[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Tor Browser Linux_don't extract to root
On 04/14/2017 11:46 AM, Jonathan Marquardt wrote:
You're correct - installing it to a "non-writable" location isn't
necessarily the end of days. The rest of your argument against
improving security & anonymity contradicts some long standing practices
of Tor Project and some basic concepts of Linux. If there was / is no
value of Linux installing most programs & libraries to root, they
wouldn't do it.
Look, if you have malicous software running on the system with normal user
priviliges, you are in big trouble anyway. There's so many things that
malicous software could do even if TBB was installed at a non-writable
location. Just as a simple example, malware could just change the location in
your TBB desktop and launcher links and still trick you into launching
malicous software. That's just a really silly example, but the point is that
once the malware is running, it is too late. Storing software in non-writable
locations is such a small useless mitigation technique in contrast to what
malware could do. I agree that putting TBB to /opt would give you a tiny bit
of extra security. But for the price of the user not being able to install
updates, that might just not be worth it. Having software being stored in
central directories is not much of a security feature.
BTW: The user profile of TBB would still be located in the home directory. It
would have to be. Malware could insert malicous stuff in there too like custom
Tor circuit settings, browser setting, NoScript rules, Add-Ons... You get the
100's of changes & methods that Tor Project makes w/ TBB, individually
have small impact on overall anonymity or security. Collectively they
make a huge difference. If installing TBB to root directories adds -
some - protection, it seems as valid as 100's of changes & fixes made
over the yrs.
Many trac feature changes & bug fixes to change minor TBB behaviors
have no more impact than installing TBB to more protected Linux
directories. Some had zero impact on anonymity or security.
Tor Project could implement a script allowing auto-updating (or w/ a
click or 2), or they could use a PPA to install & update it.
For yrs, there was such an Ubuntu PPA / repo & small script, to allow
installing & auto-updating of Mozilla Fx releases, when installed to
/usr or /opt, etc. Seems like Tor Project could handle that.
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to