[tor-relays] Tor-node/relay: System installation vs. TorBrowser

Stephen R Guglielmo srguglielmo at gmail.com
Mon Mar 16 21:24:39 UTC 2015


On Mon, 16 Mar 2015 11:48:34 +0100
"Lars Edman @ LinuxSuSE" <lars.edman at bredband.net> wrote:
> I found they today absolutely discouraged from the use of such a
> "system installation" when using tor as a client. When it came to
> using tor as a node/relay or running a server they referred the
> question to you.
> 
> Do you consider this kind of installation insecure?

This is generally considered insecure. There are a few things that the
TBB does that a default Firefox configuration routed through a SOCKS
proxy (Tor) doesn't do.

For example, the TBB has NoScript (blocks JavaScript), HTTPSEverywhere
(forces HTTPS on sites that support it), and the TBB also deletes
cookies, history, and other data upon closing. And I'm sure there are a
few other things that they wrap into the bundle (DNS leaks too); I
don't follow TBB development closely enough to know the specific
details.

These are all security issues. Javascript can be used to uniquely
identify a machine and get your real IP address. If you use HTTP, in
theory, a Tor exit relay can sniff your login credentials. Files on
disk, such as history, cached website files, cookies, can all be used
to identify the sites you visit if your computer were to be inspected.

TBB can also be run from removable media, so you can use a public
library computer, for example, and run it from a USB drive.

I personally just use the TBB. I download the archive and the signature
from torproject.org using wget. I verify the archive using GPG, and
then I extract & run it. Not too difficult. There's also a project[1]
that has a launcher to automate this process.

[1] https://github.com/micahflee/torbrowser-launcher
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20150316/029c5030/attachment.sig>


More information about the tor-relays mailing list