Tor Project to Phish 13M "Do Not Track" Users

Date: Sun, 13 May 2012 14:26:59 -0700
From: Mike Perry <mikeperry[at]torproject.org>
To: tor-talk[at]lists.torproject.org
Subject: Re: [tor-talk] Tor Browser disabling Javascript anonymity set reduction

[Snip]

Concerns about Javascript are rooted in two avenues:

1. Fingerprinting concerns.

2. Zero-day exploits against Firefox.

The reason we feel that leaving Javascript enabled trumps these concerns is:

1. We want enough people to actually use Tor Browser such that it becomes less interesting that you're a Tor user. We have plenty of academic research and mathematical proofs that tell us quite clearly that the more people use Tor, the better the privacy, anonymity, and traffic analysis resistance properties will become.

In fact, my personal goal is to grab the entire "Do Not Track" userbase from Mozilla. That userbase is probably well in excess of 12.5 million people:

http://www.techworld.com.au/article/400248/

I do *not* believe we can capture that userbase if we ship a JS-disabled-by-default browser.

2. Exploitable vulnerabilities can be anywhere in the browser, not just in the JS interpreter. We disable and/or click-to-play the known major vectors, but the best solutions here are providing bug bounties (Mozilla does this; we should too, if we had any money) and sandboxing systems (Seatbelt, AppArmor, SELinux).

Hope this clarifies some things for you.

--

Mike Perry

_____________________________________

tor-talk mailing list
tor-talk[at]lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Published by: Reza Rafati
