
Re: suggestion for 'is my installation of tor working?' page



Nick Mathewson wrote:
On Sun, Feb 04, 2007 at 08:58:36PM -0800, Wesley Kenzie wrote:
I've got an initial version up now at http://www.showmyip.com/torstatus/ -
feedback welcome!  More content and links to come!

As others have noted, this is really excellent, but there's way too much information there for it to be useful for unsophisticated users. There's no way that my dad, for example, could tell that his window width and height identify him far more uniquely than do his User-Agent or his "DMA code".

Maybe there should be some kind of "What I Learned" section at the
top, with parts like:

  Javascript said:   "Your IP is x.y.z.w".
     (Learn more about how to disable Javascript _here_.),
  Java said: "Your IP is x.y.z.w.":
     (Learn more about how to disable Java _here_.)

That is, sort information by order of significance of disclosure, and
for each piece of information, tell users what it means, how much it
isolates them, and how to stop disclosing it.

Also, is there some way to see, use, and distribute the source for
these pages?  As long as you operate them, yours will of course be
most popular, but my free software instincts make me ask "what do we
do if Wesley is unavailable for a while?"

Along with having a web page which attempts to educate Tor users about the dangers of executing Java, JavaScript, Flash, etc. in their browsers, I think there also needs to be a stronger warning about this on the main Tor web site (tor.eff.org). There is a warning on the wiki but this is something that's important enough to promote to the main page (and have translated).


There are Java and Flash applets that, when run in a Tor user's browser, will open non-proxied connections back to their originating web sites and thus expose a user's real IP address. This is, I think, the most serious threat to Tor users who don't disable these in their browsers -- never mind fingerprinting my machine by capturing my screen resolution, etc. with JavaScript.

The NoScript extension with Firefox works great -- it disables all scripts and plugins. I hope people who really need anonymity are using these. However, I expect that many are using IE. I don't run Windows, but I would guess that there probably isn't an easy way to disable Flash in IE. A clear warning with the Tor client installation instructions might help new Tor users better protect their anonymity.

-James
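
Added example, not part of the original messages and not code from showmyip.com or the Tor project: one way a test page could build the "What I Learned" summary suggested above, putting any real-IP disclosure first and ordering the rest by how much each value isolates the visitor. Measuring isolation in bits (log2 of how rare the value is) is an assumption of this sketch, and every field name, count and sample value is constructed.

```javascript
// Added example: rank what an "is my Tor working?" test page observed.
// All field names, visitor counts and sample values are constructed.

// Bits of identifying information: how rare the observed value is among
// visitors. A value shared by 1 visitor in 1024 carries 10 bits.
function isolationBits(sharedBy, population) {
  if (!(sharedBy > 0) || !(population >= sharedBy)) {
    throw new RangeError("need 0 < sharedBy <= population");
  }
  return Math.log2(population / sharedBy);
}

// A finding that reveals the real (non-Tor) address always outranks a
// fingerprinting attribute; the rest sort by how strongly they isolate.
function rankDisclosures(findings, population) {
  return findings
    .map((f) => ({
      ...f,
      revealsRealIp: Boolean(f.revealsRealIp),
      bits: f.revealsRealIp ? 0 : isolationBits(f.sharedBy, population),
    }))
    .sort((a, b) => (b.revealsRealIp - a.revealsRealIp) || (b.bits - a.bits));
}

// One line per finding: what was seen, what it means, where to fix it.
function whatILearned(findings, population) {
  return rankDisclosures(findings, population).map((f) => {
    const impact = f.revealsRealIp
      ? "reveals your real IP address"
      : `narrows you to 1 in ${Math.round(2 ** f.bits)} visitors (${f.bits.toFixed(1)} bits)`;
    return `${f.source} said: "${f.value}" - ${impact}. ${f.fix}`;
  });
}

// Constructed sample: documentation-range address, made-up visitor counts.
const SAMPLE_POPULATION = 100000;
const SAMPLE_FINDINGS = [
  { source: "User-Agent header", value: "Mozilla/5.0 (...)", sharedBy: 12500,
    fix: "Learn more about changing your User-Agent." },
  { source: "JavaScript", value: "window is 1187x843", sharedBy: 50,
    fix: "Learn more about how to disable JavaScript." },
  { source: "Java applet", value: "Your IP is 192.0.2.44", revealsRealIp: true,
    fix: "Learn more about how to disable Java." },
];

console.log(whatILearned(SAMPLE_FINDINGS, SAMPLE_POPULATION).join("\n"));
```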