
Re: [tor-talk] TOR Browser safety practices



On Fri, 24 May 2019 08:28:37 -0700
npdflr <npdflr@xxxxxxxx> wrote:

> 1. Is downloading files safe via TOR Browser?

Yes, downloading files with Tor Browser should be as safe as downloading
them with Firefox. You can open that PDF file safely on any computer
that is not connected to the internet.

> 2. Viewing insecure HTTP sites:
> 
> Any suggestion which insecure HTTP sites one can visit even if one
> gets the warning:
> 
> "HTTPS Everywhere noticed you were navigating to a non-HTTPS page, and
> tried to send you to the HTTPS version instead. The HTTPS version is
> unavailable. ........."

You can visit any website; it should be safe. When your traffic is
routed through Tor it exits from someone else's computer, so if you are
visiting a website that doesn't start with https://, it can be
monitored or even altered by that exit computer. If you are visiting
websites that start with https:// then the exit computer cannot alter
the contents of the website.

> 3. Should one proceed when a website has an error like "invalid
> certificate error"?

Normally you shouldn't do that on websites that you don't control/host.
Let's say I am hosting a website and I set up TLS on the server myself and
noted down the fingerprint. Now in this case I can proceed if I forget
to renew the certificate because I've noted down the fingerprint and as
long as I verify it every time, it should be pretty safe. (AFAIK)

You can proceed but remember to treat that connection as an HTTP
connection and you should assume that everything you
enter/submit/request can be altered/monitored by the exit computer
(more like every computer which routes the traffic).

Simple answer: No, inform the operators and visit it after they fix
this issue.
 
> 4. I am able to open ftp sites without using TLS (only ftp not ftps)
> 
> So, is it advisable to open sites having protocols such as ftp, smtp
> etc but are not wrapped inside TLS?

If it's not encrypted in any form then your userid and password go in
plain text and can be altered/monitored by any computer your traffic
goes through. In this case the exit computer can save your plain text
password and use it for malicious purposes.

-- 
Wallichii <wallichi@xxxxxxxxxx>
0731 FCC1 D00B 2069 1F23
4D22 2032 F592 A338 B781
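
An added example, not part of the original message: a sketch of the fingerprint check described in the answer to question 3, comparing the SHA-256 fingerprint of the certificate a server presents against the value noted at setup. The function names and the sample byte strings are assumptions made for illustration; the samples are constructed stand-ins, not real certificates.

```python
import hashlib
import hmac
import ssl

def format_fingerprint(digest):
    """Render a digest the way browsers show it: 'AB:CD:...'."""
    return ":".join(f"{b:02X}" for b in digest)

def normalize_fingerprint(text):
    """Accept 'AB:CD', 'ab cd' or 'abcd' forms; return the 32 raw bytes."""
    cleaned = "".join(ch for ch in text if ch not in ": \t\r\n")
    raw = bytes.fromhex(cleaned)  # raises ValueError on non-hex input
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("not a full SHA-256 fingerprint")
    return raw

def cert_fingerprint(cert):
    """SHA-256 over the certificate's DER bytes (PEM text is decoded first)."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return hashlib.sha256(der).digest()

def matches_noted(cert, noted):
    """True only if the presented certificate is the one noted earlier."""
    return hmac.compare_digest(cert_fingerprint(cert),
                               normalize_fingerprint(noted))

# Constructed stand-ins for DER certificate bytes (not real certificates).
# On a live connection the bytes come from
# SSLSocket.getpeercert(binary_form=True).
MY_CERT_DER = b"constructed sample: the operator's own certificate"
OTHER_CERT_DER = b"constructed sample: a certificate substituted in transit"
MY_CERT_PEM = ssl.DER_cert_to_PEM_cert(MY_CERT_DER)

# The value written down when the server was set up.
NOTED = format_fingerprint(cert_fingerprint(MY_CERT_DER))

if __name__ == "__main__":
    for label, cert in [("own", MY_CERT_DER), ("substituted", OTHER_CERT_DER)]:
        verdict = "proceed" if matches_noted(cert, NOTED) else "stop"
        print(label, "->", verdict)
```

The fingerprint covers the whole certificate, so an expired certificate still matches the noted value, while any certificate swapped in along the path does not.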
