Tor,security and web-usability - Sorry, now readable with line-breaks...

Ringo Kamens 2600denver at gmail.com
Tue Jun 13 02:28:54 UTC 2006


For non-script email, you could use safe-mail.net. The NoScript extension
for Firefox kills Flash. The operating system obfuscation through virtual
machines is a waste of CPU power. Just spoof the information using something
like Privoxy. Besides, the OS isn't really that bad. You should be more
concerned about getting an exploit embedded in a page that violates your
security and uploads your hard drive to a remote server or a TEMPEST-like
attack.

On 6/12/06, abacus.01 at mailnull.com <abacus.01 at mailnull.com> wrote:
>
> Hello,
> first I want to say thanks for this great programme and that you tolerate
> my Mac-security related questions. I read that JavaScript and Flash are bad
> for Tor's security provisions. Though quitting JavaScript is easy, I have
> not found the appropriate way to quickly kill Flash, neither in Firefox nor
> any other browser, most Flash-sites show up on my OSX just fine even
> without any Java.
>
> Does that mean one theoretically had to deinstall Flash before surfing with
> Tor? The same question applies to Windows Media Player on the Mac, this is
> not secure to surf with, is it? Is a deinstallation also required before
> achieving an acceptable security level?
>
> The next question is related to these problems: if I want to create an
> email-account with any of the big free webbased mail-services I know, I
> HAVE to switch Java and JavaScript on, otherwise the configurations will
> fail. I understand that configuring, e.g. Yahoo with Tor enabled and the
> required Java/JavaScript turned on, renders Tor's efforts null and void. I
> could as well surf openly to Yahoo like say 10 years ago.
> Does anybody know of a web-based mail-service, that does not require
> Java/JavaScript during configuration or use? Or do I have to accept that I
> also have to use some remailer to reduce traceability to a secure amount?
>
> Finally, if I go to pages like http://gemal.dk/browserspy/, I could really
> get paranoid or despair of security. While the useragent could partly be
> faked and randomly changed with tools like Fabian Keil's great uagen.pl, an
> automatic Firefox-User-Agent-Generator, the flash detection at
> gemal.dk/browserspy/ e.g. still reveals not only the Flash version but also
> my Operating System and its version. This works WITHOUT Java/JavaScript
> enabled.
> Given the fact, that more and more parts of the web rely increasingly on
> Java/JavaScript and multimedia enhanced features, are security related
> efforts not really a rearguard action?
>
> Besides the problems of traceability that might result for Tor if one uses
> Java/JavaScript, could it be a reasonable strategy to add a layer of
> obfuscation by employing second and third operating systems via emulation
> (e.g. inside an otherwise inaccessible truecrypt partition (which is not
> yet feasible on the mac))?
>
>
> Sorry, if this all sounds convoluted, I somehow just want to appraise the
> scope of this Sisyphean task. Thanks in advance and all the best for your
> work
>
>
> Regards


More information about the tor-talk mailing list