[tor-relays] About TBB downloadings

Lluís msl12 at sde12.jazztel.es
Thu Oct 16 19:35:48 UTC 2014

Very clear. I think I've got it.

God bless good old plain text files !!!


On 10/16/2014 05:21 PM, Naja Melan wrote:
>> By the way, applies the same to the already downloaded pdf docs ?
> yes.
> It applies to everything you download and feed to an application which 
> has internet access and which might connect to the internet based on 
> information within the file or the filename for that matter.
> For a more complete security analysis I think about it like this:
> - If I download a document not over https correctly certified: the 
> server, the last tor node and any routers between that last tor node 
> and the server can inject something in the document
> - If I download a document from a server with correct https: the server 
> (potentially hacked) could try to identify me, on top of any 
> reservations you might have about https
> By all means, that's a lot of leaks if you are concerned about your 
> security, so it is strongly adviced to open documents in Tails or in a 
> VM that has no internet access. On top of that, it could be difficult 
> to verify documents and clean them if you want to store them for later 
> use and distribution, so in that case use a clean tor connection not 
> related to other sensitive internet traffic.
> If you use tor for your everyday browsing as an extra privacy measure, 
> than downloading a random scientific paper and opening it will probably 
> be low risk. Just keep in mind that the last tor node is an extra MITM 
> that makes tor under quite a few circumstances less secure than direct 
> internet connection (since anyone can run one). So if your evince has a 
> buffer overflow bug for example, that's an extra person who could try 
> to exploit it (again unless you use valid https) and this sort of 
> exploit works on any document, regardless of whether the contents are 
> sensitive or not.
> It's up to you to figure out your security needs.
> Naja Melan
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

More information about the tor-relays mailing list