Browse code

removed torbutton pages, moved 2 questions to general FAQ (#6567)

Moritz Bartl authored on 26/03/2013 05:38:32
Showing 5 changed files
... ...
@@ -62,7 +62,7 @@ includes Tor?</a></li>
62 62
     <li><a href="#TBBPolipo">I need an HTTP proxy. Where did Polipo
63 63
     go?</a></li>
64 64
     <li><a href="#TBBOtherExtensions">Can I install other Firefox
65
-    extensions?</a></li>
65
+    extensions? Which extensions should I avoid using?</a></li>
66 66
     <li><a href="#TBBJavaScriptEnabled">Why is NoScript configured to
67 67
 allow JavaScript by default in the Tor Browser Bundle?  Isn't that
68 68
 unsafe?</a></li>
... ...
@@ -942,9 +942,42 @@ YouTube
942 942
 and other Flash-based sites?</a></h3>
943 943
 
944 944
 <p>
945
-<a
946
-href="https://www.torproject.org/torbutton/torbutton-faq.html.
947
-en#noflash">Answer</a>
945
+YouTube and similar sites require third party browser plugins such as Flash.
946
+Plugins operate independently from Firefox and can perform
947
+activity on your computer that ruins your anonymity. This includes
948
+but is not limited to: <a href="http://decloak.net">completely disregarding
949
+proxy settings</a>, querying your <a
950
+href="http://forums.sun.com/thread.jspa?threadID=5162138&amp;messageID=9618376">local
951
+IP address</a>, and <a
952
+href="http://epic.org/privacy/cookies/flash.html">storing their own
953
+cookies</a>. It is possible to use a LiveCD solution such as
954
+or <a href="https://tails.boum.org/">The Amnesic Incognito Live System</a> that creates a
955
+secure, transparent proxy to protect you from proxy bypass, however issues
956
+with local IP address discovery and Flash cookies still remain.  </p>
957
+
958
+<p>
959
+<a href="https://www.youtube.com/html5">YouTube offers experimental HTML5 video 
960
+support</a> for many of their videos. You can use their Advanced Search to 
961
+find HTML5 videos.
962
+</p>
963
+
964
+<p>
965
+If you are not concerned about being tracked by these sites (and sites that
966
+try to unmask you by pretending to be them), and are unconcerned about your
967
+local censors potentially noticing you visit them, you can enable plugins by
968
+going into the Torbutton Preferences -&gt; Security Settings
969
+tab and unchecking "Disable browser plugins (such as Flash)" box. If you do this
970
+without The Amnesic Incognito Live System or appropriate firewall
971
+rules, we strongly suggest you at least use <a
972
+href="https://addons.mozilla.org/en-US/firefox/addon/722">NoScript</a> to <a
973
+href="http://noscript.net/features#contentblocking">block plugins</a>. You do
974
+not need to use the NoScript per-domain permissions if you check the <b>Apply
975
+these restrictions to trusted sites too</b> option under the NoScript Plugins
976
+preference tab. In fact, with this setting you can even have NoScript allow
977
+Javascript globally, but still block all plugins until you click on their
978
+placeholders in a page. We also recommend <a
979
+href="https://addons.mozilla.org/en-US/firefox/addon/6623">Better Privacy</a>
980
+in this case to help you clear your Flash cookies.
948 981
 </p>
949 982
 
950 983
 <hr>
... ...
@@ -1010,6 +1043,23 @@ extensions (for example, pretty much anything with the word Toolbar in
1010 1043
 its name).
1011 1044
 </p>
1012 1045
 
1046
+<p>
1047
+Generally, extensions that require registration, and/or provide 
1048
+additional information about websites you are visiting, should be 
1049
+suspect.
1050
+</p>
1051
+
1052
+<p>
1053
+Extensions you might like include
1054
+ <a href="https://addons.mozilla.org/firefox/addon/953">RefControl</a> (referer spoofing),
1055
+ <a href="https://addons.mozilla.org/firefox/addon/1474">SafeCache</a>,
1056
+ <a href="https://addons.mozilla.org/en-US/firefox/addon/6623">Better Privacy</a>,
1057
+ <a href="https://addons.mozilla.org/firefox/addon/1865">AdBlock Plus</a> (EasyPrivacy+EasyList),
1058
+ <a href="https://addons.mozilla.org/firefox/addon/82">Cookie Culler</a>,
1059
+ <a href="https://addons.mozilla.org/en-US/firefox/addon/9727/">Request Policy</a> and
1060
+ <a href="https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/">Certificate Patrol</a>.
1061
+</p> 
1062
+
1013 1063
 <hr>
1014 1064
 
1015 1065
 <a id="TBBJavaScriptEnabled"></a>
... ...
@@ -99,37 +99,10 @@
99 99
     have enough developer resources to keep up with the accelerated
100 100
     Firefox release schedule, the toggle model of Torbutton is <a
101 101
     href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton">no
102
-    longer recommended</a>. <b>Users should be using Tor Browser Bundle,
102
+    longer supported</a>. <b>Users should be using Tor Browser Bundle,
103 103
     not installing Torbutton themselves.</b>
104 104
     </p>
105 105
 
106
-    <br/><br/>
107
-    <strong>Current stable version:</strong><version-torbutton><br/>
108
-    <strong>Current alpha version:</strong><version-torbutton-alpha><br/>
109
-    <br/>
110
-    <strong>Maintainer:</strong> Mike Perry<br/>
111
-    <br/>
112
-    <strong>Expert Install (Stable):</strong> Click to <a
113
-    href="https://www.torproject.org/dist/torbutton/torbutton-current.xpi"
114
-    hash="<version-hash-torbutton>" onclick="return
115
-    install(event);">install from this website</a>. Verify the <a href="https://www.torproject.org/dist/torbutton/torbutton-current.xpi.asc">signature</a>.<br/>
116
-<!--
117
-    <strong>Expert Install (Alpha):</strong> Click to 
118
-    <a href="https://www.torproject.org/dist/torbutton/torbutton-current-alpha.xpi"
119
-      hash="<version-hash-torbutton-alpha>"
120
-      onclick="return install(event);">install from this website</a>
121
-    <br/>
122
-  -->
123
-<!--
124
-   <strong>English Google Search:</strong> 
125
-    Google search plugins for
126
-    <a href="/jsreq.html" title="Ref: 14938 (googleCA)"
127
-     onClick="addOpenSearch('GoogleCanada','ico','General','14937','g');return false">Google CA</a>, and 
128
-    <a href="/jsreq.html" title="Ref: 14938 (googleCA)"
129
-     onClick="addOpenSearch('googleuk_web','png','General','14445','g');return false">Google UK</a>.
130
-    <br/>
131
-  -->
132
-    <strong>Past Releases:</strong> <a href="https://archive.torproject.org/tor-package-archive/torbutton/">Tor Archive</a><br/>
133 106
     <strong>Developer Documentation:</strong> <a href="en/design/index.html.en">Torbutton Design Document</a> and <a href="en/design/MozillaBrownBag.pdf">Slides (Not actively updated)</a><br/>
134 107
 
135 108
     <strong>Source:</strong> You can <a
... ...
@@ -137,8 +110,8 @@
137 110
     repository</a> or simply unzip the xpi.
138 111
     <br/>
139 112
     <strong>Bug Reports:</strong> <a href="https://trac.torproject.org/projects/tor/report/14">Torproject Bug Tracker</a><br/>
140
-    <strong>Documents:</strong> <b>[</b> <a href="<page torbutton/torbutton-faq>">FAQ</a> <b>|</b>
141
-    <a href="<page torbutton/torbutton-options>">Torbutton options</a> <b>|</b>
113
+    <strong>Documents:</strong> 
114
+    <b>[</b> 
142 115
     <a href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/CHANGELOG">changelog</a> <b>|</b>
143 116
     <a href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/LICENSE">license</a> <b>|</b>
144 117
     <a href="https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/CREDITS">credits</a> <b>]</b>
... ...
@@ -1,36 +1,110 @@
1
-#!/usr/bin/wml
2
-
3 1
 ## translation metadata
4 2
 # Revision: $Revision$
5 3
 # Translation-Priority: 2-medium
6 4
 
7
-# this structure defines the side nav bar for the /torbutton pages
5
+# this structure defines the side nav bar for the /docs pages
8 6
 # and is the input for include/side.wmi
9 7
 
10 8
 # fields:
11 9
 #
12
-# name - the $WML_SRC_BASENAME of the file. It should uniquely identify the
13
-# page because at build-time it is used to determine what view of the
14
-# navigation menu to generate
15
-#
16 10
 # url - the path to the wml page, as used the the <page> tag. This tag ensures
17 11
 # that links will point to the current language if supported, and alternately
18 12
 # the english version 
19 13
 #
20 14
 # txt - the link text to be displayed. Different translations will
21 15
 # need to supply alternate txt 
22
- 
16
+
23 17
 <:
24 18
   my $sidenav;
25 19
   $sidenav = [
26
-          {'url'  => 'torbutton/index',
27
-           'txt'  => 'Torbutton',
28
-           'subelements' => [
29
-              {'url' => 'torbutton/torbutton-options',
30
-               'txt' => 'Torbutton Options',
31
-              },
32
-              {'url' => 'torbutton/torbutton-faq',
33
-               'txt' => 'Torbutton FAQ',
34
-              }]
35
-          }]
20
+      {'url'  => 'docs/documentation',
21
+       'txt'  => 'Documentation Overview',
22
+      }, 
23
+      {
24
+       'url'  => 'docs/installguide',
25
+       'txt'  => 'Installation Guides',
26
+       'subelements' => [
27
+          {'url'  => 'docs/tor-doc-windows',
28
+           'txt'  => 'Installing on Windows',
29
+          },
30
+          {'url'  => 'docs/tor-doc-unix',
31
+           'txt'  => 'Installing on Linux/BSD/Unix',
32
+          },
33
+          {'url'  => 'docs/debian',
34
+           'txt'  => 'Installing Tor on Debian/Ubuntu',
35
+          },
36
+          {'url'  => 'docs/debian-vidalia',
37
+           'txt'  => 'Installing Vidalia on Debian/Ubuntu',
38
+          },
39
+          {'url'  => 'docs/tor-doc-osx',
40
+           'txt'  => 'Installing Tor on Mac OS X',
41
+          },
42
+          {'url'  => 'docs/android',
43
+           'txt'  => 'Installing Tor on Android',
44
+          },
45
+          {'url'  => 'docs/N900',
46
+           'txt'  => 'Installing Tor on Maemo/N900',
47
+          },
48
+          {'url'  => 'docs/verifying-signatures',
49
+           'txt'  => 'Verify our GPG signatures',
50
+          }],
51
+      },
52
+      {'url'  => 'docs/manual',
53
+       'txt'  => 'Manuals',
54
+       'subelements' => [
55
+          {   
56
+           'url'  => 'docs/short-user-manual',
57
+           'txt'  => 'Short User Manual',
58
+          }, 
59
+          {'url'  => 'docs/tor-relay-debian',
60
+           'txt'  => 'Configuring a Relay manually',
61
+          },
62
+          {'url'  => 'docs/tor-doc-relay',
63
+           'txt'  => 'Configuring a Relay graphically',
64
+          },
65
+          {'url'  => 'docs/tor-hidden-service',
66
+           'txt'  => 'Configuring a Hidden Service',
67
+          }, 
68
+          {'url'  => 'docs/bridges',
69
+           'txt'  => 'Configuring a Bridge Relay',
70
+          }, 
71
+          {'url'  => 'docs/running-a-mirror',
72
+           'txt'  => 'Configuring a Mirror',
73
+          },
74
+          {'url'  => 'docs/tor-manual',
75
+           'txt'  => 'Tor -stable Manual',
76
+          },
77
+          {'url'  => 'docs/tor-manual-dev',
78
+           'txt'  => 'Tor -alpha Manual',
79
+          },
80
+          {'url'  => 'docs/proxychain',
81
+           'txt'  => 'Configuring Tor to use a Proxy Server',
82
+          },
83
+          {'url' => '<doxygen>',
84
+           'txt' => 'Doxygen output from Tor codebase',
85
+           }]
86
+      },
87
+      {
88
+       'url'  => '<wiki>',
89
+       'txt'  => 'Tor Wiki',
90
+      },
91
+      {'url'  => 'docs/faq',
92
+       'txt'  => 'General FAQ',  
93
+      },
94
+      {'url'  => 'torbutton/torbutton-faq',
95
+       'txt'  => 'Torbutton FAQ',
96
+      },
97
+      {'url'  => 'docs/faq-abuse',
98
+       'txt'  => 'Abuse FAQ',
99
+      },
100
+      {'url'  => 'docs/trademark-faq',
101
+       'txt'  => 'Trademark FAQ',
102
+      },
103
+      {'url'  => 'eff/tor-legal-faq',
104
+       'txt'  => 'Tor Legal FAQ',
105
+      },
106
+      {'url'  => 'eff/tor-dmca-response',
107
+       'txt'  => 'Tor DMCA Response',
108
+      },  
109
+  ];
36 110
 :>
... ...
@@ -11,273 +11,28 @@
11 11
   </div>
12 12
 	<div id="maincol">  
13 13
     <!-- PUT CONTENT AFTER THIS TAG -->
14
-    
15
-    <h2>Torbutton FAQ</h2>
14
+  
15
+    <h2>Torbutton</h2>
16 16
     <hr>
17
-    
18
-    <h3>Questions</h3>
19
-    <br>
20
-    <ul>
21
-    <li><a href="<page torbutton/torbutton-faq>#noflash">I can't view videos on YouTube and other flash-based sites. Why?</a></li>
22
-    <li><a href="<page torbutton/torbutton-faq>#oldtorbutton">Torbutton sure seems to do a lot of things, some of which I find annoying. Can't I just use the old version?</a></li>
23
-    <li><a href="<page torbutton/torbutton-faq>#noautocomplete">When I use Tor, Firefox is no longer filling in logins/search boxes for me. Why?</a></li>
24
-    <li><a href="<page torbutton/torbutton-faq>#thunderbird">What about Thunderbird support? I see a page, but it is the wrong version?</a></li>
25
-    <li><a href="<page torbutton/torbutton-faq>#extensionconflicts">Which Firefox extensions should I avoid using?</a></li>
26
-    <li><a href="<page torbutton/torbutton-faq>#recommendedextensions">Which Firefox extensions do you recommend?</a></li>
27
-    <li><a href="<page torbutton/torbutton-faq>#securityissues">Are there any other issues I should be concerned about?</a></li>
28
-    </ul>
29
-    <br>
30
-    
31
-    <a id="noflash"></a>
32
-    <strong><a class="anchor" href="#noflash">I can't view videos on YouTube and
33
-    other Flash-based sites. Why?</a></strong>
34
-    
35
-    <p>
36
-    YouTube and similar sites require third party browser plugins such as Flash.
37
-    Plugins operate independently from Firefox and can perform
38
-    activity on your computer that ruins your anonymity. This includes
39
-    but is not limited to: <a href="http://decloak.net">completely disregarding
40
-    proxy settings</a>, querying your <a
41
-    href="http://forums.sun.com/thread.jspa?threadID=5162138&amp;messageID=9618376">local
42
-    IP address</a>, and <a
43
-    href="http://epic.org/privacy/cookies/flash.html">storing their own
44
-    cookies</a>. It is possible to use a LiveCD solution such as
45
-    or <a href="https://tails.boum.org/">The Amnesic Incognito Live System</a> that creates a
46
-    secure, transparent proxy to protect you from proxy bypass, however issues
47
-    with local IP address discovery and Flash cookies still remain.  </p>
48
-    
49
-    <p>
50
-    If you are not concerned about being tracked by these sites (and sites that
51
-    try to unmask you by pretending to be them), and are unconcerned about your
52
-    local censors potentially noticing you visit them, you can enable plugins by
53
-    going into the Torbutton Preferences-&gt;Security Settings
54
-    tab and unchecking "Disable browser plugins (such as Flash)" box. If you do this
55
-    without The Amnesic Incognito Live System or appropriate firewall
56
-    rules, we strongly suggest you at least use <a
57
-    href="https://addons.mozilla.org/en-US/firefox/addon/722">NoScript</a> to <a
58
-    href="http://noscript.net/features#contentblocking">block plugins</a>. You do
59
-    not need to use the NoScript per-domain permissions if you check the <b>Apply
60
-    these restrictions to trusted sites too</b> option under the NoScript Plugins
61
-    preference tab. In fact, with this setting you can even have NoScript allow
62
-    Javascript globally, but still block all plugins until you click on their
63
-    placeholders in a page. We also recommend <a
64
-    href="https://addons.mozilla.org/en-US/firefox/addon/6623">Better Privacy</a>
65
-    in this case to help you clear your Flash cookies.
66
-    </p>
67
-    
68
-    <a id="oldtorbutton"></a>
69
-    <strong><a class="anchor" href="#oldtorbutton">Torbutton sure seems to do a lot of things, some of which I find
70
-    annoying. Can't I just use the old version?</a></strong>
71
-    
72
-    <p>
73
-    
74
-    <b>No.</b> Use of the old version, or any other vanilla proxy changer
75
-    (including FoxyProxy -- see below) without Torbutton is actively discouraged.
76
-    Seriously. Using a vanilla proxy switcher by itself is so insecure that you are
77
-    not only just wasting your time, you are also actually endangering yourself.
78
-    <b>Simply do not use Tor</b> and you will have the same (and in some cases,
79
-    better) security.  For more information on the types of attacks you are exposed
80
-    to with a "homegrown" solution, please see <a
81
-    href="design/index.html.en#adversary">The Torbutton
82
-    Adversary Model</a>, in particular the <a
83
-    href="design/index.html.en#attacks">Adversary
84
-    Capabilities - Attacks</a> subsection. If there are any specific Torbutton
85
-    behaviors that you do not like, please file a bug on <a
86
-    href="https://trac.torproject.org/projects/tor/report/14">the
87
-    bug tracker.</a> Most of Torbutton's security features can also be disabled via
88
-    its preferences, if you think you have your own protection for those specific
89
-    cases.
90
-    
91
-    </p>
92
-    
93
-    <a id="noautocomplete"></a>
94
-    <strong><a class="anchor" href="#noautocomplete">When I use Tor, Firefox is no longer filling in logins/search boxes
95
-    for me. Why?</a></strong>
96
-    
97
-    <p>
98
-    Currently, this is tied to the "<b>Block history writes during Tor</b>"
99
-    setting. If you have enabled that setting, all formfill functionality (both
100
-    saving and reading) is disabled. If this bothers you, you can uncheck that
101
-    option, but both history and forms will be saved. To prevent history
102
-    disclosure attacks via Non-Tor usage, it is recommended you disable Non-Tor
103
-    history reads if you allow history writing during Tor.
104
-    </p>
105
-    
106
-    <a id="thunderbird"></a>
107
-    <strong><a class="anchor" href="#thunderbird">What about Thunderbird support? I see a page, but it is the wrong
108
-    version?</a></strong>
109
-    
110
-    <p>
111
-    The Tor plugin for Thunderbird is called <a href="https://trac.torproject.org/projects/tor/wiki/torbirdy">
112
-    TorBirdy</a>.
113
-    </p>
114
-    
115
-    <a id="extensionconflicts"></a>
116
-    <strong><a class="anchor" href="#extensionconflicts">Which Firefox extensions should I avoid using?</a></strong>
117
-    
118
-    <p>
119
-    This is a tough one. There are thousands of Firefox extensions: making a
120
-    complete list of ones that are bad for anonymity is near impossible. However,
121
-    here are a few examples that should get you started as to what sorts of
122
-    behavior are dangerous.
123
-    </p>
124
-    
125
-    <ol>
126
-     <li>StumbleUpon, et al
127
-     <p>
128
-     These extensions will send all sorts of information about the websites you
129
-     visit to the stumbleupon servers, and correlate this information with a
130
-     unique identifier. This is obviously terrible for your anonymity.
131
-     More generally, any sort of extension that requires registration, or even
132
-     extensions that provide information about websites you visit should be
133
-     suspect.
134
-     </p></li>
135
-     <li>FoxyProxy
136
-    <p>
137
-    While FoxyProxy is a nice idea in theory, in practice it is impossible to
138
-    configure securely for Tor usage without Torbutton. Like all vanilla third
139
-    party proxy plugins, the main risks are <a
140
-    href="http://www.decloak.net/">plugin leakage</a>
141
-    and <a href="http://ha.ckers.org/weird/CSS-history.cgi">history
142
-    disclosure</a>, followed closely by cookie theft by exit nodes and tracking by
143
-    adservers (see the <a href="design/index.html.en#adversary">Torbutton Adversary
144
-    Model</a> for more information). However, with Torbutton installed in tandem
145
-    and always enabled, it is possible to configure FoxyProxy securely (though it
146
-    is tricky). Since FoxyProxy's 'Patterns' mode only applies to specific urls,
147
-    and not to an entire tab, setting FoxyProxy to only send specific sites
148
-    through Tor will still allow adservers (whose hosts don't match your filters) to learn your real IP. Worse, when
149
-    sites use offsite logging services such as Google Analytics, you will
150
-    still end up in their logs with your real IP. Malicious exit nodes can also
151
-    cooperate with sites to inject images into pages that bypass your filters.
152
-    Setting FoxyProxy to only send certain URLs via Non-Tor is much more secure in
153
-    this regard, but be very careful with the filters you allow. For example,
154
-    something as simple as allowing *google* to go via Non-Tor will still cause you to end up
155
-    in all the logs of all websites that use Google Analytics!  See
156
-    <a href="http://foxyproxy.mozdev.org/faq.html#privacy-01">this question</a> on
157
-    the FoxyProxy FAQ for more information.
158
-     </p></li>
159
-    </ol>
160
-    
161
-    <a id="recommendedextensions"></a>
162
-    <strong><a class="anchor" href="#recommendedextensions">Which Firefox extensions do you recommend?</a></strong>
163
-    <ol>
164
-     <li><a href="https://addons.mozilla.org/firefox/addon/953">RefControl</a>
165
-    	<p>
166
-    Mentioned above, this extension allows more fine-grained referrer spoofing
167
-    than Torbutton currently provides. It should break less sites than Torbutton's
168
-    referrer spoofing option.</p></li>
169
-    
170
-     <li><a href="https://addons.mozilla.org/firefox/addon/1474">SafeCache</a>
171
-    <p>
172
-    If you use Tor excessively, and rarely disable it, you probably want to
173
-    install this extension to minimize the ability of sites to store long term
174
-    identifiers in your cache. This extension applies same origin policy to the
175
-    cache, so that elements are retrieved from the cache only if they are fetched
176
-    from a document in the same origin domain as the cached element.
177
-    </p></li>
178
-    
179
-     <li><a href="https://addons.mozilla.org/en-US/firefox/addon/6623">Better
180
-    Privacy</a>
181
-     <p>
182
-    
183
-    Better Privacy is an excellent extension that protects you from cookies used
184
-    by Flash applications, which often persist forever and are not clearable via
185
-    normal Firefox "Private Data" clearing. Flash and all other plugins are
186
-    disabled by Torbutton by default, but if you are interested in privacy, you
187
-    may want this extension to allow you to inspect and automatically clear your
188
-    Flash cookies for your Non-Tor usage.
189
-    
190
-     </p>
191
-     </li>
192
-     <li><a href="https://addons.mozilla.org/firefox/addon/1865">AdBlock Plus</a>
193
-     <p>
194
-    
195
-    AdBlock Plus is an excellent addon for removing annoying, privacy-invading,
196
-    and <a
197
-    href="http://www.wired.com/techbiz/media/news/2007/11/doubleclick">malware-distributing</a>
198
-    advertisements from the web. It provides
199
-    <a href="http://adblockplus.org/en/subscriptions">subscriptions</a> that are
200
-    continually updated to catch the latest efforts of ad networks to circumvent
201
-    these filters. I recommend the EasyPrivacy+EasyList combination filter
202
-    subscription in the Miscellaneous section of the subscriptions page.
203
-    
204
-     </p>
205
-    </li> 
206
-    <li><a href="https://addons.mozilla.org/firefox/addon/82">Cookie Culler</a>
207
-     <p>
208
-    
209
-    Cookie Culler is a handy extension to give quick access to the cookie manager
210
-    in Firefox. It also provides the ability to protect certain cookies from
211
-    deletion, but unfortunately, this behavior does not integrate well with Torbutton.
212
-    
213
-     </p>
214
-     </li>
215
-    
216
-     <li><a href="https://addons.mozilla.org/en-US/firefox/addon/722">NoScript</a>
217
-     <p>
218
-     Torbutton currently mitigates all known anonymity issues with Javascript.
219
-     However, if you are concerned about Javascript exploits against your browser
220
-     or against websites you are logged in to, you may want to use NoScript. It
221
-     provides the ability to allow Javascript only for particular websites
222
-     and also provides mechanisms to force HTTPS urls for sites with
223
-    <a href="http://fscked.org/category/tags/insecurecookies">insecure
224
-     cookies</a>.<br>
225
-    
226
-     It can be difficult to configure such that the most sites will work
227
-     properly though. In particular, you want to make sure you do not remove
228
-     the Javascript whitelist for
229
-     addons.mozilla.org, as extensions are downloaded via http and verified by
230
-     javascript from the https page.
231
-    
232
-     </p></li>
233
-     <li><a href="https://addons.mozilla.org/en-US/firefox/addon/9727/">Request
234
-    Policy</a>
235
-     <p>
236
-    
237
-    Request Policy is similar to NoScript in that it requires that you configure
238
-    which sites are allowed to load content from other domains. It can be very
239
-    difficult for novice users to configure properly, but it does provide a good
240
-    deal of protection against ads, injected content, and cross-site request
241
-    forgery attacks.
242
-    
243
-     </p>
244
-     </li>
245
-    
246
-    </ol>
247
-    
248
-    <a id="securityissues"></a>
249
-    <strong><a class="anchor" href="#securityissues">Are there any other issues I should be concerned about?</a></strong>
250
-    
17
+
251 18
     <p>
252
-    There are a few known security issues with Torbutton (all of which are due to
253
-    <a href="design/index.html.en#FirefoxBugs">unfixed
254
-    Firefox security bugs</a>). The most important for anonymity is that it is
255
-    possible to unmask the javascript hooks that wrap the Date object to conceal
256
-    your timezone in Firefox 2, and the timezone masking code does not work at all
257
-    on Firefox 3. We are working with the Firefox team to fix one of <a
258
-    href="https://bugzilla.mozilla.org/show_bug.cgi?id=392274">Bug 399274</a> or
259
-    <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=419598">Bug 419598</a>
260
-    to address this. In the meantime, it is possible to set the <b>TZ</b>
261
-    environment variable to <b>UTC</b> to cause the browser to use UTC as your
262
-    timezone. Under Linux, you can add an <b>export TZ=UTC</b> to the
263
-    /usr/bin/firefox script, or edit your system bashrc to do the same. Under
264
-    Windows, you can set either a <a
265
-    href="http://support.microsoft.com/kb/310519">User or System Environment
266
-    Variable</a> for TZ via My Computer's properties. In MacOS, the situation is
267
-    <a
268
-    href="http://developer.apple.com/documentation/MacOSX/Conceptual/BPRuntimeConfig/Articles/EnvironmentVars.html#//apple_ref/doc/uid/20002093-BCIJIJBH">a
269
-    lot more complicated</a>, unfortunately.
19
+    Torbutton is the component in <a href="<page projects/torbrowser>">Tor
20
+    Browser Bundle</a> that takes care of application-level
21
+    security and privacy concerns in Firefox.  To keep you safe,
22
+    Torbutton disables many types of active content.
270 23
     </p>
271
-    
24
+
272 25
     <p>
273
-    In addition, RSS readers such as Firefox Livemarks can perform
274
-    periodic fetches. Due to <a
275
-    href="https://bugzilla.mozilla.org/show_bug.cgi?id=436250">Firefox Bug
276
-    436250</a>, there is no way to disable Livemark fetches during Tor. This can
277
-    be a problem if you have a lot of custom Livemark urls that can give away
278
-    information about your identity.
26
+    Now that the <a href="<page projects/torbrowser>">Tor Browser
27
+    Bundle</a> includes a patched version of Firefox, and because we don't
28
+    have enough developer resources to keep up with the accelerated
29
+    Firefox release schedule, the toggle model of Torbutton is <a
30
+    href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton">no
31
+    longer supported</a>. <b>Users should be using Tor Browser Bundle,
32
+    not installing Torbutton themselves.</b>
279 33
     </p>
280
-  </div>
34
+  
35
+    </div>
281 36
   <!-- END MAINCOL -->
282 37
   <div id = "sidecol">
283 38
 #include "side.wmi"
... ...
@@ -11,257 +11,27 @@
11 11
   </div>
12 12
 	<div id="maincol">  
13 13
     <!-- PUT CONTENT AFTER THIS TAG -->
14
-    
15
-    <h2>Torbutton Options</h2>
14
+
15
+    <h2>Torbutton</h2>
16 16
     <hr>
17
-    
18
-    <p>Torbutton 1.2.0 adds several new security features to protect your
19
-    anonymity from all the major threats we know about. The defaults should be
20
-    fine (and safest!) for most people, but in case you are the tweaker type,
21
-    or if you prefer to try to outsource some options to more flexible extensions,
22
-    here is the complete list. (In an ideal world, these descriptions should all be
23
-    tooltips in the extension itself, but Firefox bugs <a
24
-    href="https://bugzilla.mozilla.org/show_bug.cgi?id=45375">45375</a> and <a
25
-    href="https://bugzilla.mozilla.org/show_bug.cgi?id=218223">218223</a> currently
26
-    prevent this.)</p>
27
-    
28
-    <ul>
29
-     <li>Disable plugins on Tor Usage (crucial)<p> 
30
-    
31
-      This option is key to Tor security. Plugins perform their own networking
32
-    independent of the browser, and many plugins only partially obey even their own
33
-    proxy settings.
34
-    </p></li>
35
-      <li>Isolate Dynamic Content to Tor State (crucial)<p> 
36
-    
37
-      Another crucial option, this setting causes the plugin to disable Javascript
38
-      on tabs that are loaded during a Tor state different than the current one,
39
-      to prevent delayed fetches of injected URLs that contain unique identifiers,
40
-      and to prevent meta-refresh tags from revealing your IP when you turn off
41
-      Tor. It also prevents all fetches from tabs loaded with an opposite Tor
42
-      state. This serves to block non-Javascript dynamic content such as CSS
43
-      popups from revealing your IP address if you disable Tor.
44
-    </p></li>
45
-      <li>Hook Dangerous Javascript (crucial)<p> 
46
-    
47
-    This setting enables the Javascript hooking code. Javascript is injected into
48
-    pages to hook the Date object to mask your timezone, and to hook the navigator
49
-    object to mask OS and user agent properties not handled by the standard
50
-    Firefox user agent override settings.
51
-    </p></li>
52
-      <li>Resize window dimensions to multiples of 50px on toggle (recommended)<p> 
53
-    
54
-    To cut down on the amount of state available to fingerprint users uniquely, 
55
-    this pref causes windows to be resized to a multiple of 50 pixels on each
56
-    side when Tor is enabled and pages are loaded.
57
-    </p></li>
58
-      <li>Disable Updates During Tor (recommended)<p> 
59
-    
60
-    Under Firefox 2, many extension authors did not update their extensions from 
61
-    SSL-enabled websites. It is possible for malicious Tor nodes to hijack these extensions and replace them with malicious ones, or add malicious code to 
62
-    existing extensions. Since Firefox 3 now enforces encrypted and/or
63
-    authenticated updates, this setting is no longer as important as it once
64
-    was (though updates do leak information about which extensions you have, it is
65
-    fairly infrequent).
66
-    </p></li>
67
-      <li>Disable Search Suggestions during Tor (optional)<p> 
68
-    
69
-    This optional setting governs if you get Google search suggestions during Tor
70
-    usage. Since no cookie is transmitted during search suggestions, this is a
71
-    relatively benign behavior.
72
-    </p></li>
73
-      <li>Block Livemarks updates during Tor usage (recommended)<p> 
74
-    
75
-    This setting causes Torbutton to disable your <a
76
-    href="http://www.mozilla.com/firefox/livebookmarks.html">Live bookmark</a>
77
-    updates. Since most people use Live bookmarks for RSS feeds from their blog,
78
-    their friends' blogs, the wikipedia page they edit, and other such things,
79
-    these updates probably should not happen over Tor. This feature takes effect
80
-    in Firefox 3.5 and above only.
81
-    
82
-    </p></li>
83
-      <li>Block Tor/Non-Tor access to network from file:// urls (recommended)<p> 
84
-    
85
-    These settings prevent local html documents from transmitting local files to
86
-    arbitrary websites <a href="http://www.gnucitizen.org/blog/content-disposition-hacking/">under Firefox 2</a>. Since exit nodes can insert headers that
87
-    force the browser to save arbitrary pages locally (and also inject script into
88
-    arbitrary html files you save to disk via Tor), it is probably a good idea to
89
-    leave this setting on.
90
-    </p></li>
91
-      <li>Close all Non-Tor/Tor windows and tabs on toggle (optional)<p> 
92
-    
93
-    These two settings allow you to obtain a greater degree of assurance that
94
-    after you toggle out of Tor, the pages are really gone and can't perform any
95
-    extra network activity. Currently, there is no known way that pages can still
96
-    perform activity after toggle, but these options exist as a backup measure
97
-    just in case a flaw is discovered. They can also serve as a handy 'Boss
98
-    Button' feature for clearing all Tor browsing off your screen in a hurry.
99
-    </p></li>
100
-      <li>Isolate access to history navigation to Tor state (crucial)<p> 
101
-    
102
-    This setting prevents both Javascript and accidental user clicks from causing
103
-    the session history to load pages that were fetched in a different Tor state
104
-    than the current one. Since this can be used to correlate Tor and Non-Tor
105
-    activity and thus determine your IP address, it is marked as a crucial 
106
-    setting.
107
-    </p></li>
108
-      <li>Block History Reads during Tor (crucial)<p> 
109
-    
110
-      Based on code contributed by <a href="http://www.collinjackson.com/">Collin
111
-      Jackson</a>, when enabled and Tor is enabled, this setting prevents the
112
-    rendering engine from knowing if certain links were visited.  This mechanism
113
-    defeats all document-based history disclosure attacks, including CSS-only
114
-    attacks.
115
-    </p></li>
116
-      <li>Block History Reads during Non-Tor (recommended)<p> 
117
-    
118
-      This setting accomplishes the same but for your Non-Tor activity.
119
-    </p></li>
120
-      <li>Block History Writes during Tor (recommended)<p> 
121
-    
122
-      This setting prevents the rendering engine from recording visited URLs, and
123
-    also disables download manager history. Note that if you allow writing of Tor history,
124
-    it is recommended that you disable non-Tor history reads, since malicious
125
-    websites you visit without Tor can query your history for .onion sites and
126
-    other history recorded during Tor usage (such as Google queries).
127
-    </p></li>
128
-      <li>Block History Writes during Non-Tor (optional)<p> 
129
-    
130
-    This setting also disables recording any history information during Non-Tor
131
-    usage.
132
-    </p></li>
133
-    <li>Clear History During Tor Toggle (optional)<p> 
134
-    
135
-      This is an alternate setting to use instead of (or in addition to) blocking
136
-    history reads or writes.
137
-    </p></li>
138
-      <li>Block Password+Form saving during Tor/Non-Tor<p> 
139
-    
140
-      These options govern if the browser writes your passwords and search
141
-      submissions to disk for the given state.
142
-    </p></li>
143
-      <li>Block Tor disk cache and clear all cache on Tor Toggle<p> 
144
-    
145
-      Since the browser cache can be leveraged to store unique identifiers, cache
146
-    must not persist across Tor sessions. This option keeps the memory cache active
147
-    during Tor usage for performance, but blocks disk access for caching.
148
-    </p></li>
149
-      <li>Block disk and memory cache during Tor<p> 
150
-    
151
-      This setting entirely blocks the cache during Tor, but preserves it for
152
-    Non-Tor usage.
153
-    </p></li>
154
-      <li>Clear Cookies on Tor Toggle<p> 
155
-    
156
-      Fully clears all cookies on Tor toggle.
157
-    </p></li>
158
-      <li>Store Non-Tor cookies in a protected jar<p> 
159
-    
160
-      This option stores your persistent Non-Tor cookies in a special cookie jar
161
-      file, in case you wish to preserve some cookies. Based on code contributed
162
-      by <a href="http://www.collinjackson.com/">Collin Jackson</a>. It is
163
-      compatible with third party extensions that you use to manage your Non-Tor
164
-      cookies. Your Tor cookies will be cleared on toggle, of course.
165
-    </p></li>
166
-      <li>Store both Non-Tor and Tor cookies in a protected jar (dangerous)<p> 
167
-    
168
-      This option stores your persistent Tor and Non-Tor cookies 
169
-      separate cookie jar files. Note that it is a bad idea to keep Tor
170
-      cookies around for any length of time, as they can be retrieved by exit
171
-      nodes that inject spoofed forms into plaintext pages you fetch.
172
-    </p></li>
173
-      <li>Manage My Own Cookies (dangerous)<p> 
174
-    
175
-      This setting allows you to manage your own cookies with an alternate
176
-    extension, such as <a href="https://addons.mozilla.org/firefox/addon/82">CookieCuller</a>. Note that this is particularly dangerous,
177
-    since malicious exit nodes can spoof document elements that appear to be from
178
-    sites you have preserved cookies for (and can then do things like fetch your
179
-    entire gmail inbox, even if you were not using gmail or visiting any google
180
-    pages at the time!).
181
-    </p></li>
182
-      <li>Do not write Tor/Non-Tor cookies to disk<p> 
183
-    
184
-      These settings prevent Firefox from writing any cookies to disk during the
185
-      corresponding Tor state. If cookie jars are enabled, those jars will
186
-      exist in memory only, and will be cleared when Firefox exits.
187
-    </p></li>
188
-      <li>Disable DOM Storage during Tor usage (crucial)<p> 
189
-    
190
-      Firefox has recently added the ability to store additional state and
191
-      identifiers in persistent tables, called <a
192
-      href="http://developer.mozilla.org/docs/DOM:Storage">DOM Storage</a>.
193
-      Obviously this can compromise your anonymity if stored content can be
194
-      fetched across Tor-state.
195
-    </p></li>
196
-      <li>Clear HTTP auth sessions (recommended)<p> 
197
-    
198
-      HTTP authentication credentials can be probed by exit nodes and used to both confirm that you visit a certain site that uses HTTP auth, and also impersonate you on this site. 
199
-    </p></li>
200
-      <li>Clear cookies on Tor/Non-Tor shutdown<p> 
201
-    
202
-      These settings install a shutdown handler to clear cookies on Tor
203
-    and/or Non-Tor browser shutdown. It is independent of your Clear Private Data
204
-    settings, and does in fact clear the corresponding cookie jars.
205
-    </p></li>
206
-      <li>Prevent session store from saving Tor-loaded tabs (recommended)<p> 
207
-    
208
-      This option augments the session store to prevent it from writing out
209
-      Tor-loaded tabs to disk. Unfortunately, this also disables your ability to 
210
-      undo closed tabs. The reason why this setting is recommended is because
211
-      after a session crash, your browser will be in an undefined Tor state, and
212
-      can potentially load a bunch of Tor tabs without Tor. The following option
213
-      is another alternative to protect against this.
214
-    </p></li>
215
-      <li>On normal startup, set state to: Tor, Non-Tor, Shutdown State<p> 
216
-    
217
-      This setting allows you to choose which Tor state you want the browser to
218
-      start in normally: Tor, Non-Tor, or whatever state the browser shut down in.
219
-    </p></li>
220
-      <li>On crash recovery or session restored startup, restore via: Tor, Non-Tor<p> 
221
-    
222
-      When Firefox crashes, the Tor state upon restart usually is completely
223
-      random, and depending on your choice for the above option, may load 
224
-      a bunch of tabs in the wrong state. This setting allows you to choose
225
-      which state the crashed session should always be restored in to.
226
-    </p></li>
227
-      <li>Prevent session store from saving Non-Tor/Tor-loaded tabs<p> 
228
-    
229
-      These two settings allow you to control what the Firefox Session Store
230
-      writes to disk. Since the session store state is used to automatically
231
-      load websites after a crash or upgrade, it is advisable not to allow
232
-      Tor tabs to be written to disk, or they may get loaded in Non-Tor
233
-      after a crash (or the reverse, depending upon the crash recovery setting, 
234
-      of course).
235
-    </p></li>
236
-      <li>Set user agent during Tor usage (crucial)<p> 
237
-    
238
-      User agent masking is done with the idea of making all Tor users appear
239
-    uniform. A recent Firefox 2.0.0.4 Windows build was chosen to mimic for this
240
-    string and supporting navigator.* properties, and this version will remain the
241
-    same for all TorButton versions until such time as specific incompatibility
242
-    issues are demonstrated. Uniformity of this value is obviously very important
243
-    to anonymity. Note that for this option to have full effectiveness, the user
244
-    must also allow Hook Dangerous Javascript ensure that the navigator.*
245
-    properties are reset correctly.  The browser does not set some of them via the
246
-    exposed user agent override preferences.
247
-    </p></li>
248
-      <li>Spoof US English Browser<p> 
249
-    
250
-    This option causes Firefox to send http headers as if it were an English
251
-    browser. Useful for internationalized users.
252
-    </p></li>
253
-      <li>Don't send referrer during Tor Usage<p> 
254
-    
255
-    This option disables the referrer header, preventing sites from determining
256
-    where you came from to visit them. This can break some sites, however. <a
257
-    href="http://www.digg.com">Digg</a> in particular seemed to be broken by this.
258
-    A more streamlined, less intrusive version of this option should be available
259
-    eventually. In the meantime, <a
260
-    href="https://addons.mozilla.org/firefox/addon/953">RefControl</a> can
261
-    provide this functionality via a default option of <b>Forge</b>.
262
-    </p></li>
263
-    </ul>
264
-  </div>
17
+
18
+    <p>
19
+    Torbutton is the component in <a href="<page projects/torbrowser>">Tor
20
+    Browser Bundle</a> that takes care of application-level
21
+    security and privacy concerns in Firefox.  To keep you safe,
22
+    Torbutton disables many types of active content.
23
+    </p>
24
+  
25
+    <p>
26
+    Now that the <a href="<page projects/torbrowser>">Tor Browser
27
+    Bundle</a> includes a patched version of Firefox, and because we don't
28
+    have enough developer resources to keep up with the accelerated
29
+    Firefox release schedule, the toggle model of Torbutton is <a
30
+    href="https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton">no
31
+    longer supported</a>. <b>Users should be using Tor Browser Bundle,
32
+    not installing Torbutton themselves.</b>
33
+    </p>
34
+    </div>
265 35
   <!-- END MAINCOL -->
266 36
   <div id = "sidecol">
267 37
 #include "side.wmi"