Re: [tor-talk] catastrophe: ip-api.com sees me

[Seth David Schoen]

Dash Four writes:

> Roger Dingledine wrote:
> >Using any browser with Tor besides Tor Browser is usually a bad idea:
> >https://www.torproject.org/docs/faq#TBBOtherBrowser
> I disagree with that statement. It is certainly _not_ a bad idea, provided 
> you know what you are doing.

As the documentation says, there are a couple of different things that
can go awry here.

* Your non-Tor Browser can be vulnerable to a proxy bypass (because
  other browsers don't necessarily consider that a very serious
  problem).  E.g., an attacker can serve you some HTML that uses
  some kind of browser feature that goes directly over the Internet,
  not via Tor.

* Your non-Tor Browser can be vulnerable to various kinds of
  tracking and fingerprinting, because other browsers haven't done as
  much to mitigate that.  E.g., an attacker can use some kind of
  supercookie to recognize you across sessions, or serve some kind
  of Javascript that queries various system properties that produce a
  unique long-term fingerprint that Tor Browser might have prevented.

* Your non-Tor Browser can be inherently distinctive because very
  few people are using any given other configuration.  E.g., you might
  be the only person in the world currently using Tor with a particular
  browser version, OS, language, and browser window size (even if a
  site doesn't use elaborate or complex Javascript to find out about
  your system's properties).

Your particular setup has probably mitigated the first of these
effectively, but maybe not the other two.

Now, there are ways that the Tor Browser may also have failed to fully
mitigate each of these risks.  And there could be other benefits to
using a different browser in terms of adversaries who know of zero-day
vulnerabilities in Tor Browser that might not be present in other
browsers.  (Some critics have pointed out that more potential attackers
probably have zero-days against the current Tor Browser at a given
moment than against, say, the current Google Chrome; at least, they
typically wouldn't have to pay as much money to buy them.)  But you
probably can't mitigate the second two concerns above on your own, which
might always mean more trackability and less anonymity of a certain kind
when using another browser with Tor.

Also,

* If you use something other than Tor Browser, you can get confused
  about when you are or aren't using Tor, or accidentally enable or
  disable it in the middle of some other activity, leading to several
  kinds of contamination between Tor and non-Tor sessions.

Very sophisticated and disciplined users might not trip over this
particular issue, but it's a relatively high risk and a lot of people
using the old TorButton setup definitely ran into this kind of problem.

-- 
Seth Schoen  
Senior Staff Technologist   https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109   +1 415 436 9333 x107
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] catastrophe: ip-api.com sees me

[Dash Four]

Roger Dingledine wrote:

Using any browser with Tor besides Tor Browser is usually a bad idea:
https://www.torproject.org/docs/faq#TBBOtherBrowser

I disagree with that statement. It is certainly _not_ a bad idea, provided you 
know what you are doing.

I don't use TBB, except when I am in "internet cafe" setup/environment (which 
is pretty rare in my case).

For all other cases, I use regular browser, which routes all traffic locally (using the loopback device only) and traverses it over encrypted tunnel to my tor 
machine (all using 2 distinctly different subnets), which in turn routes it out via a 3rd machine that is connected to the real world via a VPN.


My "browser traffic" passes through 3 different firewalls before it gets out, 
so the chances of something going astray are close to nil.

I tend to keep tor at arms length - in my DMZ subnet - and that is how it should be. OK, admittedly, not the garden-variety setup, but it served me well over 
the years and I have no complaints.


As far as ip-api.com goes, they use the old "rawsocket" trick to bypass normal 
traffic/firewall rules - pretty amateurish.



You can read more about all the fixes in Tor Browser here:
https://www.torproject.org/projects/torbrowser/design/

Chrome, Opera, and others all have bugs that allow a website to route
traffic around the configured proxy -- and in some cases allow a website
to bypass VPNs too.

Stay safe out there,
--Roger




--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk