
Re: Downloading attachments with Tor - is this secure?



Hi Scott,

I am not using NoScript but I used it some time ago. The problem I had was that various websites did not work because it turned off JavaScript which seemed essential. At the moment I am using Polipo and Tor with JavaScript operational but Java, Flash, and QuickTime are all turned off in Firefox.

Perhaps you could please tell me why exactly NoScript is superior to the methods I am using?

Thanks

Scott Bennett wrote:
On Sat, 19 Jun 2010 09:15:15 -0400 "Aplin, Justin M" <jmaplin@xxxxxxx>
wrote:
Yes, if you use Torbutton, the attachment itself will be downloaded
only via Tor.
I believe this is the short answer to your question, though everything else Mike said is good to keep in mind as well, especially in situations where paranoia is appropriate.

This is especially dangerous if you are using Yahoo Mail, because even
if you trust the person who sent you the document, your attachment
will be downloaded in plaintext (via http, not https).
Watch out for this. Yahoo's *login* page for webmail and other services may be HTTPS, but this reverts to plain HTTP once you're actually viewing your mail and downloading attachments. A simple solution for secure webmail at the moment is using Gmail and the new Firefox addon "HTTPS-Everywhere" available from https://www.eff.org/https-everywhere . This addon is *NOT* magic, as it only works with the particular list of websites available on its option page, but making sure "Google Services" is checked in its options will allow all Gmail connections (including downloading attachments) to happen over HTTPS.

     While HTTPS-Everywhere may be a nice programming exercise for its
author(s), it appears wholly unnecessary for Firefox users because Firefox
users should *ALREADY* be using NoScript, which allows one to accomplish
the same thing, but also provides mountains of other protective measures.
Don't be fooled into thinking that HTTPS-Everywhere can protect your
anonymity or your privacy.  If you and/or the OP continue to refuse to
use NoScript, then sooner or later you and/or the OP will get burned and
will thus be taught the hard way the lesson you should have understood by
now.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/
