
Re: [tor-talk] Privacy Badger

> On Fri, Aug 28, 2015 at 08:05:17PM -0700, Mike Perry wrote:
> > Garrett Robinson:
> > > On 8/28/15 7:01 PM, Mike Perry wrote:
> > > > sg.info@xxxxxxxxxxxxxxxxxxx:
> > > >> Hi guys and girls, are there security issues using the privacy
> > > > >> badger from eff.org with the tor browser?  Or: Is there a
> > > > >> need to use privacy badger or is this utility dispensable?
> > > > 
> > > > The filters in use by Privacy Badger are fingerprintable - it is
> > > > possible for sites to determine that you have it installed.
> > > 
> > > Since Privacy Badger uses a learning heuristic based on the sites
> > > > you visit, it actually might be possible for it to leak information
> > > about your browsing history too.
> > 
> > Yikes! I didn't know this. This is especially bad, especially if
> > Privacy Badger has custom storage mechanisms for this that aren't
> > cleared regularly (which you touch on below). It may also result in
> > browsing history leaking to disk, which wouldn't normally happen in
> > the default Tor Browser.
> Mike, I'm interested: are you personally using any adblockers or
> NoScript in your everyday web surfing?

I "eat my own dog food" as the saying goes. I almost exclusively use Tor
Browser. I do not use any additional addons other than the default
(which includes NoScript). I do not use an adblocker.

I tend to use the Medium-High Security Slider level most of the time
(which among other things blocks Javascript for all non-https pages) so
I occasionally need to tell NoScript to allow scripts on http sites.
Thankfully, more and more sites appear to be either moving to https, or
ensuring that they work without Javascript. I use the default Tor
Browser NoScript settings.

There was a time when I used to do some things over non-Tor (like
watching Hulu), but since the loss of a reliable and regularly updated
flash player on Linux, I quit doing that. Since I managed to break that
habit, I'm unlikely to start doing it again, even if the DRM EME shit
ends up being supported by Hulu/Netflix/whatever.

I also don't think the current EME implementations are specified well
enough to be sure that the closed-source components are properly
sandboxed against insecurities and/or malicious operation. Mozilla's
implementation of EME came close, but until the sandbox itself can be
built reproducibly, it is really hard to say what is in the binaries
that Mozilla is giving us (especially when a new one arrives every
couple weeks). So for now at least, there appear to be only two choices:
live free, or die! ;)

Mike Perry
