On Sun, Mar 25, 2012 at 23:15, Jacob Appelbaum <jacob@???> wrote:
> The first part of the FAQ is the most important:
>
> "Why a HTTP proxy at all?"
That part is new, and reflects the new ill-guided (in my opinion)
focus on Tor Browser Bundle. I was referring to the part that was
written by Tor developers and reflected the (objectively) ill-guided
policy of recommending usage of Polipo instead of Privoxy for years.
Just to be clear: Polipo was never any good, and Privoxy was always
good. I have been using Privoxy for over 10 years, ever since it
replaced Internet Junkbuster, and never experienced any serious
issues. Polipo, on the other hand, was always a bug-ridden annoyance
whenever I tried it. The only advantage of Polipo over Privoxy is lack
of features, and as a consequence, simpler configuration.
> It seems like your config tampers with the requests pretty heavily and
> the support of .exit should probably be disabled.
It doesn't tamper heavily with the requests. The configuration
determines the local proxy to route the request to, and rewrites two
headers to support .exit notation in URL, and two headers to be
similar to TBB, in order to make people who believe that having
uniform headers actually provides some anonymity happy. Support of
.exit should be disabled in Tor (if at all), not in Privoxy — Privoxy
just makes using .exit easier.
> I also think it is
> dangerous to support both i2p and Tor with the same privoxy config. It
> seems like it should be possible to construct a single webpage that
> attempts to link i2p and Tor usage via HTTP and thus fingerprints the
> user as using Liberté... No?
It's probably possible, but I don't think it's important. You could
probably identify specific browser versions using Javascript
peculiarities or other oddities anyway. In any case, I just referred
to Liberté's configuration as an example.
--
Maxim Kammerer
Liberté Linux (discussion / support:
http://dee.su/liberte-contribute)
