-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

I have set up a rough HOWTO on having anonymous and non-anonymous
Firefox sessions co-exist (even though this itself is NOT recommended).
It is written for Windows, but mostly applies to any other operating
system. The HOWTO is here:
http://www.cs.umn.edu/~eyv/anon-web.html

Any and all comments from the community are appreciated.

Thanks,
Eugene

Thus spake Michael Holstein:
>> (1) Does it mean that even when I visit unencrypted sites, nobody
>> would be able to tell what sites or pages I am requesting?
>
> Correct. As long as you're also proxying the DNS via SOCKSv4, the only
> person that could "see" your traffic in the clear is the folks between
> the exit node and the destination.
>
> However .. if you do something like access your (real) Yahoo mail,
> someone could connect that traffic with the "real" you .. because they
> could see your name in the HTTP traffic. Thus, it's unwise to leak the
> recipe to the secret sauce, and then go check your Hotmail account all
> in the same session.
>
> You also need to be mindful of combining your "anonymous" and "regular"
> activities .. if, for example, you allow sites to set cookies and you
> visit two sites both using DoubleClick .. that cookie will connect the
> "real" you and the "tor" you. Same goes for any website that requires
> authentication (eg: Yahoo mail, etc.). Someone could check the logs and
> say "well, I see it was TOR this time, but yesterday it was Comcast".
>
>> (2) Can the green line be cracked by intercepting the packets or headers?
>
> An attack against AES that's more effective than bruteforce is not (yet)
> known, so I'd say "probably not", although TOR developers are clear to
> tell you it doesn't defend against a "global adversary" (eg:
> $3_letter_agencies).
>
>> (3) I don't know where the encryption key is stored. Can it be stolen
>> if my pc is hacked?
>
> The client key is in memory, so no .. unless you do something like
> suspend your laptop while TOR is running (thus writing it to disk).
> Also, it's possible to have the key written to swap accidentally.
>
> You can prevent both those problems with a "liveCD" distro that doesn't
> touch the hard disk. There are many such "internet privacy appliances",
> my personal favorite being the one based on OpenBSD (Anonym.OS).
>
> Other general recommendations :
>
> Firefox (dump cookies on exit, no cache, etc)
> NoScript plugin (no javascript)
> FlashBlock plugin (no flash)
>
> Cheers,
>
> Michael Holstein CISSP GCIA
> Cleveland State University

- --
Eugene Y. Vasserman
http://www.cs.umn.edu/~eyv/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF5Fbs4S3hfPlRZlkRA+qqAKCiUU8XfIFVzpU07mel8BRa16oOigCgjXxc
GQDldcI2/4z5YzDWBEjrBJs=
=MyMJ
-----END PGP SIGNATURE-----
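
Added example, not part of the original message or of the linked HOWTO: a small Python audit of a Firefox prefs.js/user.js for the points raised in the quoted reply (DNS sent through the SOCKS proxy, cookies dropped on exit, no disk cache). It assumes the Firefox preference names listed in CHECKS, which apply to Firefox releases that still have network.cookie.lifetimePolicy; both sample pref files are constructed.

```python
import re

# One user_pref("name", value); line from a Firefox prefs.js / user.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {pref name: value}, with values converted to bool, int or str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

# (pref, predicate, finding). A pref missing from the file is passed in as
# None and fails its check, because the browser default is the leaky setting.
CHECKS = [
    ("network.proxy.type", lambda v: v == 1, "no manual proxy configured"),
    ("network.proxy.socks", lambda v: bool(v), "no SOCKS host set"),
    ("network.proxy.socks_remote_dns", lambda v: v is True,
     "DNS is resolved locally instead of through the SOCKS proxy"),
    ("network.cookie.lifetimePolicy", lambda v: v == 2,
     "cookies persist across sessions"),
    ("browser.cache.disk.enable", lambda v: v is False,
     "disk cache is enabled"),
]

def audit(text):
    """Return the list of findings for one prefs file (empty list = all checks pass)."""
    prefs = parse_prefs(text)
    return [msg for name, ok, msg in CHECKS if not ok(prefs.get(name))]

# Constructed sample: proxy is set, but DNS and cookies still leak.
SAMPLE_LEAKY = '''
// constructed example profile
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_remote_dns", false);
user_pref("network.cookie.lifetimePolicy", 0);
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_LEAKY):
        print("FINDING:", finding)
```

Run it against the profile used for the anonymous session only; a clean result says nothing about cookies or logins shared with a second, non-anonymous profile.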

