Thus spake William Wrightman (williamwrightman@xxxxxxxxx):

> My questions are:
>
> 1. An individual is using Tor, NoScript, HTTPS-Everywhere, Better
> Privacy, and has no Java, with Flash disabled, and then securely
> deletes his places.sqlite, cookies.sqlite, etc, files after each
> session finishes. Forgive the stupid question but in this case why
> would TorButton actually be required (for any website)?

The short answer is "maybe". Yes, you can cobble together your ad-hoc collection of addons to prevent proxy bypass, and to clear your cookies, cache, DOM Storage, SSL session IDs, HTTP Auth, and other identifiers.

But then, most likely, you are the *only* person with this request fingerprint and browser behavior. Do you still have anonymity? Probably. Most likely, nobody will put the effort forth to fingerprint or correlate you (despite it being laughably trivial).

But still, we can't recommend this approach because people who adopt it will be very linkable between different activities. For people who want anonymity, the safest option is the most popular one. The problem with the ad-hoc addon approach is that even if it is the most popular (and our numbers indicate that it may be), everyone will do it slightly differently even with the same addons, and their request patterns and browser behaviors will be very unique.

In fact, if we ever see headlines about a Tor user compromised, my money is on it being due to that user having used a custom or obsolete config.

> 2. This is also probably a dumb question. In the
> https://trac.torproject.org/projects/tor/ticket/3580 ioerror wrote:
>
> "Perhaps it would be useful to email the Hotmail security team and
> let them know that this isn't going to work very well for people who
> need security and privacy through anonymity?"
>
> Is this something that would ever be done or considered worthwhile?
> Do owners / operators of websites like Hotmail for example care what
> you have to say or do you just assume they will ignore you so do not
> bother to contact them?

Frankly, I do not believe we have the numbers right now for anyone to give a shit about us. That much has been clear so far from our relations with Mozilla, Adobe, and others. (Though, to their credit, Google usually asks us "How do we help you actually matter?" rather than dismissing us from the outset with "Who cares about Tor? Tell us when you have something normal people can use.").

However, I may be a tiny bit cynical and jaded. YMMV.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
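The anonymity-set argument in the reply above, worked through as an added example that is not part of the original message: users who share one configuration hide in a large set, while each ad-hoc setup forms a set of one and is linkable across activities. The trait tuples, user names and population sizes are constructed for illustration, not measurements.

```python
import math
from collections import Counter, defaultdict

# Constructed sample data: each tuple stands for the traits a site can observe
# (user agent, language, plugin state, referer behaviour, window size).
SHARED = ("UA-A", "en-US", "no-plugins", "referer-spoofed", "1000x600")
ADHOC = [
    ("UA-B", "en-US", "no-plugins", "referer-sent", "1280x913"),
    ("UA-B", "en-GB", "no-plugins", "referer-sent", "1366x657"),
    ("UA-C", "en-US", "flash-click-to-play", "referer-blocked", "1920x1040"),
    ("UA-B", "de-DE", "no-plugins", "referer-blocked", "1280x913"),
    ("UA-D", "en-US", "no-plugins", "referer-sent", "1440x799"),
]

def build_population():
    """20 users on one shared configuration plus 5 ad-hoc addon setups."""
    users = {f"shared{i}": SHARED for i in range(20)}
    users.update({f"adhoc{i}": fp for i, fp in enumerate(ADHOC)})
    return users

def anonymity_sets(users):
    """Map user -> (anonymity set size k, identifying bits -log2(k/N))."""
    counts = Counter(users.values())
    total = len(users)
    return {u: (counts[fp], -math.log2(counts[fp] / total))
            for u, fp in users.items()}

def linkable_activities(observations, users):
    """Return {fingerprint: [activities]} for fingerprints held by one user
    only and seen in more than one activity."""
    counts = Counter(users.values())
    seen = defaultdict(list)
    for activity, fp in observations:
        seen[fp].append(activity)
    return {fp: acts for fp, acts in seen.items()
            if counts[fp] == 1 and len(acts) > 1}

if __name__ == "__main__":
    users = build_population()
    for user, (k, bits) in sorted(anonymity_sets(users).items()):
        print(f"{user:9s} set size {k:2d}  {bits:.2f} bits")
    obs = [("webmail", ADHOC[0]), ("forum", ADHOC[0]),
           ("webmail", SHARED), ("forum", SHARED)]
    print(linkable_activities(obs, users))
```
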