Tor, security and web-usability - Sorry, now readable with line-breaks...

abacus.01 at mailnull.com abacus.01 at mailnull.com
Tue Jun 13 01:51:56 UTC 2006


Hello,
first I want to say thanks for this great programme and that you tolerate my Mac-security related questions. I read that Javascript and Flash are bad for Tor's security provisions. Though quitting Javascript is easy, I have not found the appropriate way to quickly kill Flash, neither in Firefox nor any other browser; most Flash-sites show up on my OSX just fine even without any Java.

Does that mean one theoretically had to deinstall Flash before surfing with Tor? The same question applies to Windows Media Player on the Mac, this is not secure to surf with, is it? Is a deinstallation also required before achieving an acceptable security level?

The next question is related to these problems: if I want to create an email-account with any of the big free web-based mail-services I know, I HAVE to switch Java and Javascript on, otherwise the configurations will fail. I understand that configuring, e.g. Yahoo with Tor enabled and the required Java/Javascript turned on, renders Tor's efforts null and void. I could as well surf openly to Yahoo like say 10 years ago.
Does anybody know of a web-based mail-service that does not require Java/Javascript during configuration or use? Or do I have to accept that I also have to use some remailer to reduce traceability to a secure amount?

Finally, if I go to pages like http://gemal.dk/browserspy/, I could really get paranoid or despair of security. While the useragent could partly be faked and randomly changed with tools like Fabian Keil's great uagen.pl, an automatic Firefox-User-Agent-Generator, the flash detection at gemal.dk/browserspy/ e.g. still reveals not only the Flash version but also my Operating System and its version. This works WITHOUT Java/Javascript enabled.
Given the fact that more and more parts of the web rely increasingly on Java/Javascript and multimedia enhanced features, are security related efforts not really a rearguard action?

Besides the problems of traceability that might result for Tor if one uses Java/Javascript, could it be a reasonable strategy to add a layer of obfuscation by employing second and third operating systems via emulation (e.g. inside an otherwise inaccessible TrueCrypt partition (which is not yet feasible on the Mac))?


Sorry, if this all sounds convoluted, I somehow just want to appraise the scope of this Sisyphus task. Thanks in advance and all the best for your work.


Regards




More information about the tor-talk mailing list