Tor And Firefox 3.0b5 in Hardy

May 20, 2008 at 18:06 | Posted in Tech | 3 Comments

I have recently noticed several hits on my blog looking for TOR and Firefox 3.0b5. Since I use both, and since I know that TorButton does not yet (at least the last time I checked) work with Firefox 3.0b5, I figured I’d write a quick howto on setting up a safe Tor/Firefox in Hardy Heron.

The instructions below assume that you have already installed TOR and Privoxy and set them up correctly.

The first thing you will need to do is create a separate profile for Tor browsing. The more paranoid may wish to set up a separate user account for TOR browsing, further reducing the chance of data leakage.

To set up a separate profile, make sure there are no instances of Firefox running, then open a terminal and enter the command:

firefox -ProfileManager

A window that looks like this should show up:

[Screenshot: Profile Manager]

Create a new profile that you will use for Tor only; I called mine TorFox to avoid confusion.

Now we need to create a new launcher to use the TorFox profile.

Right-click on the desktop and choose Create Launcher.

That will bring up this dialog:

[Screenshot: Launcher Dialogue]

Fill it in like this:

Type: Leave set to Application

Name: A name you like (I used TorFox)

Command: firefox -P TorFox -no-remote

(The value after the -P should be the name you gave your TOR profile)

Comment: Whatever you want to show up as the tooltip

Now click the icon button, and if you want the Firefox icon you can find it in:


Then click OK and we are ready to start setting up your TorFox.

Click the launcher (or double-click if your system is set to use double clicks).

A Firefox window will open. Double-check that it is not your normal (default) Firefox profile. It shouldn’t have any of your favourites, add-ons, or other settings. It should be a fresh Firefox.

Once you have that, click Edit -> Preferences.

On the Main tab:

Click Manage Add-ons and disable or uninstall all add-ons (there should only be the Ubuntu Firefox modifications, as this should be a fresh profile).

Then at the top of the Add-ons window you will see an option for Plugins.

Click it and then disable all plugins.

Once that is done, exit the Add-ons window and click Content on the Preferences window.

On the Content tab, uncheck Enable JavaScript and Enable Java.

Now click Applications at the top of the Preferences window.

Set all the actions so that they do not use external applications: set them to Preview in Firefox, Always Ask, or Save File. Of these, Save File is probably the safest, but some things don’t have that option (Podcast, Video Podcast, Web Feed), so those you will need to set to Preview in Firefox. It should look something like this:

[Screenshot: Application Preferences]

Now click the Privacy tab at the top of the Preferences window.

Uncheck all the history items.

The more paranoid can uncheck all the cookie options, but that will greatly limit the sites you can go to, so I personally accept both types of cookies but have the Keep Until option set to clear the cookies when I close Firefox.

Check the Always Clear Private Data option. Click the Settings button beside it and make sure all options are checked. Uncheck Ask me before clearing private data.

Now we move on to the Security tab.

I uncheck both of the Tell me if the site… options because these most likely leak information by looking up the site you are going to against a on a remote site.

Also uncheck the Remember passwords options. (If you don’t store them, they can’t leak.)

Finally, on to the Advanced tab.

Under Advanced there are several tabs.

We’ll start on the Network tab. Click the Settings button beside Connections.

Set it up like this:

[Screenshot: Connection settings for TOR]

Also check Tell me when a website asks to store data offline, and use the Exceptions button to be sure that there are no pre-set exceptions.

On the Update tab under Advanced:

Uncheck all the Update options.

Your Tor/Firefox should now be ready for a test drive. If you find you cannot connect to anything, you probably need to edit the /etc/privoxy/config file and be sure it has:

forward-socks4a   /      .

in it. The . at the end of that line is necessary.
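
A way to check the result of the steps above from the terminal, as an added example that is not part of the original post: it reads the TorFox profile's prefs.js and the Privoxy config and reports anything that does not match the howto. The pref names are my mapping of the dialog checkboxes, network.proxy.type=1 (manual proxy) is an assumption because the connection screenshot did not survive, and the function names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a profile's prefs.js and
# a Privoxy config against the settings this howto describes.
# Assumption: the pref names are my mapping of the dialog checkboxes.
# prefs.js stores only non-default values, so a missing line means "default".
EXPECTED='javascript.enabled=false
security.enable_java=false
browser.formfill.enable=false
network.cookie.lifetimePolicy=2
privacy.sanitize.sanitizeOnShutdown=true
privacy.sanitize.promptOnSanitize=false
browser.safebrowsing.enabled=false
browser.safebrowsing.malware.enabled=false
signon.rememberSignons=false
network.proxy.type=1
app.update.enabled=false
extensions.update.enabled=false
browser.search.update=false'

# pref_value FILE NAME: print the value of the last user_pref("NAME", VALUE);
pref_value() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*user_pref(\"$esc\",[[:space:]]*\(.*\));[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# audit_prefs FILE: print one line per deviation; non-zero status if any.
audit_prefs() {
    bad=0
    for pair in $EXPECTED; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(pref_value "$1" "$name")
        if [ "$got" != "$want" ]; then
            echo "NOT SET: $name (want $want, found ${got:-default})"
            bad=1
        fi
    done
    return "$bad"
}

# privoxy_forward FILE: print the SOCKS target of each active catch-all
# "forward-socks4a / host:port ." line (Tor's default SOCKS listener is
# 127.0.0.1:9050); fail if there is none or the trailing "." is missing.
privoxy_forward() {
    awk '$1 == "forward-socks4a" && $2 == "/" && NF == 4 && $4 == "." { print $3; ok = 1 }
         END { exit !ok }' "$1"
}

# Run as: sh audit.sh ~/.mozilla/firefox/<id>.TorFox/prefs.js /etc/privoxy/config
if [ "$#" -eq 2 ]; then audit_prefs "$1"; privoxy_forward "$2"; fi
```

Firefox rewrites prefs.js on exit, so close the TorFox window before running the audit.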

I hope this helps get people going. If anyone sees something I missed (yes, I know that changing user agents might be a good idea, but that is a little more advanced than I wanted to get into in this howto), please let me know.


P.S. If you want to use both Firefoxes, TOR and non-TOR, you will need to edit the launchers for the regular Firefox and add the options -P default -no-remote to their command lines so that they launch the correct profile and do not open a tab in the other browser. This will create the minor annoyance of needing to close out the browser before clicking a link in another program (like Evolution), but I feel the assurance that I’m not opening a TOR browser when I meant to open a regular one is worth that minor hassle.

Also, you may want to set different themes for each browser so you can quickly spot which one you are working in (prevents “ooopses” of accidentally using a TOR browser for something that you’d rather not have going over the TOR network).


Phorm, NebuAd, and Privacy

April 14, 2008 at 16:37 | Posted in Privacy/Security | 3 Comments

Well, it seems NebuAd is coming to Canada soon, and is already in place at several US ISPs.

So, considering all this, I spent much of the day mulling ways that users can protect their privacy. I have so far come up with the following suggestions:

Flush Cookies on each browser close:

Although it won’t stop them watching what you click, it will help to prevent them from getting a good picture, as they will not have months or years of your browsing tied to a single UUID.

Use as much SSL as possible:

They can’t use their DPI (deep packet inspection) on encrypted connections, so find ways to be as encrypted as possible. If you use web mail, make sure the entire session is encrypted (not just the log on). Better yet, use an email client that supports secure connections and an email provider that supports them (Google, Yahoo Canada, fastmail, etc.). Using an e-mail client with TLS/SSL not only encrypts the connection, it also takes cookies out of the picture.

Use things like Scroogle’s SSL page for searching, to keep them from sniffing your searches.

Use an Encrypting Proxy:

Set up and use a VPN or SSL encrypted proxy. This will make your entire session unreadable. There is the problem of trust. Encrypting systems like TOR and I2P may just expose you to even more tracking from evil exit nodes. JAP may be backdoored (but according to Wikipedia this is not/no longer the case). Similarly, “open” proxies on the net may not be trustworthy.

The best solution I can think of for this problem is to have a trusted friend in another country set up a VPN, private SSL proxy or Psiphon node for you, and you could do the same for them. Even if his ISP was sniffed by NebuAd and yours by Phorm, it would muddy the waters. Which brings us to


Find ways to hide your traffic. You could run a TOR or I2P exit node (lots of HTTP traffic for them to sniff, none of it yours).

Find alternate ways to get webpages you don’t want sniffed like web2mail.

So those are some of my thoughts on the matter. I’ll post more as I come up with them. If any readers know of good HTTPS services on the web like secure Wikipedia or Secure WikiBooks, etc., please post them in the comments.

Thoughts and comments always welcome
