Security notes
(copied some info from DE)
Line 1: | Line 1: | ||
<iimg>[[Security notes]]![[Image:en2.png]]</iimg><iimg>[[Sicherheitshinweise]]![[Image:de2.png]]</iimg> [[Main_Page|Main Page (en)]] | [[tips and tricks|Information for JonDonym users]] | <iimg>[[Security notes]]![[Image:en2.png]]</iimg><iimg>[[Sicherheitshinweise]]![[Image:de2.png]]</iimg> [[Main_Page|Main Page (en)]] | [[tips and tricks|Information for JonDonym users]] | ||
+ | |||
== Security notes for anonymous web surfing == | == Security notes for anonymous web surfing == | ||
+ | |||
=== General notes about secure and anonymous web surfing === | === General notes about secure and anonymous web surfing === | ||
Line 15: | Line 17: | ||
=== Enforce HTTPS websites list === | === Enforce HTTPS websites list === | ||
− | + | ||
+ | You can access many websites with encrypted HTTPS connections, besides the default plain HTTP. The Firefox addon '''NoScript''' contains an '''Enforce HTTPS implementation'''. Here we provide an expansible list of domains you can include in the [http://anonymous-proxy-servers.net/en/help/jondofox2.html#noscript_ssl NoSript Enforce HTTPS configuration]. | ||
'''E-mail communication:''' | '''E-mail communication:''' | ||
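Review bot: In the paragraph added under "Enforce HTTPS websites list", the link text reads "NoSript Enforce HTTPS configuration"; it should be "NoScript", matching the bolded add-on name earlier in the same sentence. "expansible list" would read better as "extensible list". The help link itself is given as plain http:// in a section about enforcing HTTPS, so switch it to https:// if the host serves that page over HTTPS.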
Line 106: | Line 109: | ||
Using NoScript Enforce HTTPS is easy to configure. But a complex rule for URL rewrite is not possible. It can only replace HTTP with HTTPS. For complex URL rewriting you may use the firefox addon [https://www.eff.org/https-everywhere HTTPSEverywhere]. A large ruleset for this addon ist online at [https://gitweb.torproject.org/https-everywhere.git/tree/HEAD:/src/chrome/content/rules collection of compatible domains for HTTPSEverywhere]. Download XML files of the rules you need and safe it in the subdirectory ''HTTPSEverywhereUserRules'' in your Firefox profil folder. Afterwards you have to restart Firefox. | Using NoScript Enforce HTTPS is easy to configure. But a complex rule for URL rewrite is not possible. It can only replace HTTP with HTTPS. For complex URL rewriting you may use the firefox addon [https://www.eff.org/https-everywhere HTTPSEverywhere]. A large ruleset for this addon ist online at [https://gitweb.torproject.org/https-everywhere.git/tree/HEAD:/src/chrome/content/rules collection of compatible domains for HTTPSEverywhere]. Download XML files of the rules you need and safe it in the subdirectory ''HTTPSEverywhereUserRules'' in your Firefox profil folder. Afterwards you have to restart Firefox. | ||
+ | |||
+ | === EMET === | ||
+ | |||
+ | The EMET tool allows to reduce risks of MS applications. | ||
+ | |||
+ | [https://www.microsoft.com/download/en/details.aspx?id=1677 Download EMET] | ||
+ | |||
+ | === Optimize Foxit PDF Reader security === | ||
+ | |||
+ | Download PDF Foxit Reader: [https://www.foxitsoftware.com/ FOXIT-PDF-READER] | ||
+ | |||
+ | Disable '''JavaScript''' | ||
+ | |||
+ | Enable '''Trust Manager''' | ||
+ | |||
+ | Disable '''Create Link from URL''' and '''Screen word-capturing''' | ||
=== Secure PDF documents: harden Adobe Acrobat against attacks === | === Secure PDF documents: harden Adobe Acrobat against attacks === | ||
− | Using Edit->Preferences (key combination: | + | |
+ | Using Edit->Preferences (key combination: Ctl+K), you should disable various functions of your Adobe Reader in order to secure it against hackers. | ||
Multimedia Trust must not be allowed (prevents direct IP connections): | Multimedia Trust must not be allowed (prevents direct IP connections): |
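Review bot: The new EMET section is a single sentence ("allows to reduce risks of MS applications") plus a download link, so a reader cannot act on it; say what the tool does and which applications it should be applied to. The new Foxit section lists three settings without the menu path where they are found, while the Adobe section gives Edit->Preferences, so add the equivalent path. In the changed Adobe line, "Ctl+K" should be "Ctrl+K".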
Revision as of 06:21, 31 March 2012
Security notes for anonymous web surfing
General notes about secure and anonymous web surfing
If you are surfing the web via JonDo using JonDoFox, your IP address and the characteristics of your browser are anonymized. In any case, you should pay attention to the following notes while surfing, because otherwise JonDonym is not able to protect you:
- If possible, enter personal data only on web sites that are secured by HTTPS. For these sites JonDoFox shows a blue or green bar within the address bar.
- If possible, enter your correct personal data only if you want to order a physical product. In all other cases you should use invented identities, and you should not use a login name more than once.
- Use different, randomly generated and preferably long passwords for each web service. You may use a password program like KeePass to generate identities and passwords automatically and save them securely.
- Avoid Flash and Java applications. Download web videos instead of viewing them directly in your browser.
- Most attacks from the web use modified PDF documents. Do not display PDF documents in your browser. Use an external application such as one of the PDF viewers recommended by PDFreaders.org. From time to time these viewers have security bugs too, so keep your reader up to date.
- Do not use Adobe Acrobat or, if you have to use it, follow the settings for Acrobat Reader given in these security notes.
- Allow JavaScript only if you really need it.
- Allow cookies only temporarily. Do not use Google search if you have accepted cookies for Googlemail.
Enforce HTTPS websites list
Many websites can be accessed over encrypted HTTPS connections instead of the default plain HTTP. The Firefox addon NoScript contains an Enforce HTTPS implementation. Here we provide an extensible list of domains you can include in the NoScript Enforce HTTPS configuration.
E-mail communication:
anonbox.net www.awxcnx.de certified.privnote.com www.cotse.net privacybox.de riseup.net aikq.de emkei.cz safe-mail.net *.safe-mail.net mail.yahoo.com login.yahoo.com *.bc.yahoo.com
Information about privacy on the web:
anonymous-proxy-servers.net www.anonym-surfen.de www.datenschutzzentrum.de *.eff.org www.privacyfoundation.de www.torproject.org www.vorratsdatenspeicherung.de wiki.vorratsdatenspeicherung.de
Press:
www.aftenposten.no derstandard.at www.economist.com www.faz.net www.nytimes.com www.taz.de taz.de blogs.taz.de www.washingtonpost.com voices.washingtonpost.com www.securityweek.com
Blogs:
*.wordpress.com blog.fefe.de www.lawblog.de www.netzpolitik.org www.schneier.com scusiblog.org
NGOs:
www.accessnow.org www.amnesty.org www.democracynow.org www.who.int
Social Media:
flattr.com api.flattr.com twitpic.com twitter.com *.twitter.com t.co www.xing.com www.studivz.net www.facebook.com m.facebook.com ssl.facebook.com login.facebook.com developers.facebook.com
Software:
www.computerworld.com www.i2p2.de www.isc.org www.macworld.com www.phpbb.de ubuntuone.com
Other:
wuala.com *.wuala.com wiki.openstreetmap.org
Youtube:
s.ytimg.com i.ytimg.com i1.ytimg.com i2.ytimg.com i3.ytimg.com i4.ytimg.com
NoScript Enforce HTTPS is easy to configure, but it does not support complex URL rewrite rules: it can only replace HTTP with HTTPS. For complex URL rewriting you may use the Firefox addon HTTPSEverywhere. A large ruleset for this addon is available online as a collection of compatible domains for HTTPSEverywhere. Download the XML files of the rules you need and save them in the subdirectory HTTPSEverywhereUserRules in your Firefox profile folder. Afterwards you have to restart Firefox.
EMET
The EMET tool allows you to reduce the risks of MS applications.
Optimize Foxit PDF Reader security
Download Foxit PDF Reader: FOXIT-PDF-READER
- Disable JavaScript
- Enable Trust Manager
- Disable Create Link from URL and Screen word-capturing
Secure PDF documents: harden Adobe Acrobat against attacks
Using Edit->Preferences (key combination: Ctrl+K), you should disable various functions of your Adobe Reader in order to secure it against hackers.
- Multimedia Trust must not be allowed (prevents direct IP connections).
- JavaScript must be deactivated (prevents hacker attacks).
- Internet: forbid displaying PDFs in the browser (prevents direct IP connections).
- Trust Manager: forbid opening external applications (prevents hacker attacks).