Re: [tor-talk] New Browser Bundle

Hi Andrew, all,

On 11/07/2011 03:32 AM, Andrew Lewman wrote:
> On Sunday, November 06, 2011 15:15:21 Joe Btfsplk wrote:
> I'd like to see someone do research that proves or disproves this fear that 
> javascript and cookies everywhere is hazardous to the anonymity of a tor user. 
> I don't know a better setting for noscript. I know what I use for settings 
> when I use the default TBB setup.  
>  If you use collusion with TBB, you'll see the various connections made to the 
> current browsing session. http://collusion.toolness.org/. I frequently hit 
> 'new identity' to wipe the cache/cookies.

Does that work? As I understand it, clicking the "Use a new identity" button
in Vidalia tells Tor to build new circuits for subsequent connections, but
it doesn't seem to affect Aurora -- all the cookies that have assembled
since the start of the session are still there. (At least on Linux, using
the current version.)

Or is there a different 'new identity' feature I missed?

> In my world, I'd replace noscript with requestpolicy. If you never request the 
> 3rd party sites, then you cut out lots of risks/cruft, in theory. This is the 
> core idea behind requestpolicy.  Unfortunately, this breaks lots of websites 
> and would freak out most tor users. However, this is another fine study to 
> undertake.

I tried using requestpolicy in my everyday surfing for some time, and turned
it off because it was too annoying. Almost every major site uses different
domains for e.g. static content, hence requestpolicy requires adding new
exceptions all the time.

On the other hand, I always use NoScript in its default setting without
problems. In fact, I find that if scripts don't run without explicit
permission, web surfing becomes much more peaceful. If I start Firefox with
tabs with YouTube videos open, they won't start playing automatically, which
is otherwise very annoying, for example. And if many tabs are open, Firefox
will use much less memory and is less likely to crash.

I'm a bit surprised that TBB includes NoScript but still allows all
JavaScript by default. I suspect it would be better to disable scripts by
default, leaving it to the user to decide whether s/he wants to allow
scripts on a site.

> Intuitively it sounds bad, yes.  However, I'd like to see baseline research and 
> then settings changes that are proven to improve anonymity for the user. Of 
> course, 'improve anonymity' implies some sort of measurement, which ties into 
> https://blog.torproject.org/blog/research-problem-measuring-safety-tor-network

If that is an open research question, why play it risky in the meantime?

Best regards

