• Members of the previous forum can retrieve their temporary password here, (login and check your PM).

Is TOR 8.0 broken and insecure?

Migrated topic.
Should preface by saying this isn't some scare-thing, just the reality of this type of thing.

There was a js exploit that was out a couple months back for the ns ff extension [bypass] in the tor bb. I think it had been released by zerodium. Easy to reproduce [&rev.engineer]. This was all for the previous tor bb versions before 8.xx. The exploit didn't do a whole lot in and of itself, but chained with a few other exploits [i.e: many different ff browser exploits out there] it's a different story.

Even though the patch was put in, it might go with some reasoning that if zerodium released this willy nilly without much thought [and w/o a pricetag] - that there's going to be continual vulnerabilities on the ns ff extension [if there aren't already].

Keep in mind zerodium pays some good $$ for bug bounties [&sells] relating to tor clientside vulnerabilities (for all parties involved & willing to pay).
 
PsyDuckmonkey said:
MachienDome said:
Auxin said:
That the US funds TOR is not proof of its insecurity.

No, but the fact that they abandoned it does.

Using TOR on top of an insecure system doesn't do anything. Using an outdated version is useless :!:. Use TAILS, it provides a bit more security.

Please don't perpetuate superstition. TOR is not broken, and Tails is not particularly better than the TBB for most common threat models. In fact, it has serious drawbacks as well as benefits. Every anonymization and encryption is defeatable by an appropriate sidechannel attack. It's worth reading up how they arrested Dread Pirate Roberts.

Your opsec needs to be appropriate to your level of threat. Expecting to be targeted specifically, with people expending effort to spy on you as an individual target, and generic efforts to avoid getting caught in a dragnet data collection are two very different things, and need different levels of commitment on your part.

I won't quote how TOR should be used to browse and communicate safely, there's plenty written about that. And it's mostly not about your technology stack (though that does play a part), but about your behavior, both online and offline.

Agree to disagree, but you may have to define "broken" first. I know how Dread really got caught, not the FBI lies that they tell the public and courts. I can assure you it has nothing to do with superstition, only technology. Believe me or don't, I'm just spreading the knowledge I myself have gained instead of repeating what I have heard. After the house came crashing down, I'm still here and thats no fluke. 8)

I do agree with the "Your opsec needs to be appropriate to your level of threat." statement, though. Its various federal agencies that are the threat on a forum like this, so dont forget that. Unfortunately, you cant go back in time and make it more secure once its too late so more security up-front is better. You seem to understand better than most how to successfully use the technology (as in, not the "install and I'm good forever no matter what I do" school of thought) which means surely you know that TAILs is more secure than Tor Browser.

I hope you dont hold those previous statements against me, I believe we are both on the same team here and have more common in the notion of security than it might seem from this post, I merely wanted to point out that from what I have experienced for myself, Tor Browser is way too easy to circumvent. TAILs is far from perfect but is a secure environment as opposed to a "secure" app on an insecure environment. There's no sense in locking the door if you just leave a window open anyway. I prefer security in layers, not a one-shot Hail Mary. Tor Browser is (or rather should be) only a piece of your over-all security posture.

Anyway, I won't be debating the issue further, I don't feel there is much thats constructive about it. I have seen many people hop on the "Tor isnt broken" bandwaggon and it seems to be either an agenda or a religious conviction at this poiont. The evidence is astounding that the TOR network is not nearly as secure as most assume it is and Tor Browser alone is hardly enough. Those that believe its impossible to find out who you are when using Tor Browser on a Windows machine, who downloaded it from home over WIFI without a VPN and never even checked/verified the Checksums are the ones who will just put their head in the sand and feel self-satisfied that they are completely secure now that they have one program to enter their selfies into because they were told so. Remember the old mantra of security: Verify, Install, CONFIG, and test.

Quick shout out to all my brothers and sisters MIA in the Drug War and in Federal Prison. I miss you :cry: Justice will prevail against their corrupt, immoral system. Redemption is upon the horizon and closer than it appears. Can't stop, won't stop.
 
MachienDome said:
Agree to disagree, but you may have to define "broken" first.
Haha. :) True that.

MachienDome said:
I know how Dread really got caught, not the FBI lies that they tell the public and courts. I can assure you it has nothing to do with superstition, only technology.
Are you in a position to share sources? Making a grand statement like this is best followed up by sharing knowledge.

MachienDome said:
I do agree with the "Your opsec needs to be appropriate to your level of threat." statement, though. Its various federal agencies that are the threat on a forum like this, so dont forget that.
Well, depends on your own activities. There's a level of threat when browsing and discussing psychedelics, there's a level of threat when sharing teks and photos, there's a level of threat when conducting business on the darknet... Also, the threat is not the same in all countries. But I basically do agree with you.

MachienDome said:
Unfortunately, you cant go back in time and make it more secure once its too late so more security up-front is better.
You can, though, build a more secure identity from the ground up.

MachienDome said:
You seem to understand better than most how to successfully use the technology (as in, not the "install and I'm good forever no matter what I do" school of thought) which means surely you know that TAILs is more secure than Tor Browser.
Of course it's more secure.

MachienDome said:
I hope you dont hold those previous statements against me
Why would I hold it against you? I really like to debate and discuss security, and I'm always open to learn. I would consider it good ethics though if you actually divulged the knowledge you claimed about the SR investigation that you hinted at possessing.

MachienDome said:
Those that believe its impossible to find out who you are when using Tor Browser on a Windows machine, who downloaded it from home over WIFI without a VPN and never even checked/verified the Checksums are the ones who will just put their head in the sand and feel self-satisfied that they are completely secure now that they have one program to enter their selfies into because they were told so. Remember the old mantra of security: Verify, Install, CONFIG, and test.
Amen.
 
Won't go in depth with sources, but I'd advise against the use of Tor. It could be vulnerable due to the exit node man-in-the-middle attack vector. Besides this, Tor traffic through your ISP raises red flags.

Best is to use a good trustworthy VPN and a separate dedicated browser for sensitive matter.

If your paranoid you could use Tor (Tails) inside your VPN connection. The remote server (website) only sees a Tor IP. The Tor exit node only sees your VPN IP. Your VPN provider doesn't see which website you are connecting to, only Tor. All this is covered up, as your ISP only sees a normal VPN connection.

But if your super paranoid you wouldn't trust Tor in the first place. And if your super super paranoid you wouldn't trust either Tor nor any VPN provider and just do your stuff on a secure system and https. But then again, how secure is https?

:lol:
 
Tails is a bitch. i set it up on a dedicated PC (YUK!) and it worked. i then realized the massive hoops i would have to go through to have it actually be a working, viable system for easy communication/commerce. and the instructions for doing so are, to say the least, weak or non-existent. importing keys (i mean, how do i get the keys from one computer to the Tails computer?), setting up email accounts and various other stuff just made me give it up. i have it on a USB drive and it works; honestly i don't think it's worth the bother. it was fun setting it up 'cause i'm kind-of a nerd, but once i did i was done.

there is, however, a VPN service that has a pretty cool thing - "double VPN" where you are bounced between two servers. by the time you get to the second server, you are as close as one can be to untraceable. this particular VPN's country is not part of the alliance between various countries that share security information. they keep no logs at all. the only "risk" is that your ISP provider sees you are using a VPN. that, i believe, is unavoidable unless using public wi-fi.

using double VPN and TOR is about as safe as it can get - yet it should be said that nothing is totally safe.
 
Interesting project, but Tails shouldn't be used as a persistent hard disk installed OS. Well it can be, but it's designed to be used as a non-persistent boot disk (iso burned to dvd or usb). To be booted clean with all default settings and all data erased on reboot. The reason for this is anti malware infection and anti fingerprinting. Any Tails setting that you change and alter can be used to identify you online easier. Tails even gives a warning if you full screen the internet browser for this reason. The main privacy tactic of Tails, besides using Tor, is that everyone using Tails has exactly the same system settings making it very hard for the other side to identify individual Tails users. This is what makes Tails much securer than running Tor Browser in you normal OS.

See: What is Browser Fingerprinting? What It Is And How To Stop It.
 
Back
Top Bottom