Introducing Torfox 3.0.10

Kyle Williams kyle.kwilliams at gmail.com
Thu Jun 11 23:03:07 UTC 2009


Hi,

I'm not seeing the benefit of Tor Fox since Tor Browser Bundle[1] and XB
Browser[2] do the same thing you're doing.  Why are you trying to recreate
work that's been done already? First off, you didn't even have the browser's
proxy set to use Tor on port 9060, I had to set that myself. I noted that
the Tor Fox homepage is set to use the Tor Fox search engine, which uses
Google results, and displays Google ads right on the top of the page.  I
was able to get a real IP address from my deanonymizer that I've been
working on. Furthermore, a few security issues exist with Tor Fox.
- Several URIs can be used to reveal your true IP address.
- All the plugins are still enabled (Flash, Adobe Reader, etc.), which can
lead to IP disclosure.
(I stopped my review after I found this out, because one could be really
pwned with all plugins enabled.)

This leads me to think that you're trying to make a quick buck off of Google
ads while leaving Tor users exposed to security exploits of would-be
evildoers or some hackers that just enjoy making a ruckus. So, if you are
serious about securing Tor Fox then you need to install TorButton.  Mike
Perry and others have worked hard on making TorButton secure from several
different types of attacks and information leakage, which is why it is used
and trusted by many.  You should have a look at the design document for
Torbutton.

Feel free to review this, but I for one wouldn't use it.
My quick review can be found at:
http://www.janusvm.com/goldy/audits/TorFox_Audit_06_10_2009.rar



Best regards,

Kyle Williams


REFERENCES
[1]  https://www.torproject.org/torbrowser/
[2]  https://xerobank.com/download/xb-browser/


On Wed, Jun 10, 2009 at 3:31 PM, Tor Fox <torfox.org at gmail.com> wrote:

> Jacob wrote:
> > Have you read the design document that Mike wrote about Torbutton?
> No, I've done a lot of that already but some of it I hadn't thought of.
> I'll make sure that Torfox offers at least those features.
>
> > rogue browser extensions that are often installed on Windows machines
> Ok, I'll make sure I disable those.
>
> > Why not use 9050? To not conflict with other running Tors?
> Right.
>
> > It is important to be able to build it and produce the same binary that
> > you offer for download.
> The only thing missing is the icons.
>
> > I'm not sure what you mean when you say that it appeals to a different
> > style of usage. Do you mean because it lacks a Torbutton logo, or that it
> > lacks Vidalia?
> No, I mean that you can just forget Tor is even there. It's more like an
> appliance rather than an always-on service. It's less intrusive.
>
> > We do a lot to protect users with the Tor Browser Bundle (much of it is
> > protection added by Torbutton), it would be a really good idea to make
> > sure you're familiar with those things.
> I agree.
>
> > I look forward to reproducible builds! Don't forget the pgp signatures
> > too. ;-)
> You can reproduce it right now, other than the icons.
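The two concrete findings in the message above, a browser shipped without its SOCKS proxy pointed at Tor on port 9060 and plugins left enabled, are both visible in the Firefox profile's prefs.js / user.js. The following is an added example, not code from the post or from the Torfox project: a small checker that parses those `user_pref(...)` lines and reports the settings a Tor-wrapped Firefox needs before it is handed to users. The pref names `network.proxy.type`, `network.proxy.socks`, `network.proxy.socks_port` and `network.proxy.socks_remote_dns` are real Firefox preferences; the `plugin.state.*` prefs (0 = disabled) exist in later Firefox releases than the 2009 builds discussed here, so treating them as the plugin switch is an assumption of this example. The sample profiles are constructed.

```python
"""Audit a Firefox prefs.js / user.js for Tor-safe proxy and plugin settings.

Added example; not code from the original post or from Torfox. The check
encodes the two findings from the review: proxy not pointed at Tor (port
9060 in Torfox's case) and plugins left enabled.
"""
import re
from typing import Dict, List, Union

Value = Union[str, int, bool]

# Matches lines such as:  user_pref("network.proxy.socks_port", 9060);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text: str) -> Dict[str, Value]:
    """Parse prefs.js-style lines into a dict; non-pref lines are ignored."""
    prefs: Dict[str, Value] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave unknown literal forms as text
    return prefs


def audit_tor_prefs(prefs: Dict[str, Value], expected_port: int = 9060) -> List[str]:
    """Return a list of findings; an empty list means the profile passes."""
    findings: List[str] = []
    # 1 = manual proxy configuration; anything else sends traffic directly.
    if prefs.get("network.proxy.type") != 1:
        findings.append("network.proxy.type is not 1 (manual): traffic bypasses Tor")
    if prefs.get("network.proxy.socks") not in ("127.0.0.1", "localhost"):
        findings.append("network.proxy.socks is not the local Tor SOCKS host")
    if prefs.get("network.proxy.socks_port") != expected_port:
        findings.append(f"network.proxy.socks_port is not {expected_port}")
    # Without remote DNS, hostname lookups go to the local resolver in the clear.
    if prefs.get("network.proxy.socks_remote_dns") is not True:
        findings.append("network.proxy.socks_remote_dns is not true: DNS leaks outside Tor")
    # Assumption: plugin.state.<name> == 0 means the plugin is disabled.
    for name, value in sorted(prefs.items()):
        if name.startswith("plugin.state.") and value != 0:
            findings.append(f"{name}={value}: plugin is not disabled (IP disclosure risk)")
    return findings


# Constructed sample: a profile shipped without Tor proxying and with Flash on.
AS_SHIPPED = """\
user_pref("browser.startup.homepage", "http://search.example.invalid/");
user_pref("plugin.state.flash", 2);
"""

# Constructed sample: the same profile after pointing it at Tor on 9060.
HARDENED = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9060);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("plugin.state.flash", 0);
"""


def audit_text(text: str, expected_port: int = 9060) -> List[str]:
    """Convenience wrapper: parse then audit."""
    return audit_tor_prefs(parse_prefs(text), expected_port)


if __name__ == "__main__":
    for label, profile in (("as shipped", AS_SHIPPED), ("hardened", HARDENED)):
        result = audit_text(profile)
        print(f"{label}: {'OK' if not result else ''}")
        for f in result:
            print("  -", f)
```

Run against a real profile with `audit_text(open("user.js").read())`; pass `expected_port=9050` for a stock Tor install. The checker only reads preferences, so it catches a misconfigured bundle before release but says nothing about leaks that happen despite correct prefs, which is the part Torbutton's design document covers.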