-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/14/2016 01:38 AM, Jon Tullett wrote: > On 14 July 2016 at 08:37, Mirimir <miri...@riseup.net> wrote: > >> On 07/14/2016 12:23 AM, Jon Tullett wrote: > >>> Having pwned the server, a malware component is then injected >>> to visiting computers. Ie: when the criminal visits the >>> infected site, his PC is infected (over that encrypted, secure, >>> etc) connection. Now infected, his PC will be under the control >>> of the FBI, and the investigation will proceed from there. As >>> soon as it's connected to the regular internet, that connection >>> will be traced, but that connection is not necessary - data on >>> the PC can be exfiltrated by the feds over Tor and used to >>> identify the user. >> >> Tor Project ought to inform users about this risk, and recommend >> countermeasures. It's not like this is new. I see nothing at >> <https://www.torproject.org/download/download.html.en#warning>. > > I agree - a warning of the dangers of visiting infected onion > sites could be useful (even though the problem is not specifically > a Tor one). There's the risk of feature creep - security is a big > space and it isn't really Tor's job to educate people on every risk > online. Perhaps a clarification that just as TBB is not all you > need to maintain privacy, it's also not all you need to stay > secure, with a pointer to some external tips?
There is an aspect of visiting hostile onion sites that's especially problematic: forcing direct clearnet connections that reveal users' ISP-assigned IP addresses. It's irresponsible to continue recommending only vulnerable setups, especially Tor browser in Windows. <SNIP> -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQEcBAEBAgAGBQJXh1AuAAoJEGINZVEXwuQ+JxsIAK7NCDwsjp3LuP25p2V0CHpZ ceXd7yN7BFzFfsxgbErT68dWLYWSIGxm6ZBg4ZQBb3BzvPOoRU50LldmyXjf5+FS KC34TcqYnewyLTLe9g2vtcrttPoxbgcBoHuywe7Do5+hlPM/+I7Y4xjm8scIpNEf X7vOGh5BfzbWQ4umMXP7YKEDNaktnN5xTITcqDrDZF15ugyUNslmaZRqfBeOv+GA sfEhqa/puowXfJ0cOjuoPPGp/QApGKevYqL67/8XP8xhWbj3GK+ICk0i28dZK/ks f+KOVouFXa50gJvSlvRzZouUbkvc5o5mAwoC25WZ3/30C2eiTYHRMXSk+8H6MnE= =P3OR -----END PGP SIGNATURE----- -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
