Very clear. I think I've got it. God bless good old plain text files !!!
Lluís Spain On 10/16/2014 05:21 PM, Naja Melan wrote: >> By the way, applies the same to the already downloaded pdf docs ? > > yes. > > It applies to everything you download and feed to an application which > has internet access and which might connect to the internet based on > information within the file or the filename for that matter. > > For a more complete security analysis I think about it like this: > > - If I download a document not over https correctly certified: the > server, the last tor node and any routers between that last tor node > and the server can inject something in the document > - If I download a document from a server with correct https: the server > (potentially hacked) could try to identify me, on top of any > reservations you might have about https > > By all means, that's a lot of leaks if you are concerned about your > security, so it is strongly adviced to open documents in Tails or in a > VM that has no internet access. On top of that, it could be difficult > to verify documents and clean them if you want to store them for later > use and distribution, so in that case use a clean tor connection not > related to other sensitive internet traffic. > > If you use tor for your everyday browsing as an extra privacy measure, > than downloading a random scientific paper and opening it will probably > be low risk. Just keep in mind that the last tor node is an extra MITM > that makes tor under quite a few circumstances less secure than direct > internet connection (since anyone can run one). So if your evince has a > buffer overflow bug for example, that's an extra person who could try > to exploit it (again unless you use valid https) and this sort of > exploit works on any document, regardless of whether the contents are > sensitive or not. > > It's up to you to figure out your security needs. > > Naja Melan > _______________________________________________ > tor-relays mailing list > [email protected] > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays > _______________________________________________ tor-relays mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
