[tor-talk] Tor Browser Linux_don't extract to root
Jonathan Marquardt
mail at parckwart.de
Fri Apr 14 16:46:08 UTC 2017
Look, if you have malicous software running on the system with normal user
priviliges, you are in big trouble anyway. There's so many things that
malicous software could do even if TBB was installed at a non-writable
location. Just as a simple example, malware could just change the location in
your TBB desktop and launcher links and still trick you into launching
malicous software. That's just a really silly example, but the point is that
once the malware is running, it is too late. Storing software in non-writable
locations is such a small useless mitigation technique in contrast to what
malware could do. I agree that putting TBB to /opt would give you a tiny bit
of extra security. But for the price of the user not being able to install
updates, that might just not be worth it. Having software being stored in
central directories is not much of a security feature.
BTW: The user profile of TBB would still be located in the home directory. It
would have to be. Malware could insert malicous stuff in there too like custom
Tor circuit settings, browser setting, NoScript rules, Add-Ons... You get the
idea.
--
4096R/1224DBD299A4F5F3
47BC 7DE8 3D46 2E8B ED18 AA86 1224 DBD2 99A4 F5F3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20170414/859729fc/attachment.sig>
More information about the tor-talk
mailing list