dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
5
share rss forum feed


CaptainZero

@as5577.net
reply to unreg

Re: Any secure anonymous linux distros based on Whonix

The Whonix documentation at sourceforge recommends against using Flash and Java. They never say why. ....perhaps browser fingerprinting?

»sourceforge.net/p/whonix/wiki/Se···20World/

"Flash and Java, although recommend against, can also not leak IP/location. See Browser Plugins for details."



unreg

@glasoperator.nl

said by CaptainZero :

The Whonix documentation at sourceforge recommends against using Flash and Java. They never say why. ....perhaps browser fingerprinting?

»sourceforge.net/p/whonix/wiki/Se···20World/

"Flash and Java, although recommend against, can also not leak IP/location. See Browser Plugins for details."

See »sourceforge.net/p/whonix/wiki/Br···Plugins/

"We explain the risks of browser plugins (flash etc.), discuss some alternatives and finally explain how to use browser plugins anyway in the best possible secure manner."... and read ahead.


CaptainZero

@lessnetworking.net

said by Whonix :
Avoiding browser plugins and flash is better than using them.

Note that there are alternatives to flash (and perhaps other browser plugins). Most of the workarounds aren't a 100% complete, perfect drop in replacement, but perhaps it works sufficient for you (for example, if you only need youtube). ............... Discussing the flash alternatives in details is beyond the scope of Whonix.

Consider the plugin usage pseudonymous rather than anonymous . If you are using any plugins such as Flash, it will be probable known to the exit node, exit node's ISP and website, that you are a Whonix user.

Thanks for the link. The bolding is mine. Complete Text at: »sourceforge.net/p/whonix/wiki/Br···Plugins/

If your goal is pseudonymous rather than anonymous by all means use it.


unreg

@ipredator.se

To explain the pseudonymous rather than anonymous in case that was misunderstood:

- IP/location is still hidden!
- The destination server (website) with flash could find out "Oh, that is the Tor user, we call him UserA who yesterday watched video1, video2, video3 and today is watching video4..."
- In comparison if the connection were truly anonymous the website could only know "some anonymous connection, no idea if that user ever visited our website".


You appear to be happy mixing browser plugins and anonymity. Let's agree to disagree.

said by Whonix :
The concern against browser plugins can be broken down to:
1. Likability: browser plugins use can be probably^3^ correlated to the same pseudonym.
2. Fingerprinting: browser plugins can probable leak lots of information about your (virtual) operating system (=Whonix-Workstation)
3. Security: some plugins have a history for remote exploits. More concrete: the risk for your virtual operating system to get infected by trojan horses etc. is higher.



unreg

@stratoserver.net

My point is pseudonymous here doesn't mean they can find out your IP, location, real name... Imagine you are a number, always the same number. Being always the same unique number shared with all Tor users would of course be better.

Also TBB is also not 100% anonymous. More pseudonymous. True anonymity is the goal. A long way to go.

tbb-linkability
»trac.torproject.org/projects/tor···kability

tbb-fingerprinting
»trac.torproject.org/projects/tor···printing

The security concern is valid of course. I think youtube is unlikely to attack. If you use plugins in whonix with brain and dispose the workstation sometimes to get ride of the pseudonym I think you are fine. Much safer than with any proxifier method you find on google.

slajoh01

join:2005-04-23

2 edits

Isnt their a TOR addon in FF to use for this?



CaptainZero

@torservers.net

said by slajoh01 :
Isnt their a TOR addon in FF to use for this?

Tor no longer supports the TOR Button addon for install on a Firefox distribution from Mozilla. The TOR browser bundle includes a portable Firefox 10....ESR. Helps with the insane Mozilla update schedule.

said by unreg :
Also TBB is also not 100% anonymous. More pseudonymous. True anonymity is the goal. A long way to go.

I agree completely. The links you posted are from TOR bug track. Certainly those issues are relevant to anonymity but I saw no mention of adding browser plugins to the mix. Did I miss something. Elsewhere the TOR documentation recommends against browser plugins and extensions other than those included in the bundle (HTTPS Everywhere, No Script and TOR Button).

said by unreg :
I think youtube is unlikely to attack.
If you are just trying to confuse Google there are other solutions with a lot less latency. I suppose there are reasons for anonymity on YouTube, perhaps threatening a government or an individual or just being critical of them could land you on a watch list.

None of that applies to me and I will not be adding browser plugins as they add a layer of risk that I am not comfortable with. Obviously you feel different so get after that YouTube and enjoy. Google "Two Girls and a Cup" (Flash video but no longer on YouTube). Some things are just so bad you can't stop watching.


unreg

@noisetor.net
reply to slajoh01

Yes, but they have not reached that goal.



unreg

@ipredator.se
reply to CaptainZero

Sorry, my last reply was to slajoh01. I missed yours, CaptainZero.

quote:
I agree completely. The links you posted are from TOR bug track. Certainly those issues are relevant to anonymity but I saw no mention of adding browser plugins to the mix.
That is totally right. I wrote that to make clear that the "don't use it because pseudonymous, not anonymous" argument is weak one against Flash. It's one reason against Flash but not a sufficient reason. TBB is also rather pseudonymous than anonymous. (open bugs, more fingerprinting bugs such as desktop resolution, zoom...)

quote:
Did I miss something. Elsewhere the TOR documentation recommends against browser plugins and extensions other than those included in the bundle (HTTPS Everywhere, No Script and TOR Button).
Correct.

quote:
None of that applies to me and I will not be adding browser plugins as they add a layer of risk that I am not comfortable with.
Yes, the added security risk is a strong argument against Flash.