As suggested on IRC, I think
the Tor documentation strategy needs to be rethought. Most people
barely read the download page, let alone the reams of FAQ questions.
We've had two "attacks" now on Tor that rely on unmasking users who
use Tor incorrectly. One of them actually published a paper and had
decent results at unmasking this way (mostly Asian users who probably
can't read our English mailing list or English FAQ), and the media
still doesn't seem to understand that these attacks are well
documented.

The Tor download page should have a concise "Things to know before
downloading" section that lists a few key points about the easiest
ways your identity can be revealed through Tor. Something like:

Things to know before you download Tor:
- Browser plugins can be made to reveal your IP.
- This includes Flash, Java, ActiveX and others.
- It is recommended that you use Firefox and install the extensions
  NoScript, QuickJava, and FlashBlock to control this behavior if
  you must have these plugins installed for non-Tor usage.
- Make sure your browser settings have a proxy listed for ALL
  protocols (including Gopher and FTP).
- For further details, please consult the Tor FAQ.
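A check in the spirit of the "proxy listed for ALL protocols" item: an added example, not from this thread, that reads a Firefox prefs.js and reports any protocol still going out directly. It also checks network.proxy.socks_remote_dns, which the post does not mention; the sample profile is constructed, and the Privoxy (8118) and Tor SOCKS (9050) loopback ports are assumptions.

```python
import re

# Lines as Firefox writes them in prefs.js: user_pref("network.proxy.type", 1);
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);$')

# Protocols Firefox proxies separately; a blank one sends that protocol
# out directly, which is the "proxy for ALL protocols" point in the post.
PROTOCOL_PREFS = ("network.proxy.http", "network.proxy.ssl",
                  "network.proxy.ftp", "network.proxy.gopher")

def parse_prefs(text):
    """Return {pref_name: value} from prefs.js / user.js text (quotes stripped)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs

def audit_proxy_prefs(prefs):
    """Return a list of findings; an empty list means every protocol is proxied."""
    findings = []
    if prefs.get("network.proxy.type") != "1":
        findings.append("network.proxy.type is not 1 (manual): no proxy is used at all")
    for pref in PROTOCOL_PREFS:
        if not prefs.get(pref):
            findings.append(f"{pref} is empty: that protocol bypasses the proxy")
    # Not in the post, but the same class of leak: without this the browser
    # resolves hostnames locally instead of through the SOCKS proxy.
    if prefs.get("network.proxy.socks_remote_dns") != "true":
        findings.append("network.proxy.socks_remote_dns is not true: DNS bypasses the proxy")
    return findings

# Constructed sample profile: HTTP and HTTPS go through Privoxy (8118) and
# SOCKS through Tor (9050), both assumed, but FTP and Gopher were never set.
LEAKY_PREFS = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8118);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
"""

# The same profile after filling in the remaining protocols and remote DNS.
FIXED_PREFS = LEAKY_PREFS + """\
user_pref("network.proxy.ftp", "127.0.0.1");
user_pref("network.proxy.gopher", "127.0.0.1");
user_pref("network.proxy.socks_remote_dns", true);
"""
```

Running audit_proxy_prefs(parse_prefs(LEAKY_PREFS)) reports FTP, Gopher and remote DNS; the fixed profile reports nothing.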
I had advocated something similar some time ago. Actually, what I proposed
was that some sort of test server be set up. I know there are already
many of them, but I was thinking that there could be testing stages
in an install wizard (or a post-install testing wizard)
that takes the user through various tests and what to do in response
to results. I know it's a lot of work; maybe another suggestion to be
listed on the volunteer page or a candidate for Summer of Code?

As a new user (about a week now) and without much of a background,
hopefully I can offer some insight. The installation and documentation
to get up and started is very helpful, especially the screenshots.
However, I am lost with Privoxy configuration, e-mail config (especially
about the SMTP port 465 in Thunderbird), and if, how, and when I need
to modify the torrc file. I have subscribed to all the lists
and am doing my best to absorb the info.

I usually learn new programs by futzing with them until I have learned
the ins and outs. However, this is different because the learning curve
could do some damage (stories of how Tor users were not protected).
My suggestions/responses to help protect green users like me from those
who can take advantage of our lack of information are:

- A hold-your-hand walkthrough of add-ons to Firefox and Thunderbird to
  be installed before attempting to use the programs (just like the setup
  instructions; they were great).
- A few predefined configurations of Privoxy, NoScript etc. with a WALK
  THROUGH on how to access them, what they mean and how to tweak them in
  the future.
- The test server sounds like a great idea. I keep reading about things
  which break pages and reveal your identity, but I have no idea if it is
  actually happening. Is there a way to set an alert which notifies the
  user that his/her anonymity has been compromised?
- Again, a list of IMPORTANT things you should not do is a great idea. I
  don't know if I can use another browser without Privoxy etc. installed
  after I have disconnected from Tor and wish to surf as I did previously.
  Is that bad? I am also pretty sure that I should not use any other
  programs which don't go through Tor while I am connected to Tor. Is it
  OK to use them after I disconnect?

The takeaway from my rambling is that compromises to security and the
network's reputation are going to come from users like me, not from a
developer or experienced user. To maintain integrity it is a good idea
to devote time to developing better walkthroughs regarding use after
initial setup and to keep new users from hurting themselves or the
reputation of the network.

Jay