Re: New Torbutton (1.1.4-alpha)

[Roger Dingledine <arma@xxxxxxx>]

On Mon, Jul 09, 2007 at 02:16:55AM -0700, Mike Perry wrote:
> As some of you know, I've been working on a security-enhanced version
> of Torbutton to handle all sorts of anonymity vulnerabilities present
> in a standard Firefox configuration (see the big fat warning on
> http://tor.eff.org/download.html.en - the goal is to make all that
> text irrelevant).

Hi Mike,

Looks like great progress. One question though -- one of the warnings on
that page that bothers me is "Consider removing extensions that look up
more information about the websites you type in (like Google toolbar),
as they may bypass Tor and/or broadcast sensitive information." Is
this one of the warnings that we're going to have to keep (along with
"you need to send your traffic through Tor for Tor to have any prayer of
helping you" and "don't send plaintext passwords over the Internet"), or
is there something we can do about other extensions doing local resolves?

> The extension itself, and more information on the individual
> features/options are available at the horrifyingly stoic homepage:
> http://torbutton.torproject.org/dev/

I really like your "Description of Options" section of this page. I
recognize they can't be tooltips yet -- are those Firefox bugs going
to be fixed soon, or should we think about adding a "Help" window to
Torbutton to explain what all these things are for people who can't get
to the website?

(I'm not so enthusiastic about your use of javascript on the webpage
though. ;)

Now the obligatory usability bug report: if I choose "I will manually
manage my cookies" in the Cookies window, what does that mean for the
choices in the Shutdown window?

--Roger