Yes, I do mean bad. For those who haven't tried it, I'll explain. The default browser has an option which is set to on by default. That option uses Tor to browse in private mode. It's easy to turn off, but that's not the issue. The issue is that users who have no idea are subjected to attacks.

Tor exit nodes (the way you access the internet from the Tor network) can be malicious. As a real-world example, here is an article talking about patching binaries: http://www.hotforsecurity.com/blog/tor-exit-node-patches-malware-on-executable-downloads-10690.html. I haven't looked over the details, but IIRC VLC isn't signed, and IDK if this code cares if the binary is signed, but you potentially will get malware if you download an exe through a malicious Tor node.

If you look into what the Tor Browser does, you'll see it has various settings and addons for safety. One big thing is that Tor Button disables some addons (like Flash) so they don't communicate w/o going through the proxy. Tor Button also changes the user agent to a common string to make it more difficult to fingerprint you (for example, it will say I'm using Firefox 31 on Windows even though I'm on Trisquel). It will block 3rd-party tracking (cookies and, I believe, scripts) and, from what I hear, cleans out suspicious JavaScript. Other addons include NoScript (disables JavaScript) and SSL everywhere (switches to HTTPS on known sites).

The browser in private mode offers none of this. Because it doesn't, a user is subjected to binary patching and attacks that researchers or malicious parties may carry out. A Tor node is run on someone's private server. They can monitor and modify traffic. It's different from the internet, which is generally a connection from you to your ISP to mostly or entirely routers connecting you to your destination (an IP address).

So a user who by default doesn't know what Tor is or what may happen can potentially be hacked or have extra monitoring on them (fingerprinting, or leaking their IP address through Flash or another addon, since they aren't blocked). I suggest not allowing the feature at all or finding a way to enable Torbutton and the other addons found in the Tor Browser when switching to private mode. I also suggest looking at the Tor Browser settings (about:config).

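As an added example that is not part of the original post: one way to detect an executable that was modified in transit, as in the binary-patching case described above, is to compare its SHA-256 digest against a publisher manifest before running it. The file name, the manifest contents and the byte strings are constructed for illustration, and the check assumes the manifest itself was obtained over a channel the exit node cannot alter (for example HTTPS, or after verifying its signature).

```python
import hashlib
import hmac

HEX = set("0123456789abcdefABCDEF")

def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex>  <name>' or '<64 hex> *<name>'."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        digests[name] = digest.lower()
    return digests

def verify_download(name, data, manifest):
    """Return True only if data hashes to the digest the manifest lists for name."""
    expected = manifest.get(name)
    if expected is None:
        return False  # file not listed: fail closed rather than trust it
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample data: an "installer" as published, and the same bytes
# with extra content appended the way an in-path patcher might leave them.
ORIGINAL = b"MZ\x90\x00" + b"constructed installer body" * 8
PATCHED = ORIGINAL + b"constructed appended payload"
# Constructed manifest; in practice this comes from the trusted channel.
MANIFEST_TEXT = f"{hashlib.sha256(ORIGINAL).hexdigest()}  player-setup.exe\n"

def demo():
    manifest = parse_manifest(MANIFEST_TEXT)
    return {
        "original": verify_download("player-setup.exe", ORIGINAL, manifest),
        "patched": verify_download("player-setup.exe", PATCHED, manifest),
        "unlisted": verify_download("other.exe", ORIGINAL, manifest),
    }

if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'OK' if ok else 'REJECT'}")
```

A digest fetched over the same plain-HTTP path as the binary gives no protection, since whoever rewrites the download can rewrite the digest too.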