Hi,

"
Disable Updates During Tor (recommended)

Under Firefox 2, many extension authors did not update their extensions from SSL-enabled websites. It is possible for malicious Tor nodes to hijack these extensions and replace them with malicious ones, or add malicious code to existing extensions. Since Firefox 3 now enforces encrypted and/or authenticated updates, this setting is no longer as important as it once was (though updates do leak information about which extensions you have, it is fairly infrequent).
"
https://www.torproject.org/torbutton/torbutton-options.html.en

Note: The current Torbutton (1.3.3-alpha) doesn't display the "(recommended)" next to this option.

I think it is better to not enable this option, meaning: you should make updates - also - over Tor.
I would like to hear your opinion if you don't agree.

- I assume requests to Mozilla are encrypted + authenticated
- I assume 3rd-party extensions are updated via the Mozilla server
- update requests leak your version and used addons to Mozilla, but Mozilla shouldn't be able to connect that information with other information about you. It would be a problem if these versioncheck requests set a cookie that is transmitted while browsing Mozilla sites.
- enabling this option (disabling updates) will result in outdated software which may contain security issues
- updates may contain security issues too, but that is a question of whether you trust that addon or not
- Firefox 2 is not supported any more (for quite some time now)
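The following is an added example, not part of the original message: a small audit of an extension's `install.rdf` that reports which update channel it declares, based on the Firefox 3 rule quoted above (a custom update URL must be HTTPS, or the manifest must carry an update key so the update data is signature-checked). The property names `em:updateURL` and `em:updateKey` are Firefox's; the function names, verdict labels and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EM = "{http://www.mozilla.org/2004/em-rdf#}"
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"

def em_value(desc, name):
    """Read an em: property given as a child element or as an attribute."""
    child = desc.find(EM + name)
    if child is not None and child.text:
        return child.text.strip()
    return (desc.get(EM + name) or "").strip()

def classify_update_channel(install_rdf):
    """Return (add-on id, verdict) for one install.rdf document."""
    root = ET.fromstring(install_rdf)
    for desc in root.iter(RDF + "Description"):
        about = desc.get(RDF + "about") or desc.get("about")
        if about == "urn:mozilla:install-manifest":
            break
    else:
        raise ValueError("no install manifest found")
    addon_id = em_value(desc, "id")
    url, key = em_value(desc, "updateURL"), em_value(desc, "updateKey")
    if not url:
        return addon_id, "default-service"  # no custom URL: application's default update service
    if urlparse(url).scheme.lower() == "https":
        return addon_id, "https"            # encrypted and authenticated transport
    if key:
        return addon_id, "signed-manifest"  # plain HTTP, but update data is signature-checked
    return addon_id, "insecure"             # the Firefox 2-era case the quoted text warns about

def manifest(body):
    """Wrap constructed em: properties in a minimal install.rdf (sample data)."""
    return ('<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
            'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
            '<Description about="urn:mozilla:install-manifest">'
            + body + '</Description></RDF>')

# Constructed sample manifests; ids, URLs and the key are placeholders.
SAMPLES = {
    "none": manifest('<em:id>a@example.invalid</em:id>'),
    "https": manifest('<em:id>b@example.invalid</em:id>'
                      '<em:updateURL>https://example.invalid/update.rdf</em:updateURL>'),
    "key": manifest('<em:id>c@example.invalid</em:id><em:updateKey>PLACEHOLDER</em:updateKey>'
                    '<em:updateURL>http://example.invalid/update.rdf</em:updateURL>'),
    "http": manifest('<em:id>d@example.invalid</em:id>'
                     '<em:updateURL>http://example.invalid/update.rdf</em:updateURL>'),
}

if __name__ == "__main__":
    for text in SAMPLES.values():
        print(*classify_update_channel(text))
```
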
