[tor-talk] Flashproxy questions. (Badge config, user interaction)
Sebastian G. <bastik.tor>
bastik.tor at googlemail.com
Sun Oct 7 09:08:15 UTC 2012
David Fifield:
Thank you for the detailed information.
>> How can it be achieved that the badge is only active after it has been
>> clicked?
>
> What this means is that the JavaScript would run, but not actually do
> anything until clicked.
My question wasn't precise enough. As far as I understand it now, a
website owner (admin) can't choose between opt-in and opt-out, right?
I assumed that
iframe ="//crypto.stanford.edu/flashproxy/embed.html" width="80"
height="15" frameborder="0" scrolling="no">
will be a badge that is running on the users end (opt-out).
My question was how an admin can achieve to have be opt-in? (Now I
understand that doesn't seem possible.)
Couldn't you have
"crypto.stanford.edu/flashproxy/embed_opt_in.html"
and
"crypto.stanford.edu/flashproxy/embed_opt_out.html"
to make it possible to choose between them?
My concern about opt-out was that someone else decides for anybody else.
An admin decides for the visitors. Although the proxy might be idle most
of the time and a visitor is not affected I would find it problematic to
have it opt-out by default.
For crypto.stanford.edu it did not concern me as I read.
"If your browser runs JavaScript and has support for WebSockets then
while you are viewing this page your browser is a potential proxy
available to help censored Internet users."
For some people it may be suspicious that there browser is doing
something without their consent. I expect a browser to display web pages
and not to relay traffic.
It's also hard to figure out how many people would care to click the
badge when it's opt-in. I hadn't any good idea to make people aware of
the proxy and that the could help, without annoying them.
It's also hard to figure out how admins will react to opt-out. Users may
overlook the badge or don't care at all so the admin assumes it would be
a good idea to do it that way.
>
>> What happens if one opens multiple browsers (FF, TBB, FF Portable,
>> Opera, Chrome, Safari, IE, or any other) and visits a website containing
>> such a badge (or multiple websites with such a badge)?
>
> Each one is an independent proxy, possibly subject to
> facilitator-imposed restrictions. The proxy should disable itself when
> running in TBB but does not, because I don't know how to detect that;
> see ticket https://trac.torproject.org/projects/tor/ticket/6293.
I saw the update to exclude Tor exits from being served. And think this
is a good idea. Mostly because it catches Tor + any browser (not
recommended) and TBB.
TBB users should look all the same, but how they look changes from TBB
release to TBB release I assume. Would be not so good to have something
to fingerprint it on.
Once the flashproxy is not relaying Tor over Tor, the anonymity attacks
shouldn't be a problem to have opt-out from that point of view.
> Nice questions, please keep them coming.
Knowledge is power. I didn't know what would happen so I asked.
It's easier to explain it to both sides (admins and visitors) if you
know how it works.
I don't seem to have questions for now, but I will come back and ask for
more. Thank you for explaining so nicely.
>
> David Fifield
>
Sebastian (bastik_tor)
More information about the tor-talk
mailing list