Firefox and Tor? Forget about it!!
Kyle Williams
kyle.kwilliams at gmail.com
Mon Dec 21 10:47:56 UTC 2009
nnnnnnnnnnnn at Safe-mail.net wrote:
> With mounting security problems I'm finally saying, "Firefox and Tor? Forget about it!!"
>
> http://secunia.com/advisories/37699/
>
> I want something less bloated like Dillo:
>
> http://www.dillo.org.
>
> I haven't tried the old & outdated distro called ELE:
>
> http://northernsecurity.net/download/ele/
>
> "What is ELE?
> ELE is a bootable Live CD Linux distribution with focus on privacy related software. It is based on Damn Small Linux and aims to be (obviously) as small as possible. The first release was 65M, the current one 61M.
>
> What does it include?
> Irssi, Gaim, Dillo, Firefox, SSH, VNCviewer, Xpdf, most of the standard Linux apps like wget and vi. It uses the Fluxbox window manager. Everything, except VNCviewer at the moment, passes through Tor. When using Dillo or Firefox scrubbing is done by Privoxy and the Google search engine has been replaced by Scroogle."
>
> but it sounds sweet. I've decided to go in this direction, using Dillo and Privoxy on a personally rolled together Linux LiveCD or USB. I'll try basing it off of Damn Small Linux
>
> http://www.damnsmalllinux.org
>
> first to see how well it works.
>
> When using Firefox and Torbutton* along with Noscript* and Privoxy* (or other extensions), it feels like I'm riding on an elephant or whale of a creature who is open to anything with its seedy downtown brothel breath fogging up my glasses. Firefox doesn't feel safe to use anymore, especially in a tor environment where hostile injections are a growing concern. (* No offense to Torbutton, Noscript and Privoxy developers, you make fine software and I'll continue to use Privoxy with another browser, but how many more combinations will we continue to need to plug Firefox's issues with tor usage and how many soft spots could be considered possible or future vectors in each piece we plaster on top?)
>
> Please tell me what you think of all of this and whether or not this is a proper direction to go on or if Dillo's audience is limited and doesn't receive enough testing to warrant switching to Dillo.
> ***********************************************************************
> To unsubscribe, send an e-mail to majordomo at torproject.org with
> unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
>
You may want to look at the Chromium Browser VM. It's beta, but
functional and supports Tor.
It's also 3x faster (inside a VM) than Firefox running natively on the
host OS.
http://www.janusvm.com/chromium_vm/index.html
"
WHAT IS Chromium Browser VM?
The Chromium Browser VM is what the name says, the Chromium web browser
<http://dev.chromium.org/> running inside a virtual machine
<http://en.wikipedia.org/wiki/Virtual_Machine>. The primary difference
from other VMs is that the browser window is being exported back to the
host OS using the X Window System <http://en.wikipedia.org/wiki/X11> (or
X11) protocol. By running Chromium inside a VM, we are protected from
unknown malicious exploits, vulnerabilities, and side channel attacks
<http://www.deanonymizer.com> that could compromise our security,
privacy, and anonymity. By exporting the browser window back to the host
OS, we get a look and feel as though it's just another application on
our system, even though it's running from inside the VM. This creates a
secure environment in which we can now run Javascript, Flash, and Java
in a browser without having to worry about compromising the host OS if
we get exploited.
"
Side note, the ISO can also be burned to a CD-ROM and used as a boot CD.
It may or may not be what you're looking for, but I thought I would
throw it out there.