On Mon, 16 Mar 2015 11:48:34 +0100 "Lars Edman @ LinuxSuSE" lars.edman@bredband.net wrote:
I found they today absolutely discouraged from the use of such a "system installation" when using tor as a client. When it came to using tor as a node/relay or running a server they referred the question to you.
Do you consider this kind of installation insecure?
This is generally considered insecure. There are a few things that the TBB does that a default Firefox configuration routed through a SOCKS proxy (Tor) doesn't do.
For example, the TBB has NoScript (blocks JavaScript), HTTPSEverywhere (forces HTTPS on sites that support it), and the TBB also deletes cookies, history, and other data upon closing. And I'm sure there are a few other things that they wrap into the bundle (DNS leaks too); I don't follow TBB development closely enough to know the specific details.
These are all security issues. Javascript can be used to uniquely identify a machine and get your real IP address. If you use HTTP, in theory, a Tor exit relay can sniff your login credentials. Files on disk, such as history, cached website files, cookies, can all be used to identify the sites you visit if your computer were to be inspected.
TBB can also be run from removable media, so you can use a public library computer, for example, and run it from a USB drive.
I personally just use the TBB. I download the archive and the signature from torproject.org using wget. I verify the archive using GPG, and then I extract & run it. Not too difficult. There's also a project[1] that has a launcher to automate this process.