Re: Tor,security and web-usability - Sorry, now readable with line-breaks...
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: Tor,security and web-usability - Sorry, now readable with line-breaks...
- From: "Ringo Kamens" <2600denver@xxxxxxxxx>
- Date: Mon, 12 Jun 2006 19:28:54 -0700
- Delivered-to: archiver@seul.org
- Delivered-to: or-talk-outgoing@seul.org
- Delivered-to: or-talk@seul.org
- Delivery-date: Mon, 12 Jun 2006 22:29:07 -0400
- In-reply-to: <m1Fpy4S-004ykuC@outside.256.com>
- References: <m1Fpy4S-004ykuC@outside.256.com>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
For non-script email, you could use safe-mail.net. The NoScript extension for Firefox kills Flash. The operating system obfuscation through virtual machines is a waste of CPU power. Just spoof the information using something like Privoxy. Besides, the OS isn't really that bad. You should be more concerned about getting an exploit embedded in a page that violates your security and uploads your hard drive to a remote server or a tempest-like attack.
On 6/12/06, abacus.01@xxxxxxxxxxxx <abacus.01@xxxxxxxxxxxx> wrote:
Hello,
First I want to say thanks for this great programme and that you tolerate my Mac-security related questions. I read that JavaScript and Flash are bad for Tor's security provisions. Though quitting JavaScript is easy, I have not found the appropriate way to quickly kill Flash, neither in Firefox nor any other browser, most Flash-sites show up on my OSX just fine even without any Java.
Does that mean one theoretically had to deinstall Flash before surfing with Tor?
The same question applies to Windows Media Player on the Mac, this is not secure to surf with, is it? Is a deinstallation also required before achieving an acceptable security level?
The next question is related to these problems: if I want to create an email-account with any of the big free webbased mail-services I know, I HAVE to switch Java and JavaScript on, otherwise the configurations will fail. I understand that configuring, e.g. Yahoo with Tor enabled and the required Java/JavaScript turned on, renders Tor's efforts null and void. I could as well surf openly to Yahoo like say 10 years ago.
Does anybody know of a web-based mail-service, that does not require Java/JavaScript during configuration or use? Or do I have to accept that I also have to use some remailer to reduce traceability to a secure amount?
Finally, if I go to pages like http://gemal.dk/browserspy/, I could really get paranoid or despair of security. While the useragent could partly be faked and randomly changed with tools like Fabian Keil's great uagen.pl, an automatic Firefox-User-Agent-Generator, the flash detection at gemal.dk/browserspy/ e.g. still reveals not only the Flash version but also my Operating System and its version. This works WITHOUT Java/JavaScript enabled.
Given the fact, that more and more parts of the web rely increasingly on Java/JavaScript and multimedia enhanced features, are security related efforts not really a rearguard action?
Besides the problems of traceability that might result for Tor if one uses Java/JavaScript, could it be a reasonable strategy to add a layer of obfuscation by employing second and third operating systems via emulation (e.g. inside an otherwise inaccessible TrueCrypt partition (which is not yet feasible on the Mac))?
Sorry, if this all sounds convoluted, I somehow just want to appraise the scope of this Sisyphus task. Thanks in advance and all the best for your work
Regards