Eugene Y. Vasserman
eyv at cs.umn.edu
Tue Feb 27 16:06:04 UTC 2007
-----BEGIN PGP SIGNED MESSAGE-----
I have set up a rough HOWTO on having anonymous and non-anonymous
Firefox sessions co-exist (even though this itself is NOT recommended).
It is written for Windows, but mostly applies to any other operating
system. The HOWTO is here: http://www.cs.umn.edu/~eyv/anon-web.html
Any and all comments from the community are appreciated.
Thus spake Michael Holstein:
>> (1) Does it mean that even when I visit unencrypted sites, nobody
>> would be able to tell what sites or pages I am requesting?
> Correct. As long as you're also proxying the DNS via SOCKSv4, the only
> person that could "see" your traffic in the clear is the folks between
> the exit node and the destination.
> However .. if you do something like access your (real) Yahoo mail,
> someone could connect that traffic with the "real" you .. because they
> could see your name in the HTTP traffic. Thus, it's unwise to leak the
> recipe to the secret sauce, and then go check your Hotmail account all
> in the same session.
> You also need to be mindful of combining your "anonymous" and "regular"
> activities .. if, for example, you allow sites to set cookies and you
> visit two sites both using DoubleClick .. that cookie will connect the
> "real" you and the "tor" you. Same goes for any website that requires
> authentication (eg: Yahoo mail, etc.). Someone could check the logs and
> say "well, I see it was TOR this time, but yesterday it was Comcast".
>> (2) Can the green line be cracked by intercepting the packets or headers?
> An attack against AES that's more effective than bruteforce is not (yet)
> known, so I'd say "probably not", although TOR developers are clear to
> tell you it doesn't defend against a "global adversary" (eg:
>> (3) I don't know where the encryption key is stored. Can it be stolen
>> if my pc is hacked?
> The client key is in memory, so no .. unless you do something like
> suspend your laptop while TOR is running (thus writing it to disk).
> Also, it's possible to have the key written to swap accidently.
> You can prevent both those problems with a "liveCD" distro that dosen't
> touch the hard disk. There are many such "internet privacy appliances",
> my personal favorite being the one based on OpenBSD (Anonym.OS).
> Other general recommendations :
> Firefox (dump cookies on exit, no cache, etc)
> FlashBlock plugin (no flash)
> Michael Holstein CISSP GCIA
> Cleveland State University
Eugene Y. Vasserman
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the tor-talk