[tor-talk] Wired Story on Uncovering Users of Hidden Services.

Aymeric Vitte vitteaymeric at gmail.com
Fri Aug 15 20:32:10 UTC 2014


I would love to think that it's not impossible but it seems to be, 
whatever documentation exists (which most Tor users will not read), 
it cannot predict OS and FF hazards, even if the Tor Browser forbids 
everything that is potentially dangerous (and in that case most of the 
sites will just not work, still without ensuring you are safe), one 
alternative is to fetch (like peersm), not to browse but then the use is 
different.

Regards,

On 15/08/2014 18:31, Joe Btfsplk wrote:
> On 8/14/2014 6:18 PM, Mirimir wrote:
>> On 08/14/2014 04:48 PM, Aymeric Vitte wrote:
>>> I am "defensive" because you seem to make a general case of something
>>> that can only happen in case of browser's/OS bug, and conveying to Tor
>>> users that they should not use js is nonsense, you make them believe
>>> that intrinsically js can easily leak their ip and/or mac addresses,
>>> which is wrong, this can happen under extraordinary circumstances that
>>> have nothing to do with js, here a windows/ff bug, which could have been
>>> a css attack or whatever.
>>>
>>> Regards,
>> This was indeed an extraordinary circumstance. And it is misleading to
>> focus on the importance of blocking Javascript. It's also evidence for
>> using the latest Tor browser release, avoiding Windows, etc.
>>
>> However, I do see a "told you so" here. It's foolish to think that
>> simply using the Tor browser is adequate protection for doing stuff
>> where there are serious consequences. Maybe the comment "Everything
>> you need to safely browse the Internet. This package requires no
>> installation. Just extract it and run." on the download page needs a
>> "don't do stupid stuff" warning. Also, maybe the "Want Tor to really
>> work?" section needs to reiterate the "don't rely on Tor for strong
>> anonymity" warning. Maybe even something about firewall rules. Yes?
> Others can weigh in, but (as with most software) the information of 
> what all one needs to do & not do, in order to *not potentially* 
> compromise anonymity while using Tor is quite spread out.
> It can take a long time for users to learn even the basics of what 
> "else can go wrong," besides just installing TBB & hitting go.
> Yes, there's a short, basic list / FAQ that warns of some of these 
> things.  It's hardly complete or "sufficient for most users," IMO.
>
> No doubt, anonymity w/ Tor is complicated - even for experts & putting 
> together documentation (in one place) to cover most of the pitfalls is 
> tough.  But perhaps not impossible.
> Probably a better job could be done (than present) to revise / 
> reorganize documentation on "what *else* you need to do / consider, to 
> keep Tor more anonymous."
> Unfortunately, most users don't have the deep knowledge of Tor & TBB 
> necessary to write correct, concise documentation for many of the more 
> involved topics.
>>
>>> On 14/08/2014 11:06, Anders Andersson wrote:
>>>> On Wed, Aug 13, 2014 at 11:56 PM, Aymeric Vitte
>>>> <vitteaymeric at gmail.com> wrote:
>>>>
>>>>>>     As
>>>>>> someone who argues against using javascript in any context, I can only
>>>>>> say "told you so", but that doesn't really help anyone. :)
>>>>> No and you are wrong
>>>>   From
>>>> https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html 
>>>>
>>>>
>>>> "An attack that exploits a Firefox vulnerability in JavaScript has
>>>> been observed in the wild."
>>>> People who didn't allow javascript were safe.
>>>>
>>>>
>>>>>> Because they managed to get in to the client browser, they could learn
>>>>>> the real IP address and MAC address
>>>>> and the color of your shirt
>>>> Why are you so defensive? Is it your code they broke? They could learn
>>>> the color of my shirt if the browser user has access to a webcam,
>>>> which is not uncommon. This is however highly irrelevant.
>>>>
>>>>
>>>>>> , they didn't learn this through
>>>>>> Tor.
>>>>> Are you serious in your answer?
>>>> Very much so. If you don't believe me, then maybe you'll believe these
>>>> sources:
>>>>
>>>> https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html 
>>>>
>>>>
>>>> https://www.mozilla.org/security/announce/2013/mfsa2013-53.html
>>>>
>>>> Nothing was exploited through Tor. In fact, they couldn't find out who
>>>> was using the server *because* people used Tor. So they had to resort
>>>> to javascript exploits.
>

-- 
Peersm : http://www.peersm.com
torrent-live: https://github.com/Ayms/torrent-live
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms


