Security notes

From JonDonym Wiki
(copied some info from DE)
Line 1: Line 1:
 
<iimg>[[Security notes]]![[Image:en2.png]]</iimg><iimg>[[Sicherheitshinweise]]![[Image:de2.png]]</iimg>&nbsp;[[Main_Page|Main Page (en)]] | [[tips and tricks|Information for JonDonym users]]
 
<iimg>[[Security notes]]![[Image:en2.png]]</iimg><iimg>[[Sicherheitshinweise]]![[Image:de2.png]]</iimg>&nbsp;[[Main_Page|Main Page (en)]] | [[tips and tricks|Information for JonDonym users]]
 +
 
== Security notes for anonymous web surfing ==
 
== Security notes for anonymous web surfing ==
 +
 
=== General notes about secure and anonymous web surfing  ===
 
=== General notes about secure and anonymous web surfing  ===
  
Line 15: Line 17:
  
 
=== Enforce HTTPS websites list ===
 
=== Enforce HTTPS websites list ===
Many websites you can access encrypted with HTTPS. The Firefox addon NoScript contains an ''Enforce HTTPS implementation''. Here we provide an expansible list of domains you can include in the [http://anonymous-proxy-servers.net/en/help/jondofox2.html#noscript_ssl NoSript Enforce HTTPS configuration].
+
 
 +
You can access many websites with encrypted HTTPS connections, besides the default plain HTTP. The Firefox addon '''NoScript''' contains an '''Enforce HTTPS implementation'''. Here we provide an expansible list of domains you can include in the [http://anonymous-proxy-servers.net/en/help/jondofox2.html#noscript_ssl NoSript Enforce HTTPS configuration].
  
 
'''E-mail communication:'''
 
'''E-mail communication:'''
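Review bot: the rewritten paragraph that begins "You can access many websites" still carries the misspelled link label "NoSript Enforce HTTPS configuration" from the old revision; it should read "NoScript". In the same line, "expansible" would read better as "expandable", and "besides the default plain HTTP" is clearer as "instead of the default plain HTTP".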
Line 106: Line 109:
  
 
Using NoScript Enforce HTTPS is easy to configure. But a complex rule for URL rewrite is not possible. It can only replace HTTP with HTTPS. For complex URL rewriting you may use the firefox addon [https://www.eff.org/https-everywhere HTTPSEverywhere]. A large ruleset for this addon ist online at [https://gitweb.torproject.org/https-everywhere.git/tree/HEAD:/src/chrome/content/rules collection of compatible domains for HTTPSEverywhere]. Download XML files of the rules you need and safe it in the subdirectory ''HTTPSEverywhereUserRules'' in your Firefox profil folder. Afterwards you have to restart Firefox.
 
Using NoScript Enforce HTTPS is easy to configure. But a complex rule for URL rewrite is not possible. It can only replace HTTP with HTTPS. For complex URL rewriting you may use the firefox addon [https://www.eff.org/https-everywhere HTTPSEverywhere]. A large ruleset for this addon ist online at [https://gitweb.torproject.org/https-everywhere.git/tree/HEAD:/src/chrome/content/rules collection of compatible domains for HTTPSEverywhere]. Download XML files of the rules you need and safe it in the subdirectory ''HTTPSEverywhereUserRules'' in your Firefox profil folder. Afterwards you have to restart Firefox.
 +
 +
=== EMET ===
 +
 +
The EMET tool allows to reduce risks of MS applications.
 +
 +
[https://www.microsoft.com/download/en/details.aspx?id=1677 Download EMET]
 +
 +
=== Optimize Foxit PDF Reader security ===
 +
 +
Download PDF Foxit Reader: [https://www.foxitsoftware.com/ FOXIT-PDF-READER]
 +
 +
Disable '''JavaScript'''
 +
 +
Enable '''Trust Manager'''
 +
 +
Disable '''Create Link from URL''' and '''Screen word-capturing'''
  
 
=== Secure PDF documents: harden Adobe Acrobat against attacks ===
 
=== Secure PDF documents: harden Adobe Acrobat against attacks ===
Using Edit->Preferences (key combination: Strg+K), you should disable various functions of your Adobe Reader in order to secure it against hackers.
+
 
 +
Using Edit->Preferences (key combination: Ctl+K), you should disable various functions of your Adobe Reader in order to secure it against hackers.
  
 
Multimedia Trust must not be allowed (prevents direct IP connections):
 
Multimedia Trust must not be allowed (prevents direct IP connections):
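Review bot: the new EMET section consists only of "The EMET tool allows to reduce risks of MS applications." and a download link, so a reader learns nothing about what to configure; it needs at least the kind of setting list the new Foxit section has. The three Foxit settings are added as separate bare lines and would be easier to follow as a bullet list. In the Adobe paragraph the shortcut changes from "Strg+K" to "Ctl+K"; the usual English key label is "Ctrl+K".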

Revision as of 06:21, 31 March 2012


Security notes for anonymous web surfing

General notes about secure and anonymous web surfing

If you surf the web via JonDo using JonDoFox, your IP address and the characteristics of your browser are anonymized. You should nevertheless pay attention to the following notes while surfing, because otherwise JonDonym cannot protect you:

  • If possible, enter personal data on web sites only if they are secured by HTTPS. For these sites, JonDoFox shows a blue or green bar within the address bar.
  • If possible, enter your correct personal data only if you want to order a physical product. In all other cases you should use imagined identities, and do not use login names more than once.
  • Use different, randomly generated and preferably long passwords for each web service. You may use password programs like KeePass to generate identities and passwords automatically and save them securely.
  • Avoid Flash and Java applications. Download web videos instead of viewing them directly in your browser.
  • Most attacks from the web use modified PDF documents. Do not display PDF documents in your browser. Use an external application like the PDF viewers recommended by PDFreaders.org. From time to time these viewers have security bugs too, so keep your reader up to date.
  • Do not use Adobe Acrobat, or if you have to use it, apply the settings for Acrobat Reader given in these security notes.
  • Allow JavaScript only if you really need it.
  • Allow cookies only temporarily. Do not use Google search if you have accepted cookies for Googlemail.

Enforce HTTPS websites list

You can access many websites over encrypted HTTPS connections instead of the default plain HTTP. The Firefox addon NoScript contains an Enforce HTTPS implementation. Here we provide an expandable list of domains you can include in the NoScript Enforce HTTPS configuration.

E-mail communication:

anonbox.net
www.awxcnx.de
certified.privnote.com
www.cotse.net
privacybox.de
riseup.net
aikq.de
emkei.cz
safe-mail.net
*.safe-mail.net
mail.yahoo.com
login.yahoo.com
*.bc.yahoo.com

Information about privacy on the web:

anonymous-proxy-servers.net
www.anonym-surfen.de
www.datenschutzzentrum.de
*.eff.org
www.privacyfoundation.de
www.torproject.org
www.vorratsdatenspeicherung.de
wiki.vorratsdatenspeicherung.de

Press:

www.aftenposten.no
derstandard.at
www.economist.com
www.faz.net
www.nytimes.com
www.taz.de
taz.de
blogs.taz.de
www.washingtonpost.com
voices.washingtonpost.com
www.securityweek.com

Blogs:

*.wordpress.com
blog.fefe.de
www.lawblog.de
www.netzpolitik.org
www.schneier.com
scusiblog.org

NGOs:

www.accessnow.org
www.amnesty.org
www.democracynow.org
www.who.int

Social Media:

flattr.com
api.flattr.com
twitpic.com
twitter.com
*.twitter.com
t.co
www.xing.com
www.studivz.net
www.facebook.com
m.facebook.com
ssl.facebook.com
login.facebook.com
developers.facebook.com

Software:

www.computerworld.com
www.i2p2.de
www.isc.org
www.macworld.com
www.phpbb.de
ubuntuone.com

Other:

wuala.com
*.wuala.com
wiki.openstreetmap.org

YouTube:

s.ytimg.com
i.ytimg.com
i1.ytimg.com
i2.ytimg.com
i3.ytimg.com
i4.ytimg.com

NoScript Enforce HTTPS is easy to configure, but it cannot express complex URL rewrite rules: it can only replace HTTP with HTTPS. For complex URL rewriting you may use the Firefox addon HTTPSEverywhere. A large ruleset for this addon is available online as a collection of compatible domains for HTTPSEverywhere. Download the XML files of the rules you need and save them in the subdirectory HTTPSEverywhereUserRules in your Firefox profile folder. Afterwards you have to restart Firefox.
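The difference between a plain scheme swap and an HTTPSEverywhere rewrite rule, shown as an added example that is not part of the original wiki page or of either addon: it parses a ruleset XML file before you install it, refuses rules that do not rewrite to https://, and shows what each rule would do to a URL. The example.org hosts, the sample ruleset and the function names are constructed for illustration, and the host wildcard matching is an approximation.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample ruleset; example.org and its hosts are placeholders.
SAMPLE_RULESET = r"""
<ruleset name="Example (constructed)">
  <target host="example.org" />
  <target host="*.example.org" />
  <exclusion pattern="^http://www\.example\.org/legacy/" />
  <rule from="^http://(?:www\.)?example\.org/" to="https://www.example.org/" />
  <rule from="^http://cdn\.example\.org/(.*)" to="https://secure.example.org/cdn/$1" />
</ruleset>
"""

def load_ruleset(xml_text):
    """Parse a ruleset; refuse any rule whose destination is not https://."""
    root = ET.fromstring(xml_text)
    hosts = [t.attrib["host"] for t in root.findall("target")]
    exclusions = [re.compile(x.attrib["pattern"]) for x in root.findall("exclusion")]
    rules = []
    for rule in root.findall("rule"):
        src, dst = rule.attrib["from"], rule.attrib["to"]
        if not dst.startswith("https://"):
            raise ValueError(f"rule destination is not HTTPS: {dst!r}")
        # JavaScript-style $1 back-references become Python's \g<1>.
        rules.append((re.compile(src), re.sub(r"\$(\d)", r"\\g<\1>", dst)))
    return hosts, exclusions, rules

def rewrite(url, ruleset):
    """Return the URL the ruleset would produce, or the URL unchanged."""
    hosts, exclusions, rules = ruleset
    host = urlsplit(url).hostname or ""
    # Assumption: fnmatch approximates the wildcard matching of <target host>.
    if not any(fnmatchcase(host, h) for h in hosts):
        return url
    if any(x.search(url) for x in exclusions):
        return url
    for pattern, template in rules:
        new_url, count = pattern.subn(template, url, count=1)
        if count:
            return new_url  # first matching rule wins
    return url

if __name__ == "__main__":
    for u in ("http://example.org/a", "http://cdn.example.org/img/x.png"):
        print(u, "->", rewrite(u, load_ruleset(SAMPLE_RULESET)))
```

The second rule moves the request to a different host and path, which a pure HTTP-to-HTTPS replacement cannot do.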

EMET

The EMET tool makes it possible to reduce the risks of MS applications.

Download EMET: https://www.microsoft.com/download/en/details.aspx?id=1677

Optimize Foxit PDF Reader security

Download Foxit PDF Reader: https://www.foxitsoftware.com/

Disable JavaScript

Enable Trust Manager

Disable Create Link from URL and Screen word-capturing

Secure PDF documents: harden Adobe Acrobat against attacks

Using Edit->Preferences (key combination: Ctrl+K), you should disable various functions of your Adobe Reader in order to secure it against hackers.

Multimedia Trust must not be allowed (prevents direct IP connections):

[Image: Adobe multimedia.png]

JavaScript must be deactivated (prevents hacker attacks):

[Image: Adobe javascript.png]

Internet: forbid displaying PDFs in the browser (prevents direct IP connections):

[Image: Adobe internet.png]

Trust Manager: forbid opening external applications (prevents hacker attacks):

[Image: Acrobat executable en.png]
