[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Firefox and Tor? Forget about it!!



>  http://secunia.com/advisories/37699/

All fixed in FF 3.5.6.

>  I want something less bloated like Dillo:

I won't suggest anything. But there should be a browser that is
well developed/maintained and usable by the populous
that puts security first. Now 'populous' may prevent that but
surely finance/health/etc corporations might want a more
secure browser for internal deployment. OpenBSD and even
FreeBSD have fit that niche and balance fairly well.

>  a bootable Live CD with focus on privacy related software.

Sandboxing and well configured setups are always a good thing.
Tor's sole purpose is to prevent the real source of TCP packets
from being discovered. And to provide similarly hidden services.

Everything you are able to put through Tor is 'safe' in respect
to the purpose of Tor. Outside of what Tor offers, it is up to the
user to figure out and know how to manage their own security practices.

> Firefox's issues with tor usage and how many soft spots could
> be considered possible or future vectors

All apps have and will have flaws. If you don't trust FF/them to:
- Punt everything through Tor... sandbox them.
- Resist attacks that would give access to your system... don't put
sensitive stuff on that system.
- Resist attacks that would disclose browser state, steal sessions,
etc... use single purpose sessions.

Layer your security so you don't have that problem. If you can't run
FF with java/js/flash/images all enabled and feel safe about it,
you're not doing it right.


>  whether or not this is a proper direction to go on or if Dillo's audience
> is limited and doesn't receive enough testing to warrant switching to Dillo.

FF is the current defacto mass market browser, outside of IE and Mac.
Tor is best served by focusing on enhancements/bundles for that.

You've managed to put together a workable bundle. Put it
out there and see what happens. Who knows :)
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/