[tor-talk] Wired Story on Uncovering Users of Hidden Services.

Joe Btfsplk joebtfsplk at gmx.com
Fri Aug 15 16:31:39 UTC 2014


On 8/14/2014 6:18 PM, Mirimir wrote:
> On 08/14/2014 04:48 PM, Aymeric Vitte wrote:
>> I am "defensive" because you seem to make a general case of something
>> that can only happen in case of browser's/OS bug, and conveying to Tor
>> users that they should not use js is a non sense, you make believe them
>> that intrinsically js can easily leak their ip and/or mac addresses,
>> which is wrong, this can happen under extraordinary circumstances that
>> have nothing to do with js, here a windows/ff bug, which could have been
>> a css attack or whatever.
>>
>> Regards,
> This was indeed an extraordinary circumstance. And it is misleading to
> focus on the importance of blocking Javascript. It's also evidence for
> using the latest Tor browser release, avoiding Windows, etc.
>
> However, I do see a "told you so" here. It's foolish to think that
> simply using the Tor browser is adequate protection for doing stuff
> where there are serious consequences. Maybe the the comment "Everything
> you need to safely browse the Internet. This package requires no
> installation. Just extract it and run." on the download page needs a
> "don't do stupid stuff" warning. Also, maybe the "Want Tor to really
> work?" section needs to reiterate the "don't rely on Tor for strong
> anonymity" warning. Maybe even something about firewall rules. Yes?
Others can weigh in, but (as with most software) the information of what 
all one needs to do & not do, in order to *not potentially* compromise 
anonymity while using Tor is quite spread out.
It can take a long time for users to learn even the basics of what "else 
can go wrong," besides just installing TBB & hitting go.
Yes, there's a short, basic list / FAQ that warns of some of these 
things.  It's hardly complete or "sufficient for most users," IMO.

No doubt, anonymity w/ Tor is complicated - even for experts & putting 
together documentation (in one place) to cover most of the pitfalls is 
tough.  But perhaps not impossible.
Probably a better job could be done (than present) to revise / 
reorganize documentation on "what *else* you need to do / consider, to 
keep Tor more anonymous."
Unfortunately, most users don't have the deep knowledge of Tor & TBB 
necessary to write correct, concise documentation for many of the more 
involved topics.
>
>> Le 14/08/2014 11:06, Anders Andersson a écrit :
>>> On Wed, Aug 13, 2014 at 11:56 PM, Aymeric Vitte
>>> <vitteaymeric at gmail.com> wrote:
>>>
>>>>>     As
>>>>> someone who argues against using javascript in any context, I can only
>>>>> say "told you so", but that doesn't really help anyone. :)
>>>> No and you are wrong
>>>   From
>>> https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
>>>
>>> "An attack that exploits a Firefox vulnerability in JavaScript has
>>> been observed in the wild."
>>> People who didn't allow javascript were safe.
>>>
>>>
>>>>> Because they managed to get in to the client browser, they could learn
>>>>> the real IP address and MAC address
>>>> and the color of your shirt
>>> Why are you so defensive? Is it your code they broke? They could learn
>>> the color of my shirt if the browser user has access to a webcam,
>>> which is not uncommon. This is however highly irrelevant.
>>>
>>>
>>>>> , they didn't learn this through
>>>>> Tor.
>>>> Are you serious in your answer?
>>> Very much so. If you don't believe me, then maybe you'll believe these
>>> sources:
>>>
>>> https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
>>>
>>> https://www.mozilla.org/security/announce/2013/mfsa2013-53.html
>>>
>>> Nothing was exploited through Tor. In fact, they couldn't find out who
>>> was using the server *because* people used Tor. So they had to resort
>>> to javascript exploits.



More information about the tor-talk mailing list