e-mail and anonymity
John Brooks
aspecialj at gmail.com
Sat Aug 16 17:32:08 UTC 2008
Enabling javascript and cookies for everything is dangerous to anonymity,
but doing that selectively is much less so. Cookies are recommended against
because they, by definition, store something along with the user - meaning
that even if the tor IP changes, the cookie can be used to connect it to the
old one. This isn't an issue for a webmail system anyway, where you have a
username that does a perfectly good job of connecting you to your old
traffic already (and if you were trying to avoid that, you'd be using a new
account, and thus a different cookie). Google, for example, uses cookies to
help track users through IP changes, which can easily become dangerous if
you use both Tor and non-Tor google in the same browser.
Javascript's only real danger to anonymity is exploits (i.e. if some
javascript traffic went outside the proxy, or if it helped compromise the
browser), but it is worth noting that javascript can also change the content
of the page you're viewing. If you have a bad exit node that inserts fake
javascript into pages (it's happened), you won't have a real way to know the
difference.
In theory, javascript could also be of use in certain timing or latency
attacks to discover a client's circuit (by generating large amounts of
constant traffic), but that's not hard to do without javascript.
You should be fine enabling javascript and cookies for specific sites that
require it - although you should try to use SSL there if at all possible.
- John Brooks
On Sat, Aug 16, 2008 at 9:56 AM, Charles.F <Charles.f at swing.be> wrote:
> Hi,
> I am not shure I understand very well how mailing lists like this works, so
> correct me if I don't do it the way it should be.
> I'm just gonna ask my question here, right ? :
>
> If one wants to be anonymous when sending an receiving mails, one should
> use privoxy and tor on his browser and also disable Java, Javascript,
> cookies and so on.
> Any webmail I tried to subscibe to couldn't work without either Javascript or
> Cookies enabled so I suppose webmails needs Javascript and/or Cookies
> enabled to work properly, am I right ?
> In that case, one can't be sure of its anonymity (as cookies or javascript
> are enabled) when one send or receive mails...
>
> I hope my question is clear and sorry if the answer is obvious or if I
> didn't send it to the right e-mail address
>
> Thanks
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20080816/32a2ad09/attachment.htm>
More information about the tor-talk
mailing list