installing flash player

[antipop]

On Windows OS Firefox over tor with the NoScript installed and set to Options > Advanced tab > Forbid active web content... when using a proxy (recommended with Tor), when I try to download the Adobe Flash Player on this site: http://get2.adobe.com/flashplayer/

The download is not allowed because I get a message on the site saying that JavaScript is not enabled, even though I do in fact have JavaScript enabled and I have put "*.adobe.com" in the list of exceptions for "Never force secure (HTTPS) connections for the following sites." In order to make this download work, I have to make the setting manually to "Never Forbid active web content unless it comes from a secure HTTPS connection." So, is there no place I can designate Adobe.com as an exception to the rule without having to change it manually each time?

[Thrawn]

I have put "*.adobe.com" in the list of exceptions for "Never force secure (HTTPS) connections for the following sites." In order to make this download work, I have to make the setting manually to "Never Forbid active web content unless it comes from a secure HTTPS connection." So, is there no place I can designate Adobe.com as an exception to the rule without having to change it manually each time?

No, I'm afraid not. The exception that you've written only determines whether NoScript forces connections to be HTTPS. It doesn't affect whether you allow active content over insecure connections.

In other words, with your current setup, NoScript will allow connections to Adobe to be plaintext, but will block all active content when that happens.

However, are you sure that you really want to download executable content, especially the Flash player, via an insecure Tor connection? There are reasons that NoScript recommends allowing active content only from secured sites when using Tor! You never know whether a Tor node might be malicious and give you its own version of Flash, and if the connection isn't secure, then there's nothing to stop it from doing so. If you can't download software over a secure channel, then switch off Tor or use another browser.

[antipop]

I am trying to understand how your recommendation about switching off tor would be helpful in this case: "If you can't download software over a secure channel, then switch off Tor or use another browser." I have to get the adobe plugin for FF from here: http://get2.adobe.com/flashplayer/. Since that is not a secure connection, what would switching off tor accomplish? What am I missing?

[Thrawn]

I am trying to understand how your recommendation about switching off tor would be helpful in this case: "If you can't download software over a secure channel, then switch off Tor or use another browser." I have to get the adobe plugin for FF from here: http://get2.adobe.com/flashplayer/. Since that is not a secure connection, what would switching off tor accomplish? What am I missing?

The fact that Tor traffic is routed through a bunch of extra nodes, which might have malicious motivations.

If you browse without Tor, then your traffic just goes to your destination via whatever the traffic controllers consider the best route. With Tor, though, you get bounced around a bunch of extra times to cover your tracks, and some of those bounces - specifically, the points where your traffic exits the Tor network - may go to nodes that were actually set up to spy on you or tamper with your traffic.

And if they're going to try to infect your downloads, then the Flash plugin is an obvious target: it's in your web browser, so it's automatically online and usually running; it updates frequently, so there will be plenty of chances for them to tamper with a download; and the plugin is notorious for vulnerabilities anyway, so if you got hacked, you'd probably never suspect that the plugin itself was responsible. If I were going to set up a malicious Tor exit node and inject viruses into selected downloads, I'd definitely target Flash.

If you can't download it via an encrypted connection, then you're better off with a non-Tor one.