Re: Ultimate solution
Is it really that difficult to test if active content is disabled? The Tor software should not work(i.e. the start tor button should not be clickable) if the user hasn't deactivated Javascript, Flash, Java, etc. Is this difficult do implement? There are not too many browsers. -- JT [EMAIL PROTECTED] -- http://www.fastmail.fm - Or how I learned to stop worrying and love email again
Please don't recommend Tor Button!
Hi, recommending the Tor Button is a security/anonymity hazard. Clicking on the Tor button will automatically remove the ftp and gopher proxy in firefox for example. (Would the author of Tor button also set the other protocols to use Tor if we asked him?) A better way is to create two different OS users and leave the Tor user account with all browser proxy settings permanently. This also solves the cookie problem as anonymous and non-anonymous surfing isn't mixed. Also please advise the user to make www.whatismyip.com as the homepage of the browser in the Tor OS account. So he can see what is active before he starts surfing. -- JT [EMAIL PROTECTED] -- http://www.fastmail.fm - Faster than the air-speed velocity of an unladen european swallow
Please RTM!...Re: Please don't recommend Tor Button!
--- JT [EMAIL PROTECTED] wrote: Hi, recommending the Tor Button is a security/anonymity hazard. Clicking on the Tor button will automatically remove the ftp and gopher proxy in firefox for example. These are not used with Tor and that is why the port is zero. TorButton is a great extension, it is configured correctly and the Tor devs. recommend it, as do I. Please read up on Tor before sending emails to the list, it can confuse people. Regards We won't tell. Get more on shows you hate to love (and love to hate): Yahoo! TV's Guilty Pleasures list. http://tv.yahoo.com/collections/265
Re: Please RTM!...Re: Please don't recommend Tor Button!
--- Fabian Keil [EMAIL PROTECTED] wrote: Could you post a pointer to the part of the Tor documentation that you're referring to? If I have time today, yes. There is a wiki entry stating those need to be set to break. I was referring to the fact it is suggested is set those so they'll break, I wasn't specifically referring to TorButton. The relevant parts of the documentation that I'm aware of recommend to set the gopher and ftp proxy settings to Privoxy, to make sure those requests fail instead of bypassing Tor: Maybe I was overly harsh then, I can see where the confusion may came from if someone read these sections. If one thought you _had_ to follow the old directions above then yes, it would seem like TorButton is mis-configured. If the Tor button extension would indeed remove these settings permanently, I'd consider JT's concerns valid. TorButton handles these correctly and does not route them into Privoxy, it just breaks them with a zero port...which is what was recommended by the Tor devs. when Scott Squires when building TorButton (as far I as remember). There is no need set those up to go into Privoxy if the port is zero. Regards Expecting? Get great news right away with email Auto-Check. Try the Yahoo! Mail Beta. http://advision.webevents.yahoo.com/mailbeta/newmail_tools.html
Update Tor doc [Was:Re: Please don't recommend Tor Button!]
--- light zoo [EMAIL PROTECTED] wrote: Maybe I was overly harsh then, I can see where the confusion may came from if someone read these sections. If one thought you _had_ to follow the old directions above then yes, it would seem like TorButton is mis-configured. So maybe http://tor.eff.org/docs/tor-doc-web.html.en should be updated to refelect the TorButton settings to prevent this type of confusion in the future? Regards, Expecting? Get great news right away with email Auto-Check. Try the Yahoo! Mail Beta. http://advision.webevents.yahoo.com/mailbeta/newmail_tools.html
Re: Re[2]: Ultimate solution
2. Where will this be displayed, and who is going to read it? (Simple usage instructions) On the download page. On the Configure Privacy page. When you get By default, all scripting is blocked. Click here to configure safety level of scripting on the second or third web page you go to. 3. Why keep any cookies at all after a session? (Common cookies for the tracking sites) After a session? How long do your sessions last? Mine last days. 6. I especially like #6, now how to we get the tor network to route this as an exit node? It's my understanding that if you want a connection to x.y.z.t:p, and x.y.z.t is running a tor node that permits exit on p, then you are guaranteed to use x.y.z.t as your exit node. What about Even if I'm just a middleman node? Does it still permit local exit? (I don't know). What about a trivial setup for Allow anything to exit on my node. Or even just Allow web / ftp / SSH / secure mail (or whatever other checkboxes are wanted) to exit on my node, without any bandwidth sharing for the network (litterally, just an exit-only configuration to help others who are using tor. 100% secure, encrypted communication without having to purchase an SSL certificate for your web site, or having to deal with the Do I need to translate this address to add/remove www. at the beginning, all to keep their browser from complaining, and redo that every year?.
Re: Please don't recommend Tor Button!
On 3/28/07, H D Moore [EMAIL PROTECTED] wrote: If they use the decloak portal instead, I can add tests for Gopher and FTP as well: http://metasploit.com/research/misc/decloak/index.html What is this page supposed to return/tell me? I went there, hit Start test, got my Java console, saw some java activity, and then nothing more. No web page popped up with my results, nothing.
Re: Please RTM!...Re: Please don't recommend Tor Button!
light zoo [EMAIL PROTECTED] wrote: --- Fabian Keil [EMAIL PROTECTED] wrote: If the Tor button extension would indeed remove these settings permanently, I'd consider JT's concerns valid. TorButton handles these correctly and does not route them into Privoxy, it just breaks them with a zero port...which is what was recommended by the Tor devs. when Scott Squires when building TorButton (as far I as remember). There is no need set those up to go into Privoxy if the port is zero. Is that a guess or did you actually verify that? If you did, which Firefox version were you using? At least for: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.8.1.2) Gecko/20070306 Firefox/2.0.0.2 proxy port 0 means ignore the proxy IP and use a direct connection. I would be very surprised if the behaviour would be platform-dependent. Fabian signature.asc Description: PGP signature
Re: Please don't recommend Tor Button!
Ummm... So do I need to change to Torbutton preferences from the default settings? Jay --- Roger Dingledine [EMAIL PROTECTED] wrote: Torbutton automatically sets that, so now when things default to your socks proxy, it's still safe. Yes, TorButton's configuration is ok...and a little more background info for those who are interested: FF conciders a port set to zero to be an un-proxies protocol and direct connects to the Internet. http://kb.mozillazine.org/Network.proxy.(protocol)_port When the Socks address:proxy is set it routes other non-proxied protocols into Socks settings. http://www.mozilla.org/quality/networking/docs/netprefs.html So because TorButton sets FF ftp and gopher to port zero it allows the Socks proxy to route and break ftp/gopher against Tor. Can't ever by straight forward, ;-) Be a PS3 game guru. Get your game face on with the latest PS3 news and previews at Yahoo! Games. http://videogames.yahoo.com/platform?platform=120121
GPG Preferences
Hey guys... I use GPGPreference to tweak Mac GNU Privacy Guard. Under the Key Server tab there is a text box which says: Use the following HTTP proxy to access the key server I took a guess and filled in http://127.0.0.1:8118/ and when I search for keys it seems to work. Did I configure this correctly? Is that program even meant to be used with Tor? Jay
Re: Please don't recommend Tor Button!
--- Jason Edwards [EMAIL PROTECTED] wrote: Ummm... So do I need to change to Torbutton preferences from the default settings? Jay If your using FF 1.5 or newer then, no, you don't need to change the default TorButton settings. Regards Sucker-punch spam with award-winning protection. Try the free Yahoo! Mail Beta. http://advision.webevents.yahoo.com/mailbeta/features_spam.html
