[tor-talk] http://torbrowser.sourceforge.net/

Randolph D. rdohm321 at gmail.com
Wed Aug 15 18:19:08 UTC 2012


https://www.torproject.org/projects/torbrowser/design/#security

1. Dooble uses Qt's proxy implementations. QFtp is not used. IP address
retrieval (feature to show the IP of the website, shown in the title of the
website) does not yet use proxies. The mechanism may be disabled by the
user and so should the vidalia plugin of Torbrowser.
2. User agent strings require isolation. JavaScript may also require some
isolation. Dooble doesn't query other browsers nor does it share
information with other browsers. Odd requirement.
3. Data that is written to disk is written in an encrypted manner.
Temporary sessions utilize temporary passwords. Authenticated sessions
destroy data that's associated with temporary sessions.
4. User data is written in an encrypted manner. User settings are stored in
human readable forms.

Complete risk isolation is not practical. That is, an entity with escalated
privileges and special knowledge could potentially gain insight into the
user's current state if access to the network and/or machine was available.
But that is given for any browser and any machine or network. Users need to
minimize the access to their machines, but in case, Dooble saves no data to
the disk, and if the user enables writing data to the disk, this is always
done in an encrypted manner since version 1.35.

2012/8/15

> I think it was a webkit bug, you were included in the communication when
> the torbrowser rised with Mike Perry communication
> need to look that up, or it is related to the tickets you already closed.
>
> 2012/8/15 A. Megas <textbrowser at gmail.com>
>
>> Was this related to FTP or Qt/WebKit proxies in general?
>>
>> On Wed, Aug 15, 2012 at 1:13 PM, Randolph D. <rdohm321 at gmail.com> wrote:
>>
>>> Hi Georg,
>>> the browser has improved a lot and what you mention, is webkit related,
>>> if I remember right.
>>> So does Tor inform all users for all the Webkit Browser?
>>> Let's research on that more to find a risk analysis.
>>> Regards
>>> 2012/8/15 Georg Koppen <g.koppen at jondos.de>
>>>
>>>> > there is preparation draft work done to get the vidalia Qt plugin out for
>>>> > the TorBrowser based on Dooble Web Browser 1.35 with lots of security
>>>> > improvements.
>>>> > Is there something to change on the drafted website?
>>>>
>>>> Yes, you should inform your users that Webkit (and thus your TorBrowser
>>>> clone) has serious proxy bypass issues which make the inclusion of Tor
>>>> useless.
>>>>
>>>> Georg

