[tor-talk] New Browser Bundle

Christian Siefkes christian at siefkes.net
Tue Nov 8 13:56:47 UTC 2011


Hi Andrew, all,

On 11/07/2011 03:32 AM, Andrew Lewman wrote:
> On Sunday, November 06, 2011 15:15:21 Joe Btfsplk wrote:
> I'd like to see someone do research that proves or disproves this fear that 
> javascript and cookies everywhere is hazardous to the anonymity of a tor user. 
> I don't know a better setting for noscript. I know what I use for settings 
> when I use the default TBB setup.  
> 
>  If you use collusion with TBB, you'll see the various connections made to the 
> current browsing session. http://collusion.toolness.org/. I frequently hit 
> 'new identity' to wipe the cache/cookies.

Does that work? As I understand it, clicking the "Use a new identity" button
in Vidalia tells Tor to build new circuits for subsequent connections, but
it doesn't seem to affect Aurora -- all the cookies that have assembled
since the start of the session are still there. (At least on Linux, using
the current version.)

Or is there a different 'new identity' feature I missed?

> In my world, I'd replace noscript with requestpolicy. If you never request the 
> 3rd party sites, then you cut out lots of risks/cruft, in theory. This is the 
> core idea behind requestpolicy.  Unfortunately, this breaks lots of websites 
> and would freak out most tor users. However, this is another fine study to 
> undertake.

I tried using requestpolicy in my everyday surfing for some time, and turned
it off because it was too annoying. Almost every major site uses different
domains for e.g. static content, hence requestpolicy requires adding new
exceptions all the time.

On the other hand, I always use NoScript in its default setting without
problems. In fact, I find that if scripts don't run without explicit
permission, web surfing becomes much more peaceful. If I start Firefox with
tabs with Youtube videos open, they won't start playing automatically, which
is otherwise very annoying, for example. And if many tabs are open, Firefox
will use much less memory and is less likely to crash.

I'm a bit surprised that TBB includes NoScript but still allows all
JavaScript by default. I suspect it would be better to disable scripts by
default, leaving it to the user to decide whether s/he wants to allow
scripts on a site.

> Intuitevly it sounds bad, yes.  However, I'd like to see baseline research and 
> then settings changes that are proven to improve anonymity for the user. Of 
> course, 'improve anonymity' implies some sort of measurement, which ties into 
> https://blog.torproject.org/blog/research-problem-measuring-safety-tor-network

If that is an open research question, why play it risky in the meantime?

Best regards
	Christian

-- 
|------- Dr. Christian Siefkes ------- christian at siefkes.net -------
| Homepage: http://www.siefkes.net/ | Blog: http://www.keimform.de/
|    Peer Production Everywhere:       http://peerconomy.org/wiki/
|---------------------------------- OpenPGP Key ID: 0x346452D8 --
If one cannot state a matter clearly enough so that even an intelligent
twelve-year-old can understand it, one should remain within the cloistered
walls of the university and laboratory until one gets a better grasp of
one's subject matter.
        -- Margaret Mead

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20111108/efa87740/attachment.pgp>


More information about the tor-talk mailing list