Re: BetterPrivacy - necessary?
grarpamp wrote: As usual, it would be awesome to have a tool that could de and re encapsulate https so that proxies and caches could do their thing with it. I am very far from an expert in these matters, but it would seem to me that the ability to do so without the explicit cooperation of the browser (or other client) would indicate that your attempt at end-to-end encryption was hopelessly broken. If you could de/re-encapsulate then so could any other man-in-the-middle, and you would never be the wiser. But I do understand the usefulness of what you suggest. The only way I can see of doing it that had any possibility of being secure would be if A) your proxy/cache handled the real end-to-end encryption/authentication with the website, and B) there was a plugin (or built-in functionality) on the browser that maintained a secure AND AUTHENTICATED connection with the proxy/cache. I.e. the browser would have to be aware of what was going on and would suspend its verification of the website's certificate while insisting that it authenticate that it was talking to the approved proxy/cache which is tasked with the secure communication to the website. If the proxy/cache detected a problem with the website's certificate, then it would have to have a way of signalling this, perhaps just by serving up its own page with the relevant information. That's the best I can come up with. Comments? Jim *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: BetterPrivacy - necessary?
IMHO its important to suppress active content (Flash, ActiveX, Silverlight, JavaScript etc.) and other junk and therefor I prefer 'Privoxy' [1] instead of Polipo. I concur but doesn't TorButton do all this suppression? That said: what was the rationale in moving from Privoxy to Polipo? Did it happen because TorButton became standard? *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: BetterPrivacy - necessary?
On Fri, 01 Oct 2010 22:29:48 +0100 Matthew pump...@cotse.net wrote: IMHO its important to suppress active content (Flash, ActiveX, Silverlight, JavaScript etc.) and other junk and therefor I prefer 'Privoxy' [1] instead of Polipo. I concur but doesn't TorButton do all this suppression? Torbutton disables plugins (e.g. Java and Flash), and restricts the capabilities of JavaScript code. That said: what was the rationale in moving from Privoxy to Polipo? Did it happen because TorButton became standard? I think Polipo was a better cache, and since an HTTP proxy can't filter evil content out of HTTPS responses, Privoxy's filtering was not very useful. Robert Ransom signature.asc Description: PGP signature
Re: BetterPrivacy - necessary?
On Fri, Oct 01, 2010 at 10:29:48PM +0100, pump...@cotse.net wrote 0.5K bytes in 12 lines about: : I concur but doesn't TorButton do all this suppression? : : That said: what was the rationale in moving from Privoxy to Polipo? : Did it happen because TorButton became standard? https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#WhydoweneedPolipoorPrivoxywithTorWhichisbetter -- Andrew pgp 0x31B0974B *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: BetterPrivacy - necessary?
I think Polipo was a better cache, and since an HTTP proxy can't filter evil content out of HTTPS responses, Privoxy's filtering was not very useful. Note though that the definition of evil can be game changed by running your instance inside a secure sandbox, behind a nat, and minding your session data appropriately. With no access to the rest of the system and no crosssite cookie/etc trails, that's a good win. You're really only left with the case of a rogue applet doing a 'whatismyip.com' to defeat your use of 1918 space and then sending the result to whoever your adversary may be. Depending on what the user is doing, that could be a big weakness that warrants the tradeoff of disabling 'evil' features. As usual, it would be awesome to have a tool that could de and re encapsulate https so that proxies and caches could do their thing with it. *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: BetterPrivacy - necessary?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 09/29/2010 02:19 PM, Matthew wrote: Are any other add-ons necessary or would people suggest I am now fully protected? I am fond of using AdBlock Plus and Ghostery to suppress adverts and web bugs (ideally so there is one less thing to worry about leaving records, but it also speeds up browsing a little). HTTPS-Everywhere is useful for making sure that connections to some websites are encrypted to provide a bit more privacy at the exit node. - -- The Doctor [412/724/301/703] PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: http://drwho.virtadpt.net/ Screaming right along at 9600 bps... -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkyku7YACgkQO9j/K4B7F8HJHQCbBVZ/4nRE1L4DH6w2vjnj47Na QJwAn0TB8w49h4V4XCe/VPukAywj7/Ao =+bZM -END PGP SIGNATURE- *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: BetterPrivacy - necessary?
On 9/29/2010 2:19 PM, Matthew wrote: I currently use Tor + Polipo + Torbutton + NoScript. Obviously there are other add-ons for Firefox out there such as BetterPrivacy. Are any other add-ons necessary or would people suggest I am now fully protected? Thanks. There is no such thing as being Fully protected. Personally, as long as you don't have a three or four-letter agency after you, and are making SURE that all personally-identifiable information you enter is encrypted (under HTTPS or otherwise), I think you should be protected enough for most purposes. ~Justin Aplin
Re: BetterPrivacy - necessary?
On 2010-09-29 20:19, Matthew wrote: I currently use Tor + Polipo + Torbutton + NoScript. Obviously there are other add-ons for Firefox out there such as BetterPrivacy. I think 'BetterPrivacy' is a must! [1] Are any other add-ons necessary or would people suggest I am now fully protected? IMHO its important to suppress active content (Flash, ActiveX, Silverlight, JavaScript etc.) and other junk and therefor I prefer 'Privoxy' [1] instead of Polipo. [1] http://en.wikipedia.org/wiki/Local_Shared_Object [2] http://www.privoxy.org/ *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/