On Fri, Mar 09, 2007 at 03:14:31AM -0500, Roger Dingledine wrote:
> On Thu, Mar 08, 2007 at 07:17:09PM -0600, Mike Perry wrote:
> > > The current simplest advice I can give people is to remove all plugins:
> > > http://tor.eff.org/download.html.en#Warning
> > > Do you have any suggestions on safe ways to back off from that?
> >
> > I have a couple more points - the second browser phrase should link to
> > http://portableapps.com/apps/internet/firefox_portable because
> > otherwise it's not really easy to have a second firefox installed.
>
> I hear from people on OS X who use Firefox for safe stuff and Safari
> or something else for non-safe stuff. They seem happy enough.
>
I was going to note this, but Roger beat me to it. This is exactly what I do. I can configure Safari to be relatively safe, but mostly use it when I really don't care or when I must/want to use some plugin, etc. I use Firefox with everything shut off together with Tor, when those things don't apply.

But this is an easy option for people to understand. For this reason it might be best from a usability perspective (I'm thinking noobs here.) If most of our users are on Windows, they can be instructed to use a clamped down Firefox (with and without Tor) when they care about security and IE when they don't. We could still recommend that they try to do various things to be more safe when using IE.

I _know_ people think that IE is just a big security hole, etc. I don't want to get into that debate. I am just assuming that users will be willing to do minimal things. Telling them to install Firefox and install Opera (I know it's proprietary) or whatever (fine, tell them to use the Windows port of lynx, that'll have a lot of traction) is probably a non-starter. This could be a relatively simple instruction that they are relatively likely to get right wrt configuration and that will make them much more secure than they are now and more secure than they will be if they attempt some more subtle alternative and get it wrong.

aloha,
Paul