[tor-talk] Flashproxy questions. (Badge config, user interaction)

Sebastian G. <bastik.tor> bastik.tor at googlemail.com
Sun Oct 7 09:08:15 UTC 2012


David Fifield:

Thank you for the detailed information.

>> How can it be achieved that the badge is only active after it has been
>> clicked?
> 
> What this means is that the JavaScript would run, but not actually do
> anything until clicked.

My question wasn't precise enough. As far as I understand it now, a
website owner (admin) can't choose between opt-in and opt-out, right?

I assumed that

<iframe src="//crypto.stanford.edu/flashproxy/embed.html" width="80"
height="15" frameborder="0" scrolling="no"></iframe>

will be a badge that is running on the users end (opt-out).

My question was how an admin can achieve having it be opt-in? (Now I
understand that doesn't seem possible.)

Couldn't you have
"crypto.stanford.edu/flashproxy/embed_opt_in.html"
and
"crypto.stanford.edu/flashproxy/embed_opt_out.html"
to make it possible to choose between them?

My concern about opt-out was that someone else decides for anybody else.
An admin decides for the visitors. Although the proxy might be idle most
of the time and a visitor is not affected I would find it problematic to
have it opt-out by default.

For crypto.stanford.edu it did not concern me, as I read:
"If your browser runs JavaScript and has support for WebSockets then
while you are viewing this page your browser is a potential proxy
available to help censored Internet users."

For some people it may be suspicious that their browser is doing
something without their consent. I expect a browser to display web pages
and not to relay traffic.

It's also hard to figure out how many people would care to click the
badge when it's opt-in. I hadn't any good idea to make people aware of
the proxy and that they could help, without annoying them.

It's also hard to figure out how admins will react to opt-out. Users may
overlook the badge or not care at all, so the admin assumes it would be
a good idea to do it that way.

> 
>> What happens if one opens multiple browsers (FF, TBB, FF Portable,
>> Opera, Chrome, Safari, IE, or any other) and visits a website containing
>> such a badge (or multiple websites with such a badge)?
> 
> Each one is an independent proxy, possibly subject to
> facilitator-imposed restrictions. The proxy should disable itself when
> running in TBB but does not, because I don't know how to detect that;
> see ticket https://trac.torproject.org/projects/tor/ticket/6293.

I saw the update to exclude Tor exits from being served, and I think this
is a good idea. Mostly because it catches Tor + any browser (not
recommended) and TBB.

TBB users should look all the same, but how they look changes from TBB
release to TBB release, I assume. It would not be so good to have something
to fingerprint it on.

Once the flashproxy is not relaying Tor over Tor, the anonymity attacks
shouldn't be a problem to have opt-out from that point of view.


> Nice questions, please keep them coming.

Knowledge is power. I didn't know what would happen so I asked.

It's easier to explain it to both sides (admins and visitors) if you
know how it works.

I don't seem to have questions for now, but I will come back and ask for
more. Thank you for explaining so nicely.

> 
> David Fifield
> 
Sebastian (bastik_tor)

