NoScript, Tor and Firefox

Justin Aplin jmaplin at ufl.edu
Thu Jun 24 14:56:51 UTC 2010


On Jun 24, 2010, at 9:44 AM, zzzjethro666 at email2me.net wrote:

> If NoScript is so important, then why doesn't it come in the Windows  
> bundle for use with a USB?

As per the Browser Bundle's download page: "The Tor Browser Bundle is  
under development and not yet complete." Now, I don't have much (any)  
experience with the Browser Bundle, but I imagine it doesn't come with  
NoScript because it breaks functionality. Blocking JavaScript, Java,  
Flash, XSS, etc. is great for security, but the more of that you
disable, the less functional many websites become. This can break the  
"plug and play" nature of the Browser Bundle.

> My limited understanding is that this is sort of a complete package,  
> with configurations set to enhance and protect the user client. Now,  
> perhaps that only applies to use in the Tor network, i.e. Hidden  
> Services and such, and not the big, bad Spider's Web. Is this an  
> accurate, useful conclusion on my part?

It's my understanding that the Browser Bundle lets you use Firefox  
over Tor via Torbutton, without the hassle of having to set up  
Firefox, Tor, or Torbutton on the computer you're using. That said, it  
only provides those benefits unless you enhance your own security. If  
you are doing something that requires extreme privacy, and can't risk  
your HTTP or other unencrypted traffic being snooped on at the exit  
node (when accessing the "regular" internet), then you'll need to take  
measures to encrypt it. Forcing the use of HTTPS was the subject of  
the previous discussion you were quoting from, and setting up custom  
NoScript rules is one way of doing that. Granted, it often breaks the  
functionality of certain websites.

You're correct in thinking that this is somewhat less of an issue when  
accessing Tor Hidden Services, as traffic never leaves the (encrypted)  
Tor network. I'm sure, depending on the type of service run, that  
there are ways of maliciously gathering information about clients, but  
historically I don't believe this has been an issue (someone please  
correct me if I'm wrong).

> I used to use NoScript a few years and versions ago, but read about  
> potential weak points in it or that it might nullify what Privoxy  
> and now Polipo do. Excuse me if my memory is inaccurate but that was  
> the general gist of discussions I read. It might have also been
> mentioned that configuration settings in Firefox could be changed by  
> NoScript but again, I'm just trying to remember. I'm not real sure  
> nor trying to spread disinfo.

I can't comment on this, not having as much experience as I'd like  
with Polipo.

> I once was curious as to all the problems users have with
> Tor/Vidalia and was told that if I use it "out of the box", my problems
> are less and my anonymity is still good, depending on other factors  
> to be sure. So far, that seems to be the case but tweaking, testing  
> and understanding it in more environments doesn't seem to be in the  
> cards for me this lifetime.

Your anonymity is improved in the sense that (theoretically) all  
traffic bound for Tor is encrypted, and any traffic that would  
normally be unencrypted (without Tor) is now coming out some exit node  
that could be anywhere in the world and has no obvious connection to  
you. This is called "Speakeasy" security, and it only takes you so  
far. For example, sending your bank account details in an unencrypted  
(plaintext) email over Tor isn't particularly any safer than doing so  
without Tor, as anyone spying on an exit node could pick it up and  
have a field day with it. Tor isn't magic. If you're dealing with  
sensitive information, act as though you weren't using Tor at all and  
take appropriate security measures to protect your information. With  
that done, Tor is simply the icing on the cake (delicious, delicious  
cake I might add).

> Thanks.

Anytime :-)

~Justin Aplin
