On Tue, 2009-02-10 at 22:26 -0500, Nick Mathewson wrote:
> On Tue, Feb 10, 2009 at 06:24:27PM -0500, Ted Smith wrote:
> > On Tue, 2009-02-10 at 18:17 -0500, Ringo Kamens wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > It absolutely would. Here are some things TorButton defends against that
> > > wouldn't be covered in your scenario:
> > >
> > > 1. Unauthenticated Updates
> > > 2. CSS Tracking (I think it does anyways)
> > > 3. Flash and auto-opening of files
> > > 4. Browser referral and user-agent tracking
> > >
> > > Ringo
> > >
> > To be fair, though, 1, 3, and 4 could be configured away in default
> > FireFox. Updates can be disabled, flash can be removed, files can be set
> > to "ask", referrals can be disabled, and UA can be modified in firefox
> > or in Privoxy.
>
> As Martin notes, privoxy won't modify your SSL connections for you.
>
> Torbutton protects against many other attacks that regular Firefox
> configuration can't protect you against, too. See the Torbutton
> design document at https://www.torproject.org/torbutton/design/ for a
> more full list.
>

The only things I see in the "Adversary Attacks" section that could be an issue are fingerprinting attacks, and of course exploitation. What am I missing?

And is there any way to get the benefits of Torbutton without any of the state-saving aspects? Like the previous poster, I have a separated Firefox profile I use for Tor, so separation of Tor and non-Tor state isn't an issue for me. What would it take to split off the filtering/hardening aspects of Torbutton from the state-watching part, and just have an independent anonymity-enhancing addon?

I'd rather not trust one piece of software with all of my anonymity, so I want to keep my system separated the old-fashioned way, with plugins/cache/history/cookies/javascript that could be used against me. This way, even if Torbutton fails, I still have a modicum of safety against some attacks.
My configuration passes the decloak engine test with flying colors, though I understand that's nowhere near comprehensive... ;)