[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Introducing Torfox 3.0.10

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Introducing Torfox 3.0.10
From: Jacob Appelbaum <jacob@xxxxxxxxxxxxx>
Date: Thu, 11 Jun 2009 17:24:30 -0700
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Thu, 11 Jun 2009 20:24:36 -0400
In-reply-to: <caf3f87f0906111637o3c940ec7ja6d40402ba28d5d9@xxxxxxxxxxxxxx>
Openpgp: id=9D0FACE4; url=http://www.appelbaum.net/gpg.asc
References: <caf3f87f0906091818u2dfc9844k3676a56e83beefa1@xxxxxxxxxxxxxx> <4A2F45D4.70706@xxxxxxxxxxxxx> <caf3f87f0906092336j23ff0461i8f60b90f3140b8d5@xxxxxxxxxxxxxx> <4A2FE3AD.1010900@xxxxxxxxxxxxx> <caf3f87f0906101531y3b317671m96aede10e2790a35@xxxxxxxxxxxxxx> <21f144250906111603m64b41bdet5991692d92ddc645@xxxxxxxxxxxxxx> <caf3f87f0906111637o3c940ec7ja6d40402ba28d5d9@xxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mozilla-Thunderbird 2.0.0.19 (X11/20090103)

Tor Fox wrote:
> Kyle wrote:
>> I'm not seeing the benefit of Tor Fox since Tor Browser Bundle[1] and XB
> Browser[2] do the same thing your doing.  Why are you trying to recreate
> work that's been done already?
> 
> It doesn't work exactly the same.
> 

This is an understatement. :-)

>> First off, you didn't even have the browser's proxy set to use Tor on port
> 9060, I had to set that myself.
> 
> You don't need to set the proxy. I've made changes at the socket level to
> Firefox so that it always uses Tor.
> 

What happens when you leave plugins enabled, they respect proxy
connections and then it is unset? Do you really ensure that all binary
blobs cannot make sockets? I'm not sure how to do that. Perhaps the way
that you hooked the sockets, it's entirely possible?

>> I noted that the Tor Fox homepage is set to use the Tor Fox search engine,
> which is uses Google results, and display's google ADs right on the top of
> the page.  I was able to get a real IP address from my deanonymizer that
> I've been working on. Further more, a few security issues exist with Tor
> Fox.
> 

Sounds like that socket hooking isn't working out. :-(

> This is an initial release. I've been reading up on Torbutton and have
> already added most of the features he's done. Also, there are a few things
> he can't do because he has to wait for Firefox developers to fix some bugs.
> I don't have that problem.
> 

Well, you have a few problems. You have his issues (until you patch
them; did you?) with Firefox. You also have his issues with content. You
should consider using his plugin even if you believe his proxy setup is
not needed.

>> This leads me to think that you're trying to make a quick buck off of
> Google ADs while leaving Tor users exposed to security exploits of would-be
> evil doers or some hackers that just enjoy making a ruckus.
> 
> The Google ads will never cover the hosting fees for the Tor relays I'm
> running so I'm not making any profit. Also, this is not finished software by
> far. It's the very first release so I think you're judging a little too
> hasty. This is more of a proof of concept than anything else. If you read my
> first post you will see that I'm not even sure there is enough interest in
> this to keep developing it full time. I'm going to give it a few months and
> see if it goes anywhere.

Wow, seriously? That's a joke right? Is Kyle incorrect?

I think it's pretty unethical to explicitly make money by using a
_tracking_ technology to profit from users who _explicitly_ do not want
to be tracked. Also, to not disclose this information until someone
discovers it is bad. To justify it with your accounting of costs and
fees is probably the only way to take that from bad to worse.

Transparency is perhaps most important to me in this case. I understand
offsetting costs of hosting but not at the expense of users who
explicitly do not want it. :-(

How will you ensure that TorFox users are protected? Will you? How will
you ensure this when your interests (as you stated) are fiscally aligned
against your users? That does not bode well. :-(

> 
>> So, if you are serious about securing Tor Fox then you need to install
> TorButton.  Mike Perry and others have worked hard on making TorButton
> secure from several different types of attacks and information leakage,
> hence why it is used and trusted by many.  You should have a look at the
> design document for Torbutton.
> 
> That defeats the purpose of building from the source code. I can do things
> that an extension can't do and the things it can do, better. The design
> document is very helpful though.
> 

No, it does not. You can do both. You can use TorButton today to protect
your users against the currently known issues. TorButton is pretty well
tested and while perhaps imperfect (sorry Mike!), it's not safe to use
Firefox without it. Additionally, you can _also_ build from source to
patch unfixed bugs in Firefox. Please document such changes, you may
find that your fixes have unintended consequences. This is something
we've considered with the Tor Browser Bundle but currently, we're not
too interested in forking Firefox. Personally, I haven't given up on
Mozilla, I think they're going to fix the issues that Mike has discovered.

Best,
Jacob

Follow-Ups:
- Re: Introducing Torfox 3.0.10
  - From: Tor Fox

References:
- Introducing Torfox 3.0.10
  - From: Tor Fox
- Re: Introducing Torfox 3.0.10
  - From: Jacob Appelbaum
- Re: Introducing Torfox 3.0.10
  - From: Tor Fox
- Re: Introducing Torfox 3.0.10
  - From: Jacob Appelbaum
- Re: Introducing Torfox 3.0.10
  - From: Tor Fox
- Re: Introducing Torfox 3.0.10
  - From: Kyle Williams
- Re: Introducing Torfox 3.0.10
  - From: Tor Fox

Prev by Author: Re: Introducing Torfox 3.0.10
Next by Author: Re: OT: google cookie
Previous by thread: Re: Introducing Torfox 3.0.10
Next by thread: Re: Introducing Torfox 3.0.10
Index(es):
- Author
- Thread