[tor-talk] Operating system updates / software installation behind Tor Transparent Proxy

proper at secure-mail.biz proper at secure-mail.biz
Sat Mar 3 07:43:43 UTC 2012

> But apt uses GPG
> (run with (necessarily) root privileges) to verify
> the files it downloads.
>  Sucks to be a Debian user when someone finds
> another code-exec bug in GPG's
> parsing code.

Indeed. Encrypted updates would be handy. I support http://brainstorm.ubuntu.com/idea/26541/.

> > Or other package
> > systems? What about all of the
> other software that updates itself
> > automagically without a system package
> manager?
> This is a bigger risk to anonymity -- automatic update-related
> operations run in the background on a transparent-proxied system can
> link
> the traffic you intended to anonymize with properties of your
> operating-system
> installation (e.g. on Debian, /etc/cron.daily/apt
> leaks your system's time
> zone and the set of package repositories that
> you install software from to
> your circuits' exit node(s)).  Windows
> users are at much greater
risk from
> this, because most people install
> lots of crap software, thereby marking
> their systems (and thus their
> Tor circuits) with a unique set of automatic
> updaters.

We use UTC as time zone, disable automatic updates and (soon) recommend to switch identity before/after updating.

> Of course, if you live in Iran, you're probably better off taking
> your
> chances with exit-node roulette than downloading unsigned, unverified
> updates directly through a known-malicious ISP.  Just don't expect
> your transparently
> proxied traffic to stay anonymous.

Why? Switch identity before/after updating before/after updating should be sufficient.

powered by Secure-Mail.biz - anonymous and secure e-mail accounts.

More information about the tor-talk mailing list