[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: e-mail and anonymity



Enabling _javascript_ and cookies for everything is dangerous to anonymity, but doing that selectively is much less so. Cookies are recommended against because they, by definition, store something along with the user - meaning that even if the tor IP changes, the cookie can be used to connect it to the old one. This isn't an issue for a webmail system anyway, where you have a username that does a perfectly good job of connecting you to your old traffic already (and if you were trying to avoid that, you'd be using a new account, and thus a different cookie). Google, for example, uses cookies to help track users through IP changes, which can easily become dangerous if you use both Tor and non-Tor google in the same browser.

_javascript_'s only real danger to anonymity is exploits (i.e. if some _javascript_ traffic went outside the proxy, or if it helped compromise the browser), but it is worth noting that _javascript_ can also change the content of the page you're viewing. If you have a bad exit node that inserts fake _javascript_ into pages (it's happened), you won't have a real way to know the difference.

In theory, _javascript_ could also be of use in certain timing or latency attacks to discover a client's circuit (by generating large amounts of constant traffic), but that's not hard to do without _javascript_.

You should be fine enabling _javascript_ and cookies for specific sites that require it - although you should try to use SSL there if at all possible.

- John Brooks

On Sat, Aug 16, 2008 at 9:56 AM, Charles.F <Charles.f@xxxxxxxx> wrote:
Hi,

I am not shure I understand very well how mailing lists like this works, so correct me if I don't do it the way it should be.
I'm just gonna ask my question here, right ? :

If one wants to be anonymous when sending an receiving mails, one should use privoxy and tor on his browser and also disable Java, _javascript_, cookies and so on. 
Any webmail I tried to subscibe to couldn't work without either _javascript_ or Cookies enabled so I suppose webmails needs _javascript_ and/or Cookies enabled to work properly, am I right ? 
In that case, one can't be sure of its anonymity (as cookies or _javascript_ are enabled) when one send or receive mails... 

I hope my question is clear and sorry if the answer is obvious or if I didn't send it to the right e-mail address

Thanks