Re: [qubes-users] Tor security - browsing/downloading over http

2018-04-04 Thread js...@riseup.net 
'awokd' via qubes-users:
> On Tue, April 3, 2018 11:42 pm, Giulio wrote:
>> 3) Not using tor in order to download files prevent only man in the
>> middles attack coming from the tor network, your provider, your
>> neighbors, your dns server etc may still tricks you the same way.
> 
> To jsnow's question on this, file modifications can be automated. The
> attacker could have a selection of files already modified, then watch for
> anyone trying to download it and substitute the poisoned one. Probably
> other ways to dynamically patch filetypes (like all .EXE for example) on
> the fly too. Check out "Quantum Insert". Tor helps here because it's much
> more difficult to target specific recipients for poisoned files, so they
> have to be sent to everyone who requests them which increases the
> likelihood they will get discovered. Of course, that's not the case if
> you're logging in to something.

Ok yea that makes sense. I guess i'm partially protected by the fact i'm
not doing anything really suspicious, but i guess what i'm concerned
about is dragnet attempts to compromise everyone and anyone, tho it
makes sense that would increase the chance they'd be caught which makes
it less likely.

-Jackie

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/268ec220-23ef-bc66-4951-0a9c870f2b6e%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Tor security - browsing/downloading over http

2018-04-04 Thread js...@riseup.net 
Hi Giulio,

Giulio:
> 1) Most website with a login do have https.
Yea especially now compared with a few years ago. Some still don't
unfortunately!

> 2) Which type of files are you talking about? If we are not talking about 
> executables (i hope not) then Qubes do have disposable vms which should 
> prevent an attacker from accessing sensitive files or gaining persistance.

Mostly pdfs/documents and maybe media files, but maybe also things like
game roms to play in an emulator. Nothing super important but i still
want to avoid compromise especially if i'm transfering files to a usb
stick/another computer.

I need to get in the habit of opening files in dispvms tho.

> As a general rule, mixing any of your tor activities with your non tor 
> activities do break the very purpose of tor, especially if you use the same 
> accounts in and out.

Yea using the same accounts for things in and out of tor is pretty
pointless. It seems pretty safe tho to use the same site in and out of
tor if you're doing different things and therefore not linked? (as long
as it's not at the same time)

> My suggestion is to first try to understand what the purpose of tor is and 
> against which type of adversary you need protection and then make your 
> choices on that basis.

As far as what kind of adversary i'm thinking about here i guess ones
with alot of resources, who think using tor is inherently
bad/suspicious, and so operate exit nodes to scoop up data on tor users,
and try to compromise random users to see what they're up to.

-Jackie

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c71de19c-0510-0b00-d1a0-2d8c98e026c6%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Tor security - browsing/downloading over http

2018-04-03 Thread 'awokd' via qubes-users 
On Tue, April 3, 2018 11:42 pm, Giulio wrote:
> Just a note, it all depends on your threat model. Be careful that most of
> the solutions you explained have each very different implications: 1) Most
> website with a login do have https. If they are hidden services they do
> not need it as traffic does not go through an exit node. If none of the
> above apply you could still use a VPN or a tunnel on top of tor but you
> will loose some anonimity

I think you're saying many otherwise HTTP only sites still use HTTPS for
the login step (but not all)!

> 3) Not using tor in order to download files prevent only man in the
> middles attack coming from the tor network, your provider, your
> neighbors, your dns server etc may still tricks you the same way.

To jsnow's question on this, file modifications can be automated. The
attacker could have a selection of files already modified, then watch for
anyone trying to download it and substitute the poisoned one. Probably
other ways to dynamically patch filetypes (like all .EXE for example) on
the fly too. Check out "Quantum Insert". Tor helps here because it's much
more difficult to target specific recipients for poisoned files, so they
have to be sent to everyone who requests them which increases the
likelihood they will get discovered. Of course, that's not the case if
you're logging in to something.

> As a general rule, mixing any of your tor activities with your non tor
> activities do break the very purpose of tor, especially if you use the
> same accounts in and out. My suggestion is to first try to understand
> what the purpose of tor is and against which type of adversary you need
> protection and then make your choices on that basis.

What Giulio said. Sounds like the OP has a good understanding of the
various weaknesses and trade-offs.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/beceebd3874c8acc07bf44741deef8b1.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Tor security - browsing/downloading over http

2018-04-03 Thread Giulio 
Just a note, it all depends on your threat model. Be careful that most of the 
solutions you explained have each very different implications:
1) Most website with a login do have https. If they are hidden services they do 
not need it as traffic does not go through an exit node. If none of the above 
apply you could still use a VPN or a tunnel on top of tor but you will loose 
some anonimity

2) Which type of files are you talking about? If we are not talking about 
executables (i hope not) then Qubes do have disposable vms which should prevent 
an attacker from accessing sensitive files or gaining persistance. Also even 
for attacking the disposable vm the attacker would need an exploit for a reader 
software (evince, libreoffice etc).

3) Not using tor in order to download files prevent only man in the middles 
attack coming from the tor network, your provider, your neighbors, your dns 
server etc may still tricks you the same way.

As a general rule, mixing any of your tor activities with your non tor 
activities do break the very purpose of tor, especially if you use the same 
accounts in and out. My suggestion is to first try to understand what the 
purpose of tor is and against which type of adversary you need protection and 
then make your choices on that basis.

Giulio

On April 4, 2018 1:23:56 AM GMT+02:00, "js...@riseup.net"  
wrote:
>Hi everyone,
>
>I've been thinking about ways i can increase security when using tor in
>a whonix vm, and i had a few questions about the security risks of
>browsing/downloading files over http.
>
>I've looked up some info about it and i know it presents a security
>risk, but i don't really know what i'm talking about so i thought i'd
>ask you guys. Please let me know if i'm wrong about anything here
>(which
>is likely!) Sorry this is so long!
>
>Anyways, let's say i want to use a site that doesn't use https (http
>only) that i can do 3 things on:
>
>1. general browsing/reading content
>2. download small files
>3. log into an account, which is required to download large files
>
>I'm browsing the site in a relatively unsecure vm that i don't
>necessarily care much about, but i'll probably want to move some of the
>files to another vm to use elsewhere, or to a usb stick to transfer to
>another machine.
>
>If i use the site over tor, the exit node operator can read all the
>unencrypted traffic, and possibly maliciously modify files downloaded,
>which is why it's recommended to always use https when possible over
>tor. Qubes helps with this since i can do all my browsing on the site
>in
>a separate vm, but there's still a security risk especially if i
>transfer files elsewhere.
>
>It seems to me that i basically have 4 options:
>
>1. Do everything over tor, including downloading files and logging into
>the account. This is bad because the exit node operator can see my
>username/password, and i don't think there's any way of really reducing
>the risk from this.
>
>2. Browse the site and download small files (without logging in) over
>tor, but use a non-tor VM to log into the account to download larger
>files. This is better than option 1 because exit node operators never
>see me log into the account, but still presents a security risk because
>they can maliciously modify files i download.
>
>It seems to me that exit node operators doing something like this
>(modifying files downloaded over http to compromise my vm) is something
>that would have to be done manually, in real time, but please let me
>know if i'm wrong about that! I also don't know how likely this is to
>actually happen.
>
>But it seems to me that a way to reduce the risk here is to use the
>"get
>a new tor circuit" option right before downloading the file. That way
>the new exit node operator would have not much warning/time to do
>something bad before i download the file. Would that help?
>
>3. Do general browsing in tor, but download all files outside of tor.
>This is better than option 2 from a security standpoint because i'm not
>downloading files in a risky way over tor that will then be transfered
>elsewhere, and if the vm i'm browsing the site in using tor gets
>compromised, i don't really care. But it's a pain to have to switch to
>a
>non-tor vm every time to download a file (and i know it's recommended
>not to have tor and non-tor connections to the same site at the same
>time).
>
>4. Do everything on the site outside of tor because the site doesn't
>support https. This is best from a security perspective, but worst from
>a privacy/anonymity perspective because i can't use tor to browse the
>site.
>
>If i really wanted to only use https over tor, i could enable the
>"block
>http connections" option in https everywhere, but couldn't this
>increase
>fingerprintability of browser since most tor users don't block http
>connections? The same reason it's recommended not to use additional
>browser plugins in tor browser.
>
>What do you guys think is the best way to go about it? Am i

[qubes-users] Tor security - browsing/downloading over http

2018-04-03 Thread js...@riseup.net 
Hi everyone,

I've been thinking about ways i can increase security when using tor in
a whonix vm, and i had a few questions about the security risks of
browsing/downloading files over http.

I've looked up some info about it and i know it presents a security
risk, but i don't really know what i'm talking about so i thought i'd
ask you guys. Please let me know if i'm wrong about anything here (which
is likely!) Sorry this is so long!

Anyways, let's say i want to use a site that doesn't use https (http
only) that i can do 3 things on:

1. general browsing/reading content
2. download small files
3. log into an account, which is required to download large files

I'm browsing the site in a relatively unsecure vm that i don't
necessarily care much about, but i'll probably want to move some of the
files to another vm to use elsewhere, or to a usb stick to transfer to
another machine.

If i use the site over tor, the exit node operator can read all the
unencrypted traffic, and possibly maliciously modify files downloaded,
which is why it's recommended to always use https when possible over
tor. Qubes helps with this since i can do all my browsing on the site in
a separate vm, but there's still a security risk especially if i
transfer files elsewhere.

It seems to me that i basically have 4 options:

1. Do everything over tor, including downloading files and logging into
the account. This is bad because the exit node operator can see my
username/password, and i don't think there's any way of really reducing
the risk from this.

2. Browse the site and download small files (without logging in) over
tor, but use a non-tor VM to log into the account to download larger
files. This is better than option 1 because exit node operators never
see me log into the account, but still presents a security risk because
they can maliciously modify files i download.

It seems to me that exit node operators doing something like this
(modifying files downloaded over http to compromise my vm) is something
that would have to be done manually, in real time, but please let me
know if i'm wrong about that! I also don't know how likely this is to
actually happen.

But it seems to me that a way to reduce the risk here is to use the "get
a new tor circuit" option right before downloading the file. That way
the new exit node operator would have not much warning/time to do
something bad before i download the file. Would that help?

3. Do general browsing in tor, but download all files outside of tor.
This is better than option 2 from a security standpoint because i'm not
downloading files in a risky way over tor that will then be transfered
elsewhere, and if the vm i'm browsing the site in using tor gets
compromised, i don't really care. But it's a pain to have to switch to a
non-tor vm every time to download a file (and i know it's recommended
not to have tor and non-tor connections to the same site at the same time).

4. Do everything on the site outside of tor because the site doesn't
support https. This is best from a security perspective, but worst from
a privacy/anonymity perspective because i can't use tor to browse the site.

If i really wanted to only use https over tor, i could enable the "block
http connections" option in https everywhere, but couldn't this increase
fingerprintability of browser since most tor users don't block http
connections? The same reason it's recommended not to use additional
browser plugins in tor browser.

What do you guys think is the best way to go about it? Am i wrong about
anything here or missing something?

I know this may be too long to read, sorry!

-Jackie

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3d12c7d6-4b38-4356-9f80-fa749db2280b%40riseup.net.
For more options, visit https://groups.google.com/d/optout.