Tor browsing setups and practices [Was: Re: Quick question about TOR and use of SSL]



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Chris Burge wrote:
> All of that said, what kind of
> setup do you use and how does it provide you extra anonymity/security
> versus others?  On most sites, you just can't get by without some sort
> of use of cookies.  Of course, this too limits your ability towards
> privacy so I'm trying to create a best practice scenario for myself on a
> site-by-site basis.
(much snippage)

My setup is Firefox 2.x, with the development-branch Torbutton (which
provides a LOT of extra control), NoScript (I pretty much cleared the
whitelist it comes with, and enabled every possible block), and CookieSafe.

I find CookieSafe to be handy, because you can block all cookies by
default, and allow them on a site-by-site basis. It also can be set to
make all cookies last only for one session - which, of course, I do.

(To not do so opens you to a slip-up where you connect without Tor with
a "dirty" cookie, or a type of intersection attack involving persistent
cookies which I've only heard rumors about.)

Generally, there are three rules I follow, if I want to log into a site
using Tor:

1.) The account was made on Tor, for anonymous usage, and will only ever
be handled through Tor. You never want to log into a site with
identifying info with Tor (as it opens you up to a stream correlation
attack at the exit) - plus, it just kind of defeats the point. =;o)

2.) Any account I use through Tor, is considered expendable - since on
sites without SSL, it's definitely possible for an exit to sniff the
login and take it over (this also stresses the importance of the first
rule).

3.) If a site or service offers it, I use the SSL version, since it
greatly increases resistance to things like stream correlation and the
lifting of credentials.

- --
F. Fox
AAS, CompTIA A+/Network+/Security+
Owner of Tor node "kitsune"
http://fenrisfox.livejournal.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
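
The cookie policy described in the message above (block by default, allow per site, session-only lifetime), as an added example that is not part of the original post: the same three rules applied to a scripted client with Python's standard `http.cookiejar`. The class and function names, the `.example` hosts and the sample `Set-Cookie` headers are constructed for illustration.

```python
# Added illustration: default-deny cookies, per-site allow list, session-only lifetime.
import email.message
import urllib.request
from http.cookiejar import CookieJar, DefaultCookiePolicy


class SessionOnlyJar(CookieJar):
    """Cookie jar that accepts cookies only from allowed sites and never persists them."""

    def __init__(self, allowed_sites):
        # allowed_domains turns the policy into default-deny for every unlisted site.
        super().__init__(DefaultCookiePolicy(allowed_domains=list(allowed_sites)))

    def set_cookie(self, cookie):
        # Drop any server-requested lifetime so the cookie ends with the session.
        cookie.expires = None
        cookie.discard = True
        super().set_cookie(cookie)


class FakeResponse:
    """Constructed stand-in for an HTTP response, so the example runs offline."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookies_kept(allowed_sites, visits):
    """Replay (url, Set-Cookie headers) visits; return {domain: [(name, expires, discard)]}."""
    jar = SessionOnlyJar(allowed_sites)
    for url, headers in visits:
        jar.extract_cookies(FakeResponse(headers), urllib.request.Request(url))
    kept = {}
    for c in jar:
        kept.setdefault(c.domain, []).append((c.name, c.expires, c.discard))
    return kept


# Constructed sample traffic: both sites ask for a one-year persistent cookie.
VISITS = [
    ("https://forum.example/login", ["sid=abc123; Max-Age=31536000; Path=/"]),
    ("https://tracker.example/pixel", ["uid=42; Max-Age=31536000; Path=/"]),
]

if __name__ == "__main__":
    print(cookies_kept(["forum.example"], VISITS))
```

Only the allowed site's cookie is stored, and its one-year `Max-Age` is discarded so nothing survives into a later session.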