[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tor-talk] FBI cracked Tor security

Hash: SHA1

On 07/14/2016 01:38 AM, Jon Tullett wrote:
> On 14 July 2016 at 08:37, Mirimir <mirimir@riseup.net> wrote:
>> On 07/14/2016 12:23 AM, Jon Tullett wrote:
>>> Having pwned the server, a malware component is then injected
>>> to visiting computers. Ie: when the criminal visits the
>>> infected site, his PC is infected (over that encrypted, secure,
>>> etc) connection. Now infected, his PC will be under the control
>>> of the FBI, and the investigation will proceed from there. As
>>> soon as it's connected to the regular internet, that connection
>>> will be traced, but that connection is not necessary - data on
>>> the PC can be exfiltrated by the feds over Tor and used to
>>> identify the user.
>> Tor Project ought to inform users about this risk, and recommend 
>> countermeasures. It's not like this is new. I see nothing at 
>> <https://www.torproject.org/download/download.html.en#warning>.
> I agree - a warning of the dangers of visiting infected onion
> sites could be useful (even though the problem is not specifically
> a Tor one). There's the risk of feature creep - security is a big
> space and it isn't really Tor's job to educate people on every risk
> online. Perhaps a clarification that just as TBB is not all you
> need to maintain privacy, it's also not all you need to stay
> secure, with a pointer to some external tips?

There is an aspect of visiting hostile onion sites that's especially
problematic: forcing direct clearnet connections that reveal users'
ISP-assigned IP addresses. It's irresponsible to continue recommending
only vulnerable setups, especially Tor browser in Windows.


Version: GnuPG v2.0.22 (GNU/Linux)

tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to