The Tor-project responds to attack models with a big Warning
Mar 10th, 2007 by anonymous
Articles with headlines such as “Here is how to expose Tor-users” appear regularly in the mainstream press. Most of these articles have nothing to do with Tor itself and everything to do with users who by mistake allow their software to send personal information over the anonymous connection or allow their software to connect to the Internet without going through Tor. Like the recient “Hacker builds tracking system to nab Tor pedophiles” article which outlines how to “expose” the 0.001% of Tor-users who browse with Java enabled in their browser.
The Tor-project have now responded to the “attack” outlined in this article and articles like it: They’ve put up a WARNING!! WARNING!! section on the Tor download page. It outlines what was already clearly stated in the documentation: Tor makes your connection anonymous, but does not make your software act anonymous. This warning is a good move in the right direction:
Anonymous Internet-usage requires you to disable plugins such as flash, java, active x and other plugins who can seriously compromize your anonymity. And every Tor-user should know this. Now it’s not even possible to download the software without getting a basic understanding of the steps you need to take to actually make it work.
The warning should also put a stop to these “Here’s how to attack Tor-users… if they are extremely stupid”-articles since the warning being there makes it very clear that people who claim to be able to attack Tor are either knowingly ignoring that their attack doesn’t apply to anyone who’ve read the documentation or unable to read and/or understand English, in which case it should be apparent that their supposed attack probably ain’t going to work.
Oh, btw. Every Tor-user should take a look at the warning. The information there really is essential to making good decisions regarding which software is and isn’t safe to combine with Tor.
1. If NoScript is installed, is it OK to enable JS since NoScript stop all script launches (including Flash) dead in its tracks? With NoScript, the user allows only permitted scripts to run, hence no crippling the browsing experience at the expense of malware and security.
2. Could you elaborate on how Java poses risks to our anonymity with some howtos and examples. Some internet connection speed test require Java (eg Internet Frog). Should we enable Java to test our connection speed using our Tor-enabled browser? Should we play Java games through our Tor-enabled browsers?
3. Could you do a piece on Torpark? Technically unsavvy pundits have been recommending it to the uninformed masses.Personally, I have serious concerns about this unofficial portable apps version of Tor because:
a) It ships without Privoxy, which means Torpark users IPs are leaked through DNS requests.
b) It is now planned as a commercial service that promises broadband speed in excess of what the public Tor network is capable of. Is that even possible? Their site mentions about their own servers. So are they running their own sub-net? That would mean they own their users’ data.
c) It takes forever to build a circuit unlike the Tor bundle from http://tor.eff.org/download.html.en
4. Also, it has come to my attention that there is another portable apps version of Tor called Tor+Privoxy+Opera http://www.aplusproxy.com/opera.html) If offers NO source code, so anything could be hiding in there.
5. A comprehensive shake-down analysis + kick-the-tyres review on both these products would make informative, educational blog entries and is appreciated.
6. Will Roger Dingledine, Nick Mathewson, Paul Syverson, Sharva Nerad and the rest of Tor developers release a portable apps version of Tor (I only trust stuff from them)? Not that I would recommend it, IMO, since in the interest of security, we must prudently assume that keyboards of cybercafes and other machines are compromised by keyloggers installed by cyber criminals and identity thieves.
7. Are we to merely disable or completely uninstall plug-ins? Could you tell those of us who’re unsure how to so, since the about:plug-ins only show us what’s installed but no function to uninstall them. Is it as simple as Add and Remove Programs from the Control Panel? Wouldn’t that cripple our browsing experience? What if we need the plug-in functionality?
Cheers and keep up the good work.
Eh, I see you had the time for a fresh blog entry - and even use the Tor+Privoxy+Opera scoop THAT I THREW YOUR WAY!!! - but no time & respect to answer my queries, eh?
Hey, there’re more Tor & security blogs than yours around, and if you’re not interested in feedback, queries and interaction, I’ll just bring my business elsewhere.
You can be sure me & my pals won’t be visiting your blog to bump up your pageviews anymore.
Up your ass with broken glass!!! _|_ _|_
cyph32punk, thanks for your feedback, seriously.
You’ve gave me a very nice 7 point list. This list will likely turn into 7 posts!
NoScript? Haven’t tested it yet. I will. And I’ll write about it.
How Java is a risk? I don’t remember the exact page, but there is specifially in the API documents methods to by-pass any proxy settings! Which means that proxy or no proxy, Tor or no Tor, makes absolutely no difference at all when someone’s Java applet is running in your browser!
And Torpark… I know they don’t release the source, and I know they ship a modified version of Firefox Portable, and I don’t trust any product where I can’t read the source. How it works? Don’t know. I’ll do a piece on it, but the thing about that is that it doesn’t run in the WINE windows emulator, so I need a Windows-computer to test it.
4, well, I did a post on Tor+Privoxy+Opera - thanks to you. Thanks for the idea!!!
And “comprehensive shake-down analysis + kick-the-tyres review on both these products would make informative, educational blog entries and is appreciated.”, yes, excellent idea, but as mentioned, I need to spend time at someone with a Windows-computer to do that since I can’t get Torpark working in the Windows emulator.
Own Tor developers portable package release? They’ve said no to making one and I don’t think that’s changed. But I’m sure that they would be very happy if someone made a 100% open source bundle package which fits a USB stick. Their focus seems to be to make Tor excellent and rely on other people to do things like making bundles.
Are we to merely disable or completely uninstall plug-ins? Well, it depends. I’d say disable them all if you don’t know how they work. We really do need a big reference page which lists all of the availalbe plug-ins and How they Work, What They Do and most importantly, Do they Leak (mostly DNS) information? I know that, for example, those plug-ins who show pages “PageRank” are (as far as I’ve tested) all broken.
So to that: If you’re sure a plug-in is safe, use it, if you don’t know how it works, then you should disable it.
Anyway. Thanks for your feedback. I really am very interested in feedback, queries and interaction. However, I kind of.. read the comment, thought “Oh, this is something I really should write about” (OperaTor), and I wrote about that and then something else came up and - so sorry - I didn’t reply to your comment.
So…..
These people are putting up fake kiddy porn sites and luring pedos there?
Do they realise that they are likely breaking the law by putting up such a site and could find themselves in jail for running kiddy porn sites (fake or not it’s kiddy porn).
http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001466—A000-.html
They’d have to be very careful not to include any images of any kind. Even an 80 yo woman can be a risk when you put it next to the word “lolita”.
-Ben