[tor-talk] Vidalia+Tor separately from TBB's Firefox
Joe Btfsplk
joebtfsplk at gmx.com
Sun Jan 15 23:33:17 UTC 2012
On 1/13/2012 4:10 PM, Mike Perry wrote:
> Thus spake Greg Kalitnikoff (kalitnikoff at privatdemail.net):
>
>> P.S. Also reading https://www.torproject.org/projects/torbrowser/design/
>> I found this: "Filter-based addons such as AdBlock Plus, Request Policy,
>> Ghostery, Priv3, and Sharemenot are to be avoided." But here
>> https://lists.torproject.org/pipermail/tor-talk/2011-November/022052.html
>> we see Andrew Lewman's "In my world, I'd replace noscript with
>> requestpolicy". I'm a bit confused :-/
> There should be no need to use filters to address 3rd party linkability
> with a proper implementation of the requirements in
> https://www.torproject.org/projects/torbrowser/design/#privacy
>
> To my knowledge, the only remaining 3rd party direct linkability risk
> is through HTTP Keepalive (Section 3.5.6), but this linkability is
> limited to a 20 second window.
>
> There is a risk of first party linkability through redirects (Section
> 3.5.7). This one will be harder to solve, but it is a more noticeable
> attack.
>
> There are also fingerprinting risks involving time that need to be
> addressed (3.6.6 and 3.6.7), but the verdict is not in as to exactly
> how much info these provide in practice. Regardless, we should also
> have some level of mitigation in place for Tor Browser 2.3.x.
>
> It is my opinion that these remaining threats do not justify the need
> for filters, and that we should focus on eliminating these few
> remaining issues rather than trying to design a filter mechanism that
> isn't full of fail.
>
I'm unclear. How does Tor (in TBB) prevent trackers (beacons, web
bugs) from gathering & transmitting data, once these are loaded w/ web
pages? Is there something in Tor that prevents these from phoning
home? If so, how? It's been mentioned about the discussion from
https://www.torproject.org/projects/torbrowser/design/#privacy
> "Filter-based addons such as AdBlock Plus
> <https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/>,
> Request Policy <http://requestpolicy.com/>, Ghostery
> <http://www.ghostery.com/about>, Priv3
> <http://priv3.icsi.berkeley.edu/>, and Sharemenot
> <http://sharemenot.cs.washington.edu/> are to be avoided. We believe
> that these addons do not add any real privacy to a proper
> implementation
> <https://www.torproject.org/projects/torbrowser/design/#Implementation> of
> the above privacy requirements
> <https://www.torproject.org/projects/torbrowser/design/#privacy>, as
> all third parties are prevented from tracking users between sites by
> the implementation."
Side note - In TBB, the preference "network.http.sendRefererHeader"
comes w/ default setting to send referer header info (I believe that
wasn't always the case). With this default setting, doesn't that allow
websites to identify the site you just came from if you click a link?
And haven't I read that all ads aren't necessarily JUST ads?
Thanks.