Tor browsing in Trisquel 7 is a BAD idea

Jimmy Douglas
Joined: 10/30/2014

Yes I do mean bad. For those who haven't tried it I'll explain. The default browser has an option which is set to on by default. That option uses tor to browse in private mode. It's easy to turn off but that's not the issue. The issue is that users who have no idea are subjected to attacks.

Tor exit nodes (the way you access the internet from the tor network) can be malicious. As a real world example here is an article talking about patching binaries http://www.hotforsecurity.com/blog/tor-exit-node-patches-malware-on-executable-downloads-10690.html. I haven't looked over the details but IIRC VLC isn't signed and IDK if this code cares if the binary is signed, but you potentially will get malware if you download an exe through a malicious tor node.

If you look into what the tor browser does you'll see it has various settings and addons for safety. One big thing is the tor button disables some addons (like flash) so they don't communicate w/o going through the proxy. Tor button also changes the user agent to a common string to make it more difficult to fingerprint you (for example it will say I'm using firefox 31 on windows even though I'm on trisquel). It will block 3rd party tracking (cookies and I believe scripts) and from what I hear cleans out suspicious javascript. Other addons include noscript (disables javascript) and SSL everywhere (switches to HTTPS on known sites).

The browser in private mode offers none of this. Because it doesn't, a user is subjected to binary patching and other attacks that researchers or malicious parties may carry out. A tor node is run on someone's private server. They can monitor and modify traffic. It's different from the regular internet, which is generally a connection from you to your ISP and then mostly or entirely routers connecting you to your destination (an IP address).

So a user who by default has no idea what tor is or what may happen can potentially be hacked or have extra monitoring placed on them (fingerprinting, or leaking their IP address through flash or another addon since they aren't blocked). I suggest not allowing the feature at all, or finding a way to enable torbutton and the other addons found in the tor browser when switching to private mode. I also suggest looking at the tor browser settings (about:config).

andrew
Joined: 04/19/2012

Actually all plaintext traffic can be subject to sniffing and attacks,
not just Tor traffic. I heard that the FinFisher software can already
generate malicious binaries for targets on-the-fly for HTTP traffic.

In terms of software integrity, most Trisquel users install software
from the repositories which are digitally signed using GnuPG, so that's
more or less a non-issue. If you download software over HTTP it's always
a good idea to check digital signatures if available, or not download
software over HTTP at all.

I heard Ruben has patched GNU IceCat so that it has a similar
fingerprint as Tor Browser, but I haven't used or tested it yet so I
don't know the details.

I agree that maybe some information should be provided on the difference
that Private Browsing makes to web browsing. Perhaps you should file a
bug report and/or contact Ruben (quidam) over IRC?

If add-ons/plugins are enabled when the browser is using Tor and they
are not using Tor then perhaps you should file a second bug report for
that issue.

Andrew
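Added example (not code from any poster, nor from the Trisquel or Tor projects): the check andrew recommends, a downloaded file verified against the publisher's SHA256SUMS list before it is used, so a binary altered in transit by an exit node or an ISP is rejected. The file bytes and the checksum list are constructed here, and `example-app-1.0.tar.xz` is a placeholder name.

```python
"""Verify a downloaded file against a publisher's SHA256SUMS list.

Added example. The file bytes and the checksum list below are constructed
for illustration; 'example-app-1.0.tar.xz' is a placeholder name.
"""
import hashlib
import hmac
import re

# One entry per line, the format `sha256sum` writes and many projects ship:
# "<64 hex digits><space><space or '*'><filename>"
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) ([ *])(.+)$")


def parse_sha256sums(text):
    """Return {filename: lowercase hex digest} from SHA256SUMS-style text."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r")
        if not line.strip() or line.startswith("#"):
            continue
        m = _SUM_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a sha256sum entry: {line!r}")
        digest, _binary_marker, name = m.groups()
        table[name] = digest.lower()
    return table


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_download(sums_text, filename, data):
    """Return (ok, reason) for one downloaded blob."""
    expected = parse_sha256sums(sums_text).get(filename)
    if expected is None:
        return False, f"{filename} is not listed in the checksum file"
    actual = sha256_hex(data)
    # compare_digest avoids leaking the match position through timing;
    # mostly habit for a public digest, but it costs nothing.
    if not hmac.compare_digest(actual, expected):
        return False, f"checksum mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
    return True, "checksum matches"


# --- constructed demo data ---------------------------------------------------
# A stand-in for the genuine download ...
GENUINE = b"\x7fELF" + b"\x00" * 12 + b"genuine program bytes (constructed)"
# ... and the same bytes with a few changed in transit.
PATCHED = GENUINE[:20] + b"PATCHED" + GENUINE[27:]

# The publisher computes this list from the genuine file. It only helps if it
# reaches the user over a channel the attacker cannot rewrite (HTTPS from the
# project's own site, or better, a GnuPG-signed copy); a checksum fetched over
# the same plaintext path as the binary can be swapped along with it.
SHA256SUMS = f"{sha256_hex(GENUINE)}  example-app-1.0.tar.xz\n"

if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE), ("patched", PATCHED)):
        ok, why = verify_download(SHA256SUMS, "example-app-1.0.tar.xz", blob)
        print(f"{label:8s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The parser accepts both the text (`  `) and binary (` *`) markers `sha256sum` emits, and rejects malformed lines instead of silently skipping them; a checksum file that does not parse is itself a reason not to install.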

Forna
Joined: 01/12/2014

In the latest IceCat the fingerprint seems to be the same as Tor Browser's.
You can check this by testing if Tor is enabled; usually if the test page recognises you are using a browser different from TBB, it will tell you so with a short phrase coloured in yellow. However, with the latest modifications in IceCat I no longer get a yellow phrase but a green one.
I don't know for sure if the fingerprint is the same, but Ruben's tweaks seem to be trustworthy.

onpon4
Joined: 05/30/2012

https://check.torproject.org/?lang=en_US doesn't seem to check the fingerprint very much. In fact, IceCat's fingerprint is different from Tor Browser. With scripts enabled, it reports a different time zone than TBB, and it reports your actual screen resolution whereas TBB reports the window size (and sizes the window somewhat generically, always at a fixed width). With scripts disabled, it's still not the same, because the two browsers have slightly different values for HTTP_ACCEPT headers.

I checked with the EFF's tool:

https://panopticlick.eff.org/
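Added example (not from any poster, not Panopticlick's code): the measure behind tools like Panopticlick applied to the attributes discussed in this thread. Each attribute value carries -log2(P(value)) "bits of identifying information" in a visitor population; the population below is constructed so that one browser looks like Tor Browser (common user agent, UTC, generic window size) and one like the IceCat onpon4 describes (spoofed user agent but real time zone, real screen size and a different Accept header). The numbers are illustrative, not measurements.

```python
"""How much does a browser's fingerprint give away?

Added example. Surprisal -log2(P(value)) is the "bits of identifying
information" measure Panopticlick-style tools report; the visitor population
below is constructed for illustration and is not real measurement data.
"""
import math
from collections import Counter

ATTRIBUTES = ("user_agent", "timezone_offset_min", "reported_size", "accept")

# Constructed population: (attribute values in ATTRIBUTES order, visitors).
POPULATION = [
    # Tor-Browser-like: common UA, UTC, generic window size, stock Accept header
    (("Firefox/31 Windows", "0", "1000x700", "text/html,*/*;q=0.8"), 600),
    (("Chrome/38 Windows", "-300", "1920x1080", "text/html,*/*;q=0.8"), 250),
    (("Firefox/33 Linux", "-60", "1366x768", "text/html,*/*;q=0.8"), 100),
    # IceCat-like as described in the thread: UA spoofed, but real time zone,
    # real screen size and a slightly different Accept header
    (("Firefox/31 Windows", "-60", "1366x768", "text/html,*/*;q=0.8,xyz"), 40),
    (("Safari/7 Mac", "480", "1440x900", "text/html"), 10),
]


def tally(population):
    """Per-attribute value counts and full-combination counts."""
    per_attr = {a: Counter() for a in ATTRIBUTES}
    combos = Counter()
    for values, n in population:
        combos[values] += n
        for a, v in zip(ATTRIBUTES, values):
            per_attr[a][v] += n
    return per_attr, combos


def surprisal_bits(count, total):
    """Bits of identifying information in a value shared by `count` of `total`.
    A value nobody else has (count 0) is treated as unique among total+1."""
    if count <= 0:
        count, total = 1, total + 1
    return -math.log2(count / total)


def fingerprint_report(browser, population=POPULATION):
    """browser: dict keyed by ATTRIBUTES.
    Returns ({attribute: bits}, bits for the whole combination)."""
    per_attr, combos = tally(population)
    total = sum(combos.values())
    bits = {a: surprisal_bits(per_attr[a].get(browser[a], 0), total) for a in ATTRIBUTES}
    key = tuple(browser[a] for a in ATTRIBUTES)
    return bits, surprisal_bits(combos.get(key, 0), total)


TBB_LIKE = dict(zip(ATTRIBUTES, POPULATION[0][0]))
ICECAT_LIKE = dict(zip(ATTRIBUTES, POPULATION[3][0]))

if __name__ == "__main__":
    for name, b in (("Tor-Browser-like", TBB_LIKE), ("IceCat-like", ICECAT_LIKE)):
        bits, combined = fingerprint_report(b)
        detail = ", ".join(f"{a}={v:.2f}" for a, v in bits.items())
        print(f"{name}: {combined:.2f} bits total ({detail})")
```

With this population the spoofed user agent contributes the same 0.64 bits for both browsers, while the IceCat-like time zone, screen size and Accept header each add several bits; that is why matching one header is not the same as matching the Tor Browser fingerprint.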

Forna
Joined: 01/12/2014

Ok, thanks for the clarification!

Jodiendo
Joined: 01/09/2013

Jimmy

Question?

Does Jimmy the Cricket use Windox?

J/K

I agree with andrew's comments and advice...

SuperTramp83
Joined: 10/31/2014

I'm late on this one. Anyway.. Why would anyone use Tor this way? It seems to me very silly, especially if the reason behind using Tor is something important that requires true anonymity. Disable the feature completely in abrowser/icecat and if you need Tor then use Tails. Anyhow, personally I wouldn't trust Tor for anything vital.. It has been proven several times that Tor is not as reliable in keeping you anonymous as one would think..

Magic Banana
Joined: 07/24/2010

The NSA disagrees: http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document

> With manual analysis we can de-anonymize a very small fraction of Tor users, however, no success de-anonymizing a user in response to a TOPI request/on demand.

The emphasis comes from the NSA.

onpon4
Joined: 05/30/2012

I'm getting a strong sense of deja vu here; that comment reminds me of this recent comment thread on Diaspora:

https://nerdpol.ch/posts/1075808

Magic Banana
Joined: 07/24/2010

If you insinuate that I participated in that thread under another nickname, you are wrong.

onpon4
Joined: 05/30/2012

No, not you, the comment above you.

salparadise
Joined: 09/08/2013

You're not seriously quoting the NSA? Of all the people in the world to say "we can't catch people who use TOR" the NSA has got to be top of the list of 'Least Likely to be Telling the Truth'. The NSA helped to develop TOR!

TOR is a trap. It's already been shown that some of the routers are in Government buildings.
How many times do people have to be told? There is no such thing as anonymity online. When it suits "them" they can pull records of what you said, to whom, from years ago. This is endlessly hinted at but you have to read between the lines.
One of the biggest misunderstandings about the internet is that it was created by a bunch of wonderfully naive, well meaning scientists, intent on giving humanity the biggest material blessing it's ever seen. Step forward Mr Tim Berners-Lee - affable English backroom bod type - supposed to remind us all of Q from James Bond.
The internet was designed by the US Military, to survive multiple hits and still function. All the technology - chips, computers, etc, - all comes from US Military R&D. Laws exist that mandate that your ISP keeps records of all you do. So unless you're an IT Genius, using scrounged parts, assembled for one task and then disassembled, piggy backing on someone else's connection, they know who you are, where you are, what you do and what you say.

onpon4
Joined: 05/30/2012

Tor is secure. Short of security bugs, there are only three ways to subvert it:

1. Control or monitor *all* Tor nodes.

2. Directly attack the computer of the user trying to be anonymous.

3. Taking advantage of user stupidity.

I seriously doubt the NSA or any organization is succeeding at #1, and protecting yourself from #2 and #3 is not that hard.

Magic Banana
Joined: 07/24/2010

The NSA certainly does not control every Tor node. It controls some but that is not enough: see slides 21 and 22 (a list of six questions) of http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document for what they consider(ed?) trying with their nodes.

I am not sure it is that easy to protect one's system from being directly attacked. Using a live system certainly is the best way but, then, you cannot use any large application absent from it.

As for taking advantage of user stupidity, it is indeed one of the NSA's programs. It is named EPICFAIL. See slide 9 of http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document

onpon4
Joined: 05/30/2012

It might not be easy, but it's not so hard as to make Tor meaningless, is what I meant.

Magic Banana
Joined: 07/24/2010

Complement: "stupid" is not really the proper adjective for the users falling into EPICFAIL. They are rather ignorant of an issue: when you access the same site using Tor and not using it, you can be de-anonymized. That leads to a question: does the IceCat browser make the same bookmarks accessible from its private/Tor mode and from the regular mode? If it does (I do not know: I am not using IceCat), well, it should not! Even better, before loading a page, the private/Tor mode could warn the user if that URL was recently accessed in the normal mode.

Another precision: when I was writing about a "live system", I was referring to a "live system without permanent storage".
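Added example (not IceCat code, not from any poster): the warning Magic Banana proposes, implemented as a check a browser could run before a private/Tor-mode load against its normal-mode history. It normalises URLs so that http vs https, a `www.` prefix, trailing slashes and query strings do not hide a revisit, and distinguishes an exact page, the same host, and the same site. The history entries are constructed, and the "site" rule (last two DNS labels) is a simplification of the public-suffix logic a real browser would need.

```python
"""Warn before a private/Tor-mode load if the same site was visited recently
in normal mode, the check Magic Banana suggests.

Added example, not IceCat code. The history entries are constructed, and the
"site" rule (last two DNS labels) is a simplification of the public-suffix
logic a real browser would need.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

LEVEL_RANK = {"page": 3, "host": 2, "site": 1}


def normalize(url):
    """Return (site, host, path) so that http vs https, 'www.', trailing
    slashes and query strings do not hide a revisit."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    site = ".".join(labels[-2:]) if len(labels) >= 2 else host  # simplification
    path = parts.path.rstrip("/") or "/"
    return site, host, path


def check_private_load(url, normal_history, now, window=timedelta(days=7)):
    """normal_history: iterable of (datetime, url) visited in normal mode.
    Returns None if nothing overlaps within `window`, else a dict describing
    the strongest (and, on ties, most recent) overlap."""
    site, host, path = normalize(url)
    cutoff = now - window
    best = None
    for when, seen_url in normal_history:
        if when < cutoff:
            continue
        s_site, s_host, s_path = normalize(seen_url)
        if s_site != site:
            continue
        if s_host == host and s_path == path:
            level = "page"
        elif s_host == host:
            level = "host"
        else:
            level = "site"
        better = best is None or LEVEL_RANK[level] > LEVEL_RANK[best["level"]] or (
            LEVEL_RANK[level] == LEVEL_RANK[best["level"]] and when > best["last_seen"]
        )
        if better:
            best = {"level": level, "last_seen": when, "normal_url": seen_url}
    return best


def warning_text(match):
    """Human-readable warning for the browser to show before loading."""
    if match is None:
        return None
    what = {"page": "this exact page", "host": "this host", "site": "this site"}[match["level"]]
    when = match["last_seen"].strftime("%Y-%m-%d %H:%M")
    return (f"You visited {what} outside Tor mode on {when} ({match['normal_url']}). "
            f"Loading it over Tor links the two sessions.")


# --- constructed demo data ---------------------------------------------------
NOW = datetime(2014, 11, 10, 12, 0)
NORMAL_HISTORY = [
    (NOW - timedelta(hours=3), "https://www.example-forum.org/topic/42?sort=new"),
    (NOW - timedelta(days=2), "http://mail.example-forum.org/inbox"),
    (NOW - timedelta(days=30), "https://old-news.example.net/"),
]

if __name__ == "__main__":
    for url in ("http://example-forum.org/topic/42/",
                "https://example-forum.org/login",
                "https://wiki.example-forum.org/",
                "https://old-news.example.net/archive",
                "https://unrelated.example.com/"):
        verdict = warning_text(check_private_load(url, NORMAL_HISTORY, NOW))
        print(url, "->", verdict or "no overlap")
```

The time window matters: a visit from a month ago is still a link an observer with long retention can draw, so a real implementation would let the user widen it, and the cleanest answer remains the one Jimmy gives later in the thread, a separate browser profile with no shared history at all.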

Magic Banana
Joined: 07/24/2010

I am serious. The NSA certainly lies in its rare public statements. What I linked to are internal top-secret slides that Edward Snowden revealed... using Tor for all his communications.

Chris
Joined: 04/23/2011

It's not quite that bad, but yes, it's not perfect. You have to understand what Tor provides and what it doesn't provide and follow the advice of the Tor developers to use it safely.

There was a two week period where you were told to assume your traffic had been deanonymized. I forget if this impacted onion sites or just normal web traffic that passed through an exit node. In any event, other than that, if you followed the advice of the project you should be relatively safe most of the time. The core tenets are: make sure you're connecting to onion sites or at least using encryption between you and the server you're connecting to. This will prevent typical attacks occurring in the situation where an exit node is monitoring your activity. Don't reveal who you are over Tor. If you do that no anonymity system can protect you. Don't download software and other files that may contain infectious code (PDF, DOC, ODT, movies, etc).

If you're not practicing these tips already you're vulnerable to the same attacks any time you connect to a public access point. There simply is no solution to stupidity.

There are a few other common mistakes I have to point out. These are almost always how people get caught:

1. Using outdated software.
2. Using Tor Browser rather than Tails (Tails makes it much harder to screw up, but you still need to use your brain a little)
3. If you're shipping something the receiver is going to be able to identify the area you shipped from. This is because the initial post office will mark its stamp on the package. It doesn't matter if you ship via a drop box, mail box, etc, or the post office itself. It has to go through that initial sorting facility, which will identify at least the part of the state you're sending from.
4. If you're in a large city it's probably not enough to identify your vicinity as there are other Tor users, but if you're in a rural area, they'll identify you as a potential suspect. They can do this because they'll likely be able to identify from log files that you were the only person using Tor at a given time in a given vicinity. That isn't enough to convict, but it is probably enough to get a warrant (if your adversary is a government entity).

All of the significant stings by government entities thus far have involved cases where users would have been protected by Tor had they taken the advice I've presented here, and that of the Tor project.

Some Examples: Those who have been selling illegal drugs online, those making death threats, those making bomb threats, etc have all made the mistake of either connecting to the Tor network without going through a bridge, identifying themselves off of Tor or using the same/similar uniquely identifiable nicknames, shipping from a vicinity which is close to where they live, or using out-of-date versions of the Tor Browser Bundle. If the Tor Browser Bundle or Tails version you have is out of date, download the new version before you proceed. Otherwise you can't expect either to protect you.

Several specific examples: Freedom Hosting, Silk Road, a NJ high school bomb threat case, a Harvard bomb threat case.

I'm not suggesting anybody use Tor for illegal activities. The reason I'm using these examples is because the government is the ultimate adversary and as such these cases are perfect examples of tactics and what not to do if you don't want your adversary identifying you, your traffic being analyzed, or malicious parties interfering with it.

bitbit
Joined: 10/29/2012

https://www.eff.org/deeplinks/2014/10/7-privacy-tools-essential-making-citizenfour

^ the link above lists the tools used by Snowden

Isn't it better to use the tor bundle rather than tor button? I'm asking because of https://www.torproject.org/docs/torbutton/

GNUtoo
Joined: 11/10/2009

> TOR is a trap.
I disagree.
But Tor is only part of the solution (it doesn't handle OS security for instance).
And Tor isn't perfect either (learn about entry guard issues).
But it's the best we have right now for that kind of task.

> It's already been shown that some of the routers are in Government buildings.
Yes, how is that a problem?
Tor core developers do say that they handle bad/untrusted relays.
And it's not a secret that part of the US government (the NSA for instance, among others) is against Tor, while another part (the US Marine for instance) relies on Tor.

> How many times do people have to be told? There is no such thing as anonymity online.
Well, even if it was true, it's not a reason not to use Tor:
Tor makes de-anonymization harder. So Tor can be used for regular browsing. It still provides a lot of nice security features:
* It changes routes every 10 minutes
* You're not alone in an exit node.

> When it suits "them" they can pull records of what you said, to whom, from years ago. This is endlessly hinted at but you have to read between the lines.
Yes, that is why you need to use Tor right now, and to use it well. They usually take quotes out of context to suit better their needs.

> One of the biggest misunderstanding about the internet is that it was created by a bunch of wonderfully naive, well meaning scientists, intent on giving humanity the biggest material blessing it's ever seen.
Well, I don't see it that way, but I might be mistaken. That's how I understand it.
The army wanted some attack resilient network.
So some "hippies" thought: resilient => cannot be censored. And they went to work for the army.
Given the lack of security concern, the power of the hardware at the time, and the fact that it had never been made to work before, they didn't make things secure at the time.
Unfortunately the mentality of security didn't catch up until very recently, and it still has lots of catchup to do.

> Step forward Mr Tim Berners-Lee - affable English backroom bod type - supposed to remind us all of Q from James Bond.
Well, Tim Berners-Lee did the Web, not the Internet. IPv4 was not done by Tim Berners-Lee.

> All the technology - chips, computers, etc, - all comes from US Military R&D.
Not sure about this one, but still companies can be forced to do things pretty easily.

> Laws exist that mandate that your ISP keeps records of all you do. So unless you're an IT Genius, using scrounged parts, assembled for one task and then disassembled, piggy backing on someone elses connection, they know who you are, where you are, what you do and what you say.
Yes, and that's not an excuse not to fight it.

Denis.

Jimmy Douglas
Joined: 10/30/2014

@andrew there is still a difference between plaintext traffic going through ISPs and routers vs. going through someone's private server. Your ISP may lose customers if they are found to be modifying wikipedia; a malicious node may have something to gain by doing so.

If you don't know what tor is, how to use tor and have not read the warnings you SHOULDN'T BE USING TOR. How easy would it be for me to go into private mode to look up my illness, see a wiki page (plaintext) and find a link for a drug treatment (malicious)? What if I have a false sense of protection, sign into an email address I made outside of tor and email some sensitive information (medical, whistleblowing, bank, secrets to blackmail me with, etc)?

IMO this is enough reason to not have that tor feature. I linked an article about binary patching, so it's now well past the point of modifying simple html pages. Remember, this isn't about you being hacked. It's about users who don't understand tor and use it because the browser made it appear like a good idea. It's stupid to have someone using tor when they haven't read the warnings. It's actually fucking stupid.

andrew
Joined: 04/19/2012

sdjfhasdufh wrote:
> @andrew there is still a difference between plaintext traffic going
> through ISPs and routers vs. going through someone's private server.
> Your ISP may lose customers if they are found to be modifying
> wikipedia, a malicious node may have something to gain by doing so.

There is another difference, in that a private Tor server (end node),
unlike your ISP, doesn't necessarily know who the original person is,
especially if they are not identifying themselves over HTTP.

Also, this type of attack is a lot more difficult with Tor:
http://www.wired.com/2014/10/verizons-perma-cookie/

The problem you are describing is a problem with many clients and
servers not using end-to-end encryption and/or authentication.

> If you don't know what tor is, how to use tor and have not read the
> warnings you SHOULDN'T BE USING TOR. How easy would it be for me to
> go into private mode to look up my illness, see a wiki page
> (plaintext) and find a link for drug treatment (malicious).

I completely agree, and I mentioned in my last post that more
documentation on Private Browsing mode and Tor would be a good idea.

> IMO this is enough reason to not have that tor feature. I linked an
> article about binary patching so it's now well past the point of
> modifying simple html pages.

I pointed out that (1) binary patching is possible both on Tor and
clearnet, so that point is irrelevant, and that (2) Trisquel users
almost exclusively use signed packages so binary patching would trigger
an error anyway.

Andrew

Chris
Joined: 04/23/2011

The problem is ISPs are already interfering with your traffic. Try typing a non-existent domain name into the web address bar, for instance. Chances are you'll be redirected to an ISP web page. This violates the standards. Try downloading a torrent. It's likely you'll discover somebody is throttling your traffic. Maybe it won't happen right away, but it happens in a lot of scenarios, from university networks to commercial ISPs (Comcast) to cellular-based "internet" service providers.

The question is probably more along the lines of a level of maliciousness. I'd like to think my ISP is not doing anything malicious, but the reality is otherwise. Many ISPs try and force you to install malicious software. They fraudulently return IP addresses for domains that don't exist. They inject code into web pages, torrents, etc. to cause disconnects, profit off your eyeballs (advertising), cut costs, etc.

Even software we generally respect includes features that leak data that may be privacy-sensitive. I believe both Canonical's Ubuntu and Google Chrome are good examples of this.
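Added example (not from any poster): a check for the NXDOMAIN redirection Chris describes, where a resolver answers names that do not exist with an address of its own. The method is the standard one: resolve a handful of random labels that cannot exist and see whether they all come back pointing at the same address. Probe names are generated randomly so no real host is named; the demo observations are constructed so the classification runs offline, and the addresses in them are documentation ranges (RFC 5737).

```python
"""Detect NXDOMAIN redirection: a resolver that answers names which do not
exist with its own (advertising) address.

Added example. Probe labels are random, so no real host is named; the demo
observations are constructed so the classification runs offline, and the
addresses in them are documentation ranges (RFC 5737).
"""
import secrets
import socket


def random_probe_names(n=4, parent="com"):
    """Random labels under `parent`; these virtually never exist, so an honest
    resolver returns NXDOMAIN for all of them."""
    return [f"nx-{secrets.token_hex(10)}.{parent}" for _ in range(n)]


def resolve_a(name):
    """IPv4 addresses `name` resolves to via the system resolver (empty set on
    NXDOMAIN or any lookup error)."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def classify(observations):
    """observations: {probe_name: set of addresses it resolved to}.
    Returns (verdict, addresses): 'clean' if no random name resolved,
    'hijacked' if every random name resolved to a shared address (the
    redirection signature), otherwise 'inconclusive' with what was seen."""
    if not observations:
        return "inconclusive", set()
    answered = {n: addrs for n, addrs in observations.items() if addrs}
    if not answered:
        return "clean", set()
    shared = set.intersection(*answered.values())
    if len(answered) == len(observations) and shared:
        return "hijacked", shared
    return "inconclusive", set().union(*answered.values())


def probe_live(n=4, parent="com"):
    """Run the check against the current resolver (needs network access)."""
    names = random_probe_names(n, parent)
    return classify({name: resolve_a(name) for name in names})


# --- constructed observations for an offline run ----------------------------
_NAMES = random_probe_names()
HONEST = {name: set() for name in _NAMES}                    # all NXDOMAIN
HIJACKING_ISP = {name: {"198.51.100.7"} for name in _NAMES}  # all -> one address
MIXED = {**HONEST, _NAMES[0]: {"203.0.113.9"}}               # one stray answer

if __name__ == "__main__":
    for label, obs in (("honest resolver", HONEST), ("redirecting ISP", HIJACKING_ISP), ("mixed", MIXED)):
        print(f"{label:16s} -> {classify(obs)}")
```

`probe_live()` runs the same classification against the machine's configured resolver; a `hijacked` verdict is a reason to point the system at a resolver you trust, or to run a validating one locally, before relying on anything the ISP's answers lead to.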

Jimmy Douglas
Joined: 10/30/2014

@SuperTramp83 Agreed, but I'm interested in "proven several times that Tor is not that reliable in keeping you anonymous". So far I remember 3 instances: one before guards were implemented, a 2nd because users use torrent clients and it's just obvious, and a 3rd which IDK was spectated or not.

@salparadise IDK what you're going on about, but is encryption a trap? Do you know what beats militaries? Nature. Nature and physics. For the most part the way the tor network works appears to be secure. You can't break good encryption. You can't force a 3rd party to shape their traffic. You can't be everywhere at once and have unlimited spending money.

@bitbit it's suggesting they can't keep modifying the button for every firefox version, so don't add it to your firefox installation.

@GNUtoo great post

Chris
Joined: 04/23/2011

These examples are improper uses of Tor. If users took the advice of the Tor project then they would not be vulnerable. This isn't a problem with the Tor software. It is a problem with some Tor users thinking they know better than the experts.

salparadise
Joined: 09/08/2013

I'll tell you what beats the NSA - standing up and realising that you're not doing anything wrong, even in speaking out against Government murders and lies.
It's not for us to feel we have to hide from them. It is they who need to hide from us. Their whole reality is built around the notion that we're all stupid, they're all clever and they must oversee and monitor us. I do not accept this.
Governments, especially the US and UK ones, are deeply compromised with stupidity and pocket lining - I see no one in either Administration fit to tell the likes of us what we should and should not be doing online.
TOR seems to be about hiding from such people. I don't wish to hide from them, I wish to challenge them.

SuperTramp83
Joined: 10/31/2014

From the Tor website:
"If your attacker can watch the traffic coming out of your computer, and also the traffic arriving at your chosen destination, he can use statistical analysis to discover that they are part of the same circuit."
Don't get me wrong guyzz - tor is great software and under many circumstances it does work - but if you are using tor for anything illegal there are chances you'll get caught in the long run - if you duckduckgo a little around you'll find very unpleasant stories related to illegal tor use. I remember a couple of years ago and last year a lot of big deep-services disappeared overnight. Many are in jail.. And we're talking about professional criminals here, the "silkroad" type of criminals..
If you value your privacy so much as to use tor for your every-day normal surfin' experience, well that's very cool and admirable.
If you think that in this post-9/11 brave new world something like tor can guarantee you a 100% anonymity all the time you are wrong. :-)

andrew
Joined: 04/19/2012

Just to point out that there are far more reasons to use Tor other than
avoiding government surveillance, e.g. avoiding corporate surveillance.

Andrew

Chris
Joined: 04/23/2011

I would hardly call these users professional criminals, or even technically competent. The professionals are raking in millions. Billions even. And they aren't hiding either like the mastermind of Silk Road was. The professionals don't even need Tor as they operate from places with dysfunctional governments (and in some cases are in control of the government). The kinds of money the real professionals bring in dwarf what was pulled in via the operation of Silk Road for instance. The commissions from Silk Road brought in a pittance relative to what was laundered through the banking system (Silk Road had a mere $79.8 million in commissions). The drug cartels operate in the billions range.

Those with intelligence will evaluate the risks, and plan for them regardless of the legality of the business. Every business entails risk and the reward can often be connected to the risk factor. Be it a seemingly legal, but untested business model, or a completely illegal operation. Just because you've set up a legal operation doesn't mean there are no legal risks.

Jimmy Douglas
Joined: 10/30/2014

FYI everyone, the default browser in trisquel 7 is not icecat and doesn't have the plugins and fingerprint modifications that icecat does. It's incredibly bad. Basically trisquel 7 has a default browser using tor (in private mode) that is INCORRECTLY CONFIGURED with NO WARNINGS OR INFORMATION.

Magic Banana also brings up: what if you favorite a website and go to it in clear mode (outside of private browsing)? Tor should be used in a separate browser, configured correctly and used after proper warnings/information have been provided. A separate browser makes it less likely you'll mess up, such as logging into a personal email in tor, or accessing an advocacy or criminal site (for research or law enforcement) by accident.

But seriously, why did I really have to create this thread? It only takes a moment to realize why tor in private mode the way trisquel 7 does it (even icecat, though less bad) is a TERRIBLE idea.

@andrew

> Also, this type of attack is a lot more difficult with Tor:

It's one type of attack (planting cookies by your ISP) in exchange for another (malicious information, links or downloads).

> The problem you are describing is a problem with many clients and servers not using end-to-end encryption and/or authentication.

Hence why it's especially bad to use tor when not knowing what it is.

@chris

> These examples are improper uses of Tor. If users took the advice of the Tor project then they would not be vulnerable. This isn't a problem with the Tor software. It is a problem with some Tor users thinking they know better than the experts.

Of course it's improper use. It's bundled in software installed by default and a simple google query may make you believe it's an open proxy. It's not tor users thinking they know better, it's tor users who have no idea what tor is because you gave it to them without any information, which is why I created this thread.