Torpark is now XeroBank Browser

July 14th, 2007 Posted by D Webber

Torpark, the customized version of Firefox for Windows that included a built-in Tor client, has been rebranded as XeroBank Browser and gone semi-commercial.

I wrote a review of the original product last year and even created an enhanced version that improved privacy protections. Now it’s time for an update to see what’s improved:

Basic configuration

When this article was written, XeroBank Browser was based on Firefox 2.0.0.4. That’s good because the previous Torpark product was stuck at 1.5.0.7 for many months, leaving users exposed to several security vulnerabilities discovered in that version of Firefox.

As with Torpark, XeroBank Browser strives to reduce info left behind on the host computer by changing the following standard Firefox config options:

DNS

As before, since Torpark has a Tor client built into the browser, no separate SOCKS proxy is needed to prevent leakage of DNS requests onto the local network. As I confirmed using tcpdump, all DNS requests are properly tunnelled out to Tor, so the local network admin cannot trace where you are browsing by capturing DNS lookups.
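One way to repeat the tcpdump check described above, as an added example that is not from the original article: the Python below scans the text output of `tcpdump -n port 53` for plaintext DNS queries, which should be absent if lookups are tunnelled. The sample capture lines, addresses and function names are constructed for illustration, and only UDP-style query lines are parsed.

```python
import re

# Capture on the machine running the browser, e.g. (interface name is a placeholder):
#   tcpdump -n -l -i <iface> port 53 > dns.txt
# Query lines printed by `tcpdump -n` look like:
#   12:00:01.000001 IP 192.168.1.10.51514 > 192.168.1.1.53: 4242+ A? example.com. (29)
QUERY_RE = re.compile(
    r"^\S+ IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.53: "
    r"\d+[+%]*\s+(?:\[[^\]]*\]\s+)?(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+)"
)

# Constructed sample: one leaked IPv4 query, its response, tunnelled TCP
# traffic to a relay-style port, and one leaked IPv6 query.
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 192.168.1.10.51514 > 192.168.1.1.53: 4242+ A? example.com. (29)",
    "12:00:01.020000 IP 192.168.1.1.53 > 192.168.1.10.51514: 4242 1/0/0 A 203.0.113.20 (45)",
    "12:00:02.000100 IP 192.168.1.10.49822 > 203.0.113.7.9001: Flags [P.], seq 1:587, ack 1, win 502, length 586",
    "12:00:03.000000 IP6 fe80::a.51515 > fe80::1.53: 7+ [1au] AAAA? tracker.example. (33)",
]


def find_dns_leaks(capture_lines):
    """Return (resolver, qtype, hostname) for each plaintext DNS query line."""
    leaks = []
    for line in capture_lines:
        m = QUERY_RE.match(line.strip())
        if m:
            leaks.append((m["dst"], m["qtype"], m["name"].rstrip(".")))
    return leaks


def leaked_hostnames(capture_lines):
    """Hostnames a local network observer could read from the capture."""
    return sorted({name for _, _, name in find_dns_leaks(capture_lines)})


if __name__ == "__main__":
    names = leaked_hostnames(SAMPLE_CAPTURE)
    if names:
        print("DNS leak: plaintext lookups for", ", ".join(names))
    else:
        print("No plaintext DNS queries in capture")
```

An empty result only covers the capture window, so browse to several new sites while tcpdump is running before treating the result as clean.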

Start page

In Torpark the browser automatically loaded www.google.com at startup, meaning you started off with several Google cookies that could be used to track you. This is fixed in XeroBank Browser: it now loads an info page at xerobank.com. Conceivably the folks at Xerobank could use this to install their own cookies so it’s still best to change this setting to start the browser with a blank page.

Flash and other plugins

The browser does not come with Flash Player installed, which is a good thing for both security and privacy. Flash can store a form of cookie that is not cleared when the browser exits. Flash can also be used to gather a great deal of other identifying information, including your actual IP address.

Java and Javascript are now both disabled by default in XeroBank… not by the Firefox options but rather by using the NoScript extension. NoScript was also included with Torpark, but was disabled by default, allowing Javascript and Java to run.

HTTP Headers

The browser seems to send exactly the same HTTP request headers as normal Firefox: http_referer, User agent, operating system info, etc. are all there. However, this time the PrefBar extension is installed with two options enabled on the toolbar: change user agent and disable loading of images. This lets you easily send a fake user agent to the web server. Providing an easy way to disable images is a nice touch… loading graphics-heavy pages through Tor can be painfully slow, so this provides a quick way to just see the text.

Though not enabled by default, PrefBar also provides a way to control sending of the http_referer header, which discloses to web site owners the previous site you were viewing before you came to their site.

The RefControl extension is better for controlling http_referer: in addition to enabling and disabling that header, RefControl allows you to forge the header to the top URL of the site you’re on, and optionally whitelist the referrer for sites you trust. Unfortunately, RefControl is not included with XeroBank Browser.

Conclusions

XeroBank Browser is an incremental improvement to the original Torpark. The default settings are much better at protecting privacy. Hopefully the product will also be kept up to date as new versions of Firefox and the Tor client are released, which Torpark unfortunately was not.

Torpark Enhanced: The shortcomings in the original Torpark were such that we created a version with better default settings and the RefControl extension and called it “Torpark Enhanced”. Now that XeroBank Browser uses the current version of Firefox and has more sensible default settings, there is no need for our enhanced version. Given the published vulnerabilities in Firefox 1.5.0.7 on which Torpark Enhanced was based, using it could even be dangerous. As such, Torpark Enhanced is no longer available for download. Instead, download XeroBank Browser and install RefControl.

Posted in Privacy

5 Responses to “Torpark is now XeroBank Browser”:

  1. SteveTopletz Says:

    We will be updating to xB Browser 2.0.0.5a today.

    Best regards,
    Steve Topletz

  2. Greg Says:

    Where can I download it… FILEFORUM gives me a site that my sysadmin has banned.

  3. Derrick Webber Says:

    @Greg:

    Not sure what FILEFORUM is, but the official download site is as stated in the article: http://xerobank.com/xB_browser.html and there are no mirror sites that I can find.

    You could always download the EXE from home and bring it in, but if your system administrator has banned the Xerobank site, doing so is probably not a good idea. If you’re trying to run it at your workplace there are (hopefully) policies against running your own programs on the company network, and also (hopefully) policies about circumventing security safeguards like URL filters, which Tor and Xerobank can do.

  4. Anonymous Says:

    Avoid XeroBank. It does not use Privoxy, is not easily configurable (It has a proprietary configuration file that is incompatible with the documented tor configuration.), no support or community, and a very poor set of features.

    For a far better, completely portable Firefox/Tor/Privoxy solution, get Firefox Portable at http://portableapps.com/ , Portable Tor at http://portabletor.sourceforge.net/ and the TorButton add-on at https://addons.mozilla.org/firefox/2275/ .

    Have a great day!

  5. Cold Fusion for Dummies » Blog Archive » How to break through Internet Rimon? Says:

    [...] internet for us, and so there are great browsers like TorPark (now called XeroBank) that let us browse anonymously with a built-in proxy [...]