Tor,security and web-usability
abacus.01 at mailnull.com
abacus.01 at mailnull.com
Tue Jun 13 00:56:00 UTC 2006
Hello,
first I want to say thanks for this great programme and you that you might tolerate my Mac-security related questions. I read that Javascript and Flash are bad for Tor´s security provisions. Though quitting Javascript is easy, I have not found the appropriate way to quickly kill Flash, neither in Firefox nor any other browser, most Flash-sites show up on my OSX just fine even without any Java.
Does that mean one theoretically had to deinstall Flash before surfing with Tor?
The same question applies to Windows Media Player on the Mac, this is not secure to surf with, is it? Is a deinstallation also required before achieving an acceptable security level?
The next question is related to these problems: if I want to create an email-account with any of the big free webbased mail-services I know, I HAVE to switch Java and Javascript on, otherwise the configurations will fail. I understand that configurating, e.g. Yahoo with Tor enabled and the required Java/Javascript turned on, renders Tor´s efforts null and void. I could as well surf openly to Yahoo like say 10 years ago.
Does anybody know of a web-based mail-service, that does not require Java/Javascript during configuration or use? Or do I have to accept that I also have to use some remailer to reduce traceability to a secure amount?
Finally, if I go to pages like http://gemal.dk/browserspy/, I could really get paranoid or despair of security. While the useragent could be partly be faked and randomly changed with tools like Fabian Keil´s great uagen.pl , an automatic Firefox-User-Agent-Generator, the flash detection at gemal.dk/browserspy/ e.g. still reveals not only the Flash version but also my Operating System and its version. This works WITHOUT Java/Javascript enabled. Given the fact, that more and more parts of the web rely increasingly on Java/Javascript and multimedia enhanced features, are security related efforts not really a rearguard action?
Besides the problems of traceabilty that might result for Tor if one uses Java/Javascript, could it be a reasonable strategy to add a layer of obfuscation by employing second and third operating systems via emulation (e.g. inside a otherwise inaccessible truecrypt partition (which is not yet feasible on the mac))?
Sorry, if this all sounds convoluted, I somehow just want to appraise the scope of this gargantuan (or sisyphusian (is there a word like this?) task. Thanks in advance and all the best for your work
Regards
----------
This message was sent from a MailNull anti-spam account. You can get
your free account and take control over your email by visiting the
following URL.
http://mailnull.com/
More information about the tor-talk
mailing list