[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #9195 [Tor bundles/installation]: Bad default setting in Tor Browser Bundle poses a severe privacy risk.

To: undisclosed-recipients:;
Subject: [tor-bugs] #9195 [Tor bundles/installation]: Bad default setting in Tor Browser Bundle poses a severe privacy risk.
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Tue, 02 Jul 2013 20:58:23 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 02 Jul 2013 16:58:36 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#9195: Bad default setting in Tor Browser Bundle poses a severe privacy risk.
--------------------------------------+-------------------------------------
 Reporter:  cypherpunks               |          Owner:  erinn
     Type:  defect                    |         Status:  new  
 Priority:  major                     |      Milestone:       
Component:  Tor bundles/installation  |        Version:       
 Keywords:  Tor Browser Bundle        |         Parent:       
   Points:                            |   Actualpoints:       
--------------------------------------+-------------------------------------
 I have found that the latest Tor Browser Bundle (tor-browser-2.3.25-10_en-
 US.exe), when installed as instructed, uses a default setting of:
 browser.download.manager.scanWhenDone;true

 Which can be found by:
 opening a tab with "about:config" in Tor Browser
 and typing 'scan' in the "Search:" field.

 The default setting should be set to false, and all Tor Browser Bundles
 should ship with this setting:
 browser.download.manager.scanWhenDone;false

 Why?

 Anyone who uses Microsoft Security Essentials or another cloud based AV
 product,
 will transmit the filename and hash of <b>EACH</b> downloaded file in the
 clear to be vacuumed up by the NSA or their own domestic stasi equivalent.
 If I were a Chinese or Syrian citizen I would soil my pants. (Not that our
 own governments are better.)

 To verify this:
 Obtain a windows box which uses MSE (with default settings).
 Install Wireshark.
 Install the latest Tor Browser Bundle.
 Start Wireshark and start capturing traffic.
 Start Tor Browser.
 Download any file that would trigger MSE, such as
 https://www.torproject.org/dist/torbrowser/tor-browser-2.3.25-10_en-US.exe
 Watch MSE transmitting info (filename & hash) about this file to
 Microsoft.

 Note: You can disable cloud scanning in MSE and other similar products,
 but this is too much to ask of most users. It is better to avoid this
 problem completely since we know that NSA has installed backdoors into
 Microsoft networks.

 The drawback is that users are, presumably, slightly less protected from
 viruses by not scanning files when downloaded. But if the user has any
 decent AV product and updates the definition files regularly, the file
 would be scanned when used.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9195>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #9195 [Tor bundles/installation]: Bad default setting in Tor Browser Bundle poses a severe privacy risk.
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #9195 [Tor bundles/installation]: Bad default setting in Tor Browser Bundle poses a severe privacy risk.
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #9195 [Tor bundles/installation]: Bad default setting in Tor Browser Bundle poses a severe privacy risk.
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #9195 [Tor bundles/installation]: Bad default setting in Tor Browser Bundle poses a severe privacy risk.
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #9195 [Tor bundles/installation]: Bad default setting in Tor Browser Bundle poses a severe privacy risk.
  - From: Tor Bug Tracker & Wiki

Prev by Author: [tor-bugs] #9194 [EFF-HTTPS Everywhere]: https rule for http://dna.ancestry.com/ may be buggy
Next by Author: Re: [tor-bugs] #9195 [Tor bundles/installation]: Bad default setting in Tor Browser Bundle poses a severe privacy risk.
Previous by thread: [tor-bugs] #9194 [EFF-HTTPS Everywhere]: https rule for http://dna.ancestry.com/ may be buggy
Next by thread: Re: [tor-bugs] #9195 [Tor bundles/installation]: Bad default setting in Tor Browser Bundle poses a severe privacy risk.
Index(es):
- Author
- Thread