
Re: [tor-relays] About TBB downloadings



Very clear. I think I've got it.

God bless good old plain text files!!!

Lluís
Spain

On 10/16/2014 05:21 PM, Naja Melan wrote:
>> By the way, does the same apply to the already downloaded PDF docs?
> 
> yes.
> 
> It applies to everything you download and feed to an application which 
> has internet access and which might connect to the internet based on 
> information within the file or the filename for that matter.
> 
> For a more complete security analysis I think about it like this:
> 
> - If I download a document not over https correctly certified: the 
> server, the last tor node and any routers between that last tor node 
> and the server can inject something in the document
> - If I download a document from a server with correct https: the server 
> (potentially hacked) could try to identify me, on top of any 
> reservations you might have about https
> 
> By all means, that's a lot of leaks if you are concerned about your 
> security, so it is strongly advised to open documents in Tails or in a 
> VM that has no internet access. On top of that, it could be difficult 
> to verify documents and clean them if you want to store them for later 
> use and distribution, so in that case use a clean tor connection not 
> related to other sensitive internet traffic.
> 
> If you use tor for your everyday browsing as an extra privacy measure, 
> then downloading a random scientific paper and opening it will probably 
> be low risk. Just keep in mind that the last tor node is an extra MITM 
> that makes tor under quite a few circumstances less secure than direct 
> internet connection (since anyone can run one). So if your evince has a 
> buffer overflow bug for example, that's an extra person who could try 
> to exploit it (again unless you use valid https) and this sort of 
> exploit works on any document, regardless of whether the contents are 
> sensitive or not.
> 
> It's up to you to figure out your security needs.
> 
> Naja Melan
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 
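As an added example (not part of the original emails), the sketch below is one way to triage an already downloaded PDF, inside the offline VM, for dictionary keys that can make a viewer connect out or run code. The key list and the constructed samples are assumptions of this example; it only inflates Flate-compressed streams, so an empty result does not prove a file is clean.

```python
import re
import zlib

# Name keys that can make a PDF viewer open a connection or run code.
# The selection is this example's assumption, not a complete list.
RISKY_KEYS = (b"/URI", b"/GoToR", b"/GoToE", b"/Launch", b"/SubmitForm",
              b"/ImportData", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/XFA")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
NAME_END = rb"(?=[\s/<>\[\]()]|$)"  # a name ends at whitespace or a delimiter


def decode_names(data):
    """Undo #XX escapes so that /J#61vaScript is seen as /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Yield the inflated body of every stream that zlib can decompress."""
    for match in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the end-of-line bytes before "endstream"
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate-encoded (other filter, encrypted, image data)


def find_risky_keys(pdf_bytes):
    """Return {key: count} over the raw file plus all inflated streams."""
    counts = {}
    for chunk in [pdf_bytes, *inflate_streams(pdf_bytes)]:
        text = decode_names(chunk)
        for key in RISKY_KEYS:
            hits = len(re.findall(re.escape(key) + NAME_END, text))
            if hits:
                counts[key.decode()] = counts.get(key.decode(), 0) + hits
    return counts


# Constructed samples (not real documents): no actions, a plain link action,
# and an action hidden in a compressed stream with a hex-escaped name.
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Page /Contents 2 0 R >>\nendobj\n%%EOF\n"
SAMPLE_LINK = (b"%PDF-1.4\n1 0 obj\n<< /Type /Action /S /URI "
               b"/URI (http://example.invalid/track) >>\nendobj\n%%EOF\n")
SAMPLE_PACKED = (b"%PDF-1.5\n1 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
                 + zlib.compress(b"<< /S /J#61vaScript /JS (1) >>")
                 + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("link", SAMPLE_LINK),
                          ("packed", SAMPLE_PACKED)):
        print(label, find_risky_keys(sample))
```
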