Tor (split from NoScript Didn't Block Rogue Site)

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Tor (split from NoScript Didn't Block Rogue Site)

Post by Tom T. »

Guest wrote:Yes I'm sure. Think about TOR user, with very limited bandwidth.
Slightly O/T, but you might want to research some of the recent stuff on the Net about TOR. Apparently, it's not as private or anonymous as claimed, and weaknesses are being found. I'm not a user and so didn't dig deeply, but if you google etc., you'll find lots of stuff. Might make you want to reconsider TOR and look for other ways to browse privately.

The issue of Fx starting a d/l before showing the option box is a Fx issue, not a NS issue, so you might go to the Fx forum at Mozillazine, search to see if it's been discussed, check the FAQ, etc., and if no info, post there about it. GL.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
jB

Re: NoScript Didn't Block Rogue Site

Post by jB »

Not sure what TOR has to do with this thread, but I'll comment - I guess I've never really seen the point of using this type of network unless you are doing something illegal and you don't want to be caught. Beyond that, I don't know why anyone would want this level of anonymity. I hate to think about the type of traffic that flows in and out of a TOR network.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.5 - me again! (.NET CLR 3.5.30729)
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: NoScript Didn't Block Rogue Site

Post by GµårÐïåñ »

jB wrote:Not sure what TOR has to do with this thread, but I'll comment - I guess I've never really seen the point of using this type of network unless you are doing something illegal and you don't want to be caught. Beyond that, I don't know why anyone would want this level of anonymity. I hate to think about the type of traffic that flows in and out of a TOR network.
Please stay on topic, the mention of TOR was only regarding the download issue and why anyone chooses to have that level of anonymity is not only not an appropriate discussion but also irrelevant to the current topic. There are many reasons one would wish to remain anonymous and the least of which has to do with doing something illegal. It's a personal choice and once again, not the point of debate here or relevant to the topic. Thank you.
Tom T. wrote:
Guest wrote:Yes I'm sure. Think about TOR user, with very limited bandwidth.
Slightly O/T, but you might want to research some of the recent stuff on the Net about TOR. Apparently, it's not as private or anonymous as claimed, and weaknesses are being found. I'm not a user and so didn't dig deeply, but if you google etc., you'll find lots of stuff. Might make you want to reconsider TOR and look for other ways to browse privately.
TOR relies on people using their bandwidth to contribute to the network and that can open up A LOT of vulnerabilities and although the idea has merit and properly implemented it can be good, as it stands now, it's unreliable at best. They make no secret of this and give you the full disclaimer on the download page so you know that your data stream may not be as secure if using non-SSL to get to the end point.
The issue of Fx starting a d/l before showing the option box is a Fx issue, not a NS issue, so you might go to the Fx forum at Mozillazine, search to see if it's been discussed, check the FAQ, etc., and if no info, post there about it. GL.
Agreed, not a NS issue, this is the model Fx has chosen to speed up downloads and look faster than it actually is, pre-fetch and so on. It's not really a flaw per se but it would be nice to have the option to disable that feature or select what is useful. It's not really an issue if you have a fast connection and have good security in place but as Giorgio said, if you are counting each bit and pay accordingly, then it can be a problem to download stuff that is unnecessary.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009051909 Firefox/3.0.11
jB

Re: NoScript Didn't Block Rogue Site

Post by jB »

GµårÐïåñ wrote: Please stay on topic, the mention of TOR was only regarding the download issue and why anyone chooses to have that level of anonymity is not only not an appropriate discussion but also irrelevant to the current topic. There are many reasons one would wish to remain anonymous and the least of which has to do with doing something illegal. It's a personal choice and once again, not the point of debate here or relevant to the topic. Thank you.
I initially started this thread and was not the one who brought up TOR, therefore I believe I have a right to comment on it. I also reserve the right to my opinion about TOR just as you have above. Moving along...
GµårÐïåñ wrote: TOR relies on people using their bandwidth to contribute to the network and that can open up A LOT of vulnerabilities and although the idea has merit and properly implemented it can be good, as it stands now, it's unreliable at best. They make no secret of this and give you the full disclaimer on the download page so you know that your data stream may not be as secure if using non-SSL to get to the end point.
GµårÐïåñ wrote: Please stay on topic... Thank you.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.5 - me again! (.NET CLR 3.5.30729)
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: NoScript Didn't Block Rogue Site

Post by GµårÐïåñ »

Being an OP does not entitle anyone to fork the topic and introduce topics that are not related to the original post. Since your original post has nothing to do with why people need anonymity, it's misplaced. If you want to start a discussion about TOR, you are welcome to do it on TOR's discussion boards or when relevant specific to NoScript or FlashGot, you can start a topic specific to it in the appropriate section of the board. Your comment was not regarding the function of TOR or how it relates to the topic you posted "NoScript didn't block rogue site" and to a limited extent relating to providing perspective it's fine to bring up other elements but not when it takes the topic too far off track to provide any resulting benefit for those who come to see the topic for what it claims to be. The notice to stay on topic was mostly for your own benefit to get your original issue answered and not turn this into something else. It also goes for other posters and if you feel the issue has been resolved, I'd be happy to lock this thread so we don't get any more unrelated topics.

Note: Tom already mentioned it was off topic http://forums.informaction.com/viewtopi ... 1458#p5195 and you even acknowledged it was off topic and chose to comment http://forums.informaction.com/viewtopi ... 5244#p5217, I was trying to nip it in the bud once and for all because the topic was getting forked and I stand by it. If your issue is resolved, then feel free to open another thread specific to your opinion of TOR and anonymity in the security section as Giorgio suggested.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009051909 Firefox/3.0.11
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript Didn't Block Rogue Site

Post by Giorgio Maone »

GµårÐïåñ wrote:You are welcome to do it on TOR's discussion boards or when relevant specific to NoScript or FlashGot, you can start a topic specific to it in the appropriate section of the board.
Just a little friendly reminder, we've got also a Security and a Web Tech section here :)
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: NoScript Didn't Block Rogue Site

Post by GµårÐïåñ »

Giorgio, I know and I did mention that if they can find it relating to something they can place it in the board here, Security would certainly be a good place, not metaforum since it has nothing to do with the board and if you look at the NOTE section of my post, it was a matter of not getting off topic and forking into something that makes any discussion confusing or useless to future users. The reference to TOR was immediately acknowledged by TOM as off topic and was addressed in the context of the point made as a matter of courtesy and it resulted in a completely separate path the post was taking.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009051909 Firefox/3.0.11
jB

Re: NoScript Didn't Block Rogue Site

Post by jB »

Okay, so why are we still talking about it then.

Understood. I won't fork a forked thread any further.

As for a resolution, I doubt there is one. If NoScript doesn't block all META redirects or block all IFRAME content, then I guess you can close this thread. I'll just have to be more careful while on the web.

Thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.5 - me again! (.NET CLR 3.5.30729)
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Tor (split from NoScript Didn't Block Rogue Site)

Post by Alan Baxter »

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
mik33mik
Posts: 18
Joined: Fri Mar 20, 2009 11:59 am

Re: Tor (split from NoScript Didn't Block Rogue Site)

Post by mik33mik »

This is an interesting read:
http://www.wilderssecurity.com/showthread.php?t=244078

SteveTX (Steve Topletz) said that his deanonymizer can unmask TOR and many VPN services. He will release this tool in August, with a Wordpress plugin that uses an iframe to attack the user. It seems this tool can perform about 25 side-channel attacks.

He claims that he has two ways to defeat noscript also!
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Tor (split from NoScript Didn't Block Rogue Site)

Post by Giorgio Maone »

mik33mik wrote:He claims that he has two ways to defeat noscript also!
Very bold statement :roll:

If he means that there are ways to guess your IP even if you've got NoScript enabled, he's probably right.
For instance, I could think of using leaked DNS queries or history/cache sniffing to deanonymize someone without exploiting any active content blocked by NoScript.
NoScript is about security rather than about privacy, even though NoScript does help a lot to enhance privacy and anonymizers (Steve's own XeroBank browser incorporates NoScript).

However he should be more careful in his word choices, because "two ways to defeat noscript also!" (notice the exclamation mark, which hints to something very difficult to achieve) may trick someone into believing he could work around NoScript protection features, which is very unlikely if not impossible. :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Tor (split from NoScript Didn't Block Rogue Site)

Post by Tom T. »

The whole thread that mik33mik linked sounded like snake oil. Lots of vague claims, no details, "It will all be a big surprise on Aug. 1!"
If he truly had two ways to defeat NS, and were responsible, he would report them to you (Giorgio) privately. Otherwise, he is a black-hat cracker or a snake-oil salesman, or both. A cracker would be exploiting this now. I doubt he has anything that truly defeats NS unless the user can be socially engineered into allowing something in NS, which anyone can do.

I think all he is saying is that when the TOR attack is run by iFrame, and NS blocks IFrame, he has two other ways of getting the TOR user's IP. That doesn't mean he defeated NS. It means he has other de-anonymizers besides iFrame attacks, which are easily prevented by NS.

I wouldn't sweat that part of it. (TOR, I don't trust. Change your IP occasionally or when making a privacy-sensitive transmission. Lots of ways to do that.)
It will be interesting to see this big 1 Aug announcement, and how easily NS defeats it.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Tor (split from NoScript Didn't Block Rogue Site)

Post by luntrus »

Hi Tom T.

That is also what I expect to happen. The issue is companies like who provide pseudo-anonymity and little to no privacy for their users, adding to a so-called smearing of private data all over the place. These users get a false sense of security, even using Tor, and this can be exploited via the exit nodes (and some are known to have been compromised).
But I think when users use the proxy together with Privoxy and NoScript and do not have vulnerable extensions aboard their browsers that leak specific data that can be compared to similar data they left around when not actually using a proxy, there will not be much more to claim or we will be confronted with a mega privacy hole.
As long as you browse firefox with Tor and NoScript enabled and Google rejects your queries because it assumes you are an automated bot and throws a captcha at ye, I think you have the right configuration.
I think users for various reasons may claim some form of privacy online, although the attitude of youngsters to-day is diametrically different, ignoring their own privacy almost in an exhibitionist way.
As for what Tor deanonymizer will bring, I have not brought my crystal ball, and we were not told what to expect, were we?

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090607 Shiretoko/3.5pre
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Tor (split from NoScript Didn't Block Rogue Site)

Post by Tom T. »

Hi luntrus,
luntrus wrote: ...These users get a false sense of security, even using Tor, and this can be exploited via the exit nodes (and some are known to have been compromised)....
A false sense of security is worse than no security.
luntrus wrote: ...the attitude of youngsters to-day is diametrically different, ignoring their own privacy almost in an exhibitionist way.....
Yes. We have even had teen girls posting nude pix of themselves, which technically makes them felons, trafficking in child porn -- the law makes no exception if the child is yourself! (guess they didn't anticipate that would happen). Interesting (legal) situation.
luntrus wrote: ...As for what Tor deanonymizer will bring, I have not brought my crystal ball, and we were not told what to expect, were we?
No, it's all tease, which is typical of people with overblown products and hype. (which includes MS lol!) Cheers!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
cocoapuff
Posts: 18
Joined: Mon Mar 07, 2011 10:31 am

Re: Tor (split from NoScript Didn't Block Rogue Site)

Post by cocoapuff »

Tom T. wrote:Slightly O/T, but you might want to research some of the recent stuff on the Net about TOR. Apparently, it's not as private or anonymous as claimed, and weaknesses are being found. I'm not a user and so didn't dig deeply, but if you google etc., you'll find lots of stuff. Might make you want to reconsider TOR and look for other ways to browse privately.
Your mileage may vary, as for me, I consider the Torproject entirely legitimate and they do a lot of work all the time to improve their product.

As far as I know, people using Tor for illegal activities are a very small percentage of the total. Its primary function is to preserve a user's anonymity vis-à-vis their internet services provider (ISP) and any government agencies spying on their countries' users. In that, it provides a highly valuable service to dissidents and democrats in dictatorships.

Ordinary people like me use Tor to support the project by filling up its network with innocuous traffic to make it harder for attackers to analyze, and to preserve anonymity on Internet activities that are 100% legal but might be socially embarrassing if disclosed by a third party.

It does take some time to familiarize yourself with its concepts and to understand its limitations, so at this point, it is not a simple install-and-forget plugin.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3