',
- },
- {'url' => 'torbutton/torbutton-faq',
- 'txt' => 'Torbutton FAQ',
- }]
- }]
+ {'url' => 'docs/documentation',
+ 'txt' => 'Documentation Overview',
+ },
+ {
+ 'url' => 'docs/installguide',
+ 'txt' => 'Installation Guides',
+ 'subelements' => [
+ {'url' => 'docs/tor-doc-windows',
+ 'txt' => 'Installing on Windows',
+ },
+ {'url' => 'docs/tor-doc-unix',
+ 'txt' => 'Installing on Linux/BSD/Unix',
+ },
+ {'url' => 'docs/debian',
+ 'txt' => 'Installing Tor on Debian/Ubuntu',
+ },
+ {'url' => 'docs/debian-vidalia',
+ 'txt' => 'Installing Vidalia on Debian/Ubuntu',
+ },
+ {'url' => 'docs/tor-doc-osx',
+ 'txt' => 'Installing Tor on Mac OS X',
+ },
+ {'url' => 'docs/android',
+ 'txt' => 'Installing Tor on Android',
+ },
+ {'url' => 'docs/N900',
+ 'txt' => 'Installing Tor on Maemo/N900',
+ },
+ {'url' => 'docs/verifying-signatures',
+ 'txt' => 'Verify our GPG signatures',
+ }],
+ },
+ {'url' => 'docs/manual',
+ 'txt' => 'Manuals',
+ 'subelements' => [
+ {
+ 'url' => 'docs/short-user-manual',
+ 'txt' => 'Short User Manual',
+ },
+ {'url' => 'docs/tor-relay-debian',
+ 'txt' => 'Configuring a Relay manually',
+ },
+ {'url' => 'docs/tor-doc-relay',
+ 'txt' => 'Configuring a Relay graphically',
+ },
+ {'url' => 'docs/tor-hidden-service',
+ 'txt' => 'Configuring a Hidden Service',
+ },
+ {'url' => 'docs/bridges',
+ 'txt' => 'Configuring a Bridge Relay',
+ },
+ {'url' => 'docs/running-a-mirror',
+ 'txt' => 'Configuring a Mirror',
+ },
+ {'url' => 'docs/tor-manual',
+ 'txt' => 'Tor -stable Manual',
+ },
+ {'url' => 'docs/tor-manual-dev',
+ 'txt' => 'Tor -alpha Manual',
+ },
+ {'url' => 'docs/proxychain',
+ 'txt' => 'Configuring Tor to use a Proxy Server',
+ },
+ {'url' => '<doxygen>',
+ 'txt' => 'Doxygen output from Tor codebase',
+ }]
+ },
+ {
+ 'url' => '<wiki>',
+ 'txt' => 'Tor Wiki',
+ },
+ {'url' => 'docs/faq',
+ 'txt' => 'General FAQ',
+ },
+ {'url' => 'torbutton/torbutton-faq',
+ 'txt' => 'Torbutton FAQ',
+ },
+ {'url' => 'docs/faq-abuse',
+ 'txt' => 'Abuse FAQ',
+ },
+ {'url' => 'docs/trademark-faq',
+ 'txt' => 'Trademark FAQ',
+ },
+ {'url' => 'eff/tor-legal-faq',
+ 'txt' => 'Tor Legal FAQ',
+ },
+ {'url' => 'eff/tor-dmca-response',
+ 'txt' => 'Tor DMCA Response',
+ },
+ ];
:>
Modified: website/trunk/torbutton/en/torbutton-faq.wml
===================================================================
--- website/trunk/torbutton/en/torbutton-faq.wml 2013-03-25 22:48:25 UTC (rev 26133)
+++ website/trunk/torbutton/en/torbutton-faq.wml 2013-03-26 04:38:32 UTC (rev 26134)
@@ -11,273 +11,28 @@
</div>
<div id="maincol">
<!-- PUT CONTENT AFTER THIS TAG -->
-
- <h2>Torbutton FAQ</h2>
+
+ <h2>Torbutton</h2>
<hr>
-
- <h3>Questions</h3>
- <br>
- <ul>
- <li><a href="<page torbutton/torbutton-faq>#noflash">I can't view videos on YouTube and other flash-based sites. Why?</a></li>
- <li><a href="<page torbutton/torbutton-faq>#oldtorbutton">Torbutton sure seems to do a lot of things, some of which I find annoying. Can't I just use the old version?</a></li>
- <li><a href="<page torbutton/torbutton-faq>#noautocomplete">When I use Tor, Firefox is no longer filling in logins/search boxes for me. Why?</a></li>
- <li><a href="<page torbutton/torbutton-faq>#thunderbird">What about Thunderbird support? I see a page, but it is the wrong version?</a></li>
- <li><a href="<page torbutton/torbutton-faq>#extensionconflicts">Which Firefox extensions should I avoid using?</a></li>
- <li><a href="<page torbutton/torbutton-faq>#recommendedextensions">Which Firefox extensions do you recommend?</a></li>
- <li><a href="<page torbutton/torbutton-faq>#securityissues">Are there any other issues I should be concerned about?</a></li>
- </ul>
- <br>
-
- <a id="noflash"></a>
- <strong><a class="anchor" href="#noflash">I can't view videos on YouTube and
- other Flash-based sites. Why?</a></strong>
-
+
<p>
- YouTube and similar sites require third party browser plugins such as Flash.
- Plugins operate independently from Firefox and can perform
- activity on your computer that ruins your anonymity. This includes
- but is not limited to: <a href="http://decloak.net";>completely disregarding
- proxy settings</a>, querying your <a
- href="http://forums.sun.com/thread.jspa?threadID=5162138&messageID=9618376";>local
- IP address</a>, and <a
- href="http://epic.org/privacy/cookies/flash.html";>storing their own
- cookies</a>. It is possible to use a LiveCD solution such as
- or <a href="https://tails.boum.org/";>The Amnesic Incognito Live System</a> that creates a
- secure, transparent proxy to protect you from proxy bypass, however issues
- with local IP address discovery and Flash cookies still remain. </p>
-
- <p>
- If you are not concerned about being tracked by these sites (and sites that
- try to unmask you by pretending to be them), and are unconcerned about your
- local censors potentially noticing you visit them, you can enable plugins by
- going into the Torbutton Preferences->Security Settings
- tab and unchecking "Disable browser plugins (such as Flash)" box. If you do this
- without The Amnesic Incognito Live System or appropriate firewall
- rules, we strongly suggest you at least use <a
- href="https://addons.mozilla.org/en-US/firefox/addon/722";>NoScript</a> to <a
- href="http://noscript.net/features#contentblocking";>block plugins</a>. You do
- not need to use the NoScript per-domain permissions if you check the <b>Apply
- these restrictions to trusted sites too</b> option under the NoScript Plugins
- preference tab. In fact, with this setting you can even have NoScript allow
- Javascript globally, but still block all plugins until you click on their
- placeholders in a page. We also recommend <a
- href="https://addons.mozilla.org/en-US/firefox/addon/6623";>Better Privacy</a>
- in this case to help you clear your Flash cookies.
+ Torbutton is the component in <a href="<page projects/torbrowser>">Tor
+ Browser Bundle</a> that takes care of application-level
+ security and privacy concerns in Firefox. To keep you safe,
+ Torbutton disables many types of active content.
</p>
-
- <a id="oldtorbutton"></a>
- <strong><a class="anchor" href="#oldtorbutton">Torbutton sure seems to do a lot of things, some of which I find
- annoying. Can't I just use the old version?</a></strong>
-
+
<p>
-
- <b>No.</b> Use of the old version, or any other vanilla proxy changer
- (including FoxyProxy -- see below) without Torbutton is actively discouraged.
- Seriously. Using a vanilla proxy switcher by itself is so insecure that you are
- not only just wasting your time, you are also actually endangering yourself.
- <b>Simply do not use Tor</b> and you will have the same (and in some cases,
- better) security. For more information on the types of attacks you are exposed
- to with a "homegrown" solution, please see <a
- href="design/index.html.en#adversary">The Torbutton
- Adversary Model</a>, in particular the <a
- href="design/index.html.en#attacks">Adversary
- Capabilities - Attacks</a> subsection. If there are any specific Torbutton
- behaviors that you do not like, please file a bug on <a
- href="https://trac.torproject.org/projects/tor/report/14";>the
- bug tracker.</a> Most of Torbutton's security features can also be disabled via
- its preferences, if you think you have your own protection for those specific
- cases.
-
+ Now that the <a href="<page projects/torbrowser>">Tor Browser
+ Bundle</a> includes a patched version of Firefox, and because we don't
+ have enough developer resources to keep up with the accelerated
+ Firefox release schedule, the toggle model of Torbutton is <a
+ href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton";>no
+ longer supported</a>. <b>Users should be using Tor Browser Bundle,
+ not installing Torbutton themselves.</b>
</p>
-
- <a id="noautocomplete"></a>
- <strong><a class="anchor" href="#noautocomplete">When I use Tor, Firefox is no longer filling in logins/search boxes
- for me. Why?</a></strong>
-
- <p>
- Currently, this is tied to the "<b>Block history writes during Tor</b>"
- setting. If you have enabled that setting, all formfill functionality (both
- saving and reading) is disabled. If this bothers you, you can uncheck that
- option, but both history and forms will be saved. To prevent history
- disclosure attacks via Non-Tor usage, it is recommended you disable Non-Tor
- history reads if you allow history writing during Tor.
- </p>
-
- <a id="thunderbird"></a>
- <strong><a class="anchor" href="#thunderbird">What about Thunderbird support? I see a page, but it is the wrong
- version?</a></strong>
-
- <p>
- The Tor plugin for Thunderbird is called <a href="https://trac.torproject.org/projects/tor/wiki/torbirdy";>
- TorBirdy</a>.
- </p>
-
- <a id="extensionconflicts"></a>
- <strong><a class="anchor" href="#extensionconflicts">Which Firefox extensions should I avoid using?</a></strong>
-
- <p>
- This is a tough one. There are thousands of Firefox extensions: making a
- complete list of ones that are bad for anonymity is near impossible. However,
- here are a few examples that should get you started as to what sorts of
- behavior are dangerous.
- </p>
-
- <ol>
- <li>StumbleUpon, et al
- <p>
- These extensions will send all sorts of information about the websites you
- visit to the stumbleupon servers, and correlate this information with a
- unique identifier. This is obviously terrible for your anonymity.
- More generally, any sort of extension that requires registration, or even
- extensions that provide information about websites you visit should be
- suspect.
- </p></li>
- <li>FoxyProxy
- <p>
- While FoxyProxy is a nice idea in theory, in practice it is impossible to
- configure securely for Tor usage without Torbutton. Like all vanilla third
- party proxy plugins, the main risks are <a
- href="http://www.decloak.net/";>plugin leakage</a>
- and <a href="http://ha.ckers.org/weird/CSS-history.cgi";>history
- disclosure</a>, followed closely by cookie theft by exit nodes and tracking by
- adservers (see the <a href="design/index.html.en#adversary">Torbutton Adversary
- Model</a> for more information). However, with Torbutton installed in tandem
- and always enabled, it is possible to configure FoxyProxy securely (though it
- is tricky). Since FoxyProxy's 'Patterns' mode only applies to specific urls,
- and not to an entire tab, setting FoxyProxy to only send specific sites
- through Tor will still allow adservers (whose hosts don't match your filters) to learn your real IP. Worse, when
- sites use offsite logging services such as Google Analytics, you will
- still end up in their logs with your real IP. Malicious exit nodes can also
- cooperate with sites to inject images into pages that bypass your filters.
- Setting FoxyProxy to only send certain URLs via Non-Tor is much more secure in
- this regard, but be very careful with the filters you allow. For example,
- something as simple as allowing *google* to go via Non-Tor will still cause you to end up
- in all the logs of all websites that use Google Analytics! See
- <a href="http://foxyproxy.mozdev.org/faq.html#privacy-01";>this question</a> on
- the FoxyProxy FAQ for more information.
- </p></li>
- </ol>
-
- <a id="recommendedextensions"></a>
- <strong><a class="anchor" href="#recommendedextensions">Which Firefox extensions do you recommend?</a></strong>
- <ol>
- <li><a href="https://addons.mozilla.org/firefox/addon/953";>RefControl</a>
- <p>
- Mentioned above, this extension allows more fine-grained referrer spoofing
- than Torbutton currently provides. It should break less sites than Torbutton's
- referrer spoofing option.</p></li>
-
- <li><a href="https://addons.mozilla.org/firefox/addon/1474";>SafeCache</a>
- <p>
- If you use Tor excessively, and rarely disable it, you probably want to
- install this extension to minimize the ability of sites to store long term
- identifiers in your cache. This extension applies same origin policy to the
- cache, so that elements are retrieved from the cache only if they are fetched
- from a document in the same origin domain as the cached element.
- </p></li>
-
- <li><a href="https://addons.mozilla.org/en-US/firefox/addon/6623";>Better
- Privacy</a>
- <p>
-
- Better Privacy is an excellent extension that protects you from cookies used
- by Flash applications, which often persist forever and are not clearable via
- normal Firefox "Private Data" clearing. Flash and all other plugins are
- disabled by Torbutton by default, but if you are interested in privacy, you
- may want this extension to allow you to inspect and automatically clear your
- Flash cookies for your Non-Tor usage.
-
- </p>
- </li>
- <li><a href="https://addons.mozilla.org/firefox/addon/1865";>AdBlock Plus</a>
- <p>
-
- AdBlock Plus is an excellent addon for removing annoying, privacy-invading,
- and <a
- href="http://www.wired.com/techbiz/media/news/2007/11/doubleclick";>malware-distributing</a>
- advertisements from the web. It provides
- <a href="http://adblockplus.org/en/subscriptions";>subscriptions</a> that are
- continually updated to catch the latest efforts of ad networks to circumvent
- these filters. I recommend the EasyPrivacy+EasyList combination filter
- subscription in the Miscellaneous section of the subscriptions page.
-
- </p>
- </li>
- <li><a href="https://addons.mozilla.org/firefox/addon/82";>Cookie Culler</a>
- <p>
-
- Cookie Culler is a handy extension to give quick access to the cookie manager
- in Firefox. It also provides the ability to protect certain cookies from
- deletion, but unfortunately, this behavior does not integrate well with Torbutton.
-
- </p>
- </li>
-
- <li><a href="https://addons.mozilla.org/en-US/firefox/addon/722";>NoScript</a>
- <p>
- Torbutton currently mitigates all known anonymity issues with Javascript.
- However, if you are concerned about Javascript exploits against your browser
- or against websites you are logged in to, you may want to use NoScript. It
- provides the ability to allow Javascript only for particular websites
- and also provides mechanisms to force HTTPS urls for sites with
- <a href="http://fscked.org/category/tags/insecurecookies";>insecure
- cookies</a>.<br>
-
- It can be difficult to configure such that the most sites will work
- properly though. In particular, you want to make sure you do not remove
- the Javascript whitelist for
- addons.mozilla.org, as extensions are downloaded via http and verified by
- javascript from the https page.
-
- </p></li>
- <li><a href="https://addons.mozilla.org/en-US/firefox/addon/9727/";>Request
- Policy</a>
- <p>
-
- Request Policy is similar to NoScript in that it requires that you configure
- which sites are allowed to load content from other domains. It can be very
- difficult for novice users to configure properly, but it does provide a good
- deal of protection against ads, injected content, and cross-site request
- forgery attacks.
-
- </p>
- </li>
-
- </ol>
-
- <a id="securityissues"></a>
- <strong><a class="anchor" href="#securityissues">Are there any other issues I should be concerned about?</a></strong>
-
- <p>
- There are a few known security issues with Torbutton (all of which are due to
- <a href="design/index.html.en#FirefoxBugs">unfixed
- Firefox security bugs</a>). The most important for anonymity is that it is
- possible to unmask the javascript hooks that wrap the Date object to conceal
- your timezone in Firefox 2, and the timezone masking code does not work at all
- on Firefox 3. We are working with the Firefox team to fix one of <a
- href="https://bugzilla.mozilla.org/show_bug.cgi?id=392274";>Bug 399274</a> or
- <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=419598";>Bug 419598</a>
- to address this. In the meantime, it is possible to set the <b>TZ</b>
- environment variable to <b>UTC</b> to cause the browser to use UTC as your
- timezone. Under Linux, you can add an <b>export TZ=UTC</b> to the
- /usr/bin/firefox script, or edit your system bashrc to do the same. Under
- Windows, you can set either a <a
- href="http://support.microsoft.com/kb/310519";>User or System Environment
- Variable</a> for TZ via My Computer's properties. In MacOS, the situation is
- <a
- href="http://developer.apple.com/documentation/MacOSX/Conceptual/BPRuntimeConfig/Articles/EnvironmentVars.html#//apple_ref/doc/uid/20002093-BCIJIJBH";>a
- lot more complicated</a>, unfortunately.
- </p>
-
- <p>
- In addition, RSS readers such as Firefox Livemarks can perform
- periodic fetches. Due to <a
- href="https://bugzilla.mozilla.org/show_bug.cgi?id=436250";>Firefox Bug
- 436250</a>, there is no way to disable Livemark fetches during Tor. This can
- be a problem if you have a lot of custom Livemark urls that can give away
- information about your identity.
- </p>
- </div>
+
+ </div>
<!-- END MAINCOL -->
<div id = "sidecol">
#include "side.wmi"
Modified: website/trunk/torbutton/en/torbutton-options.wml
===================================================================
--- website/trunk/torbutton/en/torbutton-options.wml 2013-03-25 22:48:25 UTC (rev 26133)
+++ website/trunk/torbutton/en/torbutton-options.wml 2013-03-26 04:38:32 UTC (rev 26134)
@@ -11,257 +11,27 @@
</div>
<div id="maincol">
<!-- PUT CONTENT AFTER THIS TAG -->
-
- <h2>Torbutton Options</h2>
+
+ <h2>Torbutton</h2>
<hr>
-
- <p>Torbutton 1.2.0 adds several new security features to protect your
- anonymity from all the major threats we know about. The defaults should be
- fine (and safest!) for most people, but in case you are the tweaker type,
- or if you prefer to try to outsource some options to more flexible extensions,
- here is the complete list. (In an ideal world, these descriptions should all be
- tooltips in the extension itself, but Firefox bugs <a
- href="https://bugzilla.mozilla.org/show_bug.cgi?id=45375";>45375</a> and <a
- href="https://bugzilla.mozilla.org/show_bug.cgi?id=218223";>218223</a> currently
- prevent this.)</p>
-
- <ul>
- <li>Disable plugins on Tor Usage (crucial)<p>
-
- This option is key to Tor security. Plugins perform their own networking
- independent of the browser, and many plugins only partially obey even their own
- proxy settings.
- </p></li>
- <li>Isolate Dynamic Content to Tor State (crucial)<p>
-
- Another crucial option, this setting causes the plugin to disable Javascript
- on tabs that are loaded during a Tor state different than the current one,
- to prevent delayed fetches of injected URLs that contain unique identifiers,
- and to prevent meta-refresh tags from revealing your IP when you turn off
- Tor. It also prevents all fetches from tabs loaded with an opposite Tor
- state. This serves to block non-Javascript dynamic content such as CSS
- popups from revealing your IP address if you disable Tor.
- </p></li>
- <li>Hook Dangerous Javascript (crucial)<p>
-
- This setting enables the Javascript hooking code. Javascript is injected into
- pages to hook the Date object to mask your timezone, and to hook the navigator
- object to mask OS and user agent properties not handled by the standard
- Firefox user agent override settings.
- </p></li>
- <li>Resize window dimensions to multiples of 50px on toggle (recommended)<p>
-
- To cut down on the amount of state available to fingerprint users uniquely,
- this pref causes windows to be resized to a multiple of 50 pixels on each
- side when Tor is enabled and pages are loaded.
- </p></li>
- <li>Disable Updates During Tor (recommended)<p>
-
- Under Firefox 2, many extension authors did not update their extensions from
- SSL-enabled websites. It is possible for malicious Tor nodes to hijack these extensions and replace them with malicious ones, or add malicious code to
- existing extensions. Since Firefox 3 now enforces encrypted and/or
- authenticated updates, this setting is no longer as important as it once
- was (though updates do leak information about which extensions you have, it is
- fairly infrequent).
- </p></li>
- <li>Disable Search Suggestions during Tor (optional)<p>
-
- This optional setting governs if you get Google search suggestions during Tor
- usage. Since no cookie is transmitted during search suggestions, this is a
- relatively benign behavior.
- </p></li>
- <li>Block Livemarks updates during Tor usage (recommended)<p>
-
- This setting causes Torbutton to disable your <a
- href="http://www.mozilla.com/firefox/livebookmarks.html";>Live bookmark</a>
- updates. Since most people use Live bookmarks for RSS feeds from their blog,
- their friends' blogs, the wikipedia page they edit, and other such things,
- these updates probably should not happen over Tor. This feature takes effect
- in Firefox 3.5 and above only.
-
- </p></li>
- <li>Block Tor/Non-Tor access to network from file:// urls (recommended)<p>
-
- These settings prevent local html documents from transmitting local files to
- arbitrary websites <a href="http://www.gnucitizen.org/blog/content-disposition-hacking/";>under Firefox 2</a>. Since exit nodes can insert headers that
- force the browser to save arbitrary pages locally (and also inject script into
- arbitrary html files you save to disk via Tor), it is probably a good idea to
- leave this setting on.
- </p></li>
- <li>Close all Non-Tor/Tor windows and tabs on toggle (optional)<p>
-
- These two settings allow you to obtain a greater degree of assurance that
- after you toggle out of Tor, the pages are really gone and can't perform any
- extra network activity. Currently, there is no known way that pages can still
- perform activity after toggle, but these options exist as a backup measure
- just in case a flaw is discovered. They can also serve as a handy 'Boss
- Button' feature for clearing all Tor browsing off your screen in a hurry.
- </p></li>
- <li>Isolate access to history navigation to Tor state (crucial)<p>
-
- This setting prevents both Javascript and accidental user clicks from causing
- the session history to load pages that were fetched in a different Tor state
- than the current one. Since this can be used to correlate Tor and Non-Tor
- activity and thus determine your IP address, it is marked as a crucial
- setting.
- </p></li>
- <li>Block History Reads during Tor (crucial)<p>
-
- Based on code contributed by <a href="http://www.collinjackson.com/";>Collin
- Jackson</a>, when enabled and Tor is enabled, this setting prevents the
- rendering engine from knowing if certain links were visited. This mechanism
- defeats all document-based history disclosure attacks, including CSS-only
- attacks.
- </p></li>
- <li>Block History Reads during Non-Tor (recommended)<p>
-
- This setting accomplishes the same but for your Non-Tor activity.
- </p></li>
- <li>Block History Writes during Tor (recommended)<p>
-
- This setting prevents the rendering engine from recording visited URLs, and
- also disables download manager history. Note that if you allow writing of Tor history,
- it is recommended that you disable non-Tor history reads, since malicious
- websites you visit without Tor can query your history for .onion sites and
- other history recorded during Tor usage (such as Google queries).
- </p></li>
- <li>Block History Writes during Non-Tor (optional)<p>
-
- This setting also disables recording any history information during Non-Tor
- usage.
- </p></li>
- <li>Clear History During Tor Toggle (optional)<p>
-
- This is an alternate setting to use instead of (or in addition to) blocking
- history reads or writes.
- </p></li>
- <li>Block Password+Form saving during Tor/Non-Tor<p>
-
- These options govern if the browser writes your passwords and search
- submissions to disk for the given state.
- </p></li>
- <li>Block Tor disk cache and clear all cache on Tor Toggle<p>
-
- Since the browser cache can be leveraged to store unique identifiers, cache
- must not persist across Tor sessions. This option keeps the memory cache active
- during Tor usage for performance, but blocks disk access for caching.
- </p></li>
- <li>Block disk and memory cache during Tor<p>
-
- This setting entirely blocks the cache during Tor, but preserves it for
- Non-Tor usage.
- </p></li>
- <li>Clear Cookies on Tor Toggle<p>
-
- Fully clears all cookies on Tor toggle.
- </p></li>
- <li>Store Non-Tor cookies in a protected jar<p>
-
- This option stores your persistent Non-Tor cookies in a special cookie jar
- file, in case you wish to preserve some cookies. Based on code contributed
- by <a href="http://www.collinjackson.com/";>Collin Jackson</a>. It is
- compatible with third party extensions that you use to manage your Non-Tor
- cookies. Your Tor cookies will be cleared on toggle, of course.
- </p></li>
- <li>Store both Non-Tor and Tor cookies in a protected jar (dangerous)<p>
-
- This option stores your persistent Tor and Non-Tor cookies
- separate cookie jar files. Note that it is a bad idea to keep Tor
- cookies around for any length of time, as they can be retrieved by exit
- nodes that inject spoofed forms into plaintext pages you fetch.
- </p></li>
- <li>Manage My Own Cookies (dangerous)<p>
-
- This setting allows you to manage your own cookies with an alternate
- extension, such as <a href="https://addons.mozilla.org/firefox/addon/82";>CookieCuller</a>. Note that this is particularly dangerous,
- since malicious exit nodes can spoof document elements that appear to be from
- sites you have preserved cookies for (and can then do things like fetch your
- entire gmail inbox, even if you were not using gmail or visiting any google
- pages at the time!).
- </p></li>
- <li>Do not write Tor/Non-Tor cookies to disk<p>
-
- These settings prevent Firefox from writing any cookies to disk during the
- corresponding Tor state. If cookie jars are enabled, those jars will
- exist in memory only, and will be cleared when Firefox exits.
- </p></li>
- <li>Disable DOM Storage during Tor usage (crucial)<p>
-
- Firefox has recently added the ability to store additional state and
- identifiers in persistent tables, called <a
- href="http://developer.mozilla.org/docs/DOM:Storage";>DOM Storage</a>.
- Obviously this can compromise your anonymity if stored content can be
- fetched across Tor-state.
- </p></li>
- <li>Clear HTTP auth sessions (recommended)<p>
-
- HTTP authentication credentials can be probed by exit nodes and used to both confirm that you visit a certain site that uses HTTP auth, and also impersonate you on this site.
- </p></li>
- <li>Clear cookies on Tor/Non-Tor shutdown<p>
-
- These settings install a shutdown handler to clear cookies on Tor
- and/or Non-Tor browser shutdown. It is independent of your Clear Private Data
- settings, and does in fact clear the corresponding cookie jars.
- </p></li>
- <li>Prevent session store from saving Tor-loaded tabs (recommended)<p>
-
- This option augments the session store to prevent it from writing out
- Tor-loaded tabs to disk. Unfortunately, this also disables your ability to
- undo closed tabs. The reason why this setting is recommended is because
- after a session crash, your browser will be in an undefined Tor state, and
- can potentially load a bunch of Tor tabs without Tor. The following option
- is another alternative to protect against this.
- </p></li>
- <li>On normal startup, set state to: Tor, Non-Tor, Shutdown State<p>
-
- This setting allows you to choose which Tor state you want the browser to
- start in normally: Tor, Non-Tor, or whatever state the browser shut down in.
- </p></li>
- <li>On crash recovery or session restored startup, restore via: Tor, Non-Tor<p>
-
- When Firefox crashes, the Tor state upon restart usually is completely
- random, and depending on your choice for the above option, may load
- a bunch of tabs in the wrong state. This setting allows you to choose
- which state the crashed session should always be restored in to.
- </p></li>
- <li>Prevent session store from saving Non-Tor/Tor-loaded tabs<p>
-
- These two settings allow you to control what the Firefox Session Store
- writes to disk. Since the session store state is used to automatically
- load websites after a crash or upgrade, it is advisable not to allow
- Tor tabs to be written to disk, or they may get loaded in Non-Tor
- after a crash (or the reverse, depending upon the crash recovery setting,
- of course).
- </p></li>
- <li>Set user agent during Tor usage (crucial)<p>
-
- User agent masking is done with the idea of making all Tor users appear
- uniform. A recent Firefox 2.0.0.4 Windows build was chosen to mimic for this
- string and supporting navigator.* properties, and this version will remain the
- same for all TorButton versions until such time as specific incompatibility
- issues are demonstrated. Uniformity of this value is obviously very important
- to anonymity. Note that for this option to have full effectiveness, the user
- must also allow Hook Dangerous Javascript ensure that the navigator.*
- properties are reset correctly. The browser does not set some of them via the
- exposed user agent override preferences.
- </p></li>
- <li>Spoof US English Browser<p>
-
- This option causes Firefox to send http headers as if it were an English
- browser. Useful for internationalized users.
- </p></li>
- <li>Don't send referrer during Tor Usage<p>
-
- This option disables the referrer header, preventing sites from determining
- where you came from to visit them. This can break some sites, however. <a
- href="http://www.digg.com";>Digg</a> in particular seemed to be broken by this.
- A more streamlined, less intrusive version of this option should be available
- eventually. In the meantime, <a
- href="https://addons.mozilla.org/firefox/addon/953";>RefControl</a> can
- provide this functionality via a default option of <b>Forge</b>.
- </p></li>
- </ul>
- </div>
+
+ <p>
+ Torbutton is the component in <a href="<page projects/torbrowser>">Tor
+ Browser Bundle</a> that takes care of application-level
+ security and privacy concerns in Firefox. To keep you safe,
+ Torbutton disables many types of active content.
+ </p>
+
+ <p>
+ Now that the <a href="<page projects/torbrowser>">Tor Browser
+ Bundle</a> includes a patched version of Firefox, and because we don't
+ have enough developer resources to keep up with the accelerated
+ Firefox release schedule, the toggle model of Torbutton is <a
+ href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton";>no
+ longer supported</a>. <b>Users should be using Tor Browser Bundle,
+ not installing Torbutton themselves.</b>
+ </p>
+ </div>
<!-- END MAINCOL -->
<div id = "sidecol">
#include "side.wmi"
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits