NoScript, Tor and Firefox
Justin Aplin
jmaplin at ufl.edu
Thu Jun 24 14:56:51 UTC 2010

On Jun 24, 2010, at 9:44 AM, zzzjethro666 at email2me.net wrote:
> If NoScript is so important, then why doesn't it come in the Windows
> bundle for use with a USB?

As per the Browser Bundle's download page: "The Tor Browser Bundle is
under development and not yet complete." Now, I don't have much (any)
experience with the Browser Bundle, but I imagine it doesn't come with
NoScript because it breaks functionality. Blocking JavaScript, Java,
Flash, XSS, etc etc are great for security, but the more of that you
disable, the less functional many websites become. This can break the
"plug and play" nature of the Browser Bundle.

> My limited understanding is that this is sort of a complete package,
> with configurations set to enhance and protect the user client. Now,
> perhaps that only applies to use in the Tor network, i.e. Hidden
> Services and such, and not the big, bad Spider's Web. Is this an
> accurate, useful conclusion on my part?

It's my understanding that the Browser Bundle lets you use Firefox
over Tor via Torbutton, without the hassle of having to set up
Firefox, Tor, or Torbutton on the computer you're using. That said, it
only provides those benefits unless you enhance your own security. If
you are doing something that requires extreme privacy, and can't risk
your HTTP or other unencrypted traffic being snooped on at the exit
node (when accessing the "regular" internet), then you'll need to take
measures to encrypt it. Forcing the use of HTTPS was the subject of
the previous discussion you were quoting from, and setting up custom
NoScript rules is one way of doing that. Granted, it often breaks the
functionality of certain websites.

You're correct in thinking that this is somewhat less of an issue when
accessing Tor Hidden Services, as traffic never leaves the (encrypted)
Tor network. I'm sure, depending on the type of service run, that
there are ways of maliciously gathering information about clients, but
historically I don't believe this has been an issue (someone please
correct me if I'm wrong).

> I used to use NoScript a few years and versions ago, but read about
> potential weak points in it or that it might nullify what Privoxy
> and now Polipo do. Excuse me if my memory is inaccurate but that was
> the general gist of discussions I read. It might have also been
> mentioned that configuration settings in Firefox could be changed by
> NoScript but again, I'm just trying to remember. I'm not real sure
> nor trying to spread disinfo.

I can't comment on this, not having as much experience as I'd like
with Polipo.

> I once was curious as to all the problems users have with Tor/
> Vidalia and was told that if I use it "out of the box", my problems
> are less and my anonymity is still good, depending on other factors
> to be sure. So far, that seems to be the case but tweaking, testing
> and understanding it in more environments doesn't seem to be in the
> cards for me this lifetime.

Your anonymity is improved in the sense that (theoretically) all
traffic bound for Tor is encrypted, and any traffic that would
normally be unencrypted (without Tor) is now coming out some exit node
that could be anywhere in the world and has no obvious connection to
you. This is called "Speakeasy" security, and it only takes you so
far. For example, sending your bank account details in an unencrypted
(plaintext) email over Tor isn't particularly any safer than doing so
without Tor, as anyone spying on an exit node could pick it up and
have a field day with it. Tor isn't magic. If you're dealing with
sensitive information, act as though you weren't using Tor at all and
take appropriate security measures to protect your information. With
that done, Tor is simply the icing on the cake (delicious, delicious
cake I might add).

> Thanks.

Anytime :-)
~Justin Aplin