[[!meta title="Browsing the web with IceWeasel"]]

IceWeasel is an unbranded version of the Mozilla Firefox web browser.
Given Mozilla Firefox's popularity, many of you have
probably used it before. Its user interface is like any other modern
web browser, but there are a few things we want to mention, some of
which are specific to this particular installation. Do you remember what we
said [earlier](#how) about end-to-end encryption and its importance
while using Tor? Here is how it looks in Firefox when you are using a
secure, end-to-end encrypted connection:

**FIXME** dead link I think

## SSL/TLS Encryption

<center><a href="ff-ssl.jpg"><img border="0" height="311"
src="ff-ssl.jpg" width="404" /></a></center>

Notice the locks in the status bar and address bar (the latter of
which has also turned yellowish) and that the address begins with
"http**s**://" – these are the indicators that a secure connection
using [SSL](http://en.wikipedia.org/wiki/Secure_Sockets_Layer) is
being used. You should try to only use services that use secure
connections when you are required to send sensitive information (like
passwords), otherwise it's very easy for an eavesdropper to steal
whatever information you are sending. In this case we are trying
to log in to an email account at
[lavabit](http://lavabit.com/), using their [webmail
interface](https://lavabit.com/apps/webmail/src/login.php). Let us
proceed with logging in there so we can see how it is possible to send
end-to-end encrypted email with any webmail service out there with the
nifty [FireGPG](http://getfiregpg.org/) extension.

## Email encryption using FireGPG

**FIXME**: move this item to OpenGPG encryption paragraph?

<center><a href="ff-compose-1.jpg"><img border="0" height="311"
src="ff-compose-1.jpg" width="404" /></a></center>

Here we have written a silly email to Bob, mentioning stuff like
"public" and "private" keys. If you do not know what this means but
are interested in sending encrypted email, we suggest you take
some time and read up on [public key
cryptography](http://en.wikipedia.org/wiki/Public_key_cryptography)
and [PGP](http://en.wikipedia.org/wiki/Pretty_Good_Privacy) just to
get the basic concepts.

Next, we select all of the text in the message
(by using the mouse or simply pressing Ctrl + A) and then
right-click somewhere on the selected text. This will make the
usual Firefox context menu appear, which has a FireGPG entry that we
are interested in. Clicking it will expand the following menu:

<center><a href="ff-firegpg.jpg"><img border="0" height="137"
src="ff-firegpg.jpg" width="96" /></a></center>

In the menu we choose "Sign and encrypt" and we get a dialogue asking
us to select the public key to encrypt it with (Bob's) and the private
key to sign it with (yours). After doing this the message is only
readable by Bob, and in addition Bob will be able to verify that the
message was in fact written by you. The signed and encrypted text will
look something like this:

<center><a href="ff-compose-2.jpg"><img border="0" height="311"
src="ff-compose-2.jpg" width="404" /></a></center>

At this stage we are ready to press send. When Bob receives this email
he can also use FireGPG to decrypt it in a very similar way – he will
just have to select the encrypted message and then use the FireGPG
menu to choose "Verify" or "Decrypt", or both. This can be done with
any so-called PGP block. There is one important limitation in FireGPG,
though. It cannot generate new keys, so you will have to use another
application for that. We recommend using the [GNU Privacy
Assistant](#gpa), found under the "Utilities" section of the K menu,
or [KPGP](#kpgp), found in the "Utilities -&gt; PIM" section.
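
The "PGP blocks" mentioned above are ASCII-armored text as defined in RFC 4880, and a block that was re-wrapped or truncated on its way through a webmail form will fail to decrypt or verify. The following sketch is an added example, not part of FireGPG or Tails: it finds armored blocks in pasted text and checks their CRC-24 armor checksum. The function names and sample payloads are constructed for illustration, and a block without a checksum line is treated as damaged (an assumption of this example; the RFC makes the checksum optional).

```python
import base64
import re

# "MESSAGE" is what sign-and-encrypt produces; "SIGNATURE" ends a clearsigned text.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP (MESSAGE|SIGNATURE)-----\r?\n(.*?)\r?\n-----END PGP \1-----",
    re.DOTALL,
)

def crc24(data: bytes) -> int:
    """CRC-24 as specified for OpenPGP armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(kind: str, payload: bytes) -> str:
    """Build an armored block; used here only to create constructed samples."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", "", *lines,
                      "=" + check, f"-----END PGP {kind}-----"])

def find_pgp_blocks(text: str):
    """Return (kind, checksum_ok) for every armored block found in text."""
    found = []
    for match in ARMOR_RE.finditer(text):
        kind, inner = match.group(1), match.group(2).replace("\r", "")
        # Armor headers such as "Version:" end at the first blank line.
        data = ("\n" + inner).partition("\n\n")[2]
        lines = [ln.strip() for ln in data.split("\n") if ln.strip()]
        ok = False
        if lines and lines[-1].startswith("=") and len(lines[-1]) == 5:
            try:
                payload = base64.b64decode("".join(lines[:-1]), validate=True)
                stored = base64.b64decode(lines[-1][1:], validate=True)
                ok = crc24(payload) == int.from_bytes(stored, "big")
            except ValueError:  # malformed base64 in body or checksum
                ok = False
        found.append((kind, ok))
    return found

if __name__ == "__main__":
    sample = "Hi Bob,\n" + armor("MESSAGE", b"constructed ciphertext" * 6)
    print(find_pgp_blocks(sample))
```

The checksum only detects accidental damage to the armor; authenticity still comes from verifying the signature itself.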

**FIXME** I think that's not the today tool to create new keys

## Torbutton

Returning to web browsing again we need to do something about the
problems with JavaScript, cookies and Adobe Flash that you might
remember from an earlier section. To deal with these problems we use
an extension called [Torbutton](https://www.torproject.org/torbutton/)
which is specifically designed for dealing with them (and other
things) for Firefox in combination with Tor. Torbutton can be either
switched on or off, indicated by "Tor enabled" and "Tor disabled" in
the Firefox status bar in the bottom right of its window. It should be
noted that these labels are a bit misleading for Tails users as Tor
cannot be switched off. So, in our case "Tor enabled" means that
Torbutton will disable a lot of stuff that could harm anonymity, and
"Tor disabled" simply means that you only get Tor and no additional
protection. As such, you should only disable Torbutton for sites that
you trust.

But why would you ever disable Torbutton? Well, while it is enabled
some sites might not work as you expect them to since certain features
are disabled or will behave differently. For example, the popular
video service [youtube](http://www.youtube.com/) will not work
properly as you can see here when we are trying to watch [this
clip](http://www.youtube.com/watch?v=XIDxDMwwlsw):

**FIXME** bad example, for youtube we should recommend the video-download utility.

<center><a href="ff-youtube-1.jpg"><img border="0" height="311"
src="ff-youtube-1.jpg" width="404" /></a></center>

In order to get the video player to show up, we will have to disable
Torbutton by clicking its panel in the Firefox status bar. Normally
this would disable the use of Tor completely, but as we have mentioned
earlier, nothing escapes Tor while running Tails so your connection
will still be anonymized. However, you will have to trust that Google
(the current owner of youtube) is not doing anything fishy with all
their JavaScripts, the Flash-based video player etc. that could break
your anonymity.

After disabling Torbutton we can finally learn how onion routing (the
technique used by the Tor network) works from the guys in the TV
series Numb3rs!

<center><a href="ff-youtube-2.jpg"><img border="0" height="311"
src="ff-youtube-2.jpg" width="404" /></a></center>

If you are reading this document as a local file in Tails (which is
the case if the address begins with file://) you might have noticed
that all links that point outside of this document do not work. This
is also due to Torbutton since it is possible for others to steal any
file from you otherwise. In order to visit them you will need to
disable Torbutton and reload the page in a new tab. Indeed there are a
few more oddities related to toggling Torbutton on and off. If a web
site does not work as expected after toggling Torbutton you might have
to do any of the following to get it to work:

* Press the "Refresh" button in the navigation bar, or simply use the
  F5 keyboard shortcut.
* Click the address field and press ENTER.
* Open a new tab and re-enter (or copy and paste) the address into the
  address field of the new tab and then press ENTER.

This is a security feature, also used for separating the different
states in Firefox, which otherwise could lead to trouble (arguably a
bit less so for Tails users).

As we hope you understand by now, there are reasons for all these
quirks, and while they might be annoying we hope you will learn to
cope with them. If not, feel free to disable Torbutton and never use
it again, but in that case you should expect much less anonymity and
security. There have been several demonstrations of uncovering the true
identities of Firefox users using Tor, but to the authors' knowledge
Torbutton protects you against all of them.