On 15 July 2016 at 05:36, Mirimir <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 07/14/2016 01:34 PM, Jon Tullett wrote:
>> If a law enforcement agency cracked Tor, it would be a very
>> significant development indeed. The same agency using browser
>> exploits doesn't move the security needle at all; we already know
>> they do that.
>
> Sure, browser exploits are common. And yes, Freedom Hosting and
> PlayPen users got pwned through Firefox bugs. However, the FBI malware
> that deanonymized them exploited a trivial vulnerability in all
> default Tor installs:

That's right. It was a very small piece of malware - all it did was
phone home on the clearweb. Very clearly targeted at Tor users, and a
clever demonstration of reality: you don't need to crack crypto to
attack an encrypted network.

>> The issue of who should be responsible for alerting a user to
>> possible risks is debatable.

> Making Tor browser available without warning about leaks is just plain
> irresponsible.

<snip>

> Is it too much to ask for a warning? Maybe a link to Whonix?

No, I wouldn't think so. I'd quite like to see a very plain-language
use-case breakdown either in the TBB homepage or linked off it - if you
are using TBB for <this>, then you should do <that>. If you are using it
in <this> environment, then you should read <this>. For a more
complicated list of how agencies may attack you despite your use of Tor,
read <this>.

I'd volunteer to write such guides, if there was demand for it.

-J
-- 
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
