[tor-relays] Tor-node/relay: System installation vs. TorBrowser

Dave Warren davew at hireahit.com
Mon Mar 16 23:29:52 UTC 2015 

On 2015-03-16 14:24, Stephen R Guglielmo wrote:
> On Mon, 16 Mar 2015 11:48:34 +0100
> "Lars Edman @ LinuxSuSE"<lars.edman at bredband.net>  wrote:
>> >I found they today absolutely discouraged from the use of such a
>> >"system installation" when using tor as a client. When it came to
>> >using tor as a node/relay or running a server they referred the
>> >question to you.
>> >
>> >Do you consider this kind of installation insecure?
> This is generally considered insecure. There are a few things that the
> TBB does that a default Firefox configuration routed through a SOCKS
> proxy (Tor) doesn't do.
>
> For example, the TBB has NoScript (blocks JavaScript), HTTPSEverywhere
> (forces HTTPS on sites that support it), and the TBB also deletes
> cookies, history, and other data upon closing. And I'm sure there are a
> few other things that they wrap into the bundle (DNS leaks too); I
> don't follow TBB development closely enough to know the specific
> details.
>
> These are all security issues. Javascript can be used to uniquely
> identify a machine and get your real IP address. If you use HTTP, in
> theory, a Tor exit relay can sniff your login credentials. Files on
> disk, such as history, cached website files, cookies, can all be used
> to identify the sites you visit if your computer were to be inspected.

Note, however, that while these are all potential security issues, 
they're not all issues that apply to every situation. If your safety or 
livelihood depend on privacy or anonymity, obviously you need to be 
paranoid, and TBB is definitely the wise choice.

However, if you just use Tor to surf geographically restricted websites, 
or to offer you moderate privacy from a snoopy ISP (hotel or public wifi 
hotspot access) and don't mind the stray request leaking, the proxy 
level application may well be sufficient, especially since you can 
configure applications to use system-wide proxy settings, giving you a 
one-click on-and-off switch.

I suspect both uses are common use cases, and just using SOCKS proxies 
may well be good enough for some users, but if you value safety, 
security, privacy and anonymity, TBB is a much stronger solution.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

More information about the tor-relays mailing list