Commit 1b1189b4 authored by Tails developers

doc: Rewrite the Iceweasel page

parent 08743df3
......@@ -30,27 +30,3 @@ mind, then Tails might be just what you need.
Moreover, just like with a postcard, any information traveling on the
Internet can be read by many computers that relay them.
# <a name="how"></a>How does Tails provide with anonymity?
**FIXME**: This still needs to be rescued somewhere:
Furthermore, most software bundled with Tails will warn you when
your previously encrypted connection switches to unencrypted mode: be
careful!
At last, some applications have features and services that may
compromise the anonymity offered by the Tor network. All modern web
browsers, such as Firefox, support
[JavaScript](http://en.wikipedia.org/wiki/Javascript), [Adobe
Flash](http://en.wikipedia.org/wiki/Adobe_flash),
[Cookies](http://en.wikipedia.org/wiki/HTTP_cookie) and other services
which have been shown to be able to defeat the anonymity provided by
the Tor network.
When running Iceweasel (Firefox) in Tails all such features are
handled by an extension called
[Torbutton](https://www.torproject.org/torbutton/) which does all
sorts of things to prevent the above type of attacks. But that comes
at a price – since this will disable some functionalitys, some sites
might not work as intended.
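Review bot: The warning in the removed FIXME block ("most software bundled with Tails will warn you when your previously encrypted connection switches to unencrypted mode: be careful!") is dropped here and does not reappear in the rewritten Iceweasel text in this commit, even though the FIXME said it still needed to be rescued. The JavaScript/Flash/cookies and Torbutton paragraphs are carried over to the new Torbutton section, so only that sentence is lost; either move it into the HTTPS Encryption section of the new page or state in the commit message that it was dropped on purpose. The `how` anchor on the heading kept as context was the target of the old page's `[earlier](#how)` link, which the rewrite removes, so it is worth checking whether anything still links to it.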
[[!meta title="Browsing the web with IceWeasel"]]
IceWeasel is an unbranded version of Mozilla Firefox webbrowser.
Given Mozilla Firefox's popularity many of you have
probably used it before. Its user interface is like any other modern
web browser, but there are a few things we want to mention, some that
are special with this particular installation. Do you remember what we
said [earlier](#how) about end-to-end encryption and its importance
while using Tor? Here is how it looks in Firefox when you are using a
secure, end-to-end encrypted connection:
**FIXME** dead link I think
## SSL/TLS Encryption
<center><a href="ff-ssl.jpg"><img border="0" height="311"
src="ff-ssl.jpg" width="404" /></a></center>
Notice the locks in the status bar and address bar (the latter which
also has turned yellowish) and that the address begins with
"http**s**://" – these are the indicators that a secure connection
using [SSL](http://en.wikipedia.org/wiki/Secure_Sockets_Layer) is
being used. You should try to only use services that use secure
connections when you are required to send sensitive information (like
passwords), otherwise its very easy for an eavesdropper to steal
whatever information you are sending. In this case what we are trying
to do is logging in on an email account at
[lavabit](http://lavabit.com/), using their [webmail
interface](https://lavabit.com/apps/webmail/src/login.php). Let us
proceed with logging in there so we can see how it is possible to send
end-to-end encrypted email with any webmail service out there with the
nifty [FireGPG](http://getfiregpg.org/) extension.
## Email encryption using FireGPG
**FIXME**: move this item to OpenGPG encryption paragraph?
<center><a href="ff-compose-1.jpg"><img border="0" height="311"
src="ff-compose-1.jpg" width="404" /></a></center>
Here we have written a silly email to Bob, mentioning stuff like
"public" and "private" keys. If you do not know what this means but
are interested in sending encrypted email, we suggest you take
yourself some time and read up on [public key
cryptography](http://en.wikipedia.org/wiki/Public_key_cryptography)
and [PGP](http://en.wikipedia.org/wiki/Pretty_Good_Privacy) just to
get the basic concepts.
What we will do next is first selecting all of the text in the message
(by using the mouse or simply pressing Ctrl + A) and then
right-clicking somewhere on the selected text. This will make the
usual Firefox context menu appear, which has a FireGPG entry that we
are interested in. Clicking it will expand the following menu:
<center><a href="ff-firegpg.jpg"><img border="0" height="137"
src="ff-firegpg.jpg" width="96" /></a></center>
In the menu we choose "Sign and encrypt" and we get a dialogue asking
us to select the public key to encrypt it with (Bob's) and the private
key to sign it with (your). After doing this the message is only
readable by Bob, and in addition Bob will be able to verify that the
message was in fact written by you. The signed and encrypted text will
look something like this:
<center><a href="ff-compose-2.jpg"><img border="0" height="311"
src="ff-compose-2.jpg" width="404" /></a></center>
At this stage we are ready to press send. When Bob receives this email
he can also use FireGPG to decrypt it in a very similar way – he will
just have to select the encrypted message and then use the FireGPG
menu to choose "Verify" or "Decrypt", or both. This can be done with
any so-called PGP block. There is one important limitation in FireGPG,
though. It cannot generate new keys, so you will have to use another
application for that. We recommend using the [GNU Privacy
Assistant](#gpa), found under the "Utilities" section of the K menu,
or [KPGP](#kpgp), found in the "Utilities -&gt; PIM" section.
**FIXME** I think that's not the today tool to create new keys
## Torbutton
Returning to web browsing again we need to do something about the
problems with JavaScript, cookies and Adobe Flash that you might
remember from an earlier section. To deal with these problems we use
an extension called [Torbutton](https://www.torproject.org/torbutton/)
which is specifically designed for dealing with them (and other
things) for Firefox in combination with Tor. Torbutton can be either
switched on or off, indicated by "Tor enabled" and "Tor disabled" in
the Firefox status bar in the bottom right of its window. It should be
noted that these labels are a bit misleading for Tails users as Tor
cannot be switched off. So, in our case "Tor enabled" means that
Torbutton will disable a lot of stuff that could harm anonymity, and
"Tor disabled" simply means that you only get Tor and no additional
protection. As such, you should only disable Torbutton for sites that
you trust.
But why would you ever disable Torbutton? Well, while it is enabled
some sites might not work as you expect them to since certain features
are disabled or will behave differently. For example, the popular
video service [youtube](http://www.youtube.com/) will not work
properly as you can see here when we are trying to watch [this
clip](http://www.youtube.com/watch?v=XIDxDMwwlsw):
**FIXME** bad example, for youtube we should recommand the video-download utility.
<center><a href="ff-youtube-1.jpg"><img border="0" height="311"
src="ff-youtube-1.jpg" width="404" /></a></center>
In order to get the video player to show up, we will have to disable
Torbutton by clicking its panel in the Firefox status bar. Normally
this would disable the use of Tor completely, but as we have mentioned
earlier, nothing escapes Tor while running Tails so your connection
will still be anonymized. However, you will have to trust that Google
(the current owner of youtube) is not doing anything fishy with all
their JavaScripts, the Flash-based video player etc. that could break
your anonymity.
After disabling Torbutton we can finally learn how onion routing (the
technique used by the Tor network) works from the guys in the TV
series Numb3rs!
<center><a href="ff-youtube-2.jpg"><img border="0" height="311"
src="ff-youtube-2.jpg" width="404" /></a></center>
If you are reading this document as a local file in Tails (which is
the case if the address begins with file://) you might have noticed
that all links that point outside of this document do not work. This
is also due to Torbutton since it is possible for others to steal any
file from you otherwise. In order to visit them you will need to
disable Torbutton and reload the page in a new tab. Indeed there are a
few more oddities related to toggling Torbutton on and off. If a web
site does not work as expected after toggling Torbutton you might have
to do any of the following to get it to work:
* Press the "Refresh" button in the navigation bar, or imply use the
F5 keyboard short cut.
* Click the address field and press ENTER.
* Open a new tab and re-enter (or copy and paste) the address into the
address field of the new tab and then press ENTER.
This is a security feature, also used for separating the different
states in Firefox, which otherwise could lead to trouble (arguably a
bit less so for Tails users).
As we hope you understand by now, there are reasons for all these
quirks, and while they might be annoying we hope you will learn to
cope with them. If not, feel free to disable Torbutton and never use
it again, but in that case you should expect much less anonymity and
security. There have been several demonstration of uncovering the true
identities of Firefox users using Tor, but to the authors' knowledge
Torbutton protects you against all of them.
[[!meta title="Browsing the web with Iceweasel"]]
[[!img iceweasel/mozicon128.png link=no alt="Iceweasel icon"]]
Iceweasel is an unbranded version of the [[Mozilla
Firefox|http://www.mozilla.com/firefox/]] web browser. Given its popularity many
of you have probably used it before and its user interface is like any other
modern web browser.
Here are a few things worth mentioning in the context of Tails.
[[!toc levels=2]]
HTTPS Encryption
================
<!--
Do you remember what we said earlier about end-to-end encryption and its
importance while using Tor?
**FIXME** link to documentation about end-to-end encryption
-->
For example, here is how the browser looks like when we try to log in an email
account at [lavabit.com](http://lavabit.com/), using their [webmail
interface](https://lavabit.com/apps/webmail/src/login.php):
[[!img doc/anonymous_internet/iceweasel/lavabit.png link=no alt="Tails browser"]]
Notice the small area on the left of the address bar saying "lavabit.com" on a
blue background and the address beginning with "https://" (instead of
"http://"):
[[!img iceweasel/address-bar.png link=no alt="address bar showing 'lavabit.com'
/ 'https://lavabit.com/'"]]
These are the indicators that an encrypted connection using [[!wikipedia HTTPS]]
is being used.
You should try to only use services providing HTTPS when you are sending or
retrieving sensitive information (like passwords), otherwise its very easy for
an eavesdropper to steal whatever information you are sending or to modify the
content of a page on its way to your browser.
HTTPS Everywhere
================
[[!img https-everywhere.jpg link=no alt="HTTPS Everywhere logo"]]
[HTTPS Everywhere](https://www.eff.org/https-everywhere) is a Firefox extension
shipped in Tails and produced as a collaboration between [The Tor
Project](https://torproject.org/) and the [Electronic Frontier
Foundation](https://eff.org/). It encrypts your communications with a number of
major websites. Many sites on the web offer some limited support for encryption
over HTTPS, but make it difficult to use. For instance, they may default to
unencrypted HTTP, or fill encrypted pages with links that go back to the
unencrypted site. The HTTPS Everywhere extension fixes these problems by
rewriting all requests to these sites to HTTPS.
To learn more about HTTPS Everywhere you can see:
- the [HTTPS Everywhere homepage](https://www.eff.org/https-everywhere)
- the [HTTPS Everywhere FAQ](https://www.eff.org/https-everywhere/faq/)
Torbutton
=========
Tor alone is not enough to protect your anonymity and privacy while browsing the
web. All modern web browsers, such as Firefox, support [[!wikipedia
JavaScript]], [[!wikipedia Adobe_Flash]], [[!wikipedia HTTP_cookie
desc="cookies"]] and other services which have been shown to be able to defeat
the anonymity provided by the Tor network.
In Tails all such features are handled from inside the browser by an extension
called [Torbutton](https://www.torproject.org/torbutton/) which does all sorts
of things to prevent the above type of attacks. But that comes at a price: since
this will disable some functionalities and some sites might not work as
intended.
To learn more about Torbutton you can see:
- [the Torbutton homepage](https://www.torproject.org/torbutton/)
- [the Torbutton
FAQ](https://www.torproject.org/torbutton/torbutton-faq.html.en)
Protection against dangerous JavaScript
=======================================
Having all JavaScript disabled by default would disable a lot of harmless and
possibly useful JavaScript and render unusable many websites.
That's why **JavaScript is enabled by default** in Tails.
But we rely on Torbutton to **disable all potentially dangerous JavaScript**.
We consider this as a necessary compromise between security and usability and as
of today we are not aware of any JavaScript that would compromise Tails
anonymity.
For more technical details you can refer to the [Torbutton design
document](https://www.torproject.org/torbutton/en/design/).
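Review bot: In the new Torbutton section, "But that comes at a price: since this will disable some functionalities and some sites might not work as intended." is a fragment, because the "since" clause never reaches a main clause; suggest "But that comes at a price: this will disable some functionalities, and some sites might not work as intended." In the HTTPS Encryption section the introductory sentence sits inside the HTML comment together with its FIXME, so the rendered text opens with "For example, here is how the browser looks like" with nothing to be an example of; reword it to stand alone ("Here is what the browser looks like when we try to log in to an email account ...") and fix "otherwise its very easy" to "it's". In the JavaScript section, "as of today we are not aware of any JavaScript that would compromise Tails anonymity" will go stale without a date or version next to it, and the rewrite no longer carries the old page's advice to disable Torbutton only for sites you trust, so a reader whose site breaks gets no guidance on what to do.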