Re: [T(A)ILS-dev] Tor Browser Bundle config

Author: bertagaz
Date:  
To: The T(A)ILS public development discussion list
Subject: Re: [T(A)ILS-dev] Tor Browser Bundle config
On Fri, Dec 24, 2010 at 06:26:49PM +0100, intrigeri wrote:
> > * pref("browser.chrome.favicons", false);
> > * pref("browser.chrome.site_icons", false);
>
> (both should be set to true / false at the same time)
>
> Display favicons in the address bar, bookmarks menu, and in tabs. (Default)
> Load and display site icons. (Default)
>
> I wonder what are the security / privacy implications of having these
> enabled. Not downloading favicons seems to be a great way to appear
> different from other visitors. We should ask the TBB authors about this.


This might be related to the web server side, when admins did set up the
access log not to log IPs of visitors (by customizing their access log
format, not by installing libapache2_mod_removeip). Usually in this case,
Firefox browsers are still logged because by default they ask for a
favicon. If the website doesn't provide one, then every request is logged
in error.log because of the 404 error made by the browser requesting a
favicon. For that reason it sounds like a reasonable setting. Who
cares about favicon anyway? :)

> > * pref("browser.chrome.image_icons.max_size", 0);
>
> To help users differentiate between images loaded in tabs, Firefox
> sets the tab icon (and the icon in the Location Bar) to a small
> version of the image.
> If an image’s width or height is greater than this number, the default
> icon is displayed instead of a thumbnail. The default value is 1024.
> Setting it to 0 will disable image thumbnails.
>
> I also wonder why they disabled this.


Maybe if the tab icon is not a thumbnail of the image, Iceweasel tries to
request the website's favicon?

> > * pref("browser.download.manager.retention", 1);
>
> When to remove downloaded files' entries from the Download Manager
> 0: Upon successful download
> 1: When the browser exits
> 2 (default): Manually
>
> TBB's configuration seems great and worth being stolen in T(A)ILS but
> doesn't Torbutton already do this?


Not sure about this. 0 would sound better to me if Torbutton did not.

> > * pref("browser.privatebrowsing.autostart", true);
>
> Firefox' so-called private browsing mode is documented here:
> https://wiki.mozilla.org/Firefox3.1/PrivateBrowsing/SecurityReview
>
> I am not sure how enabling this interacts with Torbutton.


Not sure either. I'm wondering if private mode bypasses any installed
extensions/plugins.

> > * pref("browser.sessionstore.privacy_level", 2);
>
> http://kb.mozillazine.org/Browser.sessionstore.privacy_level
>
> 0 = Store extra session data for any site.
> 1 = Store extra session data for unencrypted (non-HTTPS) sites only. (Default)
> 2 = Never store extra session data.
>
> Seems to me Torbutton already does this, doesn't it?


Sure, but maybe it's still good to set that up.

Anyway, I guess it could be a good thing to interact with TBBT author, and
these unresolved questions might be a good start.

bert.
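
The server-side effect described in the reply above, as an added example that is not part of the original message: a small audit an admin could run to confirm that an access log stripped of client addresses is still undermined by favicon 404 entries in error.log. The log lines are constructed samples, and the error log layout assumed is Apache 2.2's default (`[client <addr>] File does not exist: <path>`).

```python
import re
from collections import Counter

# Constructed sample data (not from the original thread).
# Access log written with a customized format that omits the client address,
# for instance: LogFormat "%t \"%r\" %>s %b" noip   (assumed configuration)
ACCESS_LOG = """\
[24/Dec/2010:18:30:01 +0100] "GET / HTTP/1.1" 200 5120
[24/Dec/2010:18:30:01 +0100] "GET /favicon.ico HTTP/1.1" 404 209
[24/Dec/2010:18:31:12 +0100] "GET /about.html HTTP/1.1" 200 2048
[24/Dec/2010:18:31:12 +0100] "GET /favicon.ico HTTP/1.1" 404 209
"""

# Error log in the assumed Apache 2.2 layout, which still records the client.
ERROR_LOG = """\
[Fri Dec 24 18:30:01 2010] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
[Fri Dec 24 18:31:12 2010] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
[Fri Dec 24 18:32:40 2010] [notice] caught SIGTERM, shutting down
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ERR_CLIENT = re.compile(
    r"\[client (?P<addr>[^\]\s]+)\] File does not exist: (?P<path>\S+)"
)

def addresses_in_access_log(text):
    """Return IPv4-looking strings found in the access log (expected: none)."""
    return sorted(set(IPV4.findall(text)))

def favicon_leaks(text):
    """Count, per client address, missing-favicon errors in the error log."""
    hits = Counter()
    for line in text.splitlines():
        m = ERR_CLIENT.search(line)
        if m and m.group("path").endswith("/favicon.ico"):
            hits[m.group("addr")] += 1
    return hits

if __name__ == "__main__":
    print("addresses in access log:", addresses_in_access_log(ACCESS_LOG))
    for addr, count in favicon_leaks(ERROR_LOG).items():
        print(f"error.log still records {addr}: {count} favicon request(s)")
```
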