
Re: [tor-talk] Fw: Hotmail with Tor [is there a solution!?]

Thus spake William Wrightman (williamwrightman@xxxxxxxxx):

> My questions are:
> 1. An individual is using Tor, NoScript, HTTPS-Everywhere, Better
> Privacy, and has no Java, with Flash disabled, and then securely
> deletes his places.sqlite, cookies.sqlite, etc, files after each
> session finishes.  Forgive the stupid question but in this case why
> would TorButton actually be required (for any website)?

The short answer is "maybe". 

Yes, you can cobble together your ad-hoc collection of addons to
prevent proxy bypass, and to clear your cookies, cache, DOM Storage,
SSL session IDs, HTTP Auth, and other identifiers. But then, most
likely, you are the *only* person with this request fingerprint and
browser behavior.

Do you still have anonymity? Probably. Most likely, nobody will put
the effort forth to fingerprint or correlate you (despite it being
laughably trivial). But still, we can't recommend this approach
because people who adopt it will be very linkable between different

For people who want anonymity, the safest option is the most popular
one. The problem with the ad-hoc addon approach is that even if it is
the most popular (and our numbers indicate that it may be), everyone
will do it slightly differently even with the same addons, and their
request patterns and browser behaviors will be very unique. 

In fact, if we ever see headlines about a Tor user compromised, my
money is on it being due to that user having used a custom or obsolete

> 2. This is also probably a dumb question.  In the
> https://trac.torproject.org/projects/tor/ticket/3580 ioerror wrote:
> "Perhaps it would be useful to email the Hotmail security team and
> let them know that this isn't going to work very well for people who
> need security and privacy through anonymity?"
> Is this something that would ever be done or considered worthwhile?
> Do owners / operators of websites like Hotmail for example care what
> you have to say or do you just assume they will ignore you so do not
> bother to contact them?

Frankly, I do not believe we have the numbers right now for anyone to
give a shit about us. That much has been clear so far from our
relations with Mozilla, Adobe, and others. (Though, to their credit,
Google usually asks us "How do we help you actually matter?" rather
than dismissing us from the outset with "Who cares about Tor? Tell us
when you have something normal people can use.").

However, I may be a tiny bit cynical and jaded. YMMV.

Mike Perry
Mad Computer Scientist
fscked.org evil labs


tor-talk mailing list
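
The anonymity-set argument in the reply above, as an added illustration that is not part of the original message: it groups a constructed population by observable browser traits and reports which users end up alone in their set. The trait names and values are assumptions made up for the example, not measurements of any real browser.

```python
import math
from collections import Counter

# Constructed observable traits per user: (user-agent, script policy,
# cookie policy, plugin state). Values are illustrative assumptions.
UNIFORM = ("UA-bundle", "scripts-default", "cookies-session", "no-plugins")
POPULATION = {
    # Users who all run the same, unmodified, popular configuration.
    "u1": UNIFORM, "u2": UNIFORM, "u3": UNIFORM,
    "u4": UNIFORM, "u5": UNIFORM, "u6": UNIFORM,
    # Ad-hoc setups: same addons, each configured slightly differently.
    "a1": ("UA-distro", "scripts-blocked", "cookies-session", "no-plugins"),
    "a2": ("UA-distro", "scripts-blocked", "cookies-none", "no-plugins"),
    "a3": ("UA-distro", "scripts-allowlist", "cookies-session", "no-plugins"),
    "a4": ("UA-other", "scripts-blocked", "cookies-session", "flash-disabled"),
}

def anonymity_sets(population):
    """Map each distinct fingerprint to the number of users presenting it."""
    return Counter(population.values())

def surprisal_bits(user, population):
    """Identifying information carried by this user's fingerprint, in bits."""
    sets = anonymity_sets(population)
    share = sets[population[user]] / len(population)
    return -math.log2(share)

def linkable_users(population):
    """Users whose fingerprint is unique, so their sessions can be tied together."""
    sets = anonymity_sets(population)
    return sorted(u for u, fp in population.items() if sets[fp] == 1)

if __name__ == "__main__":
    sets = anonymity_sets(POPULATION)
    for user in sorted(POPULATION):
        size = sets[POPULATION[user]]
        bits = surprisal_bits(user, POPULATION)
        print(f"{user}: anonymity set {size}, {bits:.2f} bits")
    print("unique fingerprints:", linkable_users(POPULATION))
```

Deleting cookies and history after each session does not change any of these traits, which is why the ad-hoc users stay in a set of one.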