On 17 Sep 2013 15:32, "Petter Reinholdtsen" <p...@hungry.com> wrote:
> or by configuring privoxy, dnsmasq and redsocks with iptables to pass
> all traffic passing through the Freedombox via Tor.
>
> Is there some reason not to do this by default?

Hi!

There are some good reasons not to run unencrypted traffic through Tor:

- malicious exit nodes will be studying all unencrypted traffic passing through them
- badly-secured websites still send session cookies unencrypted, for example.
- the exit node can very easily inject arbitrary Javascript into the web page. This is bad. I don't think Javascript-enabled browsers should use Tor. (Ditto for Flash/Java.)

For fully encrypted traffic, you still need to be careful of MITM attacks. Again this is easy for a malicious exit node. You can think of Tor as subjecting yourself to a deliberate MITM. :)

I have heard anecdotal evidence that the above is happening routinely on Tor, FWIW.

Tim

_______________________________________________
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
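
The session-cookie exposure mentioned in the reply can be checked from the site operator's side. The following is an added example, not part of the original message: it audits HTTP response headers for cookies that any on-path intermediary (such as an exit node) could read. The header samples are constructed, and the function names and the HSTS check are assumptions of this example.

```python
def parse_set_cookie(value):
    """Return (cookie_name, set of lowercased attribute names)."""
    first, *rest = [p.strip() for p in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in rest if p}
    return name, attrs


def audit_response(scheme, headers):
    """Audit one response. headers is a list of (name, value) tuples.

    A cookie is 'exposed' if it was set over plain HTTP, or set over HTTPS
    without the Secure attribute (the browser will then also attach it to
    later http:// requests to the same host).
    """
    exposed = []
    hsts = False
    for hname, hvalue in headers:
        key = hname.lower()
        if key == "strict-transport-security":
            # Browsers ignore this header when it arrives over plain HTTP.
            hsts = scheme == "https"
        elif key == "set-cookie":
            name, attrs = parse_set_cookie(hvalue)
            if scheme != "https" or "secure" not in attrs:
                exposed.append(name)
    return {"exposed_cookies": exposed, "hsts": hsts}


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "http-login": ("http", [
        ("Set-Cookie", "PHPSESSID=abc123; Path=/; HttpOnly"),
    ]),
    "https-no-secure": ("https", [
        ("Set-Cookie", "sid=xyz; Path=/; HttpOnly"),
        ("Set-Cookie", "theme=dark; Secure"),
    ]),
    "https-hardened": ("https", [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "sid=xyz; Path=/; Secure; HttpOnly"),
    ]),
}

if __name__ == "__main__":
    for label, (scheme, headers) in SAMPLES.items():
        print(label, audit_response(scheme, headers))
```
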