spurr tells us how best to use tor with firefox for internet security

VerdantGreen

Genetics Facilitator
Boutique Breeder
Mentor
ICMag Donor
Veteran
hi all i felt i should re-post this here as it is very useful information.
i started a thread in the website support forum because i kept getting the 'secure connection failed' window when trying to upload my pics. long story short, spurr weighed in and shared some great tips on the subject - pretty pictures and all.

hey bro,

The problem is Polipo, the HTTP/S proxy that sits between your browser and Tor. I have been testing Privoxy for a while now, it used to be the default HTTP/S proxy for Tor, but Tor switched to Polipo because Polipo is lighter and faster. However, Polipo is not under as active development as Privoxy. After using Privoxy and not Polipo for the last few weeks I have had zero of the errors you listed above. But, when I used Polipo again, I get the errors often.

If you or others are interested I can tell you how to set up Privoxy for use with Tor, and how to set up Vidalia so it auto-starts Privoxy and not Polipo.

:tiphat:

Cool, thanks Honkytonk. Glad to see it worked for you too.

I get really frustrated when I get caught in the "secure connection failed" loop due to Polipo. I am going to open a bug report ticket at the Tor flyspray site. Hopefully phobos, or Chris, or whoever is handling Polipo now that its original author, Juliusz Chroboczek, has stopped developing it, will be able to figure out a fix...

The problem with using Privoxy vs. Polipo is that it makes those who use Privoxy stand out from 'the crowd' of other Tor users due to fingerprinting attacks (e.g. "Panopticlick" http://panopticlick.eff.org/ ). That means it opens us up to easier identification (e.g. via rogue exit nodes) vs. using Polipo and 'blending in' with other Tor users.

As the true adage goes "anonymity loves company"...


Here is some good info on browser fingerprint:

It's important to use TorButton and Firefox and Polipo to 'blend into the crowd'...

1. "Browser Fingerprinting Can ID You Without Cookies"
http://www.networkworld.com/news/2010/012910-browser-fingerprinting-can-id-you.html


2. "Help EFF Research Web Browser Tracking"
https://www.eff.org/deeplinks/2010/01/help-eff-research-web-browser-tracking


3. "A Primer on Information Theory and Privacy"
https://www.eff.org/deeplinks/2010/01/help-eff-research-web-browser-tracking




FWIW, here are the Firefox add-ons I use to increase my security and anonymity:

Using un-common add-ons can also make your browser fingerprint stand out from the crowd of other Tor users:

1. BetterPrivacy (a must have)

2. RefControl (a must have, and needs to be properly configured)

3. HTTPS-Everywhere

4. Flashblock

5. NoScript

6. RequestPolicy (prevent cross-site scripting, etc)

7. TorButton (of course, the uber must have)



About "EverCookies"

These are very dangerous and can not be deleted by normal methods and can be used even through TorButton, to identify users.

1. "BleachBit" (that is a very good file shredding tool, it's the only way to remove EverCookies at this time)

2. Anonymizer is releasing a new add-on for Firefox soon that will prevent setting and will remove EverCookies.


for windows, see this post

Directions for Privoxy with Mac:


1a. Mac users need to build (i.e. compile) Privoxy for their systems. If using Snow Leopard see the directions for building Privoxy here.


1b. Make sure to build the most current version of Privoxy. In the directions above the author is using v3.0.16, but right now v3.0.17 is current, so use v3.0.17; get the source code here.


2. Download the zip folder I made with Privoxy config files for Mac here; password is "ilovecanna" (without quotes).


3. Put the three files "config", "default" and "match-all" into /usr/local/etc/privoxy/config; overwrite the three files with the same name already in /usr/local/etc/privoxy/config.


4a. When Vidalia starts it also auto-starts Polipo. I could tell you all how to configure Vidalia to auto-start Privoxy instead, but I don't want to do that because it is best to use Polipo whenever possible.


4b. To use Privoxy, start Vidalia and kill the Polipo process by following the directions here.


4c. Start Privoxy by hand, or use the batch file from step one. If using the batch file see the directions from step 1 on starting the file via command line: $ sudo launchctl load /Library/LaunchDaemons/org.privoxy.plist


5. In Firefox toggle Torbutton in the lower right hand corner so the text goes from being red ("Tor Disabled") to green ("Tor Enabled"). Done, now you are using Privoxy instead of Polipo for Tor and Firefox.
 

VerdantGreen

more :tiphat:

Making Firefox work better with Tor:

(do not use pipelining because Privoxy doesn't support it and I find browsing is faster without pipelining even with Polipo)


1. Start Firefox.


2. Type the following into the URL bar: "about:config" (without quotes)


3. Then copy the bolded text below, one by one, into the text bar next to "filter" (see first image below for an example). For both settings below, right click on the text and choose "modify", then enter the appropriate number (i.e., 600 and 16, respectively) and click OK after configuring each setting. Then re-start Firefox.


network.http.keep-alive.timeout:600
network.http.max-persistent-connections-per-proxy:16

How to configure Firefox add-ons for use with Tor and Icmag:

See the list of add-ons I made in a post above, install all of them either via the add-on's own website or via the Mozilla add-ons website (the latter can have out of date add-ons). After all of them are installed re-start Firefox. Only NoScript and RefControl need to be configured, all others can be left in their default state.

Oh yea, don't install "NeverCookie", it is an add-on that protects from EverCookies by "sandboxing" the browser, but it's not a good solution. Instead just use the program "BleachBit", I will make a post about using BleachBit to remove EverCookies next.


NoScript:


1. In Firefox go to: Tools > Add-ons > [click on] NoScript > Options > Advanced > HTTPS > Behavior. Then click the arrow and choose "Always". Then enter the two main URLs for ICmag as in the screen shot below:

2. Now click the "Cookies" tab next to "Behavior", click the box (so a check mark appears) next to "Enable Automatic Secure Cookies Management". Then enter the two main URLs for ICmag as in the screen shot below:

RefControl:


1. In Firefox go to: Tools > RefControl Options. Click on the button "edit" and then click the empty circle next to "Forge - send the root of this site (http://SITE/)"; then click OK and OK. This setting will make RefControl forge the referrer for every site. See the screen shots below:
 

VerdantGreen

even more :moon:

Problems you will encounter using the add-ons I listed:

Of all the add-ons I listed, only "RequestPolicy" and "NoScript" will 'break' some sites.


Part 1: RequestPolicy:

In terms of ICmag, make sure to keep RequestPolicy so it does not allow off-site destination requests from ICmag. The reason is some people like to post pics they uploaded to off-site image hosts like ImageShack, etc. When people post URLs to images on off-site hosts they are endangering your anonymity, and that is not good for various reasons.

Thus, we can use RequestPolicy to block all non-ICmag images and other junk (like YouTube videos) that people post, which can endanger our anonymity. But there is a trade-off: you cannot see the images in posts that are located on off-site hosts, instead you see an off-white vertical line, i.e. an image placeholder. I for one never allow Icmag to run off-site links (like YouTube) or images, etc., and I suggest others do the same...

By default RequestPolicy blocks all off-site destinations, so if a site doesn't look right, see if the RequestPolicy flag is red, if so, choose if you want to allow all, or just some off-site destinations to run on whatever site you are viewing.

When using Tor and Firefox to browse the Internet, many sites rely on cross-site scripting/images/etc, and thus RequestPolicy makes those sites unreadable for the most part. In that case, you need to choose if you want to allow cross-site scripting to run, and if you do, then right click on the flag icon in the Firefox system tray (see image below), and choose "Temporarily allow all requests from FOO.com" ("FOO.com" is a generic term for any website, on ICmag, FOO.com would read "icmag.com")

When using RequestPolicy you can also choose what specific destinations are allowed to run on the site you are viewing, e.g., I could allow ImageShack to run on Icmag, but disallow any other site via sites listed under "Allowed Destinations" when I right click on the RequestPolicy flag in the lower right hand corner. It's a good idea to mess around with RequestPolicy so people understand how it works.

Below are two examples of Huffingtonpost.com with RequestPolicy blocking all destinations, and then an example of Huffingtonpost.com with RequestPolicy allowing all destinations.

When the RequestPolicy flag in the lower right hand corner is gray that means it is not blocking any off-site destinations; and when the flag is red it means it is blocking some/all off-site destinations.


1. RequestPolicy blocking Huffingtonpost from running off-site destinations:

2. RequestPolicy allowing Huffingtonpost to run off-site destinations:


Part 2: NoScript

NoScript blocks all scripts from running on most sites by default, and if it blocks scripts from running on Icmag we can not use BB code tags by clicking the buttons like [size ], [quote ], [bold ], etc., etc. Not allowing JavaScript to run on Icmag makes Icmag a pain in the ass to use.

The good news is TorButton disables Java, and runs 'sanitized' JavaScript so we can use JavaScript with minimal worry about attacks on our anonymity (e.g., via a rogue Tor exit node) as long as we trust Icmag to not do anything nefarious (e.g., attacks against our browser fingerprint to identify us out of a crowd of Tor users, etc). I for one trust Gypsy enough to run JavaScript on ICmag as long as I am using TorButton...

That said, disallowing JavaScript on every site you can, when it doesn't break usage of the site, is the safest route to take.

When using NoScript on icmag for the first time, right click on the "S" with a red line through it in the lower right hand corner of Firefox (that is the NoScript icon). Then highlight "Allow icmag.com" and the page should auto-reload with JavaScript allowed on icmag.com, and the "S" icon will not have a red line through it. That means ICmag is now allowed to run all local (i.e. on-site) JavaScript in your Firefox.

If you are using other sites that require JavaScript, like your web-based email, etc., you can enable JavaScript on a per-site basis the same way as above. Right click on the "S" with a red line through it in the lower right hand corner and choose "Temporarily allow FOO.com" or "Allow FOO.com". Sometimes if RequestPolicy is blocking a site you want to allow via NoScript you first need to allow the site via RequestPolicy, then via NoScript.

Example of Icmag disallowed via NoScript:

Example of Icmag allowed via NoScript:

Note:

I believe in a current update to NoScript the code for forcing encryption of cookies sent over HTTPS is buggy. When I use NoScript whilst I have "Automatic Secure Cookies Management" enabled for ICmag, my login session dies. I assume this has something to do with how NoScript is encrypting the Icmag cookies. When that feature is not used my login sessions are not killed. I suggest others do not use the cookie encryption feature of NoScript.

I will try to find out how icmag handles cookies over HTTPS; it might already properly secure them over HTTPS.

:thank you:
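
The default-deny behaviour of RequestPolicy described in this post, sketched as an added example (not part of the original posts and not RequestPolicy's own code): a page may load resources only from its own site unless the user allowed that destination for that origin. The `siteOf`, `decide` and `blockedDestinations` names, the `allowed` map and the sample URLs are constructed for illustration, and the "last two hostname labels" rule is a simplifying assumption.

```javascript
// Illustrative model of a default-deny cross-site request policy.
// Assumption: "site" = last two labels of the hostname (naive; a real tool
// would use the Public Suffix List so that e.g. example.co.uk is handled).
function siteOf(url) {
  const host = new URL(url).hostname.toLowerCase();
  return host.split(".").slice(-2).join(".");
}

// allowed: Map of origin site -> Set of destination sites the user permitted.
function decide(pageUrl, requestUrl, allowed) {
  let origin, dest;
  try {
    origin = siteOf(pageUrl);
    dest = siteOf(requestUrl);
  } catch (e) {
    return "block"; // unparsable URL: fail closed
  }
  if (origin === dest) return "allow"; // same-site request
  const perOrigin = allowed.get(origin);
  if (perOrigin && perOrigin.has(dest)) return "allow"; // user-allowed destination
  return "block"; // everything else is denied by default
}

// Returns the sorted list of off-site destinations blocked for one page,
// i.e. what the user would have to review before allowing anything.
function blockedDestinations(pageUrl, requestUrls, allowed) {
  const blocked = new Set();
  for (const u of requestUrls) {
    if (decide(pageUrl, u, allowed) !== "block") continue;
    try { blocked.add(siteOf(u)); } catch (e) { blocked.add("(invalid)"); }
  }
  return [...blocked].sort();
}

// Constructed sample: a forum page embedding on-site and off-site content.
const page = "https://www.icmag.com/thread/1";
const requests = [
  "https://www.icmag.com/picture.php?id=1",
  "http://img.imageshack.us/a.jpg",
  "https://www.youtube.com/embed/x",
];
const allowed = new Map([["icmag.com", new Set(["imageshack.us"])]]);
console.log(blockedDestinations(page, requests, new Map())); // nothing allowed yet
console.log(blockedDestinations(page, requests, allowed));   // ImageShack allowed
```
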
 