Re: [tor-talk] TOR Browser safety practices
Thanks Wallichii and Conrad for your replies.
---- On Fri, 24 May 2019 09:18:19 -0700 Wallichii <mailto:wallichii@xxxxxxxxxx> wrote ----
On Fri, 24 May 2019 08:28:37 -0700
npdflr <mailto:npdflr@xxxxxxxx> wrote:
> 1. Is downloading files safe via TOR Browser?
Yes, downloading files with Tor Browser should be as safe as downloading
them with Firefox. You can open that PDF file safely on any computer
that is not connected to the internet.
> 2. Viewing insecure HTTP sites:
>
> Any suggestion which insecure HTTP sites one can visit even if one
> gets the warning:
>
> "HTTPS
> Everywhere noticed you were navigating to a non-HTTPS page, and
> tried to send you to the HTTPS version instead. The HTTPS version is
> unavailable. ........."
You can visit any website, it should be safe. When your traffic is
routed through Tor it exits from someone else's computer so if you are
visiting a website that doesn't start with https://, it can be
monitored or even altered by that exit computer. If you are visiting
websites that start with https:// then the exit computer cannot alter
the contents of the website.
> 3. Should one proceed when a website has an error like "invalid
> certificate error"?
Normally you shouldn't do that on websites that you don't control/host.
Let's say I am hosting a website and I set up TLS on the server myself and
noted down the fingerprint. Now in this case I can proceed if I forget
to renew the certificate because I've noted down the fingerprint and as
long as I verify it every time, it should be pretty safe. (AFAIK)
You can proceed but remember to treat that connection as an HTTP
connection and you should assume that everything you
enter/submit/request can be altered/monitored by the exit computer
(more like every computer which routes the traffic).
Simple answer: No, inform the operators and visit it after they fix
this issue.
> 4. I am able to open ftp sites without using TLS (only ftp not ftps)
>
> So, is it advisable to open sites having protocols such as ftp, smtp
> etc but are not wrapped inside TLS?
If it's not encrypted in any form then your userid and password go in
plain text, and they can be altered/monitored by any computer your traffic
goes through. In this case the exit computer can save your plain text
password and use it for malicious purposes.
>> So, for the questions 2. 3. and 4 if a user is just visiting the website
>> for the purpose of viewing it not transferring any personal/sensitive data
>> then the exit computer can/may be able to alter/monitor the traffic but the
>> user's browser data (excluding the current session with the website) and
>> the hard disk data should be safe, I hope I am right?
@Conrad: I am aware of the Tails operating system. I haven't used it yet.
I will use it soon but even when I would be using Tails, I should be aware of
some technical details of using TOR so that no sensitive data is stolen during
online activities.
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
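
The fingerprint check described in the reply to question 3 (note down your own server's certificate fingerprint, then compare it on every visit), as an added example that is not part of the original thread. The function names, the choice of SHA-256 and the sample byte strings are assumptions made for illustration; the sample bytes are constructed stand-ins, not real certificates.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return lowercase hex."""
    cleaned = pin.replace(":", "").replace(" ", "").strip().lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("pin is not a SHA-256 fingerprint")
    return cleaned


def matches_pin(der_cert: bytes, pin: str) -> bool:
    """True only if the presented certificate is the one that was noted down."""
    return hmac.compare_digest(fingerprint_sha256(der_cert), normalize_pin(pin))


def fetch_der_cert(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the server certificate without CA or expiry checks.

    Validation is disabled on purpose: the pin comparison replaces it, so the
    returned bytes must pass matches_pin() before the connection is trusted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for DER certificates (not real certificates).
SAMPLE_OWN_CERT = b"constructed-der-bytes-of-my-own-server-cert"
SAMPLE_OTHER_CERT = b"constructed-der-bytes-presented-by-someone-else"
# The pin as it would have been written down at setup time, browser-style.
_hex = fingerprint_sha256(SAMPLE_OWN_CERT).upper()
SAMPLE_PIN = ":".join(_hex[i:i + 2] for i in range(0, 64, 2))
```

A renewed certificate has different DER bytes, so the noted fingerprint has to be recorded again after each renewal; a mismatch at any other time means the certificate presented is not the one that was pinned.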