tor-webwml.git/torbutton/en/torbutton-faq.wml
removed some obviously outdated torbutton questions. addresses parts of #6567
Moritz Bartl
committed
cee074c39
at 2013-03-06 13:06:30
## translation metadata
# Revision: $Revision$
# Translation-Priority: 3-low

#include "head.wmi" TITLE="Tor Project: Torbutton FAQ" CHARSET="UTF-8"
<div id="content" class="clearfix">
  <div id="breadcrumbs">
    <a href="<page index>">Home » </a>
    <a href="<page torbutton/index>">Torbutton » </a>
    <a href="<page torbutton/torbutton-faq>">Torbutton FAQ</a>
  </div>
  <div id="maincol">
    <!-- PUT CONTENT AFTER THIS TAG -->
    <h2>Torbutton FAQ</h2>
    <hr>

    <h3>Questions</h3>
    <br>
    <ul>
    <li><a href="<page torbutton/torbutton-faq>#noflash">I can't view videos on YouTube and other Flash-based sites. Why?</a></li>
    <li><a href="<page torbutton/torbutton-faq>#oldtorbutton">Torbutton sure seems to do a lot of things, some of which I find annoying. Can't I just use the old version?</a></li>
    <li><a href="<page torbutton/torbutton-faq>#noautocomplete">When I use Tor, Firefox is no longer filling in logins/search boxes for me. Why?</a></li>
    <li><a href="<page torbutton/torbutton-faq>#thunderbird">What about Thunderbird support? I see a page, but it is the wrong version?</a></li>
    <li><a href="<page torbutton/torbutton-faq>#extensionconflicts">Which Firefox extensions should I avoid using?</a></li>
    <li><a href="<page torbutton/torbutton-faq>#recommendedextensions">Which Firefox extensions do you recommend?</a></li>
    <li><a href="<page torbutton/torbutton-faq>#securityissues">Are there any other issues I should be concerned about?</a></li>
    </ul>
    <br>

    <a id="noflash"></a>
    <strong><a class="anchor" href="#noflash">I can't view videos on YouTube and other Flash-based sites. Why?</a></strong>

    <p>
    YouTube and similar sites require third party browser plugins such as Flash.
    Plugins operate independently from Firefox and can perform activity on your
    computer that ruins your anonymity. This includes but is not limited to:
    <a href="http://decloak.net">completely disregarding proxy settings</a>,
    querying your <a href="http://forums.sun.com/thread.jspa?threadID=5162138&messageID=9618376">local IP address</a>,
    and <a href="http://epic.org/privacy/cookies/flash.html">storing their own cookies</a>.
    It is possible to use a LiveCD solution such as
    <a href="https://tails.boum.org/">The Amnesic Incognito Live System</a> that
    creates a secure, transparent proxy to protect you from proxy bypass; however,
    issues with local IP address discovery and Flash cookies still remain.
    </p>

    <p>
    If you are not concerned about being tracked by these sites (and sites that
    try to unmask you by pretending to be them), and are unconcerned about your
    local censors potentially noticing you visit them, you can enable plugins by
    going into the Torbutton Preferences->Security Settings tab and unchecking the
    "Disable browser plugins (such as Flash)" box. If you do this without The
    Amnesic Incognito Live System or appropriate firewall rules, we strongly
    suggest you at least use
    <a href="https://addons.mozilla.org/en-US/firefox/addon/722">NoScript</a> to
    <a href="http://noscript.net/features#contentblocking">block plugins</a>. You
    do not need to use the NoScript per-domain permissions if you check the
    <b>Apply these restrictions to trusted sites too</b> option under the NoScript
    Plugins preference tab. In fact, with this setting you can even have NoScript
    allow JavaScript globally, but still block all plugins until you click on
    their placeholders in a page. We also recommend
    <a href="https://addons.mozilla.org/en-US/firefox/addon/6623">Better Privacy</a>
    in this case to help you clear your Flash cookies.
    </p>

    <a id="oldtorbutton"></a>
    <strong><a class="anchor" href="#oldtorbutton">Torbutton sure seems to do a lot of things, some of which I find annoying. Can't I just use the old version?</a></strong>

    <p>
    <b>No.</b> Use of the old version, or any other vanilla proxy changer
    (including FoxyProxy -- see below) without Torbutton is actively discouraged.
    Seriously. Using a vanilla proxy switcher by itself is so insecure that you
    are not just wasting your time, you are actually endangering yourself.
    <b>Simply do not use Tor</b> and you will have the same (and in some cases,
    better) security. For more information on the types of attacks you are
    exposed to with a "homegrown" solution, please see
    <a href="design/index.html.en#adversary">The Torbutton Adversary Model</a>,
    in particular the
    <a href="design/index.html.en#attacks">Adversary Capabilities - Attacks</a>
    subsection. If there are any specific Torbutton behaviors that you do not
    like, please file a bug on
    <a href="https://trac.torproject.org/projects/tor/report/14">the bug tracker.</a>
    Most of Torbutton's security features can also be disabled via its
    preferences, if you think you have your own protection for those specific
    cases.
    </p>

    <a id="noautocomplete"></a>
    <strong><a class="anchor" href="#noautocomplete">When I use Tor, Firefox is no longer filling in logins/search boxes for me. Why?</a></strong>

    <p>
    Currently, this is tied to the "<b>Block history writes during Tor</b>"
    setting. If you have enabled that setting, all formfill functionality (both
    saving and reading) is disabled. If this bothers you, you can uncheck that
    option, but both history and forms will be saved. To prevent history
    disclosure attacks via Non-Tor usage, it is recommended you disable Non-Tor
    history reads if you allow history writing during Tor.
    </p>

    <a id="thunderbird"></a>
    <strong><a class="anchor" href="#thunderbird">What about Thunderbird support? I see a page, but it is the wrong version?</a></strong>

    <p>
    The Tor plugin for Thunderbird is called
    <a href="https://trac.torproject.org/projects/tor/wiki/torbirdy">TorBirdy</a>.
    </p>

    <a id="extensionconflicts"></a>
    <strong><a class="anchor" href="#extensionconflicts">Which Firefox extensions should I avoid using?</a></strong>

    <p>
    This is a tough one. There are thousands of Firefox extensions: making a
    complete list of ones that are bad for anonymity is near impossible. However,
    here are a few examples that should get you started as to what sorts of
    behavior are dangerous.
    </p>

    <ol>
     <li>StumbleUpon, et al
     <p>
     These extensions will send all sorts of information about the websites you
     visit to the StumbleUpon servers, and correlate this information with a
     unique identifier. This is obviously terrible for your anonymity. More
     generally, any sort of extension that requires registration, or even
     extensions that provide information about websites you visit should be
     suspect.
     </p></li>
     <li>FoxyProxy
     <p>
     While FoxyProxy is a nice idea in theory, in practice it is impossible to
     configure securely for Tor usage without Torbutton. Like all vanilla third
     party proxy plugins, the main risks are
     <a href="http://www.decloak.net/">plugin leakage</a> and
     <a href="http://ha.ckers.org/weird/CSS-history.cgi">history disclosure</a>,
     followed closely by cookie theft by exit nodes and tracking by adservers
     (see the <a href="design/index.html.en#adversary">Torbutton Adversary Model</a>
     for more information). However, with Torbutton installed in tandem and
     always enabled, it is possible to configure FoxyProxy securely (though it is
     tricky). Since FoxyProxy's 'Patterns' mode only applies to specific URLs,
     and not to an entire tab, setting FoxyProxy to only send specific sites
     through Tor will still allow adservers (whose hosts don't match your
     filters) to learn your real IP. Worse, when sites use offsite logging
     services such as Google Analytics, you will still end up in their logs with
     your real IP. Malicious exit nodes can also cooperate with sites to inject
     images into pages that bypass your filters. Setting FoxyProxy to only send
     certain URLs via Non-Tor is much more secure in this regard, but be very
     careful with the filters you allow. For example, something as simple as
     allowing *google* to go via Non-Tor will still cause you to end up in all
     the logs of all websites that use Google Analytics! See
     <a href="http://foxyproxy.mozdev.org/faq.html#privacy-01">this question</a>
     on the FoxyProxy FAQ for more information.
     </p></li>
    </ol>

    <a id="recommendedextensions"></a>
    <strong><a class="anchor" href="#recommendedextensions">Which Firefox extensions do you recommend?</a></strong>

    <ol>
     <li><a href="https://addons.mozilla.org/firefox/addon/953">RefControl</a>
     <p>
     This extension allows more fine-grained referrer spoofing than Torbutton
     currently provides. It should break fewer sites than Torbutton's referrer
     spoofing option.
     </p></li>
     <li><a href="https://addons.mozilla.org/firefox/addon/1474">SafeCache</a>
     <p>
     If you use Tor excessively, and rarely disable it, you probably want to
     install this extension to minimize the ability of sites to store long term
     identifiers in your cache. This extension applies same origin policy to the
     cache, so that elements are retrieved from the cache only if they are
     fetched from a document in the same origin domain as the cached element.
     </p></li>
     <li><a href="https://addons.mozilla.org/en-US/firefox/addon/6623">Better Privacy</a>
     <p>
     Better Privacy is an excellent extension that protects you from cookies used
     by Flash applications, which often persist forever and are not clearable via
     normal Firefox "Private Data" clearing. Flash and all other plugins are
     disabled by Torbutton by default, but if you are interested in privacy, you
     may want this extension to allow you to inspect and automatically clear your
     Flash cookies for your Non-Tor usage.
     </p>
     </li>
     <li><a href="https://addons.mozilla.org/firefox/addon/1865">AdBlock Plus</a>
     <p>
     AdBlock Plus is an excellent addon for removing annoying, privacy-invading,
     and <a href="http://www.wired.com/techbiz/media/news/2007/11/doubleclick">malware-distributing</a>
     advertisements from the web. It provides
     <a href="http://adblockplus.org/en/subscriptions">subscriptions</a> that are
     continually updated to catch the latest efforts of ad networks to circumvent
     these filters. I recommend the EasyPrivacy+EasyList combination filter
     subscription in the Miscellaneous section of the subscriptions page.
     </p>
     </li>
     <li><a href="https://addons.mozilla.org/firefox/addon/82">Cookie Culler</a>
     <p>
     Cookie Culler is a handy extension to give quick access to the cookie manager
     in Firefox. It also provides the ability to protect certain cookies from
     deletion, but unfortunately, this behavior does not integrate well with
     Torbutton.
     </p>
     </li>
     <li><a href="https://addons.mozilla.org/en-US/firefox/addon/722">NoScript</a>
     <p>
     Torbutton currently mitigates all known anonymity issues with JavaScript.
     However, if you are concerned about JavaScript exploits against your browser
     or against websites you are logged in to, you may want to use NoScript. It
     provides the ability to allow JavaScript only for particular websites and
     also provides mechanisms to force HTTPS URLs for sites with
     <a href="http://fscked.org/category/tags/insecurecookies">insecure cookies</a>.<br>
     It can be difficult to configure such that most sites will work properly,
     though. In particular, you want to make sure you do not remove the
     JavaScript whitelist for addons.mozilla.org, as extensions are downloaded
     via HTTP and verified by JavaScript from the HTTPS page.
     </p></li>
     <li><a href="https://addons.mozilla.org/en-US/firefox/addon/9727/">Request Policy</a>
     <p>
     Request Policy is similar to NoScript in that it requires that you configure
     which sites are allowed to load content from other domains. It can be very
     difficult for novice users to configure properly, but it does provide a good
     deal of protection against ads, injected content, and cross-site request
     forgery attacks.
     </p>
     </li>
    </ol>

    <a id="securityissues"></a>
    <strong><a class="anchor" href="#securityissues">Are there any other issues I should be concerned about?</a></strong>

    <p>
    There are a few known security issues with Torbutton (all of which are due to
    <a href="design/index.html.en#FirefoxBugs">unfixed Firefox security bugs</a>).
    The most important for anonymity is that it is possible to unmask the
    JavaScript hooks that wrap the Date object to conceal your timezone in
    Firefox 2, and the timezone masking code does not work at all on Firefox 3.
    We are working with the Firefox team to fix one of
    <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=392274">Bug 399274</a> or
    <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=419598">Bug 419598</a>
    to address this. In the meantime, it is possible to set the <b>TZ</b>
    environment variable to <b>UTC</b> to cause the browser to use UTC as your
    timezone. Under Linux, you can add an <b>export TZ=UTC</b> to the
    /usr/bin/firefox script, or edit your system bashrc to do the same. Under
    Windows, you can set either a
    <a href="http://support.microsoft.com/kb/310519">User or System Environment Variable</a>
    for TZ via My Computer's properties. In MacOS, the situation is
    <a href="http://developer.apple.com/documentation/MacOSX/Conceptual/BPRuntimeConfig/Articles/EnvironmentVars.html#//apple_ref/doc/uid/20002093-BCIJIJBH">a lot more complicated</a>,
    unfortunately.
    </p>

    <p>
    In addition, RSS readers such as Firefox Livemarks can perform periodic
    fetches. Due to
    <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=436250">Firefox Bug 436250</a>,
    there is no way to disable Livemark fetches during Tor. This can be a problem
    if you have a lot of custom Livemark URLs that can give away information
    about your identity.
    </p>

  </div>
  <!-- END MAINCOL -->
  <div id = "sidecol">
#include "side.wmi"
#include "info.wmi"
  </div>
  <!-- END SIDECOL -->
</div>
<!-- END CONTENT -->
#include <foot.wmi>
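
The FoxyProxy entry in the FAQ above describes two ways that per-URL pattern routing exposes the real IP. The sketch below is an added example, not part of torbutton-faq.wml or of FoxyProxy: it models both configurations over one page load. The wildcard matcher, the mode names and the sample URLs are assumptions constructed for illustration.

```javascript
// Simplified stand-in for wildcard URL patterns; NOT FoxyProxy's real matcher.
function wildcardToRegExp(pattern) {
  // Escape regex metacharacters except "*", then let "*" match anything.
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$", "i");
}

// Hypothetical mode names:
//   "only-listed-via-tor": matching URLs use Tor, everything else goes direct.
//   "only-listed-direct":  matching URLs go direct, everything else uses Tor.
function route(url, patterns, mode) {
  const hit = patterns.some((p) => wildcardToRegExp(p).test(url));
  if (mode === "only-listed-via-tor") return hit ? "tor" : "direct";
  return hit ? "direct" : "tor";
}

// Requests routed "direct" are the ones that show the real IP to the server.
function directRequests(requests, patterns, mode) {
  return requests.filter((u) => route(u, patterns, mode) === "direct");
}

// Constructed sample: one page on a hypothetical site plus its subresources.
// Routing is decided per request URL, not per tab, so each line is judged alone.
const pageLoad = [
  "https://forum.example.org/thread/42",
  "https://forum.example.org/style.css",
  "https://ads.adserver.example/banner.js",
  "https://www.google-analytics.com/ga.js",
];

// Case A: only the site itself is sent through Tor. The ad server and the
// analytics host do not match the filter and are contacted directly.
const leakA = directRequests(pageLoad, ["*forum.example.org*"], "only-listed-via-tor");

// Case B: everything uses Tor except "*google*". The analytics request made
// while reading the forum over Tor still goes out directly.
const leakB = directRequests(pageLoad, ["*google*"], "only-listed-direct");

console.log("Case A, sent outside Tor:", leakA);
console.log("Case B, sent outside Tor:", leakB);
```

In both cases the third-party hosts receive a direct request carrying the address of the page being read in its referrer, which is how a filter that looks narrow ends up logging Tor browsing under the real IP.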