[tor-talk] Operating system updates / software installation behind Tor Transparent Proxy
proper at secure-mail.biz
proper at secure-mail.biz
Sat Mar 3 07:43:43 UTC 2012
<snip>
> But apt uses GPG
> (run with (necessarily) root privileges) to verify
> the files it downloads.
> Sucks to be a Debian user when someone finds
> another code-exec bug in GPG's
> parsing code.
Indeed. Encrypted updates would be handy. I support http://brainstorm.ubuntu.com/idea/26541/.
> > Or other package
> > systems? What about all of the
> other software that updates itself
> > automagically without a system package
> manager?
>
> This is a bigger risk to anonymity -- automatic update-related
>
> operations run in the background on a transparent-proxied system can
> link
> the traffic you intended to anonymize with properties of your
> operating-system
> installation (e.g. on Debian, /etc/cron.daily/apt
> leaks your system's time
> zone and the set of package repositories that
> you install software from to
> your circuits' exit node(s)). Windows
> users are at much greater
risk from
> this, because most people install
> lots of crap software, thereby marking
> their systems (and thus their
> Tor circuits) with a unique set of automatic
> updaters.
We use UTC as time zone, disable automatic updates and (soon) recommend to switch identity before/after updating.
>
> Of course, if you live in Iran, you're probably better off taking
> your
> chances with exit-node roulette than downloading unsigned, unverified
>
> updates directly through a known-malicious ISP. Just don't expect
> your transparently
> proxied traffic to stay anonymous.
Why? Switch identity before/after updating before/after updating should be sufficient.
______________________________________________________
powered by Secure-Mail.biz - anonymous and secure e-mail accounts.
More information about the tor-talk
mailing list