Downloading attachments with Tor - is this secure?

Matthew pumpkin at
Tue Jun 22 08:10:26 UTC 2010

Hi Scott,

I am not using NoScript but I used it some time ago.  The problem I had 
was that various websites did not work because it turned off JavaScript 
which seemed essential.  At the moment I am using Polipo and Tor with 
JavaScript operational but Java, Flash, and QuickTime are all turned off 
in Firefox.

Perhaps you could please tell me why exactly NoScript is superior to the 
methods I am using?


Scott Bennett wrote:
> On Sat, 19 Jun 2010 09:15:15 -0400 "Aplin, Justin M" <jmaplin at>
> wrote:
>>> Yes, if you use Torbutton, the attachment itself will be downloaded
>>> only via Tor.
>> I believe this is the short answer to your question, though everything 
>> else Mike said is good to keep in mind as well, especially in situations 
>> where paranoia is appropriate.
>>> This is especially dangerous if you are using Yahoo Mail, because even
>>> if you trust the person who sent you the document, your attachment
>>> will be downloaded in plaintext (via http, not https).
>> Watch out for this. Yahoo's *login* page for webmail and other services 
>> may be HTTPS, but this reverts to plain HTTP once you're actually 
>> viewing your mail and downloading attachments. A simple solution for 
>> secure webmail at the moment is using Gmail and the new Firefox addon 
>> "HTTPS-Everywhere" available from . 
>> This addon is *NOT* magic, as it only works with the particular list of 
>> websites available on its option page, but making sure "Google Services" 
>> is checked in its options will allow all Gmail connections (including 
>> downloading attachments) to happen over HTTPS.
>      While HTTPS-Everywhere may be a nice programming exercise for its
> author(s), it appears wholly unnecessary for Firefox users because Firefox
> users should *ALREADY* be using NoScript, which allows one to accomplish
> the same thing, but also provides mountains of other protective measures.
> Don't be fooled into thinking that HTTPS-Everywhere can protect your
> anonymity or your privacy.  If you and/or the OP continue to refuse to
> use NoScript, then sooner or later you and/or the OP will get burned and
> will thus be taught the hard way the lesson you should have understood by
> now.
>                                   Scott Bennett, Comm. ASMELG, CFIAG
> **********************************************************************
> * Internet:       bennett at                              *
> *--------------------------------------------------------------------*
> * "A well regulated and disciplined militia, is at all times a good  *
> * objection to the introduction of that bane of all free governments *
> * -- a standing army."                                               *
> *    -- Gov. John Hancock, New York Journal, 28 January 1790         *
> **********************************************************************
> ***********************************************************************
> To unsubscribe, send an e-mail to majordomo at with
> unsubscribe or-talk    in the body.