Ringo Kamens wrote:
> I agree, people are working on network-wide attacks (which is great)
> but the biggest and most obvious risk to user privacy/anonymity is
> scripts. Perhaps firefox and noscript should come bundled and
> configured?
> Ringo Kamens

How about lynx? Prompts on every cookie, no javascript, no flash, no java.
And with no images, much faster over tor.
Watson Ladd

>
> On 2/15/07, James Muir <jamuir@xxxxxxxxxxxxxxx> wrote:
>> Nick Mathewson wrote:
>> > On Sun, Feb 04, 2007 at 08:58:36PM -0800, Wesley Kenzie wrote:
>> >> I've got an initial version up now at
>> >> http://www.showmyip.com/torstatus/ -
>> >> feedback welcome! More content and links to come!
>> >
>> > As others have noted, this is really excellent, but there's way too
>> > much information there for it to be useful for unsophisticated users.
>> > There's no way that my dad, for example could tell that his window
>> > width and height identify him far more uniquely than do his User-Agent
>> > or his "DMA code".
>> >
>> > Maybe there should be some kind of "What I Learned" section at the
>> > top, with parts like:
>> >
>> > Javascript said: "Your IP is x.y.z.w".
>> > (Learn more about how to disable Javascript _here_.),
>> > Java said: "Your IP is x.y.z.w.":
>> > (Learn more about how to disable Java _here_.)
>> >
>> > That is, sort information by order of significance of disclosure, and
>> > for each piece of information, tell users what it means, how much it
>> > isolates them, and how to stop disclosing it.
>> >
>> > Also, is there some way to see, use, and distribute the source for
>> > these pages? As long as you operate them, yours will of course be
>> > most popular, but my free software instincts make me ask "what do we
>> > do if Wesley is unavailable for a while?"
>>
>> Along with having a web page which attempts to educate Tor users about
>> the dangers of executing Java, JavaScript, Flash, etc. in their
>> browsers, I think there also needs to be a stronger warning about this
>> on the main Tor web site (tor.eff.org). There is a warning on the wiki
>> but this is something that's important enough to promote to the main
>> page (and have translated).
>>
>> There are Java and Flash applets that, when run in a Tor user's browser,
>> will open non-proxied connections back to their originating web sites
>> and thus expose a user's real IP address. This is, I think, the most
>> serious threat to Tor users who don't disable these in their browsers --
>> never mind fingerprinting my machine by capturing my screen resolution,
>> etc. with JavaScript.
>>
>> The NoScript extension with FireFox works great -- it disables all
>> scripts and plugins. I hope people who really need anonymity are using
>> these. However, I expect that many are using IE. I don't run Windows,
>> but I would guess that there probably isn't an easy way to disable Flash
>> in IE. A clear warning with the Tor client installation instructions
>> might help new Tor users better protect their anonymity.
>>
>> -James