Re: Tor and Firefox 3
On 17/03/08 21:38, sigi wrote:
| Hi,
|
| On Thu, Mar 13, 2008 at 07:16:22PM +0100, anonym wrote:
| On 13/03/08 00:07, defcon wrote:
| | Hey all, I have been using Firefox 3 from the early betas and I
| | absolutely love torbutton dev version *but* it does not work correctly
| | with Firefox 3 in linux, what is a good alternative for the torbutton
| | firefox addon?
|
| One alternative is a combination of the following addons:
|
| * FoxyProxy: [...]
| * NoScript: [...]
| * CS Lite: [...]
| * RefControl: [...]
|
| Does this mean, that I can securely remove all addons from above, if I
| use torbutton?

Only if you use the development version of Torbutton (i.e. versions 1.1.x). The current stable version (1.0.4) does not provide any functionality for securing javascript, cookies etc. so with the old version you _should_ use NoScript, CS Lite and RefControl.

| Until now, I used them all at the same time... was that a stupid
| decision, and they all could have conflicted with torbutton in any way?

If you have used the development version of Torbutton there can indeed have been conflicts and stuff went wrong, possibly without you noticing. As per the FAQ at https://torbutton.torproject.org/dev/ it is not recommended to use Torbutton in conjunction with NoScript. RefControl should be cool, but I don't know about CS Lite.

Combining FoxyProxy and Torbutton doesn't make much sense IMHO. And as per the warning in the FAQ, one has to be very careful when using FoxyProxy with Tor. Personally I only use it for protection against mass surveillance systems, google etc. for casual browsing. If I ever do something important where I want more security, I disable the FoxyProxy filters and switch to all Tor, no scripts and no cookies and so on.

| regards,
| sigi.
Re: Tor and Firefox 3
Thus spake defcon ([EMAIL PROTECTED]):

> Hey all, I have been using Firefox 3 from the early betas and I
> absolutely love torbutton dev version *but* it does not work correctly
> with Firefox 3 in linux, what is a good alternative for the torbutton
> firefox addon?

I've had some success using Torbutton-alpha with the latest Firefox 3.0b4. The bug with toggling Tor state (which was due to Firefox Bug 413682) seems fixed. For some reason, the crash detection that depends on the same component of that bug is *not* working, though..

There are likely lots of other subtle bugs with components and events not working the same though.. It's going to take a while to provide the same level of security with FF3 as FF2. Basically we'll need to re-verify all the various protections still pass, and they are sort of scattered about the web right now.

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
Re: Tor and Firefox 3
Howdy Roger,

I thought the original question was asking about an alternative to torbutton.

No plans to include torbutton in future versions of xB Browser. The reason we took it out is because it is counter-intuitive to user behaviors. Most users don't want a browser for both anonymous and public sessions. As an analogy, you may find people prefer to feed their dogs with different spoons than they themselves use, and it isn't for lack of a sanitizing dishwasher.

So the user seems to prefer an entirely different disposable session, instead of states as provided by TorButton. Because our focus is user-oriented instead of design-oriented, elimination of TorButton was obvious. This conveys many benefits, not the least of which being one less point of failure and zero learning curve for the user.

A greater benefit is that this promotes and enables concurrent browser usage so the user does not have to give up the browser they are used to. I feel this significantly increases the chance that the user will keep on employing a secure browser, rather than being faced with the choice between having to integrate and learn something new, or turning off the warning lights and going back to insecure browsing habits. Wow, poor English.

However, a significant distinction has to be made so the users do not confuse the secure browser with their normal browser, so we introduced the XeroBank Modern firefox theme, based on the defunct Netscape browser.

More good news, though. At 6.7m download requests, I think we are now getting a strong idea of the user, and the appropriate threat model, so it may be time to start writing some papers that establish the evolutionary principles of xBB.

Steve
Re: Tor and Firefox 3
I am a linux user, therefore I am not interested in xerobank products. If Xerobank decides to set up their service for linux I may be interested in the future. I do appreciate anonym's response, thank you. Any other ideas for replacing torbutton until torbutton fixes their addon for firefox 3?

Thanks
defcon

On Thu, Mar 13, 2008 at 11:39 PM, Arrakis [EMAIL PROTECTED] wrote:

> Howdy Roger,
>
> I thought the original question was asking about an alternative to
> torbutton.
>
> No plans to include torbutton in future versions of xB Browser. The
> reason we took it out is because it is counter-intuitive to user
> behaviors. Most users don't want a browser for both anonymous and public
> sessions. As an analogy, you may find people prefer to feed their dogs
> with different spoons than they themselves use, and it isn't for lack of
> a sanitizing dishwasher.
>
> So the user seems to prefer an entirely different disposable session,
> instead of states as provided by TorButton. Because our focus is
> user-oriented instead of design-oriented, elimination of TorButton was
> obvious. This conveys many benefits, not the least of which being one
> less point of failure and zero learning curve for the user.
>
> A greater benefit is that this promotes and enables concurrent browser
> usage so the user does not have to give up the browser they are used to.
> I feel this significantly increases the chance that the user will keep
> on employing a secure browser, rather than being faced with the choice
> between having to integrate and learn something new, or turning off the
> warning lights and going back to insecure browsing habits. Wow, poor
> English.
>
> However, a significant distinction has to be made so the users do not
> confuse the secure browser with their normal browser, so we introduced
> the XeroBank Modern firefox theme, based on the defunct Netscape browser.
>
> More good news, though. At 6.7m download requests, I think we are now
> getting a strong idea of the user, and the appropriate threat model, so
> it may be time to start writing some papers that establish the
> evolutionary principles of xBB.
>
> Steve
Re: Tor and Firefox 3
defcon wrote:

> I am a linux user, therefore I am not interested in xerobank products.
> If Xerobank decides to set up their service for linux I may be interested
> in the future. I do appreciate anonym's response, thank you. Any other
> ideas for replacing torbutton until torbutton fixes their addon for
> firefox 3?

I would suggest using the most recent version of Torbutton-dev and Firefox 2. It's well tested and while there may be some problems, it's probably going to be your best bet.

Regards,
Jacob
Re: Tor and Firefox 3
Not a helpful response but I wanted to second that request.
Re: Tor and Firefox 3
On 13/03/08 00:07, defcon wrote:
| Hey all, I have been using Firefox 3 from the early betas and I
| absolutely love torbutton dev version *but* it does not work correctly
| with Firefox 3 in linux, what is a good alternative for the torbutton
| firefox addon?

One alternative is a combination of the following addons:

* FoxyProxy: Allows configuring several proxies with lists of which domains should use which proxy (or no proxy). For instance, it is possible to make all domains go through Tor except those you have added to the no proxy-white list (or the Tor proxy-black list). Thus it becomes possible to visit untrusted sites (through Tor) and trusted sites (without Tor) simultaneously, which would require constant flipping of the Torbutton.
* NoScript: Blocks javascript, java, flash etc. globally. Provides a nice interface to allow these plugins for the current site (if you trust it), either permanently or temporarily (for the current session only).
* CS Lite: Like NoScript but for cookies.
* RefControl: Has a nice Forging feature which changes the http referer to the destination site's domain. Otherwise it's possible to see which site you come from when following a link.

It should be noted that while this approach might be more flexible and powerful than simply using Torbutton, it requires much more from the user in terms of knowledge and understanding of how Tor works. It's probably easier to screw up too.

Cheers!
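The routing policy described in the message above (everything through Tor except a no-proxy whitelist), as an added example that is not part of the original thread and is not FoxyProxy's own configuration format. It is written as a PAC-style `FindProxyForURL`; the whitelist entries are constructed placeholders and `127.0.0.1:9050` is assumed to be the local Tor SOCKS port.

```javascript
// Added example: default-to-Tor proxy selection with an explicit whitelist.
// Assumption: Tor is listening on its default local SOCKS port.
const TOR = "SOCKS5 127.0.0.1:9050";
const DIRECT = "DIRECT";

// Trusted domains allowed to bypass Tor (constructed sample values).
const NO_PROXY = ["intranet.example", "bank.example"];

// True only for the domain itself or a real subdomain of it.
// A plain substring or suffix test would also match "notbank.example"
// and "bank.example.attacker.test", sending those hosts out directly.
function hostMatches(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  return h === domain || h.endsWith("." + domain);
}

// PAC entry point: the browser passes the full URL and the host name.
function FindProxyForURL(url, host) {
  // Fail closed: a missing or empty host is never sent direct.
  if (typeof host !== "string" || host === "") return TOR;
  for (const domain of NO_PROXY) {
    if (hostMatches(host, domain)) return DIRECT;
  }
  // No DNS helpers (dnsResolve, isInNet) are used here, because calling
  // them would resolve the name locally before the proxy decision.
  return TOR;
}
```

A SOCKS entry only keeps name lookups inside Tor if the browser also resolves DNS through the proxy (in Firefox, the `network.proxy.socks_remote_dns` preference).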
Re: Tor and Firefox 3
We'll be releasing a version of xB Browser using the firefox 3 core after more stability testing. Otherwise, your Firefox 2 solution is xB Browser: http://xerobank.com/xB_Browser.html

Rochester TOR Admin wrote:

> Not a helpful response but I wanted to second that request.
Re: Tor and Firefox 3
is xero bank based off of tor? or what? does it have a linux version?
Re: Tor and Firefox 3
Yes, XeroBank's Browser is based on Tor [it used to be called TorPark] but it also uses their own XeroBank network which is a privatized anonymity network. Instead of locking down a browser with a plugin like TorButton does, the xB Browser is an attempt to lock down the entire browser.

There's no linux version in production. They do offer a virtual machine that can run on linux - http://xerobank.com/xB_machine.html

ROC Tor Admin

On Thu, Mar 13, 2008 at 8:23 PM, defcon [EMAIL PROTECTED] wrote:

> is xero bank based off of tor? or what? does it have a linux version?
Re: Tor and Firefox 3
The current configuration can use either the Tor or the XB network. Does that not satisfy the request?

Steve

Rochester TOR Admin wrote:

> Yes, XeroBank's Browser is based on Tor [it used to be called TorPark]
> but it also uses their own XeroBank network which is a privatized
> anonymity network. Instead of locking down a browser with a plugin like
> TorButton does, the xB Browser is an attempt to lock down the entire
> browser.
>
> There's no linux version in production. They do offer a virtual machine
> that can run on linux - http://xerobank.com/xB_machine.html
>
> ROC Tor Admin
>
> On Thu, Mar 13, 2008 at 8:23 PM, defcon [EMAIL PROTECTED] wrote:
>
> > is xero bank based off of tor? or what? does it have a linux version?
Re: Tor and Firefox 3
XeroBank's network is not based off onion routing, although we do have a private onion routing network that isn't available to the public yet. It uses 2-hop relay traffic over TLS, as 2 hops are unneeded in a single trust domain, unless you want to do some extra country hopping.

The XeroBank network is accessible for windows, mac, linux, etc via OpenVPN and SSH.

Steve

defcon wrote:

> is xero bank based off of tor? or what? does it have a linux version?
Tor and Firefox 3
Hey all, I have been using Firefox 3 from the early betas and I absolutely love torbutton dev version *but* it does not work correctly with Firefox 3 in linux, what is a good alternative for the torbutton firefox addon?

Thanks
defcon