If NoScript is so important, then why doesn't it come in the Windows bundle for use with a USB?
As per the Browser Bundle's download page: "The Tor Browser Bundle is under development and not yet complete." Now, I don't have much (any) experience with the Browser Bundle, but I imagine it doesn't come with NoScript because it breaks functionality. Blocking JavaScript, Java, Flash, XSS, etc. is great for security, but the more of that you disable, the less functional many websites become. This can break the "plug and play" nature of the Browser Bundle.
My limited understanding is that this is sort of a complete package, with configurations set to enhance and protect the user client. Now, perhaps that only applies to use in the Tor network, i.e. Hidden Services and such, and not the big, bad Spider's Web. Is this an accurate, useful conclusion on my part?
It's my understanding that the Browser Bundle lets you use Firefox over Tor via Torbutton, without the hassle of having to set up Firefox, Tor, or Torbutton on the computer you're using. That said, it only provides those benefits unless you enhance your own security. If you are doing something that requires extreme privacy, and can't risk your HTTP or other unencrypted traffic being snooped on at the exit node (when accessing the "regular" internet), then you'll need to take measures to encrypt it. Forcing the use of HTTPS was the subject of the previous discussion you were quoting from, and setting up custom NoScript rules is one way of doing that. Granted, it often breaks the functionality of certain websites.
You're correct in thinking that this is somewhat less of an issue when accessing Tor Hidden Services, as traffic never leaves the (encrypted) Tor network. I'm sure, depending on the type of service run, that there are ways of maliciously gathering information about clients, but historically I don't believe this has been an issue (someone please correct me if I'm wrong).
I used to use NoScript a few years and versions ago, but read about potential weak points in it or that it might nullify what Privoxy and now Polipo do. Excuse me if my memory is inaccurate but that was the general gist of discussions I read. It might have also been mentioned that configuration settings in Firefox could be changed by NoScript but again, I'm just trying to remember. I'm not real sure nor trying to spread disinfo.
I can't comment on this, not having as much experience as I'd like with Polipo.
I once was curious as to all the problems users have with Tor/Vidalia and was told that if I use it "out of the box", my problems are less and my anonymity is still good, depending on other factors to be sure. So far, that seems to be the case but tweaking, testing and understanding it in more environments doesn't seem to be in the cards for me this lifetime.
Your anonymity is improved in the sense that (theoretically) all traffic bound for Tor is encrypted, and any traffic that would normally be unencrypted (without Tor) is now coming out some exit node that could be anywhere in the world and has no obvious connection to you. This is called "Speakeasy" security, and it only takes you so far. For example, sending your bank account details in an unencrypted (plaintext) email over Tor isn't particularly any safer than doing so without Tor, as anyone spying on an exit node could pick it up and have a field day with it. Tor isn't magic. If you're dealing with sensitive information, act as though you weren't using Tor at all and take appropriate security measures to protect your information. With that done, Tor is simply the icing on the cake (delicious, delicious cake I might add).
~Justin Aplin