
Re: Introducing Torfox 3.0.10



Hi, 

I'm not seeing the benefit of Tor Fox since Tor Browser Bundle[1] and XB Browser[2] do the same thing you're doing.  Why are you trying to recreate work that's been done already?
First off, you didn't even have the browser's proxy set to use Tor on port 9060, I had to set that myself. I noted that the Tor Fox homepage is set to use the Tor Fox search engine, which uses Google results and displays Google ads right at the top of the page.  I was able to get a real IP address from my deanonymizer that I've been working on. Furthermore, a few security issues exist with Tor Fox.

- Several URIs can be used to reveal your true IP address.
- All the plugins are still enabled (Flash, Adobe Reader, etc.), which can lead to IP disclosure.
(I stopped my review after I found this out, because one could be really pwned with all plugins enabled.)

This leads me to think that you're trying to make a quick buck off of Google ads while leaving Tor users exposed to security exploits of would-be evil doers or some hackers that just enjoy making a ruckus. So, if you are serious about securing Tor Fox then you need to install TorButton.  Mike Perry and others have worked hard on making TorButton secure from several different types of attacks and information leakage, which is why it is used and trusted by many.  You should have a look at the design document for Torbutton.

Feel free to review this, but I for one wouldn't use it.
My quick review can be found at:  http://www.janusvm.com/goldy/audits/TorFox_Audit_06_10_2009.rar



Best regards,

Kyle Williams


REFERENCES
[1]  https://www.torproject.org/torbrowser/
[2]  https://xerobank.com/download/xb-browser/


On Wed, Jun 10, 2009 at 3:31 PM, Tor Fox <torfox.org@gmail.com> wrote:
Jacob wrote:
> Have you read the design document that Mike wrote about Torbutton?
No, I've done a lot of that already but some of it I hadn't thought of. I'll make sure that Torfox offers at least those features.
> rogue browser extensions that are often installed on Windows machines
Ok, I'll make sure I disable those.
> Why not use 9050? To not conflict with other running Tors?
Right.
> It is important to be able to build it and produce the same binary that you offer for download.
The only thing missing is the icons.
> I'm not sure what you mean when you say that it appeals to a different style of usage. Do you mean because it lacks a Torbutton logo, or that it lacks Vidalia?
No, I mean that you can just forget Tor is even there. It's more like an appliance rather than an always-on service. It's less intrusive.
> We do a lot to protect users with the Tor Browser Bundle (much of it is protection added by Torbutton), it would be a really good idea to make sure you're familiar with those things.
I agree.
> I look forward to reproducible builds! Don't forget the pgp signatures too. ;-)
You can reproduce it right now, other than the icons.