suggestion for 'is my installation of tor working?' page

James Muir jamuir at scs.carleton.ca
Fri Feb 16 05:08:31 UTC 2007


Nick Mathewson wrote:
> On Sun, Feb 04, 2007 at 08:58:36PM -0800, Wesley Kenzie wrote:
>> I've got an initial version up now at http://www.showmyip.com/torstatus/ -
>> feedback welcome!  More content and links to come!
> 
> As others have noted, this is really excellent, but there's way too
> much information there for it to be useful for unsophisticated users.
> There's no way that my dad, for example, could tell that his window
> width and height identify him far more uniquely than do his User-Agent
> or his "DMA code".
> 
> Maybe there should be some kind of "What I Learned" section at the
> top, with parts like:
> 
>   Javascript said:   "Your IP is x.y.z.w".
>      (Learn more about how to disable Javascript _here_.),
>   Java said: "Your IP is x.y.z.w.":
>      (Learn more about how to disable Java _here_.)
> 
> That is, sort information by order of significance of disclosure, and
> for each piece of information, tell users what it means, how much it
> isolates them, and how to stop disclosing it.
> 
> Also, is there some way to see, use, and distribute the source for
> these pages?  As long as you operate them, yours will of course be
> most popular, but my free software instincts make me ask "what do we
> do if Wesley is unavailable for a while?"

Along with having a web page which attempts to educate Tor users about 
the dangers of executing Java, JavaScript, Flash, etc. in their 
browsers, I think there also needs to be a stronger warning about this 
on the main Tor web site (tor.eff.org).  There is a warning on the wiki 
but this is something that's important enough to promote to the main 
page (and have translated).

There are Java and Flash applets that, when run in a Tor user's browser, 
will open non-proxied connections back to their originating web sites 
and thus expose a user's real IP address.  This is, I think, the most 
serious threat to Tor users who don't disable these in their browsers -- 
never mind fingerprinting my machine by capturing my screen resolution, 
etc. with JavaScript.

The NoScript extension with Firefox works great -- it disables all 
scripts and plugins.  I hope people who really need anonymity are using 
these.  However, I expect that many are using IE.  I don't run Windows, 
but I would guess that there probably isn't an easy way to disable Flash 
in IE.  A clear warning with the Tor client installation instructions 
might help new Tor users better protect their anonymity.

-James
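
Added example, not part of the original messages and not code from showmyip.com or the Tor project: a sketch of the "What I Learned" report proposed in the thread, where an address reported by a plugin or script channel is flagged when it differs from the source address of the proxied page request, and findings are sorted by significance. All names, the severity ranking (taken from the opinions in the thread) and the sample data are assumptions made for illustration.

```javascript
// Added example: constructed data, hypothetical names throughout.
// Severity order is an assumption drawn from the thread: a real-IP leak
// outranks window size, which outranks User-Agent.
const SEVERITY = { ip_leak: 3, window_size: 2, user_agent: 1 };

const ADVICE = {
  ip_leak: "disable this plugin or script engine in the browser",
  window_size: "disable JavaScript so the page cannot read it",
  user_agent: "sent with every request; ranked lowest in the thread",
};

// proxiedIp: source address of the page request (should be a Tor exit).
// observations: [{ channel, kind, value }] gathered by the test page.
function buildReport(proxiedIp, observations) {
  const findings = [];
  for (const o of observations) {
    if (o.kind === "ip") {
      // An address reported by a channel that differs from the proxied
      // request's source means that channel bypassed the proxy.
      if (o.value !== proxiedIp) {
        findings.push({ type: "ip_leak", channel: o.channel, value: o.value });
      }
    } else if (o.kind in SEVERITY) {
      findings.push({ type: o.kind, channel: o.channel, value: o.value });
    }
  }
  // Most significant disclosure first, as suggested in the thread.
  findings.sort((a, b) => SEVERITY[b.type] - SEVERITY[a.type]);
  return findings.map((f) => ({
    ...f,
    line: `${f.channel} said: "${f.value}" (${ADVICE[f.type]})`,
  }));
}

// Constructed sample using documentation-range addresses (RFC 5737).
const sample = [
  { channel: "HTTP header", kind: "user_agent", value: "ExampleBrowser/1.0" },
  { channel: "Javascript", kind: "window_size", value: "1280x960" },
  { channel: "Javascript", kind: "ip", value: "192.0.2.10" },
  { channel: "Java", kind: "ip", value: "198.51.100.7" },
];
const report = buildReport("192.0.2.10", sample);
for (const r of report) console.log(r.line);
```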


