Re: [tor-talk] TOR Browser safety practices

2019-07-21 Thread Notopygos
On Sat, 20 Jul 2019 19:07:09 -0700
npdflr  wrote:

> What is the worst case that could happen if a malicious script
> (Javascript, XHR, other) or a malicious cookie runs?

AFAIK JavaScript exploits are rare, and you already have NoScript
enabled, which makes it more unlikely. Also, if there exists an exploit,
then why would someone use it on a very small percentage of internet
users? If Tor Browser is affected then probably Firefox is also
affected; they would use it on the internet and not some intranet (Tor
network).

You are thinking too much!

~Notopygos
--
1C24 ED06 365A 6045 C128
A1C0 FB0E 5321 5307 6E7D


-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] TOR Browser safety practices

2019-07-20 Thread npdflr
Tor browser already contains a NoScript addon allowing the user to prevent
certain scripts from running.

What is the worst case that could happen if a malicious script (JavaScript,
XHR, other) or a malicious cookie runs?
Apart from username and password, which could be stolen, can other data be
stolen/corrupted? Data like:
1. Bookmarks
2. Browser storage: IndexedDB, DOM Storage
3. Files in TOR download folder
4. Data on the hard disk apart from the folders used by TOR.
(Tor by design does not write any browsing activity like history, session etc.
to disk. So I think data in other parts of the hard disk should be safe.)
5. Current data held in RAM



Re: [tor-talk] TOR Browser safety practices

2019-05-25 Thread npdflr
Thanks Wallichii and Conrad for your replies.



On Fri, 24 May 2019 09:18:19 -0700 Wallichii wrote:



On Fri, 24 May 2019 08:28:37 -0700 
npdflr  wrote: 
 
> 1. Is downloading files safe via TOR Browser? 
 
Yes, downloading files with Tor Browser should be as safe as downloading
them with Firefox. You can open that PDF file safely on any computer
that is not connected to the internet.
 
> 2. Viewing insecure HTTP sites: 
> 
> Any suggestion which insecure HTTP sites one can visit even if one 
> gets the warning: 
> 
> "HTTPS Everywhere noticed you were navigating to a non-HTTPS page, and
> tried to send you to the HTTPS version instead. The HTTPS version is
> unavailable."
 
You can visit any website, it should be safe. When your traffic is 
routed through Tor it exits from someone else's computer so if you are 
visiting a website that doesn't start with https://, it can be 
monitored or even altered by that exit computer. If you are visiting 
websites that start with https:// then the exit computer cannot alter 
the contents of the website. 


> 3. Should one proceed when a website has an error like "invalid 
> certificate error"? 
 
Normally you shouldn't do that on websites that you don't control/host.
Let's say I am hosting a website and I set up TLS on the server myself and
noted down the fingerprint. Now in this case I can proceed if I forget
to renew the certificate because I've noted down the fingerprint and as
long as I verify it every time, it should be pretty safe. (AFAIK)

You can proceed but remember to treat that connection as an HTTP
connection and you should assume that everything you
enter/submit/request can be altered/monitored by the exit computer
(more like every computer which routes the traffic).
 
Simple answer: No, inform the operators and visit it after they fix 
this issue. 
 
> 4. I am able to open ftp sites without using TLS (only ftp not ftps) 
> 
> So, is it advisable to open sites having protocols such as ftp, smtp 
> etc but are not wrapped inside TLS? 
 
If it's not encrypted in any form then your userid and password go in
plain text, and they can be altered/monitored by any computer your traffic
goes through. In this case the exit computer can save your plain text
password and use it for malicious purposes.





    

>> So, for the questions 2. 3. and 4 if a user is just visiting the website
>> for the purpose of viewing it not transferring any personal/sensitive data
>> then the exit computer can/may be able to alter/monitor the traffic but the
>> user's browser data (excluding the current session with the website) and
>> the hard disk data should be safe, I hope I am right?





@Conrad: I am aware of the Tails operating system. I haven't used it yet.
I will use it soon but even when I would be using Tails, I should be aware of
some technical details of using TOR so that no sensitive data is stolen during
online activities.


Re: [tor-talk] TOR Browser safety practices

2019-05-25 Thread Wallichii
On Fri, 24 May 2019 08:28:37 -0700
npdflr  wrote:

> 1. Is downloading files safe via TOR Browser?

Yes, downloading files with Tor Browser should be as safe as downloading
them with Firefox. You can open that PDF file safely on any computer
that is not connected to the internet.

> 2. Viewing insecure HTTP sites:
> 
> Any suggestion which insecure HTTP sites one can visit even if one
> gets the warning:
> 
> "HTTPS Everywhere noticed you were navigating to a non-HTTPS page, and
> tried to send you to the HTTPS version instead. The HTTPS version is
> unavailable."

You can visit any website, it should be safe. When your traffic is
routed through Tor it exits from someone else's computer so if you are
visiting a website that doesn't start with https://, it can be
monitored or even altered by that exit computer. If you are visiting
websites that start with https:// then the exit computer cannot alter
the contents of the website.

> 3. Should one proceed when a website has an error like "invalid
> certificate error"?

Normally you shouldn't do that on websites that you don't control/host.
Let's say I am hosting a website and I set up TLS on the server myself and
noted down the fingerprint. Now in this case I can proceed if I forget
to renew the certificate because I've noted down the fingerprint and as
long as I verify it every time, it should be pretty safe. (AFAIK)

You can proceed but remember to treat that connection as an HTTP
connection and you should assume that everything you
enter/submit/request can be altered/monitored by the exit computer
(more like every computer which routes the traffic).

Simple answer: No, inform the operators and visit it after they fix
this issue.
 
> 4. I am able to open ftp sites without using TLS (only ftp not ftps)
> 
> So, is it advisable to open sites having protocols such as ftp, smtp
> etc but are not wrapped inside TLS?

If it's not encrypted in any form then your userid and password go in
plain text, and they can be altered/monitored by any computer your traffic
goes through. In this case the exit computer can save your plain text
password and use it for malicious purposes.

-- 
Wallichii 
0731 FCC1 D00B 2069 1F23
4D22 2032 F592 A338 B781
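
The fingerprint check described in the reply above, as an added example that is not part of the original thread: it compares a certificate's SHA-256 fingerprint with one noted down earlier and falls back to "treat as plain HTTP" when there is no match. The function names and the sample certificates are assumptions made for illustration; the samples are constructed bytes, not real certificates.

```python
import hashlib
import hmac
import ssl
from typing import Optional


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as colon-separated hex pairs."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Keep only hex digits, lowercased, so notes from different tools compare equal."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def pin_matches(pem: str, noted: str) -> bool:
    """True only if the presented certificate is exactly the one noted down."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hmac.compare_digest(normalize(fingerprint(der)), normalize(noted))


def verdict(pem: str, noted: Optional[str]) -> str:
    """Decision for a connection whose certificate the browser rejected."""
    if noted and pin_matches(pem, noted):
        return "pinned certificate: proceed"
    # No note, or a different certificate: anything sent can be read or altered.
    return "unverified: treat as plain HTTP"


# Constructed stand-ins: arbitrary bytes wrapped as PEM, not real certificates.
# For a live server, ssl.get_server_certificate((host, port)) returns the PEM
# without validating it (it connects directly, not through Tor).
MY_CERT = ssl.DER_cert_to_PEM_cert(b"constructed bytes: certificate on my server")
OTHER_CERT = ssl.DER_cert_to_PEM_cert(b"constructed bytes: substituted in transit")
NOTED = fingerprint(ssl.PEM_cert_to_DER_cert(MY_CERT))  # written down at setup

if __name__ == "__main__":
    print(NOTED)
    print(verdict(MY_CERT, NOTED))     # same bytes as noted, even if expired
    print(verdict(OTHER_CERT, NOTED))  # different certificate presented
    print(verdict(MY_CERT, None))      # a site whose fingerprint was never noted
```

An expired certificate keeps the same fingerprint because the hash covers the certificate bytes, which do not change when the validity period runs out; a renewed certificate has a new fingerprint and needs a new note.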




Re: [tor-talk] TOR Browser safety practices

2019-05-25 Thread Conrad Rockenhaus
Hello,

Sorry for top posting, but I can’t help but to ask, since you seem overtly 
cautious about your security, why don’t you utilize a solution such as booting 
Tails from a USB key (Higher degree of confidence of anonymity and prevention 
of leakage) or use Tails in a VirtualBox VM? (High degree of confidence of 
anonymity and prevention of leakage). I know it’s not directly Tor Browser, but 
it’s Tor Browser integrated into an isolated bootable Operating System for your 
security.

https://tails.boum.org/

Thanks,

Conrad

> On May 24, 2019, at 10:28 AM, npdflr  wrote:
> 
> I would like to ask for some safe practices to maximize security while using 
> TOR browser.
> 
> 
> 
> I understand some of the basics and have gone through the FAQ on pages 
> https://support.torproject.org/#faq and 
> https://2019.www.torproject.org/docs/faq.html.en
> 
> 
> 
> Here are some questions:
> 
> 1. Is downloading files safe via TOR Browser?
> 
> I got the following warning while downloading a PDF file:
> 
> "Tor Browser cannot display this file. You will need to open it with another 
> application.
> 
> Some types of files can cause applications to connect to the Internet without 
> using Tor.
> 
> To be safe, you should only open downloaded files while offline, or use a Tor 
> Live CD such as Tails."
> 
> 
> 
> 2. Viewing insecure HTTP sites:
> 
> Any suggestion which insecure HTTP sites one can visit even if one gets the 
> warning:
> 
> "HTTPS Everywhere noticed you were navigating to a non-HTTPS page, and tried
> to send you to the HTTPS version instead. The HTTPS version is
> unavailable."
> 
> 
> 
> 3. Should one proceed when a website has an error like "invalid certificate 
> error"?
> 
> 
> 
> 4. I am able to open ftp sites without using TLS (only ftp not ftps)
> 
> So, is it advisable to open sites having protocols such as ftp, smtp etc but 
> are not wrapped inside TLS?
> 
> 
> 
> Thank you.


[tor-talk] TOR Browser safety practices

2019-05-24 Thread npdflr
I would like to ask for some safe practices to maximize security while using 
TOR browser.



I understand some of the basics and have gone through the FAQ on pages 
https://support.torproject.org/#faq and 
https://2019.www.torproject.org/docs/faq.html.en



Here are some questions:

1. Is downloading files safe via TOR Browser?

I got the following warning while downloading a PDF file:

"Tor Browser cannot display this file. You will need to open it with another 
application.

Some types of files can cause applications to connect to the Internet without 
using Tor.

To be safe, you should only open downloaded files while offline, or use a Tor 
Live CD such as Tails."



2. Viewing insecure HTTP sites:

Any suggestion which insecure HTTP sites one can visit even if one gets the 
warning:

"HTTPS Everywhere noticed you were navigating to a non-HTTPS page, and tried
to send you to the HTTPS version instead. The HTTPS version is
unavailable."



3. Should one proceed when a website has an error like "invalid certificate 
error"?



4. I am able to open ftp sites without using TLS (only ftp not ftps)

So, is it advisable to open sites having protocols such as ftp, smtp etc but 
are not wrapped inside TLS?



Thank you.