[tor-talk] Tor and TBB Issues Needing Good Advice

Andreas Krey a.krey at gmx.de
Thu Jan 25 05:21:11 UTC 2018

On Mon, 22 Jan 2018 13:33:31 +0000, Mirimir wrote:
> But it would be very cool if its vulnerabilities were clearly disclosed.
> On the download page. There's already disclosure (but maybe not explicit
> enough) that Tor isn't secure against global adversaries. So why not
> disclosure that Tor browser isn't secure against Tor-bypassing malware?

Perhaps to not scare the potential users away, as in 'like not that much
more secure to be worth the download'?

Also, the GPA can attack tor/TBB as designed; the FBI's thing relies
on vulnerabilities that are not in the design. But I'm not writing
the download page.

> As I understand it, FBI's NIT gets dropped through Firefox, but it
> phones home through a standalone process.

Yes, but the phoning home is necessary to locate the user. It could
just as well access ifconfig.me via clearnet, and then relay the result
home via tor, but that is an unnecessary step.

If it were to just take control of the machine it could really do
all its comm via tor.

> So restricting Firefox to Tor
> wouldn't be enough. But even if I'm wrong about existing malware, what I
> describe is doable. It's already a risk when opening downloaded files.

Yes. Basically, firefox, and everything it starts, needs to be contained
in a sandbox. (With the added difficulty that opening some documents
on some systems will not start a new process but tell an existing one
to open the doc.)

> > I have to 'admit' that I have a TBB instance running
> > partially so I can use putty to reach hidden services.
> Why not standalone Tor?

Because windows. I had a proprietary windows service wrapper (that
needs to be compiled into the service's, i.e. tor's, code), and remember
the fickleness; I never looked into how to run tor as a windows service
officially. And partly because I have TBB running all the time anyway.

Also: Admin permissions, and update hassle. Self-updating tor as windows service?
I don't think we even have a suitable download source for that.

(My raspberries all do have tor as a service, in different ways, and
different ages. Because no TBB for them, and because they have the
hidden services to access.)

- Andreas

"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800
