[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tor-talk] FBI cracked Tor security



On 15 July 2016 at 05:36, Mirimir <mirimir@riseup.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 07/14/2016 01:34 PM, Jon Tullett wrote:

>> If a law enforcement agency cracked Tor, it would be a very
>> significant development indeed. The same agency using browser
>> exploits doesn't move the security needle at all; we already know
>> they do that.
>
> Sure, browser exploits are common. And yes, Freedom Hosting and
> PlayPen users got pwned through Firefox bugs. However, the FBI malware
> that deanonymized them exploited a trivial vulnerability in all
> default Tor installs:

That's right. It was a very small piece of malware - all it did was
phone home on the clearweb. Very clearly targeted at Tor users, and a
clever demonstration of reality: you don't need to crack crypto to
attack an encrypted network.

>> The issue of who should be responsible for alerting a user to
>> possible risks is debatable.

> Making Tor browser available without warning about leaks is just plain
> irresponsible.
<snip>
> Is it too much to ask for a warning? Maybe a link to Whonix?

No, I wouldn't think so. I'd quite like to see a very plain-language
use-case breakdown either in the TBB homepage or linked off it - if
you are using TBB for <this>, then you should do <that>. If you are
using it in <this> environment, then you should read <this>. For a
more complicated list of how agencies may attack you despite your use
of Tor, read <this>. I'd volunteer to write such guides, if there was
demand for it.

-J
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk