Re: New Torbutton (1.1.4-alpha)
* Mike Perry schrieb am 2007-07-11 um 10:55 Uhr: Thus spake Jens Kubieziel ([EMAIL PROTECTED]): * Mike Perry schrieb am 2007-07-09 um 11:16 Uhr: * Cache management IMHO there should be check box for managing the cache by yourself. Like it is at privacy and cookie settings. Is there a good reason behind this wish? The cache can store unique It's about choice. Assume that I want to manage FF's cache by myself. Then I'll have no option to do it unless I stop using Torbutton. Besten Gruß -- Jens Kubieziel http://www.kubieziel.de Es sind die Begegnungen mit Menschen, die das Leben lebenswert machen. Guy de Maupassant
Re: New Torbutton (1.1.4-alpha)
Thus spake Jens Kubieziel ([EMAIL PROTECTED]): * Mike Perry schrieb am 2007-07-11 um 10:55 Uhr: Thus spake Jens Kubieziel ([EMAIL PROTECTED]): * Mike Perry schrieb am 2007-07-09 um 11:16 Uhr: * Cache management IMHO there should be check box for managing the cache by yourself. Like it is at privacy and cookie settings. Is there a good reason behind this wish? The cache can store unique It's about choice. Assume that I want to manage FF's cache by myself. Then I'll have no option to do it unless I stop using Torbutton. But why? I can actually create a lot more options if you just want choices. There are a couple things torbutton just does automatically (like making sure you never query google's safesearch for every url on the fly), and some actions (like the web history+form history+login history option) come bundled together as a single option. Torbutton is already bordering on an obscene number of nobs.. There is room for this one, I guess.. But if I do this, and split the history options out into seperate settings, we're talking about at least 10 more options (6 more history, 1 more cache.. plus at least 3-4 more others if you want *everything* to be an option). That is getting a little ridiculous, and I'm running out of space for nobs. Is all this really needed? -- Mike Perry Mad Computer Scientist fscked.org evil labs pgphyMq0wG4t5.pgp Description: PGP signature
Re: New Torbutton (1.1.4-alpha)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I missed the fact that the login history was tied to the history write setting because when I was poking around trying to make it work how I wanted, I simply unchecked the box and looked to see if the login history had turned back on without actually toggling tor again. Having it tied to the history seems logical to me, so I'm actually fine with that the way it is. A nice, multi-line tooltip would probably have eliminated my problem altogether :). Maybe some of the more obscure and specialized caveats that folks are having such wanting to control the cache manually could be addressed in about:config options without actually appearing as a nob in the options panel, that way one could change it if they *really* want to. I'm not sure how you could make a stern warning (ie: crucial) if the option could put them in serious jeopardy that way, though. Mike Perry wrote: But why? I can actually create a lot more options if you just want choices. There are a couple things torbutton just does automatically (like making sure you never query google's safesearch for every url on the fly), and some actions (like the web history+form history+login history option) come bundled together as a single option. Torbutton is already bordering on an obscene number of nobs.. There is room for this one, I guess.. But if I do this, and split the history options out into seperate settings, we're talking about at least 10 more options (6 more history, 1 more cache.. plus at least 3-4 more others if you want *everything* to be an option). That is getting a little ridiculous, and I'm running out of space for nobs. Is all this really needed? -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) iQIVAwUBRpa7AKYAM/AiUno8AQLpQA//dbRgZjIkaoUza/4znseLhEjCtfvebSCt jSYjeOmyaZ533fa0kp+ghJhvWqUd036IkIhhEoeUpzy1iG4e/83k3O4vtNzVyAae zgh4KAIIIvjxTILOuulkHG7PhwzjrFKGtauYtmh6TuSjpkabfxXuU3gIPeWSGOwJ EJG5wlT5p4XWtQFMF6PPupLE90xZlGezRiT5oZUtnoEqiqPf08Q5flpPgjj/0oyh bBuvu7wLJUA/K1fof7VZLchPSiiMHKPkGGIczJOmH9V1zaXM6MTbb1H4yy0oU5Wq QfZ4SjVYLmAaxCtAq5zJzvdBvUAW89/qsJeH9CVbT0pwQ7QXVDE0r12Pl7oOKzxp 5Zuek6koR53c3pvLnt6tsd8KjxcFmUkVRv76GBjJvaFcD9mj+K7Px4oqdAaeJeTz ZtnEhtbHxZRedBw+eZ5TcPOGMUWFgAio3KpgzXtDL2E/TB/VGEpKw3NWeMVKkhDT He1pVTkPrv28PjvjmLCImP3/B1B/P3MwI/XkcbBX3Wb8GeyceOHAY1RzwGFuZYlL Le1ulgzjyugUQVKNZPrNtp8zKfEj2Lusg9iTNuxG2ExWjSjPOC7/8Kdypg2Il/hM ZVaGMdmqZFKsGBIrWSNlUjPzK7gAX8V33YbNNaEGXd+DKl6ZjT1ReUDI141riSG7 /bLcgEDwKXo= =m3G/ -END PGP SIGNATURE-
Re: New Torbutton (1.1.4-alpha)
* Mike Perry schrieb am 2007-07-09 um 11:16 Uhr: * Cache management IMHO there should be check box for managing the cache by yourself. Like it is at privacy and cookie settings. -- Jens Kubieziel http://www.kubieziel.de FdI#150: SETI Es gibt sicher extraerrestrische Wesen. Daß keine bis jetzt mit Menschen in Kontakt getreten sind, beweist deren Intelligenz. (Michael Sohmen) signature.asc Description: Digital signature
Re: New Torbutton (1.1.4-alpha)
Thus spake Ryan Wagner ([EMAIL PROTECTED]): -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I'm very pleased with the new Torbutton version so far. The only thing that's bothering me is automatically disabling 'Remember passwords for sites' when tor is toggled on. I'd prefer a way to disable this feature. Even if logging into sites over tor can be dangerous for anonymity and the security of the account itself, it's still nice to prevent one's ISP from retaining a record of goings on. It's possible to manually re-enable remembering passwords after tor has been toggled on, so it's a minor inconvenience, really. This is tied in with the history writing setting. The idea was that if you are OK with tor writing out these things, then you are ok with it saving your history and vice-versa. However, this idea may be slightly flawed since you could be concerned about history disclosure attacks from regular websites you visit.. So maybe it should be a seperate option.. -- Mike Perry Mad Computer Scientist fscked.org evil labs pgpqVoEFsxUcP.pgp Description: PGP signature
Re: New Torbutton (1.1.4-alpha)
On Monday 09 July 2007 10:16:55 Mike Perry wrote: Feedback, suggestions, and comments are welcome. Especially if someone could point out what I'm doing wrong with the OpenSearch Google search plugin installations (which are somewhat unrelated, but I figured were worth putting up there, since a major usability complaint is Why do I get the damn German/Chinese/etc Google with Tor?). Stop me if this has been suggested before, but would it be worth introducing an unofficial URI for hidden services that would make them recognisable to the likes of torbutton? The idea being that the user could 'enable tor' simply by clicking on a hidden service link rather than the usual jig of click-servernotfound-back-scratchhead-enabletor-clickagain. Is this possible with a firefox plugin or would it be necessary to get the firefox developers on board? It is already possible with konqueror/kde thanks to kioslaves (tork implements a tor: 'URI' that does just this). -- Browse Anonymously Anywhere - http://anonymityanywhere.com TorK- KDE Anonymity Manager - http://tork.sf.net KlamAV - KDE Anti-Virus- http://www.klamav.net
Re: New Torbutton (1.1.4-alpha)
Thus spake Robert Hogan ([EMAIL PROTECTED]): On Monday 09 July 2007 10:16:55 Mike Perry wrote: Feedback, suggestions, and comments are welcome. Especially if someone could point out what I'm doing wrong with the OpenSearch Google search plugin installations (which are somewhat unrelated, but I figured were worth putting up there, since a major usability complaint is Why do I get the damn German/Chinese/etc Google with Tor?). Stop me if this has been suggested before, but would it be worth introducing an unofficial URI for hidden services that would make them recognisable to the likes of torbutton? The idea being that the user could 'enable tor' simply by clicking on a hidden service link rather than the usual jig of click-servernotfound-back-scratchhead-enabletor-clickagain. Is this possible with a firefox plugin or would it be necessary to get the firefox developers on board? Actually, this is possible a few different ways.. You can create your own protocol handlers, but it might not be necessary. Torbutton already listens to the LocationChange event.. It may be possible just to look to see if the new location has a .onion/ in it, and enable tor if so. But this probably should be pondered for a while.. Changing tor state automatically makes me a little nervous, even if it is only in the Tor Enabled direction.. And creating a new protocol prefix for onion sites seems a little sketchy also.. All sorts of compatibility issues are probably hiding in there (not just the obvious problem of adoption). -- Mike Perry Mad Computer Scientist fscked.org evil labs pgpnrJWGU6k9f.pgp Description: PGP signature
Re: New Torbutton (1.1.4-alpha)
On Wednesday 11 July 2007 10:10:36 Mike Perry wrote: . Changing tor state automatically makes me a little nervous, even if it is only in the Tor Enabled direction.. If torbutton could request a yes/no response from the user in such situations that would be nice. -- Browse Anonymously Anywhere - http://anonymityanywhere.com TorK- KDE Anonymity Manager - http://tork.sf.net KlamAV - KDE Anti-Virus- http://www.klamav.net
Re: New Torbutton (1.1.4-alpha)
Hi, Looks like great progress. One question though My question: How does the new Torbutton interferes with other extensions for the same or similar purposes: - Adblock Plus - CookieCuller - CookieSafe - CustomizeGoogle - Flashblock - JavaScript Options - Layerblock - NoScript - RefControl - SafeCache - SafeHistory - User Agent Switcher Which extension can be replaced by Torbutton, which one could be a useful extension for Torbutton? Until now, i prefer the use of the FoxyProxy extension together with the extensions above. -- Ciao Kai Homepage: http://hp.kairaven.de/ Weblog: http://blog.kairaven.de/
Re: New Torbutton (1.1.4-alpha)
Thus spake [EMAIL PROTECTED] ([EMAIL PROTECTED]): Hi, Looks like great progress. One question though My question: How does the new Torbutton interferes with other extensions for the same or similar purposes: - Adblock Plus - CookieCuller I run these two. No conflicts so far. - User Agent Switcher I briefly tested this. It seems to play nice. I would advise against setting a different user agent during Tor usage though, because of anonymity set reduction. Torbutton already masks your user agent to a popular recent windows firefox build (and does a better job of it too). - SafeCache - SafeHistory These two are superceded/assimilated by Torbutton in one form or another. - Flashblock Might be useful for Non-Tor usage, but Tor usage will have all plugins disabled. Would be interesting to know if flashblock can somehow re-enable it, but I doubt it. - NoScript No idea. I don't really like this thing. Also note that Tor nodes can inject script from the default whitelist, so it doesn't really protect you there. - RefControl Hopefully this functionality will be assimilated into Torbutton. Actually, are you aware of sites that their Forge functionality still breaks? That is what I was considering implementing for all sites with Torbutton. - JavaScript Options Looks relatively benign. - CookieSafe - CustomizeGoogle - Layerblock Dunno about these guys. Please report any issues. -- Mike Perry Mad Computer Scientist fscked.org evil labs pgpU7UcSZghu7.pgp Description: PGP signature
Re: New Torbutton (1.1.4-alpha)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I'm very pleased with the new Torbutton version so far. The only thing that's bothering me is automatically disabling 'Remember passwords for sites' when tor is toggled on. I'd prefer a way to disable this feature. Even if logging into sites over tor can be dangerous for anonymity and the security of the account itself, it's still nice to prevent one's ISP from retaining a record of goings on. It's possible to manually re-enable remembering passwords after tor has been toggled on, so it's a minor inconvenience, really. Thanks for the great tool. Mike Perry wrote: Thus spake [EMAIL PROTECTED] ([EMAIL PROTECTED]): Hi, Looks like great progress. One question though My question: How does the new Torbutton interferes with other extensions for the same or similar purposes: - Adblock Plus - CookieCuller I run these two. No conflicts so far. - User Agent Switcher I briefly tested this. It seems to play nice. I would advise against setting a different user agent during Tor usage though, because of anonymity set reduction. Torbutton already masks your user agent to a popular recent windows firefox build (and does a better job of it too). - SafeCache - SafeHistory These two are superceded/assimilated by Torbutton in one form or another. - Flashblock Might be useful for Non-Tor usage, but Tor usage will have all plugins disabled. Would be interesting to know if flashblock can somehow re-enable it, but I doubt it. - NoScript No idea. I don't really like this thing. Also note that Tor nodes can inject script from the default whitelist, so it doesn't really protect you there. - RefControl Hopefully this functionality will be assimilated into Torbutton. Actually, are you aware of sites that their Forge functionality still breaks? That is what I was considering implementing for all sites with Torbutton. - JavaScript Options Looks relatively benign. - CookieSafe - CustomizeGoogle - Layerblock Dunno about these guys. Please report any issues. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQIVAwUBRpQZjqYAM/AiUno8AQIMHg/8CSK8dh+VoeZ+vUhKqOp763ptdOM94mrA kehF8wCnGO++ujRLXtue8HoV5qz+ej0WAap00JQbIOznw49mZWQDPMeS16qc52FB /MEYUm3Lmvy/gn085V//fPcmIOO3+DnRCpmdrokRr41zpRV5lIJruTcvqobKArUM t5Dz/afCe6s96SX3N+uo/x3TR+SIVtY5b4QhvlkKlhrpAsXpmdCXlZMNzwUoGdVx TDU93cyELsnPa6V/1D+XlNmi1/1v32PDzfshyf9fmEz2a7ygauc6QNtiUWLzqjNr Y3sfKiUlmgaKUXISxPB0bu2OhMxzXQfZiPQ0UvGwsu6RaDhA5vO3JvSkP2T1XZ+y hjQ/+sPz8k/s2QUN+PW8lB+kyznPRCG6Y557ELC7x2ulPPPEMcyknu38DNFhxtyL l9nOX4JgZlnnOKwcvSesFisJ4UlhKFyVDNlvmtSKJY49jrlOucPE0eYujPMwjrIb 9555jsp6jSAptWpMgFUSoGYqj69m3qSGQ9O0sjJ36+wFk2Bfl0+A+Rql7aneQG+h N8hvDfHHB+dzpnhR0vXLQ7tcKkR1hyFJK80uYA6Ut001KCjbzczFsFm3QxMTvpLb y8pDUpXYS9Ip9O98fEYOca4AfhFgLMaAso7gM/OjHbQl0dgV/rCbG1n70r5Uf5g/ 05MzHzryFpE= =koo8 -END PGP SIGNATURE-
New Torbutton (1.1.4-alpha)
As some of you know, I've been working on a security-enhanced version of Torbutton to handle all sorts of anonymity vulnerabilities present in a standard Firefox configuration (see the big fat warning on http://tor.eff.org/download.html.en - the goal is to make all that text irrelevant). I will be presenting this plugin as a part of my talk Securing the Tor Network for Black Hat and Defcon. The goal of the extension is to make it possible to use modern websites via Tor without the risk of something reducing your anonymity set or bypassing proxy settings. The major features are: * Disabling plugins while Tor is enabled * Isolating dynamic content to the Tor state at document load * Cookie jars/cookie clearing * Cache management * History Management * User agent spoofing * Timezone spoofing The extension itself, and more information on the individual features/options are available at the horrifyingly stoic homepage: http://torbutton.torproject.org/dev/ Currently, only FireFox 2.0 is supported. Kind-hearted souls are sought to help port to Seamonkey and Thunderbird. Feedback, suggestions, and comments are welcome. Especially if someone could point out what I'm doing wrong with the OpenSearch Google search plugin installations (which are somewhat unrelated, but I figured were worth putting up there, since a major usability complaint is Why do I get the damn German/Chinese/etc Google with Tor?). -- Mike Perry Mad Computer Scientist fscked.org evil labs pgpYM5smmIWrt.pgp Description: PGP signature
Re: New Torbutton (1.1.4-alpha)
On Mon, Jul 09, 2007 at 02:16:55AM -0700, Mike Perry wrote: As some of you know, I've been working on a security-enhanced version of Torbutton to handle all sorts of anonymity vulnerabilities present in a standard Firefox configuration (see the big fat warning on http://tor.eff.org/download.html.en - the goal is to make all that text irrelevant). Hi Mike, Looks like great progress. One question though -- one of the warnings on that page that bothers me is Consider removing extensions that look up more information about the websites you type in (like Google toolbar), as they may bypass Tor and/or broadcast sensitive information. Is this one of the warnings that we're going to have to keep (along with you need to send your traffic through Tor for Tor to have any prayer of helping you and don't send plaintext passwords over the Internet), or is there something we can do about other extensions doing local resolves? The extension itself, and more information on the individual features/options are available at the horrifyingly stoic homepage: http://torbutton.torproject.org/dev/ I really like your Description of Options section of this page. I recognize they can't be tooltips yet -- are those Firefox bugs going to be fixed soon, or should we think about adding a Help window to Torbutton to explain what all these things are for people who can't get to the website? (I'm not so enthusiastic about your use of javascript on the webpage though. ;) Now the obligatory usability bug report: if I choose I will manually manage my cookies in the Cookies window, what does that mean for the choices in the Shutdown window? --Roger
