Re: Confusion about TorButton, Noscript, etc.



On 18/08/08 11:17, Karsten N. wrote:
> NoScript blocks other "dangerous content" like Java applets, Flash,
> Silverlight... too. And it discovers cross-site scripting. So I prefer
> NoScript and FoxyProxy.

Me too (FoxyProxy pattern matching rules!). I also use CS Lite,
Refcontrol and ForceHTTPS. But let's not pretend that this approach is
safer than Torbutton.

For instance, let's say you visit a site that matches a pattern for using
Tor, but that the site contains an external object from another domain
that doesn't and thus will get a direct connection. Then you're screwed.
Apparently a fix for this is on the way: _all_ connections in a tab
whose URL matches a certain pattern will use the matched proxy. But this
was announced over a year ago, and AFAIK nothing has happened on that
front. It's marked as it will appear in version "?" in the road map, so
go figure.

In addition, Torbutton does all sorts of other stuff with Firefox that
otherwise could leak information or otherwise weaken anonymity. For
instance, a lot is done in order to separate Tor states, and especially
between Tor and non-Tor states, but you have none of that with
FoxyProxy. There are also options for disabling plugins like Flash and
Java, so the only edge NoScript might have is protecting against XSS, I
guess(?).

Of course, you might already know of the risks involved. IMHO, people
that don't feel that they know what they're doing ought to stick with
Torbutton. The others can consider the trade-offs in usability and
security between these two approaches. I bet there are many more than
those I've mentioned above.

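The third-party-object leak described in this message, as an added example that is not part of the original post or of FoxyProxy's code: it routes a page's sub-resources under per-request pattern matching and under the per-tab rule the post mentions, and lists the hosts that get a direct connection. The `*`-only pattern syntax, the function names and all URLs are assumptions constructed for illustration.

```javascript
// Added example with constructed data; the '*'-only pattern syntax is a
// simplifying assumption, not FoxyProxy's actual matcher.
function wildcardToRegExp(pattern) {
  // Escape regex metacharacters except '*', then turn '*' into '.*'.
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$", "i");
}

function usesProxy(patterns, url) {
  return patterns.some((p) => wildcardToRegExp(p).test(url));
}

// mode "per-request": every URL is matched against the patterns on its own.
// mode "per-tab": every request inherits the decision made for the tab's URL.
function routePage(patterns, tabUrl, resourceUrls, mode) {
  const tabProxied = usesProxy(patterns, tabUrl);
  return resourceUrls.map((url) => {
    const proxied = mode === "per-tab" ? tabProxied : usesProxy(patterns, url);
    return { url, host: new URL(url).hostname, route: proxied ? "proxy" : "direct" };
  });
}

// Hosts that see the client's real address although the tab itself is proxied.
function directHosts(patterns, tabUrl, resourceUrls, mode) {
  if (!usesProxy(patterns, tabUrl)) return [];
  const hosts = routePage(patterns, tabUrl, resourceUrls, mode)
    .filter((r) => r.route === "direct")
    .map((r) => r.host);
  return [...new Set(hosts)].sort();
}

// Constructed sample: one proxied site embedding objects from other domains.
const PATTERNS = ["*://*.example.org/*"];
const TAB_URL = "http://forum.example.org/thread/42";
const RESOURCES = [
  "http://forum.example.org/style.css",
  "http://static.forum.example.org/logo.png",
  "http://ads.example.net/banner.swf",
  "http://cdn.example.com/lib.js",
];

console.log("per-request:", directHosts(PATTERNS, TAB_URL, RESOURCES, "per-request"));
console.log("per-tab:", directHosts(PATTERNS, TAB_URL, RESOURCES, "per-tab"));
```

Running the same check against the resource list of a real page and your own proxy patterns shows which embedded domains would bypass the proxy before you rely on the rule set.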