[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: tor-browser bundle on XP



Jacob,

  XeroBank's network does not use tor whatsoever. Modern onion
  routing is not suitable for commercial anonymity.

  Perhaps the confusion is that our client software is not
  our network software, unlike Tor. xB Browser users do not
  create the XeroBank network. xB Browser only accesses other
  networks as a client.

  So you have this:

  [Browser] -> [Connection Client] -> [Network]

  In the instance of Tor, the connection client and the network
  are essentially the same. In the instance of XeroBank, the
  connection client for legacy users will be PuTTY/SSH to the XB1
  network, and for modern users the connection client will be
  OpenVPN/TLS to the XB2 network.

  Currently xB Browser lets the user select which anonymity
  network they want to use: Tor or XeroBank. This also means
  we could theoretically also add JAP or I2P in as well. It
  is also written to work with the Mozilla softwares, so it
  can easily run a News Reader, Chat client, Mail client,
  or any other in place of the Browser if one was motivated.

  It is somewhat agnostic of the network it connects to except
  for the threat models. Because Tor is vulnerable to exit node
  injection and MITM attacks, it employs a Tor-specific user.js
  option overlay which blocks out scripts and plugins and mime
  types, and RSA/MD5 SSL certificates. When connected to XeroBank's
  VPN the threat model is different so it behaves accordingly, allowing
  scripts, plugins, and mime types, but wiping out flash cookies,
  DOM objects, cookies, hidden registry plugins, and other homing
  badware. It also has a hybrid user option overlay, for the SSH
  connections because it knows there isn't injection/mitm risks
  but it also knows the VPN isn't catching all the traffic so it
  covers up java proxy settings in windows, and restricts scripts,
  and plugins etc at the option of the user, but it doesn't worry
  about RSA/MD5 SSL certificates.

  It was rewritten from scratch a couple years ago, and I don't
  think it has a single line of PortableApps code left in it.
  I think it would be safe to say this is nothing like the Torpark
  you remember.

Steve





Jacob Appelbaum wrote:
> Arrakis wrote:
>> Phobos et al,
>>
>>  xB Browser installs giving a user a choice of two modes.
>>  The first is Tor, the second is the XeroBank network. xB
>>  Browser is included in the XeroBank Installer bundle which
>>  includes xB VPN and xB Mail as well.
>>
>>  xB Browser, if Tor is installed, will just run Tor for it's
>>  connection client.
> 
> I think there's some confusion here. In a previous thread you suggested
> that XeroBank [0] doesn't use Tor. This is confusing because your
> "source" package contains a Tor binary:
> 
> /tmp/xb% 7z e XeroBank_Source.zip
> 
> /tmp/xb% find .|grep -i tor
> ./history.dat
> ./tor-resolve.exe
> ./localstore.rdf
> ./Tor
> ./torcircuitstatus.exe
> ./Torcircuitstatus
> ./torcircuitstatus.dll
> ./tor.exe
> ./TOR_user.js
> ./.autoreg
> ./formhistory.dat
> 
> It looks like Tor is included with your software.
> 
> Regards,
> Jacob
> 
> [0] http://archives.seul.org/or/talk/Dec-2008/msg00053.html
>