>> Whether using an "isolating proxy" (multiple machines) or not, using a >> white-listing proxy like Corridor can help ensure all of your traffic >> passes through Tor (Entry Guard, at least). >> > > That's right. Also, using Firefox with those extensions is *not* the same > as > using Tor Browser:
Understood. I do take a few more precautions (with iptables, bridges, etc.) but Torbrowser certainly does take care of a lot of important things for you. > https://www.torproject.org/projects/torbrowser/design/ Wow, that's a great resource, thanks! I think I still prefer to "roll my own" versus using TBB. (And that link is great for tips on doing that.) There are four (probably reasonable and legitimate) things about TBB (and tails) that are red flags to my overly-paranoid mind: 1) Not a problem in Tails (being a bit "read-only), but the normal Torbrowser Bundle is very stubborn about doing an update check every time it starts. I understand the reasoning behind it, keeping up with 0days as they're discovered, and at least one exploit in the past would have been avoided by anybody who stayed updated. Sure, notify me, but forcing that "phone home" on every start is a bit too much like MS-style tracking to me. I could be wrong (I often am), but even turning off the update check in settings didn't seem to work for me. Although I might have screwed up somehow or it might have been an artifact of non-persistence in an AppVM. Having that update check/download on by default, I don't like. Finding the actual tor browser binary to launch is a major pain. It almost seems intentionally hidden. :) 2) JavaScript on by default. I understand the convenience for the general public, but TBB isn't really for the general public but the security-conscious. And the security-conscious shouldn't turn on JS unless necessary. (And with Qubes, one can keep their JS-dependant sites to a separate VM, whoohoo!) In Tails, having JS on plus automatically loading Tails home page (which could be subverted by someone with CA ability) is a bit of a risk, IMO. To avoid having a JS-enabled load of the Tails home page, you have to start it without networking, disable things, then enable networking. Blah. 3) Default search engine set to Disconnect.me. And disconnect.me seems to do nothing but redirect your search to duckduckgo. Why are they even in the loop then? Supposedly they financially support the tor project. So a company founded by a former NSA person paid money to be able to capture all the searches that are eventually done by DDG in TBB/Tails. Okaaaay... Whenever I do launch Torbrowser, the first two things I do is disable global javascript, and change the default search provider. 4) It's not really fair to include this one, as I have nothing to back it up with, but I remember something in the past that made me a bit uneasy about Torbutton. I'll follow up if I can remember/find my concern. Interested in hearing others opinions on those points. Cheers. JJ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d21ff94ceb2ed97c456bc3e127f1318a.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.
