Downloading attachments with Tor - is this secure?

Mike Perry mikeperry at fscked.org
Sat Jun 19 11:04:50 UTC 2010 

Thus spake Matthew (pumpkin at cotse.net):

> When you are go into for example Yahoo webmail (without Tor) and 
> download an attachment (say a Word document or a photo) then your 
> browser asks you where on your hard drive you wish to save that 
> attachment. 
> 
> Then do the same thing using Tor (and Polipo).
> 
> I assume the attachment downloads from Yahoo Mail (or whatever) through 
> the three Tor nodes before being unencrypted at the final node and then 
> is downloaded to my computer.   In other words: the attachment (or for 
> that matter any file downloaded in the same way) is never downloaded 
> "outside" the Tor system - that is directly from the website to me 
> bypassing the Tor nodes?

Yes, if you use Torbutton, the attachment itself will be downloaded
only via Tor.

If you do not use Torbutton, your browser may autolaunch a plugin or
helper application to download the attachment and display it, which
may *not* happen via Tor. See
https://www.torproject.org/torbutton/design/#SingleStateTesting for
example exploits against non-Torbutton users.

Also, when you open your attachment after downloading it (either via
Tor or not), the program that opens it may be induced into making a
network connection outside of Tor. For example, .doc files, .pdf
files, .torrent files, and many many others can reference images,
urls, IP addresses, and other content from the Internet, which causes
the application that opened them to connect to a server outside of
Tor.

This is especially dangerous if you are using Yahoo Mail, because even
if you trust the person who sent you the document, your attachment
will be downloaded in plaintext (via http, not https). This means that
the exit node you use can replace or alter your document to unmask
you (or worse, exploit your document reader and run arbitrary code).


If you need to view these documents in a safe way, your best bet is to
use VirtualBox or some other virtualization software to run a VM that
you can disconnect from the network while you view the file, and roll
back to a safe snapshot after you have viewed the file.


Torbutton has a warning to attempt to explain all of this when you
download documents handled by external applications, but it is a lot
to get across in such a small amount of space.


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20100619/38a8834c/attachment.pgp>

More information about the tor-talk mailing list