
Re: encrypting your communications?!



How about this?


Tor protects you by bouncing your communications around a distributed
network of relays run by volunteers all around the world: it prevents
the sites you visit from learning where you're coming from, and it
prevents somebody watching your Internet connection from learning what
sites you visit. Even the Tor relay you connect to doesn't learn that.

However, Tor is NOT a "Solve-everything" -- proper use of Tor requires
protection of cookies and JavaScript (either of which, without any
other tool, can be used to reveal you to the destination node).
Finally, Tor exposes you to a new type of Man-In-The-Middle attack --
the last Tor node used will see everything that the destination site
sees. [bold] Never send a password over Tor unless you are using an
https connection. If your site only uses https for the login password,
but uses a cookie authentication and normal http after that, then your
login may still be stolen; always log out from the site you are
talking to when finished. [/bold]

It is recommended that you use a separate profile for your Tor-based
anonymous browsing, with cookies cleared after each session, and
JavaScript disabled. "NoScript", for Firefox, can safely permit
scripts on a site-by-site basis, after determining that it is safe.
Additionally, a plugin or tool to remove "referer" information is
absolutely essential, or third party sites -- such as advertisers --
can track your every move. Tor is normally used with Privoxy to both
remove referer information, and block advertisers.

("Referer" is the proper spelling -- the original HTTP standard
misspelled "referrer", and the misspelling is too ingrained in the web
to be fixed now.)
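
An added example, not part of the original message: a check of the headers a site returns to an https login, listing the cookies that lack the Secure attribute and so also travel over plain http, where the last Tor node can read them. The function names and header values are constructed for illustration, and the HSTS and HttpOnly checks go slightly beyond what the message covers.

```python
# Added example; function names and header values are constructed for illustration.
def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def hsts_enabled(value):
    """True if a Strict-Transport-Security value has max-age greater than 0."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        val = val.strip().strip('"')
        if key.strip().lower() == "max-age":
            return val.isdigit() and int(val) > 0
    return False

def audit_login_response(headers):
    """headers: (name, value) pairs from the response to an https login."""
    report = {"sent_over_http": [], "readable_by_script": [], "hsts": False}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:    # browser also sends it on http:// requests
                report["sent_over_http"].append(cookie)
            if "httponly" not in attrs:  # page JavaScript can read it
                report["readable_by_script"].append(cookie)
        elif name.lower() == "strict-transport-security":
            report["hsts"] = hsts_enabled(value)
    return report

# Constructed headers: a site that logs in over https but leaves its
# authentication cookie usable on plain http afterwards.
SAMPLE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=constructed-value; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=constructed-value; Path=/; Secure"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print(audit_login_response(SAMPLE))
```

Any name under `sent_over_http` is a cookie that leaves the browser in cleartext as soon as the site switches back to http; `hsts` reports whether the site instructs the browser to keep using https for that host.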