Browse code

Try to trim and simplify the download warning text.

Mike Perry authored on24/12/2011 21:39:54
Showing2 changed files
... ...
@@ -148,59 +148,65 @@
148 148
 
149 149
 <ol>
150 150
 <li>
151
-Tor only protects Internet applications that are configured to send
152
-their traffic through Tor &mdash; it doesn't magically anonymize all
153
-your traffic just because you install it.  We recommend you use the
154
-<a href="<page projects/torbrowser>">Tor Browser Bundle</a>. It is
155
-pre-configured to protect your privacy and anonymity on the web as long
156
-as you are browsing with Tor Browser.
151
+
152
+Tor only protects Internet applications that are configured to send their
153
+traffic through Tor &mdash; it doesn't magically anonymize all of your traffic
154
+just because you install it. We strongly recommend you use the <a href="<page
155
+projects/torbrowser>">Tor Browser Bundle</a>. It is pre-configured to protect
156
+your privacy and anonymity on the web as long as you're browsing with Tor
157
+Browser itself. Almost any other web browser configuration is likely to be
158
+unsafe. Similarly, we do not recommend installing additional addons into the
159
+Tor Browser, as these may bypass Tor or otherwise impede your anonymity.
160
+
157 161
 </li>
158 162
 
159 163
 <li>
160
-Tor Browser and Torbutton block browser plugins such as Java, Flash,
164
+
165
+The Tor Browser will block browser plugins such as Java, Flash,
161 166
 ActiveX, RealPlayer, Quicktime, Adobe's PDF plugin, and others: they
162 167
 can be manipulated into revealing your IP address. For example, that
163
-means Youtube is disabled. If you really need your Youtube, you can <a
164
-href="<page torbutton/torbutton-faq>#noflash">reconfigure Torbutton</a>
168
+means Youtube is disabled. If you really need your Youtube, you can
169
+<a href="<page torbutton/torbutton-faq>#noflash">reconfigure Torbutton</a>
165 170
 to allow it; but be aware that you're opening yourself up to potential
166
-attack. Also, extensions like Google toolbar look up more information
167
-about the websites you type in: they may bypass Tor and/or broadcast
168
-sensitive information. Some people prefer using two browsers (one for Tor,
169
-one for non-Tor browsing).
170
-</li>
171
+attack.
171 172
 
172
-<li>
173
-Beware of cookies: if you ever browse without Tor and a site gives
174
-you a cookie, that cookie could identify you even when you start
175
-using Tor again. Torbutton tries to handle your cookies safely. <a
176
-href="https://addons.mozilla.org/firefox/82/">CookieCuller</a> can help
177
-protect any cookies you do not want to lose.
178 173
 </li>
179 174
 
180 175
 <li>
181
-Tor anonymizes the origin of your traffic, and it encrypts everything
182
-between you and the Tor network and everything inside the Tor network,
183
-but <a href="<wikifaq>#SoImtotallyanonymousifIuseTor">it
184
-can't encrypt your traffic between the Tor network and its final
185
-destination.</a> If you are communicating sensitive information, you
186
-should use as much care as you would on the normal scary Internet &mdash;
187
-use HTTPS or other end-to-end encryption and authentication.  <a
188
-href="https://www.eff.org/https-everywhere">HTTPS Everywhere</a> is a
189
-Firefox extension produced as a collaboration between The Tor Project
190
-and the Electronic Frontier Foundation. It encrypts your communications
191
-with a number of major websites.
176
+
177
+Similarly, the Tor Browser Bundle will warn you before automatically opening
178
+documents that are handled by external applications. <b>DO NOT IGNORE THIS
179
+WARNING</b>. You should be very careful when downloading documents via Tor
180
+(especially DOC and PDF files) as these documents can contain Internet
181
+resources that will be downloaded outside of Tor by the application that
182
+opens them. These documents can be modified by malicious exit nodes, or by
183
+someone who is trying to trick you into revealing your non-Tor IP address. If
184
+you must work with DOC and/or PDF files, we strongly recommend using a
185
+disconnected computer, a <a href="https://www.virtualbox.org/">VirtualBox</a>
186
+free <a href="http://virtualboxes.org/">image</a> with networking disabled, or 
187
+<a href="http://tails.boum.org/">Tails</a>.
188
+
192 189
 </li>
193 190
 
194 191
 <li>
195
-While Tor blocks attackers on your local network from discovering
196
-or influencing your destination, it opens new risks: malicious or
197
-misconfigured Tor exit nodes can send you the wrong page, or even send
198
-you embedded Java applets disguised as domains you trust. Be careful
199
-opening documents or applications you download through Tor, unless you've
200
-verified their integrity.
192
+
193
+Tor anonymizes the origin of your traffic, and it encrypts everything between
194
+you and the Tor network and everything inside the Tor network, but 
195
+<a href="<wikifaq>#SoImtotallyanonymousifIuseTor">it can't encrypt your traffic
196
+between the Tor network and its final destination.</a> To help ensure
197
+privacy for this last leg, the Tor Browser Bundle includes 
198
+<a href="https://www.eff.org/https-everywhere">HTTPS Everywhere</a> to encrypt
199
+your communications with a number of major websites, but you should still
200
+watch the browser URL bar to ensure that websites you provide sensitive information
201
+to display a 
202
+<a href="https://support.mozilla.com/en-US/kb/Site%20Identity%20Button">blue or
203
+green validation</a>, include <b>https://</b> in the URL bar, 
204
+and display the proper name for the current website.
205
+
201 206
 </li>
202 207
 
203 208
 <li>
209
+
204 210
 Tor tries to prevent attackers from learning what destinations you connect
205 211
 to. It doesn't prevent somebody watching your traffic from learning that
206 212
 you're using Tor. You can mitigate (but not fully resolve) the risk
... ...
@@ -209,6 +215,7 @@ connecting directly to the public Tor network, but ultimately the best
209 215
 protection here is a social approach: the more Tor users there are near
210 216
 you and the more <a href="<page about/torusers>">diverse</a> their interests,
211 217
 the less dangerous it will be that you are one of them.
218
+
212 219
 </li>
213 220
 
214 221
 <li> Do not use <a
... ...
@@ -286,59 +286,65 @@
286 286
 
287 287
 <ol>
288 288
 <li>
289
-Tor only protects Internet applications that are configured to send
290
-their traffic through Tor &mdash; it doesn't magically anonymize all
291
-your traffic just because you install it.  We recommend you use the
292
-<a href="<page projects/torbrowser>">Tor Browser Bundle</a>. It is
293
-pre-configured to protect your privacy and anonymity on the web as long
294
-as you're browsing with Tor Browser.
289
+
290
+Tor only protects Internet applications that are configured to send their
291
+traffic through Tor &mdash; it doesn't magically anonymize all of your traffic
292
+just because you install it. We strongly recommend you use the <a href="<page
293
+projects/torbrowser>">Tor Browser Bundle</a>. It is pre-configured to protect
294
+your privacy and anonymity on the web as long as you're browsing with Tor
295
+Browser itself. Almost any other web browser configuration is likely to be
296
+unsafe. Similarly, we do not recommend installing additional addons into the
297
+Tor Browser, as these may bypass Tor or otherwise impede your anonymity.
298
+
295 299
 </li>
296 300
 
297 301
 <li>
298
-Tor Browser and Torbutton block browser plugins such as Java, Flash,
302
+
303
+The Tor Browser will block browser plugins such as Java, Flash,
299 304
 ActiveX, RealPlayer, Quicktime, Adobe's PDF plugin, and others: they
300 305
 can be manipulated into revealing your IP address. For example, that
301
-means Youtube is disabled. If you really need your Youtube, you can <a
302
-href="<page torbutton/torbutton-faq>#noflash">reconfigure Torbutton</a>
306
+means Youtube is disabled. If you really need your Youtube, you can
307
+<a href="<page torbutton/torbutton-faq>#noflash">reconfigure Torbutton</a>
303 308
 to allow it; but be aware that you're opening yourself up to potential
304
-attack. Also, extensions like Google toolbar look up more information
305
-about the websites you type in: they may bypass Tor and/or broadcast
306
-sensitive information. Some people prefer using two browsers (one for Tor,
307
-one for non-Tor browsing).
308
-</li>
309
+attack.
309 310
 
310
-<li>
311
-Beware of cookies: if you ever browse without Tor and a site gives
312
-you a cookie, that cookie could identify you even when you start
313
-using Tor again. Torbutton tries to handle your cookies safely. <a
314
-href="https://addons.mozilla.org/firefox/82/">CookieCuller</a> can help
315
-protect any cookies you do not want to lose.
316 311
 </li>
317 312
 
318 313
 <li>
319
-Tor anonymizes the origin of your traffic, and it encrypts everything
320
-between you and the Tor network and everything inside the Tor network,
321
-but <a href="<wikifaq>#SoImtotallyanonymousifIuseTor">it
322
-can't encrypt your traffic between the Tor network and its final
323
-destination.</a> If you are communicating sensitive information, you
324
-should use as much care as you would on the normal scary Internet &mdash;
325
-use HTTPS or other end-to-end encryption and authentication.  <a
326
-href="https://www.eff.org/https-everywhere">HTTPS Everywhere</a> is a
327
-Firefox extension produced as a collaboration between The Tor Project
328
-and the Electronic Frontier Foundation. It encrypts your communications
329
-with a number of major websites.
314
+
315
+Similarly, the Tor Browser Bundle will warn you before automatically opening
316
+documents that are handled by external applications. <b>DO NOT IGNORE THIS
317
+WARNING</b>. You should be very careful when downloading documents via Tor
318
+(especially DOC and PDF files) as these documents can contain Internet
319
+resources that will be downloaded outside of Tor by the application that
320
+opens them. These documents can be modified by malicious exit nodes, or by
321
+someone who is trying to trick you into revealing your non-Tor IP address. If
322
+you must work with DOC and/or PDF files, we strongly recommend using a
323
+disconnected computer, a <a href="https://www.virtualbox.org/">VirtualBox</a>
324
+free <a href="http://virtualboxes.org/">image</a> with networking disabled, or 
325
+<a href="http://tails.boum.org/">Tails</a>.
326
+
330 327
 </li>
331 328
 
332 329
 <li>
333
-While Tor blocks attackers on your local network from discovering
334
-or influencing your destination, it opens new risks: malicious or
335
-misconfigured Tor exit nodes can send you the wrong page, or even send
336
-you embedded Java applets disguised as domains you trust. Be careful
337
-opening documents or applications you download through Tor, unless you've
338
-verified their integrity.
330
+
331
+Tor anonymizes the origin of your traffic, and it encrypts everything between
332
+you and the Tor network and everything inside the Tor network, but 
333
+<a href="<wikifaq>#SoImtotallyanonymousifIuseTor">it can't encrypt your traffic
334
+between the Tor network and its final destination.</a> To help ensure
335
+privacy for this last leg, the Tor Browser Bundle includes 
336
+<a href="https://www.eff.org/https-everywhere">HTTPS Everywhere</a> to encrypt
337
+your communications with a number of major websites, but you should still
338
+watch the browser URL bar to ensure that websites you provide sensitive information
339
+to display a 
340
+<a href="https://support.mozilla.com/en-US/kb/Site%20Identity%20Button">blue or
341
+green validation</a>, include <b>https://</b> in the URL bar, 
342
+and display the proper name for the current website.
343
+
339 344
 </li>
340 345
 
341 346
 <li>
347
+
342 348
 Tor tries to prevent attackers from learning what destinations you connect
343 349
 to. It doesn't prevent somebody watching your traffic from learning that
344 350
 you're using Tor. You can mitigate (but not fully resolve) the risk
... ...
@@ -347,6 +353,7 @@ connecting directly to the public Tor network, but ultimately the best
347 353
 protection here is a social approach: the more Tor users there are near
348 354
 you and the more <a href="<page about/torusers>">diverse</a> their interests,
349 355
 the less dangerous it will be that you are one of them.
356
+
350 357
 </li>
351 358
 
352 359
 <li> Do not use <a