Tor browsing setups and practices [Was: Re: Quick question about TOR and use of SSL]
Chris Burge wrote:
> All of that said, what kind of
> setup do you use and how does it provide you extra anonymity/security
> versus others? On most sites, you just can't get by without some sort
> of privacy so I'm trying to create a best practice scenario for myself on a
> site-by-site basis.
My setup is Firefox 2.x, with the development-branch Torbutton (which
provides a LOT of extra control), NoScript (I pretty much cleared the
whitelist it comes with, and enabled every possible block), and CookieSafe.
I find CookieSafe to be handy, because you can block all cookies by
default, and allow them on a site-by-site basis. It also can be set to
make all cookies last only for one session - which, of course, I do.
(To not do so opens you to a slip-up where you connect without Tor with
a "dirty" cookie, or a type of intersection attack involving persistent
cookies which I've only heard rumors about.)
Generally, there's three rules I follow, if I want to log into a site:
1.) The account was made on Tor, for anonymous usage, and will only ever
be handled through Tor. You never want to log into a site with
identifying info with Tor (as it opens you up to a stream correlation
attack at the exit) - plus, it just kind of defeats the point. =;o)
2.) Any account I use through Tor, is considered expendable - since on
sites without SSL, it's definitely possible for an exit to sniff the
login and take it over (this also stresses the importance of the first
3.) If a site or service offers it, I use the SSL version, since it
greatly increases resistance to things like stream correlation and the
lifting of credentials.
AAS, CompTIA A+/Network+/Security+
Owner of Tor node "kitsune"
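
Added example, not part of the original post: a small Python audit of `Set-Cookie` headers for the two cookie risks the message describes, cookies that outlive the session and cookies readable on a non-SSL connection. The function names, the finding labels, the sample headers and the fixed `NOW` date are all constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)  # constructed, keeps results fixed

def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, lower-cased attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def audit_cookie(scheme, header, now=NOW):
    """Return (name, findings) for one cookie received over `scheme`."""
    name, attrs = parse_set_cookie(header)
    persistent = False
    try:
        if "max-age" in attrs:        # Max-Age takes precedence over Expires
            persistent = int(attrs["max-age"]) > 0
        elif "expires" in attrs:
            persistent = parsedate_to_datetime(attrs["expires"]) > now
    except (TypeError, ValueError):   # unparsable lifetime: treat as session-only
        persistent = False
    findings = []
    if persistent:
        findings.append("persistent")      # survives into a later non-Tor session
    if "secure" not in attrs:
        findings.append("no-secure-flag")  # will also be sent over plain HTTP
    if scheme != "https":
        findings.append("set-over-http")   # visible in cleartext at the exit
    return name, findings

# Constructed sample responses: (scheme the response arrived on, Set-Cookie value)
SAMPLES = [
    ("https", "sid=abc123; Path=/; Secure; HttpOnly"),
    ("https", "remember=tok42; Expires=Wed, 09 Jun 2038 10:18:14 GMT; Path=/"),
    ("http", "login=user1; Max-Age=0"),
]

def audit_all(samples=SAMPLES):
    """Audit every sample and return {cookie name: findings}."""
    return dict(audit_cookie(scheme, header) for scheme, header in samples)

if __name__ == "__main__":
    for cookie, risks in audit_all().items():
        print(f"{cookie}: {', '.join(risks) or 'ok'}")
```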