[tor-commits] r26134: {website} removed torbutton pages, moved 2 questions to general FAQ (# (in website/trunk: docs/en torbutton/en)

Moritz Bartl moritz at torservers.net
Tue Mar 26 04:38:32 UTC 2013


Author: moritz
Date: 2013-03-26 04:38:32 +0000 (Tue, 26 Mar 2013)
New Revision: 26134

Modified:
   website/trunk/docs/en/faq.wml
   website/trunk/torbutton/en/index.wml
   website/trunk/torbutton/en/sidenav.wmi
   website/trunk/torbutton/en/torbutton-faq.wml
   website/trunk/torbutton/en/torbutton-options.wml
Log:
removed torbutton pages, moved 2 questions to general FAQ (#6567)

Modified: website/trunk/docs/en/faq.wml
===================================================================
--- website/trunk/docs/en/faq.wml	2013-03-25 22:48:25 UTC (rev 26133)
+++ website/trunk/docs/en/faq.wml	2013-03-26 04:38:32 UTC (rev 26134)
@@ -62,7 +62,7 @@
     <li><a href="#TBBPolipo">I need an HTTP proxy. Where did Polipo
     go?</a></li>
     <li><a href="#TBBOtherExtensions">Can I install other Firefox
-    extensions?</a></li>
+    extensions? Which extensions should I avoid using?</a></li>
     <li><a href="#TBBJavaScriptEnabled">Why is NoScript configured to
 allow JavaScript by default in the Tor Browser Bundle?  Isn't that
 unsafe?</a></li>
@@ -942,11 +942,44 @@
 and other Flash-based sites?</a></h3>
 
 <p>
-<a
-href="https://www.torproject.org/torbutton/torbutton-faq.html.
-en#noflash">Answer</a>
+YouTube and similar sites require third party browser plugins such as Flash.
+Plugins operate independently from Firefox and can perform
+activity on your computer that ruins your anonymity. This includes
+but is not limited to: <a href="http://decloak.net">completely disregarding
+proxy settings</a>, querying your <a
+href="http://forums.sun.com/thread.jspa?threadID=5162138&messageID=9618376">local
+IP address</a>, and <a
+href="http://epic.org/privacy/cookies/flash.html">storing their own
+cookies</a>. It is possible to use a LiveCD solution such as
+or <a href="https://tails.boum.org/">The Amnesic Incognito Live System</a> that creates a
+secure, transparent proxy to protect you from proxy bypass, however issues
+with local IP address discovery and Flash cookies still remain.  </p>
+
+<p>
+<a href="https://www.youtube.com/html5">YouTube offers experimental HTML5 video 
+support</a> for many of their videos. You can use their Advanced Search to 
+find HTML5 videos.
 </p>
 
+<p>
+If you are not concerned about being tracked by these sites (and sites that
+try to unmask you by pretending to be them), and are unconcerned about your
+local censors potentially noticing you visit them, you can enable plugins by
+going into the Torbutton Preferences -> Security Settings
+tab and unchecking "Disable browser plugins (such as Flash)" box. If you do this
+without The Amnesic Incognito Live System or appropriate firewall
+rules, we strongly suggest you at least use <a
+href="https://addons.mozilla.org/en-US/firefox/addon/722">NoScript</a> to <a
+href="http://noscript.net/features#contentblocking">block plugins</a>. You do
+not need to use the NoScript per-domain permissions if you check the <b>Apply
+these restrictions to trusted sites too</b> option under the NoScript Plugins
+preference tab. In fact, with this setting you can even have NoScript allow
+Javascript globally, but still block all plugins until you click on their
+placeholders in a page. We also recommend <a
+href="https://addons.mozilla.org/en-US/firefox/addon/6623">Better Privacy</a>
+in this case to help you clear your Flash cookies.
+</p>
+
 <hr>
 
 <a id="TBBSocksPort"></a>
@@ -1010,6 +1043,23 @@
 its name).
 </p>
 
+<p>
+Generally, extensions that require registration, and/or provide 
+additional information about websites you are visiting, should be 
+suspect.
+</p>
+
+<p>
+Extensions you might like include
+ <a href="https://addons.mozilla.org/firefox/addon/953">RefControl</a> (referer spoofing),
+ <a href="https://addons.mozilla.org/firefox/addon/1474">SafeCache</a>,
+ <a href="https://addons.mozilla.org/en-US/firefox/addon/6623">Better Privacy</a>,
+ <a href="https://addons.mozilla.org/firefox/addon/1865">AdBlock Plus</a> (EasyPrivacy+EasyList),
+ <a href="https://addons.mozilla.org/firefox/addon/82">Cookie Culler</a>,
+ <a href="https://addons.mozilla.org/en-US/firefox/addon/9727/">Request Policy</a> and
+ <a href="https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/">Certificate Patrol</a>.
+</p> 
+
 <hr>
 
 <a id="TBBJavaScriptEnabled"></a>

Modified: website/trunk/torbutton/en/index.wml
===================================================================
--- website/trunk/torbutton/en/index.wml	2013-03-25 22:48:25 UTC (rev 26133)
+++ website/trunk/torbutton/en/index.wml	2013-03-26 04:38:32 UTC (rev 26134)
@@ -99,37 +99,10 @@
     have enough developer resources to keep up with the accelerated
     Firefox release schedule, the toggle model of Torbutton is <a
     href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton">no
-    longer recommended</a>. <b>Users should be using Tor Browser Bundle,
+    longer supported</a>. <b>Users should be using Tor Browser Bundle,
     not installing Torbutton themselves.</b>
     </p>
 
-    <br/><br/>
-    <strong>Current stable version:</strong><version-torbutton><br/>
-    <strong>Current alpha version:</strong><version-torbutton-alpha><br/>
-    <br/>
-    <strong>Maintainer:</strong> Mike Perry<br/>
-    <br/>
-    <strong>Expert Install (Stable):</strong> Click to <a
-    href="https://www.torproject.org/dist/torbutton/torbutton-current.xpi"
-    hash="<version-hash-torbutton>" onclick="return
-    install(event);">install from this website</a>. Verify the <a href="https://www.torproject.org/dist/torbutton/torbutton-current.xpi.asc">signature</a>.<br/>
-<!--
-    <strong>Expert Install (Alpha):</strong> Click to 
-    <a href="https://www.torproject.org/dist/torbutton/torbutton-current-alpha.xpi"
-      hash="<version-hash-torbutton-alpha>"
-      onclick="return install(event);">install from this website</a>
-    <br/>
-  -->
-<!--
-   <strong>English Google Search:</strong> 
-    Google search plugins for
-    <a href="/jsreq.html" title="Ref: 14938 (googleCA)"
-     onClick="addOpenSearch('GoogleCanada','ico','General','14937','g');return false">Google CA</a>, and 
-    <a href="/jsreq.html" title="Ref: 14938 (googleCA)"
-     onClick="addOpenSearch('googleuk_web','png','General','14445','g');return false">Google UK</a>.
-    <br/>
-  -->
-    <strong>Past Releases:</strong> <a href="https://archive.torproject.org/tor-package-archive/torbutton/">Tor Archive</a><br/>
     <strong>Developer Documentation:</strong> <a href="en/design/index.html.en">Torbutton Design Document</a> and <a href="en/design/MozillaBrownBag.pdf">Slides (Not actively updated)</a><br/>
 
     <strong>Source:</strong> You can <a
@@ -137,8 +110,8 @@
     repository</a> or simply unzip the xpi.
     <br/>
     <strong>Bug Reports:</strong> <a href="https://trac.torproject.org/projects/tor/report/14">Torproject Bug Tracker</a><br/>
-    <strong>Documents:</strong> <b>[</b> <a href="<page torbutton/torbutton-faq>">FAQ</a> <b>|</b>
-    <a href="<page torbutton/torbutton-options>">Torbutton options</a> <b>|</b>
+    <strong>Documents:</strong> 
+    <b>[</b> 
     <a href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/CHANGELOG">changelog</a> <b>|</b>
     <a href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/LICENSE">license</a> <b>|</b>
     <a href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/CREDITS">credits</a> <b>]</b>

Modified: website/trunk/torbutton/en/sidenav.wmi
===================================================================
--- website/trunk/torbutton/en/sidenav.wmi	2013-03-25 22:48:25 UTC (rev 26133)
+++ website/trunk/torbutton/en/sidenav.wmi	2013-03-26 04:38:32 UTC (rev 26134)
@@ -1,36 +1,110 @@
-#!/usr/bin/wml
-
 ## translation metadata
 # Revision: $Revision$
 # Translation-Priority: 2-medium
 
-# this structure defines the side nav bar for the /torbutton pages
+# this structure defines the side nav bar for the /docs pages
 # and is the input for include/side.wmi
 
 # fields:
 #
-# name - the $WML_SRC_BASENAME of the file. It should uniquely identify the
-# page because at build-time it is used to determine what view of the
-# navigation menu to generate
-#
 # url - the path to the wml page, as used the the <page> tag. This tag ensures
 # that links will point to the current language if supported, and alternately
 # the english version 
 #
 # txt - the link text to be displayed. Different translations will
 # need to supply alternate txt 
- 
+
 <:
   my $sidenav;
   $sidenav = [
-          {'url'  => 'torbutton/index',
-           'txt'  => 'Torbutton',
-           'subelements' => [
-              {'url' => 'torbutton/torbutton-options',
-               'txt' => 'Torbutton Options',
-              },
-              {'url' => 'torbutton/torbutton-faq',
-               'txt' => 'Torbutton FAQ',
-              }]
-          }]
+      {'url'  => 'docs/documentation',
+       'txt'  => 'Documentation Overview',
+      }, 
+      {
+       'url'  => 'docs/installguide',
+       'txt'  => 'Installation Guides',
+       'subelements' => [
+          {'url'  => 'docs/tor-doc-windows',
+           'txt'  => 'Installing on Windows',
+          },
+          {'url'  => 'docs/tor-doc-unix',
+           'txt'  => 'Installing on Linux/BSD/Unix',
+          },
+          {'url'  => 'docs/debian',
+           'txt'  => 'Installing Tor on Debian/Ubuntu',
+          },
+          {'url'  => 'docs/debian-vidalia',
+           'txt'  => 'Installing Vidalia on Debian/Ubuntu',
+          },
+          {'url'  => 'docs/tor-doc-osx',
+           'txt'  => 'Installing Tor on Mac OS X',
+          },
+          {'url'  => 'docs/android',
+           'txt'  => 'Installing Tor on Android',
+          },
+          {'url'  => 'docs/N900',
+           'txt'  => 'Installing Tor on Maemo/N900',
+          },
+          {'url'  => 'docs/verifying-signatures',
+           'txt'  => 'Verify our GPG signatures',
+          }],
+      },
+      {'url'  => 'docs/manual',
+       'txt'  => 'Manuals',
+       'subelements' => [
+          {   
+           'url'  => 'docs/short-user-manual',
+           'txt'  => 'Short User Manual',
+          }, 
+          {'url'  => 'docs/tor-relay-debian',
+           'txt'  => 'Configuring a Relay manually',
+          },
+          {'url'  => 'docs/tor-doc-relay',
+           'txt'  => 'Configuring a Relay graphically',
+          },
+          {'url'  => 'docs/tor-hidden-service',
+           'txt'  => 'Configuring a Hidden Service',
+          }, 
+          {'url'  => 'docs/bridges',
+           'txt'  => 'Configuring a Bridge Relay',
+          }, 
+          {'url'  => 'docs/running-a-mirror',
+           'txt'  => 'Configuring a Mirror',
+          },
+          {'url'  => 'docs/tor-manual',
+           'txt'  => 'Tor -stable Manual',
+          },
+          {'url'  => 'docs/tor-manual-dev',
+           'txt'  => 'Tor -alpha Manual',
+          },
+          {'url'  => 'docs/proxychain',
+           'txt'  => 'Configuring Tor to use a Proxy Server',
+          },
+          {'url' => '<doxygen>',
+           'txt' => 'Doxygen output from Tor codebase',
+           }]
+      },
+      {
+       'url'  => '<wiki>',
+       'txt'  => 'Tor Wiki',
+      },
+      {'url'  => 'docs/faq',
+       'txt'  => 'General FAQ',  
+      },
+      {'url'  => 'torbutton/torbutton-faq',
+       'txt'  => 'Torbutton FAQ',
+      },
+      {'url'  => 'docs/faq-abuse',
+       'txt'  => 'Abuse FAQ',
+      },
+      {'url'  => 'docs/trademark-faq',
+       'txt'  => 'Trademark FAQ',
+      },
+      {'url'  => 'eff/tor-legal-faq',
+       'txt'  => 'Tor Legal FAQ',
+      },
+      {'url'  => 'eff/tor-dmca-response',
+       'txt'  => 'Tor DMCA Response',
+      },  
+  ];
 :>

Modified: website/trunk/torbutton/en/torbutton-faq.wml
===================================================================
--- website/trunk/torbutton/en/torbutton-faq.wml	2013-03-25 22:48:25 UTC (rev 26133)
+++ website/trunk/torbutton/en/torbutton-faq.wml	2013-03-26 04:38:32 UTC (rev 26134)
@@ -11,273 +11,28 @@
   </div>
 	<div id="maincol">  
     <!-- PUT CONTENT AFTER THIS TAG -->
-    
-    <h2>Torbutton FAQ</h2>
+  
+    <h2>Torbutton</h2>
     <hr>
-    
-    <h3>Questions</h3>
-    <br>
-    <ul>
-    <li><a href="<page torbutton/torbutton-faq>#noflash">I can't view videos on YouTube and other flash-based sites. Why?</a></li>
-    <li><a href="<page torbutton/torbutton-faq>#oldtorbutton">Torbutton sure seems to do a lot of things, some of which I find annoying. Can't I just use the old version?</a></li>
-    <li><a href="<page torbutton/torbutton-faq>#noautocomplete">When I use Tor, Firefox is no longer filling in logins/search boxes for me. Why?</a></li>
-    <li><a href="<page torbutton/torbutton-faq>#thunderbird">What about Thunderbird support? I see a page, but it is the wrong version?</a></li>
-    <li><a href="<page torbutton/torbutton-faq>#extensionconflicts">Which Firefox extensions should I avoid using?</a></li>
-    <li><a href="<page torbutton/torbutton-faq>#recommendedextensions">Which Firefox extensions do you recommend?</a></li>
-    <li><a href="<page torbutton/torbutton-faq>#securityissues">Are there any other issues I should be concerned about?</a></li>
-    </ul>
-    <br>
-    
-    <a id="noflash"></a>
-    <strong><a class="anchor" href="#noflash">I can't view videos on YouTube and
-    other Flash-based sites. Why?</a></strong>
-    
+
     <p>
-    YouTube and similar sites require third party browser plugins such as Flash.
-    Plugins operate independently from Firefox and can perform
-    activity on your computer that ruins your anonymity. This includes
-    but is not limited to: <a href="http://decloak.net">completely disregarding
-    proxy settings</a>, querying your <a
-    href="http://forums.sun.com/thread.jspa?threadID=5162138&messageID=9618376">local
-    IP address</a>, and <a
-    href="http://epic.org/privacy/cookies/flash.html">storing their own
-    cookies</a>. It is possible to use a LiveCD solution such as
-    or <a href="https://tails.boum.org/">The Amnesic Incognito Live System</a> that creates a
-    secure, transparent proxy to protect you from proxy bypass, however issues
-    with local IP address discovery and Flash cookies still remain.  </p>
-    
-    <p>
-    If you are not concerned about being tracked by these sites (and sites that
-    try to unmask you by pretending to be them), and are unconcerned about your
-    local censors potentially noticing you visit them, you can enable plugins by
-    going into the Torbutton Preferences->Security Settings
-    tab and unchecking "Disable browser plugins (such as Flash)" box. If you do this
-    without The Amnesic Incognito Live System or appropriate firewall
-    rules, we strongly suggest you at least use <a
-    href="https://addons.mozilla.org/en-US/firefox/addon/722">NoScript</a> to <a
-    href="http://noscript.net/features#contentblocking">block plugins</a>. You do
-    not need to use the NoScript per-domain permissions if you check the <b>Apply
-    these restrictions to trusted sites too</b> option under the NoScript Plugins
-    preference tab. In fact, with this setting you can even have NoScript allow
-    Javascript globally, but still block all plugins until you click on their
-    placeholders in a page. We also recommend <a
-    href="https://addons.mozilla.org/en-US/firefox/addon/6623">Better Privacy</a>
-    in this case to help you clear your Flash cookies.
+    Torbutton is the component in <a href="<page projects/torbrowser>">Tor
+    Browser Bundle</a> that takes care of application-level
+    security and privacy concerns in Firefox.  To keep you safe,
+    Torbutton disables many types of active content.
     </p>
-    
-    <a id="oldtorbutton"></a>
-    <strong><a class="anchor" href="#oldtorbutton">Torbutton sure seems to do a lot of things, some of which I find
-    annoying. Can't I just use the old version?</a></strong>
-    
+
     <p>
-    
-    <b>No.</b> Use of the old version, or any other vanilla proxy changer
-    (including FoxyProxy -- see below) without Torbutton is actively discouraged.
-    Seriously. Using a vanilla proxy switcher by itself is so insecure that you are
-    not only just wasting your time, you are also actually endangering yourself.
-    <b>Simply do not use Tor</b> and you will have the same (and in some cases,
-    better) security.  For more information on the types of attacks you are exposed
-    to with a "homegrown" solution, please see <a
-    href="design/index.html.en#adversary">The Torbutton
-    Adversary Model</a>, in particular the <a
-    href="design/index.html.en#attacks">Adversary
-    Capabilities - Attacks</a> subsection. If there are any specific Torbutton
-    behaviors that you do not like, please file a bug on <a
-    href="https://trac.torproject.org/projects/tor/report/14">the
-    bug tracker.</a> Most of Torbutton's security features can also be disabled via
-    its preferences, if you think you have your own protection for those specific
-    cases.
-    
+    Now that the <a href="<page projects/torbrowser>">Tor Browser
+    Bundle</a> includes a patched version of Firefox, and because we don't
+    have enough developer resources to keep up with the accelerated
+    Firefox release schedule, the toggle model of Torbutton is <a
+    href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton">no
+    longer supported</a>. <b>Users should be using Tor Browser Bundle,
+    not installing Torbutton themselves.</b>
     </p>
-    
-    <a id="noautocomplete"></a>
-    <strong><a class="anchor" href="#noautocomplete">When I use Tor, Firefox is no longer filling in logins/search boxes
-    for me. Why?</a></strong>
-    
-    <p>
-    Currently, this is tied to the "<b>Block history writes during Tor</b>"
-    setting. If you have enabled that setting, all formfill functionality (both
-    saving and reading) is disabled. If this bothers you, you can uncheck that
-    option, but both history and forms will be saved. To prevent history
-    disclosure attacks via Non-Tor usage, it is recommended you disable Non-Tor
-    history reads if you allow history writing during Tor.
-    </p>
-    
-    <a id="thunderbird"></a>
-    <strong><a class="anchor" href="#thunderbird">What about Thunderbird support? I see a page, but it is the wrong
-    version?</a></strong>
-    
-    <p>
-    The Tor plugin for Thunderbird is called <a href="https://trac.torproject.org/projects/tor/wiki/torbirdy">
-    TorBirdy</a>.
-    </p>
-    
-    <a id="extensionconflicts"></a>
-    <strong><a class="anchor" href="#extensionconflicts">Which Firefox extensions should I avoid using?</a></strong>
-    
-    <p>
-    This is a tough one. There are thousands of Firefox extensions: making a
-    complete list of ones that are bad for anonymity is near impossible. However,
-    here are a few examples that should get you started as to what sorts of
-    behavior are dangerous.
-    </p>
-    
-    <ol>
-     <li>StumbleUpon, et al
-     <p>
-     These extensions will send all sorts of information about the websites you
-     visit to the stumbleupon servers, and correlate this information with a
-     unique identifier. This is obviously terrible for your anonymity.
-     More generally, any sort of extension that requires registration, or even
-     extensions that provide information about websites you visit should be
-     suspect.
-     </p></li>
-     <li>FoxyProxy
-    <p>
-    While FoxyProxy is a nice idea in theory, in practice it is impossible to
-    configure securely for Tor usage without Torbutton. Like all vanilla third
-    party proxy plugins, the main risks are <a
-    href="http://www.decloak.net/">plugin leakage</a>
-    and <a href="http://ha.ckers.org/weird/CSS-history.cgi">history
-    disclosure</a>, followed closely by cookie theft by exit nodes and tracking by
-    adservers (see the <a href="design/index.html.en#adversary">Torbutton Adversary
-    Model</a> for more information). However, with Torbutton installed in tandem
-    and always enabled, it is possible to configure FoxyProxy securely (though it
-    is tricky). Since FoxyProxy's 'Patterns' mode only applies to specific urls,
-    and not to an entire tab, setting FoxyProxy to only send specific sites
-    through Tor will still allow adservers (whose hosts don't match your filters) to learn your real IP. Worse, when
-    sites use offsite logging services such as Google Analytics, you will
-    still end up in their logs with your real IP. Malicious exit nodes can also
-    cooperate with sites to inject images into pages that bypass your filters.
-    Setting FoxyProxy to only send certain URLs via Non-Tor is much more secure in
-    this regard, but be very careful with the filters you allow. For example,
-    something as simple as allowing *google* to go via Non-Tor will still cause you to end up
-    in all the logs of all websites that use Google Analytics!  See
-    <a href="http://foxyproxy.mozdev.org/faq.html#privacy-01">this question</a> on
-    the FoxyProxy FAQ for more information.
-     </p></li>
-    </ol>
-    
-    <a id="recommendedextensions"></a>
-    <strong><a class="anchor" href="#recommendedextensions">Which Firefox extensions do you recommend?</a></strong>
-    <ol>
-     <li><a href="https://addons.mozilla.org/firefox/addon/953">RefControl</a>
-    	<p>
-    Mentioned above, this extension allows more fine-grained referrer spoofing
-    than Torbutton currently provides. It should break less sites than Torbutton's
-    referrer spoofing option.</p></li>
-    
-     <li><a href="https://addons.mozilla.org/firefox/addon/1474">SafeCache</a>
-    <p>
-    If you use Tor excessively, and rarely disable it, you probably want to
-    install this extension to minimize the ability of sites to store long term
-    identifiers in your cache. This extension applies same origin policy to the
-    cache, so that elements are retrieved from the cache only if they are fetched
-    from a document in the same origin domain as the cached element.
-    </p></li>
-    
-     <li><a href="https://addons.mozilla.org/en-US/firefox/addon/6623">Better
-    Privacy</a>
-     <p>
-    
-    Better Privacy is an excellent extension that protects you from cookies used
-    by Flash applications, which often persist forever and are not clearable via
-    normal Firefox "Private Data" clearing. Flash and all other plugins are
-    disabled by Torbutton by default, but if you are interested in privacy, you
-    may want this extension to allow you to inspect and automatically clear your
-    Flash cookies for your Non-Tor usage.
-    
-     </p>
-     </li>
-     <li><a href="https://addons.mozilla.org/firefox/addon/1865">AdBlock Plus</a>
-     <p>
-    
-    AdBlock Plus is an excellent addon for removing annoying, privacy-invading,
-    and <a
-    href="http://www.wired.com/techbiz/media/news/2007/11/doubleclick">malware-distributing</a>
-    advertisements from the web. It provides
-    <a href="http://adblockplus.org/en/subscriptions">subscriptions</a> that are
-    continually updated to catch the latest efforts of ad networks to circumvent
-    these filters. I recommend the EasyPrivacy+EasyList combination filter
-    subscription in the Miscellaneous section of the subscriptions page.
-    
-     </p>
-    </li> 
-    <li><a href="https://addons.mozilla.org/firefox/addon/82">Cookie Culler</a>
-     <p>
-    
-    Cookie Culler is a handy extension to give quick access to the cookie manager
-    in Firefox. It also provides the ability to protect certain cookies from
-    deletion, but unfortunately, this behavior does not integrate well with Torbutton.
-    
-     </p>
-     </li>
-    
-     <li><a href="https://addons.mozilla.org/en-US/firefox/addon/722">NoScript</a>
-     <p>
-     Torbutton currently mitigates all known anonymity issues with Javascript.
-     However, if you are concerned about Javascript exploits against your browser
-     or against websites you are logged in to, you may want to use NoScript. It
-     provides the ability to allow Javascript only for particular websites
-     and also provides mechanisms to force HTTPS urls for sites with
-    <a href="http://fscked.org/category/tags/insecurecookies">insecure
-     cookies</a>.<br>
-    
-     It can be difficult to configure such that the most sites will work
-     properly though. In particular, you want to make sure you do not remove
-     the Javascript whitelist for
-     addons.mozilla.org, as extensions are downloaded via http and verified by
-     javascript from the https page.
-    
-     </p></li>
-     <li><a href="https://addons.mozilla.org/en-US/firefox/addon/9727/">Request
-    Policy</a>
-     <p>
-    
-    Request Policy is similar to NoScript in that it requires that you configure
-    which sites are allowed to load content from other domains. It can be very
-    difficult for novice users to configure properly, but it does provide a good
-    deal of protection against ads, injected content, and cross-site request
-    forgery attacks.
-    
-     </p>
-     </li>
-    
-    </ol>
-    
-    <a id="securityissues"></a>
-    <strong><a class="anchor" href="#securityissues">Are there any other issues I should be concerned about?</a></strong>
-    
-    <p>
-    There are a few known security issues with Torbutton (all of which are due to
-    <a href="design/index.html.en#FirefoxBugs">unfixed
-    Firefox security bugs</a>). The most important for anonymity is that it is
-    possible to unmask the javascript hooks that wrap the Date object to conceal
-    your timezone in Firefox 2, and the timezone masking code does not work at all
-    on Firefox 3. We are working with the Firefox team to fix one of <a
-    href="https://bugzilla.mozilla.org/show_bug.cgi?id=392274">Bug 399274</a> or
-    <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=419598">Bug 419598</a>
-    to address this. In the meantime, it is possible to set the <b>TZ</b>
-    environment variable to <b>UTC</b> to cause the browser to use UTC as your
-    timezone. Under Linux, you can add an <b>export TZ=UTC</b> to the
-    /usr/bin/firefox script, or edit your system bashrc to do the same. Under
-    Windows, you can set either a <a
-    href="http://support.microsoft.com/kb/310519">User or System Environment
-    Variable</a> for TZ via My Computer's properties. In MacOS, the situation is
-    <a
-    href="http://developer.apple.com/documentation/MacOSX/Conceptual/BPRuntimeConfig/Articles/EnvironmentVars.html#//apple_ref/doc/uid/20002093-BCIJIJBH">a
-    lot more complicated</a>, unfortunately.
-    </p>
-    
-    <p>
-    In addition, RSS readers such as Firefox Livemarks can perform
-    periodic fetches. Due to <a
-    href="https://bugzilla.mozilla.org/show_bug.cgi?id=436250">Firefox Bug
-    436250</a>, there is no way to disable Livemark fetches during Tor. This can
-    be a problem if you have a lot of custom Livemark urls that can give away
-    information about your identity.
-    </p>
-  </div>
+  
+    </div>
   <!-- END MAINCOL -->
   <div id = "sidecol">
 #include "side.wmi"

Modified: website/trunk/torbutton/en/torbutton-options.wml
===================================================================
--- website/trunk/torbutton/en/torbutton-options.wml	2013-03-25 22:48:25 UTC (rev 26133)
+++ website/trunk/torbutton/en/torbutton-options.wml	2013-03-26 04:38:32 UTC (rev 26134)
@@ -11,257 +11,27 @@
   </div>
 	<div id="maincol">  
     <!-- PUT CONTENT AFTER THIS TAG -->
-    
-    <h2>Torbutton Options</h2>
+
+    <h2>Torbutton</h2>
     <hr>
-    
-    <p>Torbutton 1.2.0 adds several new security features to protect your
-    anonymity from all the major threats we know about. The defaults should be
-    fine (and safest!) for most people, but in case you are the tweaker type,
-    or if you prefer to try to outsource some options to more flexible extensions,
-    here is the complete list. (In an ideal world, these descriptions should all be
-    tooltips in the extension itself, but Firefox bugs <a
-    href="https://bugzilla.mozilla.org/show_bug.cgi?id=45375">45375</a> and <a
-    href="https://bugzilla.mozilla.org/show_bug.cgi?id=218223">218223</a> currently
-    prevent this.)</p>
-    
-    <ul>
-     <li>Disable plugins on Tor Usage (crucial)<p> 
-    
-      This option is key to Tor security. Plugins perform their own networking
-    independent of the browser, and many plugins only partially obey even their own
-    proxy settings.
-    </p></li>
-      <li>Isolate Dynamic Content to Tor State (crucial)<p> 
-    
-      Another crucial option, this setting causes the plugin to disable Javascript
-      on tabs that are loaded during a Tor state different than the current one,
-      to prevent delayed fetches of injected URLs that contain unique identifiers,
-      and to prevent meta-refresh tags from revealing your IP when you turn off
-      Tor. It also prevents all fetches from tabs loaded with an opposite Tor
-      state. This serves to block non-Javascript dynamic content such as CSS
-      popups from revealing your IP address if you disable Tor.
-    </p></li>
-      <li>Hook Dangerous Javascript (crucial)<p> 
-    
-    This setting enables the Javascript hooking code. Javascript is injected into
-    pages to hook the Date object to mask your timezone, and to hook the navigator
-    object to mask OS and user agent properties not handled by the standard
-    Firefox user agent override settings.
-    </p></li>
-      <li>Resize window dimensions to multiples of 50px on toggle (recommended)<p> 
-    
-    To cut down on the amount of state available to fingerprint users uniquely, 
-    this pref causes windows to be resized to a multiple of 50 pixels on each
-    side when Tor is enabled and pages are loaded.
-    </p></li>
-      <li>Disable Updates During Tor (recommended)<p> 
-    
-    Under Firefox 2, many extension authors did not update their extensions from 
-    SSL-enabled websites. It is possible for malicious Tor nodes to hijack these extensions and replace them with malicious ones, or add malicious code to 
-    existing extensions. Since Firefox 3 now enforces encrypted and/or
-    authenticated updates, this setting is no longer as important as it once
-    was (though updates do leak information about which extensions you have, it is
-    fairly infrequent).
-    </p></li>
-      <li>Disable Search Suggestions during Tor (optional)<p> 
-    
-    This optional setting governs if you get Google search suggestions during Tor
-    usage. Since no cookie is transmitted during search suggestions, this is a
-    relatively benign behavior.
-    </p></li>
-      <li>Block Livemarks updates during Tor usage (recommended)<p> 
-    
-    This setting causes Torbutton to disable your <a
-    href="http://www.mozilla.com/firefox/livebookmarks.html">Live bookmark</a>
-    updates. Since most people use Live bookmarks for RSS feeds from their blog,
-    their friends' blogs, the wikipedia page they edit, and other such things,
-    these updates probably should not happen over Tor. This feature takes effect
-    in Firefox 3.5 and above only.
-    
-    </p></li>
-      <li>Block Tor/Non-Tor access to network from file:// urls (recommended)<p> 
-    
-    These settings prevent local html documents from transmitting local files to
-    arbitrary websites <a href="http://www.gnucitizen.org/blog/content-disposition-hacking/">under Firefox 2</a>. Since exit nodes can insert headers that
-    force the browser to save arbitrary pages locally (and also inject script into
-    arbitrary html files you save to disk via Tor), it is probably a good idea to
-    leave this setting on.
-    </p></li>
-      <li>Close all Non-Tor/Tor windows and tabs on toggle (optional)<p> 
-    
-    These two settings allow you to obtain a greater degree of assurance that
-    after you toggle out of Tor, the pages are really gone and can't perform any
-    extra network activity. Currently, there is no known way that pages can still
-    perform activity after toggle, but these options exist as a backup measure
-    just in case a flaw is discovered. They can also serve as a handy 'Boss
-    Button' feature for clearing all Tor browsing off your screen in a hurry.
-    </p></li>
-      <li>Isolate access to history navigation to Tor state (crucial)<p> 
-    
-    This setting prevents both Javascript and accidental user clicks from causing
-    the session history to load pages that were fetched in a different Tor state
-    than the current one. Since this can be used to correlate Tor and Non-Tor
-    activity and thus determine your IP address, it is marked as a crucial 
-    setting.
-    </p></li>
-      <li>Block History Reads during Tor (crucial)<p> 
-    
-      Based on code contributed by <a href="http://www.collinjackson.com/">Collin
-      Jackson</a>, when enabled and Tor is enabled, this setting prevents the
-    rendering engine from knowing if certain links were visited.  This mechanism
-    defeats all document-based history disclosure attacks, including CSS-only
-    attacks.
-    </p></li>
-      <li>Block History Reads during Non-Tor (recommended)<p> 
-    
-      This setting accomplishes the same but for your Non-Tor activity.
-    </p></li>
-      <li>Block History Writes during Tor (recommended)<p> 
-    
-      This setting prevents the rendering engine from recording visited URLs, and
-    also disables download manager history. Note that if you allow writing of Tor history,
-    it is recommended that you disable non-Tor history reads, since malicious
-    websites you visit without Tor can query your history for .onion sites and
-    other history recorded during Tor usage (such as Google queries).
-    </p></li>
-      <li>Block History Writes during Non-Tor (optional)<p> 
-    
-    This setting also disables recording any history information during Non-Tor
-    usage.
-    </p></li>
-    <li>Clear History During Tor Toggle (optional)<p> 
-    
-      This is an alternate setting to use instead of (or in addition to) blocking
-    history reads or writes.
-    </p></li>
-      <li>Block Password+Form saving during Tor/Non-Tor<p> 
-    
-      These options govern if the browser writes your passwords and search
-      submissions to disk for the given state.
-    </p></li>
-      <li>Block Tor disk cache and clear all cache on Tor Toggle<p> 
-    
-      Since the browser cache can be leveraged to store unique identifiers, cache
-    must not persist across Tor sessions. This option keeps the memory cache active
-    during Tor usage for performance, but blocks disk access for caching.
-    </p></li>
-      <li>Block disk and memory cache during Tor<p> 
-    
-      This setting entirely blocks the cache during Tor, but preserves it for
-    Non-Tor usage.
-    </p></li>
-      <li>Clear Cookies on Tor Toggle<p> 
-    
-      Fully clears all cookies on Tor toggle.
-    </p></li>
-      <li>Store Non-Tor cookies in a protected jar<p> 
-    
-      This option stores your persistent Non-Tor cookies in a special cookie jar
-      file, in case you wish to preserve some cookies. Based on code contributed
-      by <a href="http://www.collinjackson.com/">Collin Jackson</a>. It is
-      compatible with third party extensions that you use to manage your Non-Tor
-      cookies. Your Tor cookies will be cleared on toggle, of course.
-    </p></li>
-      <li>Store both Non-Tor and Tor cookies in a protected jar (dangerous)<p> 
-    
-      This option stores your persistent Tor and Non-Tor cookies 
-      separate cookie jar files. Note that it is a bad idea to keep Tor
-      cookies around for any length of time, as they can be retrieved by exit
-      nodes that inject spoofed forms into plaintext pages you fetch.
-    </p></li>
-      <li>Manage My Own Cookies (dangerous)<p> 
-    
-      This setting allows you to manage your own cookies with an alternate
-    extension, such as <a href="https://addons.mozilla.org/firefox/addon/82">CookieCuller</a>. Note that this is particularly dangerous,
-    since malicious exit nodes can spoof document elements that appear to be from
-    sites you have preserved cookies for (and can then do things like fetch your
-    entire gmail inbox, even if you were not using gmail or visiting any google
-    pages at the time!).
-    </p></li>
-      <li>Do not write Tor/Non-Tor cookies to disk<p> 
-    
-      These settings prevent Firefox from writing any cookies to disk during the
-      corresponding Tor state. If cookie jars are enabled, those jars will
-      exist in memory only, and will be cleared when Firefox exits.
-    </p></li>
-      <li>Disable DOM Storage during Tor usage (crucial)<p> 
-    
-      Firefox has recently added the ability to store additional state and
-      identifiers in persistent tables, called <a
-      href="http://developer.mozilla.org/docs/DOM:Storage">DOM Storage</a>.
-      Obviously this can compromise your anonymity if stored content can be
-      fetched across Tor-state.
-    </p></li>
-      <li>Clear HTTP auth sessions (recommended)<p> 
-    
-      HTTP authentication credentials can be probed by exit nodes and used to both confirm that you visit a certain site that uses HTTP auth, and also impersonate you on this site. 
-    </p></li>
-      <li>Clear cookies on Tor/Non-Tor shutdown<p> 
-    
-      These settings install a shutdown handler to clear cookies on Tor
-    and/or Non-Tor browser shutdown. It is independent of your Clear Private Data
-    settings, and does in fact clear the corresponding cookie jars.
-    </p></li>
-      <li>Prevent session store from saving Tor-loaded tabs (recommended)<p> 
-    
-      This option augments the session store to prevent it from writing out
-      Tor-loaded tabs to disk. Unfortunately, this also disables your ability to 
-      undo closed tabs. The reason why this setting is recommended is because
-      after a session crash, your browser will be in an undefined Tor state, and
-      can potentially load a bunch of Tor tabs without Tor. The following option
-      is another alternative to protect against this.
-    </p></li>
-      <li>On normal startup, set state to: Tor, Non-Tor, Shutdown State<p> 
-    
-      This setting allows you to choose which Tor state you want the browser to
-      start in normally: Tor, Non-Tor, or whatever state the browser shut down in.
-    </p></li>
-      <li>On crash recovery or session restored startup, restore via: Tor, Non-Tor<p> 
-    
-      When Firefox crashes, the Tor state upon restart usually is completely
-      random, and depending on your choice for the above option, may load 
-      a bunch of tabs in the wrong state. This setting allows you to choose
-      which state the crashed session should always be restored in to.
-    </p></li>
-      <li>Prevent session store from saving Non-Tor/Tor-loaded tabs<p> 
-    
-      These two settings allow you to control what the Firefox Session Store
-      writes to disk. Since the session store state is used to automatically
-      load websites after a crash or upgrade, it is advisable not to allow
-      Tor tabs to be written to disk, or they may get loaded in Non-Tor
-      after a crash (or the reverse, depending upon the crash recovery setting, 
-      of course).
-    </p></li>
-      <li>Set user agent during Tor usage (crucial)<p> 
-    
-      User agent masking is done with the idea of making all Tor users appear
-    uniform. A recent Firefox 2.0.0.4 Windows build was chosen to mimic for this
-    string and supporting navigator.* properties, and this version will remain the
-    same for all TorButton versions until such time as specific incompatibility
-    issues are demonstrated. Uniformity of this value is obviously very important
-    to anonymity. Note that for this option to have full effectiveness, the user
-    must also allow Hook Dangerous Javascript ensure that the navigator.*
-    properties are reset correctly.  The browser does not set some of them via the
-    exposed user agent override preferences.
-    </p></li>
-      <li>Spoof US English Browser<p> 
-    
-    This option causes Firefox to send http headers as if it were an English
-    browser. Useful for internationalized users.
-    </p></li>
-      <li>Don't send referrer during Tor Usage<p> 
-    
-    This option disables the referrer header, preventing sites from determining
-    where you came from to visit them. This can break some sites, however. <a
-    href="http://www.digg.com">Digg</a> in particular seemed to be broken by this.
-    A more streamlined, less intrusive version of this option should be available
-    eventually. In the meantime, <a
-    href="https://addons.mozilla.org/firefox/addon/953">RefControl</a> can
-    provide this functionality via a default option of <b>Forge</b>.
-    </p></li>
-    </ul>
-  </div>
+
+    <p>
+    Torbutton is the component in <a href="<page projects/torbrowser>">Tor
+    Browser Bundle</a> that takes care of application-level
+    security and privacy concerns in Firefox.  To keep you safe,
+    Torbutton disables many types of active content.
+    </p>
+  
+    <p>
+    Now that the <a href="<page projects/torbrowser>">Tor Browser
+    Bundle</a> includes a patched version of Firefox, and because we don't
+    have enough developer resources to keep up with the accelerated
+    Firefox release schedule, the toggle model of Torbutton is <a
+    href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton">no
+    longer supported</a>. <b>Users should be using Tor Browser Bundle,
+    not installing Torbutton themselves.</b>
+    </p>
+    </div>
   <!-- END MAINCOL -->
   <div id = "sidecol">
 #include "side.wmi"



More information about the tor-commits mailing list