[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Tor Browser Bundle for GNU/Linux 1.0.0 Released

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Tor Browser Bundle for GNU/Linux 1.0.0 Released
From: Mike Perry <mikeperry@xxxxxxxxxx>
Date: Sat, 27 Mar 2010 03:44:55 -0700
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Sat, 27 Mar 2010 06:45:05 -0400
In-reply-to: <20100327043325.GA10402@xxxxxxxxx>
References: <20100327043325.GA10402@xxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mutt/1.4.2.2i

Thus spake Erinn Clark (erinn@xxxxxxxxxxxxxx):

> Tor Browser Bundle for GNU/Linux is now available for x86 and x86_64
> architectures in 12 languages.
> 
> The bundle comes with the following software:
> 
> * NoScript 1.9.9.57
> * BetterPrivacy 1.4.7

I want to point out that this is the first bundle we are shipping with
NoScript and BetterPrivacy. We've decided to attempt this as a trial
in Linux TBB for a few reasons. After the remote font exploit of
Firefox 3.6 and the apparent ~2 month delay between exploit code and
fix, we've come to the conclusion that we need to do a bit more to
protect our users against Firefox 0day being held by the underground
and aboveground exploit markets. See:

http://hackademix.net/2010/03/24/why-noscript-blocks-web-fonts/
http://hackademix.net/2010/03/22/firefox-36s-0-day-and-you/
https://bugs.torproject.org/flyspray/index.php?do=details&id=1328

We also want to provide at least some way for people to view YouTube
videos and other flash content without completely sacrificing their
privacy and anonymity while viewing all websites. Our plan is to make
it so that people who insist on viewing flash content can simply
uncheck "Disable plugins for Tor usage", and only be at risk when they
actually decide to load a plugin (possibly GnashPlayer) by clicking on
its NoScript Placeholder. Basically, we would like to replace this
long FAQ entry with a much simpler one that still has an appropriate
warning: https://www.torproject.org/torbutton/faq.html.en#noflash

In addition, we've decided to try to deploy a list of popular sites
that have insecure https functionality that can be secured by
NoScript. Right now, we are attempting to secure *twitter.com
*facebook.com blog.torproject.org www.torproject.org docs.google.com
addons.mozilla.org www.stumbleupon.com. We are open to any suggestions
for additions to this list, and what we might do about any problems
that arise.

The Noscript config shipped with the bundle has the following
additional general properties:
                                                              
1. It disables the redirect to noscript.net on updates.
2. It simplifies the context menu down to just enable/disable javascript 
3. It sets Javascript to be enabled by default.
4. It replaces most common media types and plugins with placeholders

We're open to any suggestions or comments about this approach. I am
also discussing usability issues with Giorgio to try to help make
NoScript a bit easier to use in general.

> This is a beta version, so please test it and file bugs!
> https://bugs.torproject.org/

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs

Attachment: pgpI6DSdgC51F.pgp
Description: PGP signature

Follow-Ups:
- Re: Tor Browser Bundle for GNU/Linux 1.0.0 Released
  - From: coderman
- Re: Tor Browser Bundle for GNU/Linux 1.0.0 Released
  - From: Edward Langenback

References:
- Tor Browser Bundle for GNU/Linux 1.0.0 Released
  - From: Erinn Clark

Prev by Author: Re: Path-spec - fast circuits
Next by Author: Re: Tor Browser Bundle for GNU/Linux 1.0.0 Released
Previous by thread: Tor Browser Bundle for GNU/Linux 1.0.0 Released
Next by thread: Re: Tor Browser Bundle for GNU/Linux 1.0.0 Released
Index(es):
- Author
- Thread