Torfox

Discussion in 'privacy technology' started by betaman, Jun 15, 2009.

Thread Status:
Not open for further replies.
  1. betaman

    betaman Registered Member

    Joined:
    Jan 10, 2009
    Posts:
    8
    Have you tried this?
    http://www.torfox.org/

    Installer: http://torfox.googlecode.com/svn/trunk/site/Torfox-3.0.10.1.msi
    ZIP (for USB flash usage): http://torfox.googlecode.com/svn/trunk/site/Torfox-3.0.10.1.zip
    Hashes: http://torfox.googlecode.com/svn/trunk/site/Torfox-3.0.10.1.sha1

    This also blocks CSS history attack

    Very good :thumb:
     
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    RUN RUN RUN RUN! We broke torfox 1000 different ways and it is designed to insert google tracking advertisements. It is leaky, the designer knows absolutely nothing about tor security or threat model, and has no comprehension of the work that existed before torfox. New != Good.


    :thumbd: :thumbd: :thumbd: :thumbd: :thumbd: :thumbd: :thumbd: :thumbd: :thumbd: :thumbd: :thumbd: :thumbd: :thumbd: :thumbd: :thumbd: :thumbd:

    or-talk discussion 1

    or-talk discussion 2
    or-talk discussion 3
     
    Last edited: Jun 15, 2009
  3. betaman

    betaman Registered Member

    Joined:
    Jan 10, 2009
    Posts:
    8
    You are talking about old version. The new one 3.0.10.1 has cookie, javascript, referer, plugins, and other things disabled. So no one can track you, even google.
    It's also portable, very good.
     
  4. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    If the developer didn't know what he was doing the first time, I don't trust him this time either. Oh yesterday it was terrible and insecure and now it is better? I don't think so. The developer just has not had his new mistakes pointed out to him yet.
     
  5. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    Tor is tor, FireFox is FF. Combining them makes neither stronger, nor weaker. Same threats still apply.

    Would I run? No. Would I use it if I didnt have the experience to setup a Tor config and a FF config *I* trusted, then yes. Does it provide enough for the casual user, probably. Does it provide enough for teh paranoid, probably not (although I'm still waiting to see THE solution.)

    Personally, I would find a provider (be it Tor, VPN, proxy, etc) that suits YOUR needs, then start with a base FF, strip what is a security concern, ad trusted addons that help protect you, and surf away....thats just me.

    There is no perfect solution, its all about what is "enough" for you.
     
  6. Torfox

    Torfox Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    4
    The first version was only a proof of concept and there are ads on all Google search pages. They are text only because JavaScript is disabled. It's impossible to track someone with Torfox because it deletes all cookies. If you can break Torfox then prove it and provide repeatable instructions.
     
  7. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    replied offlist.
     
  8. Less

    Less Registered Member

    Joined:
    Dec 24, 2008
    Posts:
    248
    are u bashing someone? :rolleyes:
     
  9. fuzzylogic

    fuzzylogic Registered Member

    Joined:
    Mar 12, 2008
    Posts:
    149
    Steve would never do something like this :rolleyes: . I think its good to see someone have a crack at trying to make something different. I actually read the whole discussion and from what i've read the author isn't trying to recreate Xbbrowser or the Tor bundle, he's trying to different approach. Obiviously he's no pro programmer but give credit where credits due and actually give the programmer some feedback not a personal assult on trying to make a quick buck. Hey if he successes then good, if not then he becomes a better programmer for it.
     
  10. Torfox

    Torfox Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    4
    Anyone can write an extension or set proxy settings but I wouldn't call modifying Firefox's socket code so that it inserts a socks4 header "easy".
     
  11. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,102
    Icecat is the Gnu version (formerly Iceweasel) of Firefox version 3.0.11 now available. You can use it with the FF add-on Stealther to get most of the functionality described, and configure it in the about:config to use tor-resolve for DNS queries.

    I can run Icecat w/limited add-ons, no-plugins, no JavaScript, etc., Tor (latest), Tork and polipo (pipelined) in Kubuntu 9.04. Who needs TorFox? Incognito runs with Iceweasel.

    -- Tom
     
  12. Torfox

    Torfox Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    4
    Who needs Thunderbird when you've got Outlook Express? Who needs Firefox when you've got Internet Explorer? There can be more than one program that does the same thing. We're not out to evangelize. We simply have a different design philosophy. You clearly don't need help running Tor. However, the average whistle blower or dissident blogger isn't going to know how to do all that or isn't willing to keep themselves exposed long enough to learn how. After watching dozens of people give up on Tor because it was too "hard", I decided to start this project. If you don't like it or don't need it, that's fine, don't use it.
     
  13. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,102
    Hi Torfox,

    Clearly you seem to be upset about my comment which was simply a matter of fact statement, but upfront you did not state your motivation to supplying Torfox for the Tor challenged - so, I stand on what I said previously.

    It's ok to have a different design philosophy, its even ok to evangelize - believe me, I struggled with Tor rereading many times over the documentation and learning how to compile Tork on new versions of Kubuntu w/Qt3/Qt4 in order to have a better UI to control Tor interfaces.

    If you are really serious about your mashup, you will integrate Vidalia or Tork into the scheme of things to make it yet easier for the user.

    My comment, again, was not to rain on your parade, just a factual statement that was arrived at with a lot of work on my part to make sure that the latest Tor, Tork, proxy features (i.e. polipo pipelining), and torkifying Icecat with similar interfaces to Incognito were well understood.

    Trust me, if you can come up with a solid, reliable product that helps the challenged, and does not exploit them with undesired tracking, then more power to you!

    -- Tom
     
  14. Torfox

    Torfox Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    4
    Vidalia will not make Torfox easier. It will overcomplicate it. There's already something like that with TBB which is what everyone keeps giving up on. You still don't understand the design philosophy and I'm starting to think you don't really care. Rather, you seem more interested in spreading FUD and creating drama with reference to exploiting users with "undesired tracking" and trying to get this into a discussion of emotions rather than focusing on the actual topic at hand. I'll say it again. If you don't like it, don't use it. If you want to volunteer and help make it better then you are welcome to join the project and do so. If you have found a weakness in Torfox then prove it and provide repeatable instructions. I'm uninterested in discussing anything beyond this. I'm not upset, I apologize if I come across as short tempered but I'm just extremely busy and I don't have time for niceties.
     
  15. dRag0nMa

    dRag0nMa Registered Member

    Joined:
    Aug 28, 2003
    Posts:
    79
    Location:
    SH China
    it seems no config file for tor
    you embeded all the command line to the exe file?
     
  16. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,102
    Dearest Torfox,

    I am only interested is software that is reliable, safe and easy to use which does not compromise anonymity, privacy or security - not about whining back and forth with your perceptions as misconstrued as they are about my posts.

    My original post was only to point out that there are alternatives that achieve the same effect without the need to develop new software. If TorFox lives up to its intent then well done.

    -- Tom
     
  17. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    TorFox is solid, I have tested it, and there aren't leak!
    This is the most secure firefox version I have ever seen!

    @lotuseclat79
    Vidalia, Tork, Polipo, aren't inherent to anonymity. And how do you set yor browser to prevent leak and tracking? :D
     
  18. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,102
    Basically, I took as much of an in-depth look at Incognito which used Iceweasel to find out what I needed to setup tork, tor-socks, tor, and Iceweasel. Incognito is only maintained and worked on by one or two people. They have a hardened version of the release which I managed to grab before they took it down - I sent them some comments.

    I then decided, I wanted to use the latest of Tor, and Tork, so that meant engaging how to compile the sources for Tork in an updated KDE environment which they had not done.
    Once that was done, I had to make some changes to get the latest repositories to update Tor, and tor-socks. I still haven't quite figured out to make a bonafide .deb package for my compilation of Tork on Kubuntu 9.04 - its on the back burner though.

    As I mentioned before, the FF add-on Stealther does a lot of what was mentioned for Torfox - no cookies, no history, etc. I also use NoScript. I also make sure that DNS is not leaked when using Tor with Icecat (The Gnu version of FF fomerly aka Iceweasel as used with Incognito) by making sure that tor-resolve is used by setting up about:config properly. I always check my IP address when I have a message from Tork that says the client is ready to use Tor just to make sure that my IP address isn't showing. I have not yet tested Vidalia, but will soon. Polipo has good documentation for setting it up, and its much faster than Privoxy with pipelining.

    By the by, when anyone says "this is the most secure firefox I have ever seen" - I tend to be from Missouri, and ask: so how many firefoxes have you ever seen, and what security testing have you put each through. And what is your baseline criteria for security on each feature tested?

    Anyone can claim their secure software is better than others - I want to see proof side-by-side and know what the comprehensive evidence is before I can commit to any assessment on a known baseline.

    Am I skeptical, you might ask - when it comes to security - you betcha! And I'm not from the Upper Mid-west!

    -- Tom
     
  19. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    Torfox is secure for anonymous browsing because is an intrinsically by default sucure browser. This hardened browser has a lot of internal improvements, so it doesn't need third party tool and addon.
    I have tested many hardened configuration, but all of them have needed extra tool and addon to obtain security and avoid leak.
    Instead Torfox is by default secure, and you won't waste anymore time to set properly the browser.

    A lot of people use tor with proxy (privoxy or polipo) vidalia, etc, but many of them don't know how to configure these, such as make proxy filter, disable javascript (tor statistics tell us that most Tor users don't disable JavaScript), disable tracking cookie, improve network performance (pipelining), etc.
    Now they can use Torfox!
     
  20. Airflow

    Airflow Registered Member

    Joined:
    Jul 5, 2009
    Posts:
    39
    Good question.

    Links don´t work for me.
     
  21. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    because those links are old. Go to homepage, and download the installe or zip/portable version
    http://www.torfox.org/
     
  22. Pulstar69

    Pulstar69 Registered Member

    Joined:
    Aug 27, 2009
    Posts:
    1
    Got the proggy easy enough, installed it without issue but the damn thing simply won't connect. Just sits there with a blank page saying it's connecting but getting nowhere.
    Not much use like that, imho.
     
  23. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Watch out or SteveTX will come here and say he has cracked TorFox "100000 different ways" without providing one shred of evidence or source code to back his claims.

    SteveTX, seriously, I hear you say often that "we have cracked Tor" and "we have built an anonymity tester which proves Tor is insecure" etc., but I have not seen you put up. When are you going to show the world these marvelous technologies? I remember reading a couple of months ago that you were only a few months away from releasing this anonymity tester. So, when are we going to see the goods?
     
  24. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    SteveTX VS NoScript​


    1)
    https://www.wilderssecurity.com/showpost.php?p=1516839&postcount=23
    2)
    https://www.wilderssecurity.com/showpost.php?p=1480741&postcount=26
    3)
    https://www.wilderssecurity.com/showpost.php?p=1375378&postcount=20
    4)
    https://www.wilderssecurity.com/showpost.php?p=1304208&postcount=26
    5)
    https://www.wilderssecurity.com/showpost.php?p=1270718&postcount=2


    SteveTX VS Torbutton​


    1)
    https://www.wilderssecurity.com/showthread.php?t=214474


    SteveTX VS Sandboxie​


    1)
    https://www.wilderssecurity.com/showpost.php?p=1375378&postcount=20
    2)
    https://www.wilderssecurity.com/showpost.php?p=1416907&postcount=24
    but:
    3)
    https://www.wilderssecurity.com/showpost.php?p=1416360&postcount=8
    4)
    https://www.wilderssecurity.com/showpost.php?p=1397324&postcount=7
    5)
    https://www.wilderssecurity.com/showpost.php?p=1270718&postcount=2

    There are also others attacks which "we will be demonstrating at defcon/black hat"...

    So do you want proofs about all those stuff? ;)
    Wait December 2012 :argh:
     
  25. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    How does something like TorFox compare with paid services like xerobank? Also can I enable javascript on TorFox?
     
Thread Status:
Not open for further replies.