David Fifield: Thank you for the detailed information.
>> How can it be achieved that the badge is only active after it has been >> clicked? > > What this means is that the JavaScript would run, but not actually do > anything until clicked. My question wasn't precise enough. As far as I understand it now, a website owner (admin) can't choose between opt-in and opt-out, right? I assumed that iframe ="//crypto.stanford.edu/flashproxy/embed.html" width="80" height="15" frameborder="0" scrolling="no"> will be a badge that is running on the users end (opt-out). My question was how an admin can achieve to have be opt-in? (Now I understand that doesn't seem possible.) Couldn't you have "crypto.stanford.edu/flashproxy/embed_opt_in.html" and "crypto.stanford.edu/flashproxy/embed_opt_out.html" to make it possible to choose between them? My concern about opt-out was that someone else decides for anybody else. An admin decides for the visitors. Although the proxy might be idle most of the time and a visitor is not affected I would find it problematic to have it opt-out by default. For crypto.stanford.edu it did not concern me as I read. "If your browser runs JavaScript and has support for WebSockets then while you are viewing this page your browser is a potential proxy available to help censored Internet users." For some people it may be suspicious that there browser is doing something without their consent. I expect a browser to display web pages and not to relay traffic. It's also hard to figure out how many people would care to click the badge when it's opt-in. I hadn't any good idea to make people aware of the proxy and that the could help, without annoying them. It's also hard to figure out how admins will react to opt-out. Users may overlook the badge or don't care at all so the admin assumes it would be a good idea to do it that way. > >> What happens if one opens multiple browsers (FF, TBB, FF Portable, >> Opera, Chrome, Safari, IE, or any other) and visits a website containing >> such a badge (or multiple websites with such a badge)? > > Each one is an independent proxy, possibly subject to > facilitator-imposed restrictions. The proxy should disable itself when > running in TBB but does not, because I don't know how to detect that; > see ticket https://trac.torproject.org/projects/tor/ticket/6293. I saw the update to exclude Tor exits from being served. And think this is a good idea. Mostly because it catches Tor + any browser (not recommended) and TBB. TBB users should look all the same, but how they look changes from TBB release to TBB release I assume. Would be not so good to have something to fingerprint it on. Once the flashproxy is not relaying Tor over Tor, the anonymity attacks shouldn't be a problem to have opt-out from that point of view. > Nice questions, please keep them coming. Knowledge is power. I didn't know what would happen so I asked. It's easier to explain it to both sides (admins and visitors) if you know how it works. I don't seem to have questions for now, but I will come back and ask for more. Thank you for explaining so nicely. > > David Fifield > Sebastian (bastik_tor) _______________________________________________ tor-talk mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
