
Re: [tor-talk] TOR Browser safety practices



Thanks Wallichii and Conrad for your replies.



---- On Fri, 24 May 2019 09:18:19 -0700 Wallichii <mailto:wallichii@xxxxxxxxxx> wrote ----



On Fri, 24 May 2019 08:28:37 -0700 
npdflr <mailto:npdflr@xxxxxxxx> wrote: 
 
> 1. Is downloading files safe via TOR Browser? 
 
Yes, downloading files with Tor Browser should be as safe as downloading 
them with Firefox. You can open that PDF file safely on any computer 
that is not connected to the internet. 
 
> 2. Viewing insecure HTTP sites: 
> 
> Any suggestion which insecure HTTP sites one can visit even if one 
> gets the warning: 
> 
> "HTTPS 
>  Everywhere noticed you were navigating to a non-HTTPS page, and 
> tried to send you to the HTTPS version instead. The HTTPS version is 
> unavailable. ........." 
 
You can visit any website, it should be safe. When your traffic is 
routed through Tor it exits from someone else's computer so if you are 
visiting a website that doesn't start with https://, it can be 
monitored or even altered by that exit computer. If you are visiting 
websites that start with https:// then the exit computer cannot alter 
the contents of the website. 


> 3. Should one proceed when a website has an error like "invalid 
> certificate error"? 
 
Normally you shouldn't do that on websites that you don't control/host. 
Let's say I am hosting a website and I set up TLS on the server myself and 
noted down the fingerprint. Now in this case I can proceed if I forget 
to renew the certificate because I've noted down the fingerprint and as 
long as I verify it every time, it should be pretty safe. (AFAIK) 
 
You can proceed but remember to treat that connection as http 
connection and you should assume that everything you 
enter/submit/request can be altered/monitored by the exit computer 
(more like every computer which routes the traffic). 
 
Simple answer: No, inform the operators and visit it after they fix 
this issue. 
 
> 4. I am able to open ftp sites without using TLS (only ftp not ftps) 
> 
> So, is it advisable to open sites having protocols such as ftp, smtp 
> etc but are not wrapped inside TLS? 
 
If it's not encrypted in any form then your userid and password go in 
plain text, and they can be altered/monitored by any computer your traffic 
goes through. In this case the exit computer can save your plain text 
password and use it for malicious purposes. 





    

>> So, for questions 2, 3 and 4, if a user is just visiting the website
>> for the purpose of viewing it, not transferring any personal/sensitive data,
>> then the exit computer can/may be able to alter/monitor the traffic but the
>> user's browser data (excluding the current session with the website) and
>> the hard disk data should be safe. I hope I am right?





@Conrad: I am aware of the Tails operating system. I haven't used it yet.
I will use it soon, but even when I am using Tails, I should be aware of
some technical details of using TOR so that no sensitive data is stolen during
online activities.
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk