Silk Road forums
Discussion => Security => Topic started by: maybejustonce on February 12, 2013, 12:41 am
-
Now I read everywhere that whilst using Tor, one should disable cookies and scripts. However, SR requires both... what to do?
-
SR doesn't require javascript so turn that off, it can expose your real IP.
Cookies are needed but you can use a cookie manager add-on (to Firefox/TorBrowser) so that they are automatically deleted after each visit. (I think the TorBrower does it automatically but don't take my word for it)
I'm no safety expert but I think this should do the trick.
Be safe!
-
fffffffuck. i've been using tor with scripts on for a damn while now...
-
Cookies are definitely deleted when you close the Tor browser. It also comes with NoScript configured for compatibility. What I mean is that it isn't configured for maximum safety, just good safety with settings that don't break the whole web (like it does if you prevent any un-whitelisted site from running, which is/was the NoScript default).
I don't know of any exploits that will bypass the out-of-the-box configuration, but that isn't my specialty, so take it with a grain of salt. You may or may not want to go to "about:config" and change "network.websocket.enabled" to be "false." There's some contention about whether or not it's really safe to have it on, but the Tor project says it is & the browser ships with it that way... so one would think it is. Your call though.
Other than that, I wouldn't worry too much.
-
Cookies are definitely deleted when you close the Tor browser. It also comes with NoScript configured for compatibility. What I mean is that it isn't configured for maximum safety, just good safety with settings that don't break the whole web (like it does if you prevent any un-whitelisted site from running, which is/was the NoScript default).
I don't know of any exploits that will bypass the out-of-the-box configuration, but that isn't my specialty, so take it with a grain of salt. You may or may not want to go to "about:config" and change "network.websocket.enabled" to be "false." There's some contention about whether or not it's really safe to have it on, but the Tor project says it is & the browser ships with it that way... so one would think it is. Your call though.
Other than that, I wouldn't worry too much.
can you explain in depth what that command line does?
-
Cookies are definitely deleted when you close the Tor browser. It also comes with NoScript configured for compatibility. What I mean is that it isn't configured for maximum safety, just good safety with settings that don't break the whole web (like it does if you prevent any un-whitelisted site from running, which is/was the NoScript default).
I don't know of any exploits that will bypass the out-of-the-box configuration, but that isn't my specialty, so take it with a grain of salt. You may or may not want to go to "about:config" and change "network.websocket.enabled" to be "false." There's some contention about whether or not it's really safe to have it on, but the Tor project says it is & the browser ships with it that way... so one would think it is. Your call though.
Other than that, I wouldn't worry too much.
can you explain in depth what that command line does?
Well, it's not some secret or anything, you can go ahead and do a search for the setting if you're uncomfortable trusting me. "about:config" is the Firefox (the Tor browser is a bundled version of Firefox) address for advanced settings. Unless you're _positive_ you know what one does, don't fuck with it. Seriously. At best you'll slow things down, at worst you'll start leaking your identity.
Websockets are an HTML5 thing. I hear their implementation is still a little buggy in Firefox, but I have no personal experience with them. Basically it's a feature to support exchanging data with a specific site and splicing it into the currently viewed page -- so for instance, say you go to "www.moviesforfree.com" (totally made up), and the (imaginary) guy who made the (imaginary) site decided to use a websocket to make sure the page doesn't have to be refreshed in order to show you "MOVIE ADDED" or something.
So the javascript opens a websocket to a different server, maybe "www.moviesforfree-updates.com" or some junk, and communicates through the websocket to get notified of updates. There was a bug in an older version of the Tor browser that bypassed Tor entirely when connecting via websockets; as in your IP was available via a simple javascript function any site could trigger. It's supposedly fixed, but like I said, there seem to be those who claim it isn't truly fixed and advise that people disable websockets entirely.
Enough information? :)
-
fffffffuck. i've been using tor with scripts on for a damn while now...
Me too. I haven't bought anything on Silk Road Marketplace yet though. If you haven't either I guess it's no problem, is it? Just create a new account. No? I'm going to keep reading for a while before I place my first order because I'm so fucking paranoid.
-
In the bottom on Tor window it shos that "Scripts Currently Forbidden | ...", but in options it shows that Java scripts are enabled. So should I disable?
-
I've browsed SR marketplace with scripts enabled and I've browsed SR forum and posted on SR forum with scripts enabled. Should I create new accounts on SR marketplace and SR forum??? I have not yet ordered anything.
-
In the bottom on Tor window it shos that "Scripts Currently Forbidden | ...", but in options it shows that Java scripts are enabled. So should I disable?
No. Unless you have a reason to believe you know better, it's best to just leave the Tor browser in the state it comes in -- the Tor project developers configured it specifically for privacy.
-
In the bottom on Tor window it shos that "Scripts Currently Forbidden | ...", but in options it shows that Java scripts are enabled. So should I disable?
No. Unless you have a reason to believe you know better, it's best to just leave the Tor browser in the state it comes in -- the Tor project developers configured it specifically for privacy.
So we shouldn't disable scripts either? When I started using the Torbrowser the button at the top left with an "S" did not have a red circle with a diagonal line.
-
In the bottom on Tor window it shos that "Scripts Currently Forbidden | ...", but in options it shows that Java scripts are enabled. So should I disable?
No. Unless you have a reason to believe you know better, it's best to just leave the Tor browser in the state it comes in -- the Tor project developers configured it specifically for privacy.
So we shouldn't disable scripts either? When I started using the Torbrowser the button at the top left with an "S" did not have a red circle with a diagonal line.
That's the button added by the NoScript extension. Like I said above, it's configured by default to protect your identity/privacy/anonymity but to also make sure web pages still work. Almost every site requires at least some javascript in order to work, and if you disable all javascript except for sites you specify (which is what it means when there's a red crossed-out circle), then almost nothing will work.
Just leave it as it is -- it's still blocking the more dangerous javascript functions the way it comes :)
-
There's a lot of FUD in this thread. First of all, JavaScript runs inside the browser and can't bypass proxy settings, so it can't "reveal your IP" in the same way as a plugin (Java, Flash). There are ways that JavaScript can deanonymize you, especially when Torbutton states are toggled, but you shouldn't be toggling Torbutton off in the browser bundle these days, and Torbutton blocks this malicious activity anyway. Here's what the Tor Project has to say about it:
Javascript can do things like wait until you have disabled Tor before trying to contact its source site, thus revealing your IP address. As such, Torbutton must disable Javascript, Meta-Refresh tags, and certain CSS behavior when Tor state changes from the state that was used to load a given page. These features are re-enabled when Torbutton goes back into the state that was used to load the page, but in some cases (particularly with Javascript and CSS) it is sometimes not possible to fully recover from the resulting errors, and the page is broken. Unfortunately, the only thing you can do (and still remain safe from having your IP address leak) is to reload the page when you toggle Tor, or just ensure you do all your work in a page before switching tor state.
https://www.torproject.org/torbutton/torbutton-faq.html.en
Also, the web sockets bug was fixed a long time ago.
https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs
https://trac.torproject.org/projects/tor/ticket/5741
The main threat to deanonymization is plugins, especially Flash and Java. Don't use them.
-
TOR browser is becoming almost useless for me and many of the web pages I need to use these days.
-
That's the button added by the NoScript extension. Like I said above, it's configured by default to protect your identity/privacy/anonymity but to also make sure web pages still work. Almost every site requires at least some javascript in order to work, and if you disable all javascript except for sites you specify (which is what it means when there's a red crossed-out circle), then almost nothing will work.
Just leave it as it is -- it's still blocking the more dangerous javascript functions the way it comes :)
Thanks. I already clicked on that button before I read your other post so it now has the red crossed-out circle. Just to make sure, should I hover over it, then click on "allow scripts globally (dangerous)" and then click OK in the warning window that comes up? thanks
-
That's the button added by the NoScript extension. Like I said above, it's configured by default to protect your identity/privacy/anonymity but to also make sure web pages still work. Almost every site requires at least some javascript in order to work, and if you disable all javascript except for sites you specify (which is what it means when there's a red crossed-out circle), then almost nothing will work.
Just leave it as it is -- it's still blocking the more dangerous javascript functions the way it comes :)
Thanks. I already clicked on that button before I read your other post so it now has the red crossed-out circle. Just to make sure, should I hover over it, then click on "allow scripts globally (dangerous)" and then click OK in the warning window that comes up? thanks
You could just reinstall the browser bundle, and leave the defaults alone if you prefer. No harm in it.
BTW, Astor's one of our resident security experts -- if you see him say something, it's probably an indisputable fact. Just for future reference and all.
-
Just to make sure, should I hover over it, then click on "allow scripts globally (dangerous)" and then click OK in the warning window that comes up? thanks
NO!! DON'T DO THAT!!!!
That will allow all websites you visit to run whatever scripts they want, which is very very bad!
PUT IT BACK TO HOW IT WAS!!