On 14 July 2016 at 12:52, <m...@beroal.in.ua> wrote:
> On 14.07.16 09:23, Jon Tullett wrote:
>>
>> On 14 July 2016 at 01:51, Nick Levinson <nick_levin...@yahoo.com> wrote:
>>>
>>> The FBI reportedly cracked Tor's security to crack a child porn case with
>>> over 100 arrests of Tor users.
>>
>> I think what you'll find in such cases is that the FBI generally crack
>> the servers hosting the illicit material, not Tor itself.
>
> It's still unclear to me whether there is a vulnerability in Firefox, in Tor
> Browser, or in Tor.

These are separate issues with separate ramifications. Breaking Firefox is comparatively trivial. Breaking Tor would be extremely untrivial, both in effort and implication.

Take one scenario; the FBI deploys malware on a server to identify its users. That doesn't require (or even benefit from) attacking the Tor network directly. It's about exploiting vulnerabilities in the hosting software for delivery, then about vulnerabilities in the users' browsers for infection. That may be browser vulnerabilities or Flash vulns or whatever, but again, nothing to do with Tor.

Also worth separating Tor and TBB. Vulnerabilities in TBB would likely be flaws in Firefox or a bundled addon. Exploiting that is certainly plausible, but doesn't count as "cracking Tor" in the context of compromising the network or encryption.

In the case of Freedom Hosting, it was reportedly a combination of both; the FBI cracked the server, then planted malware which exploited a vuln in Firefox (and therefore TBB) users. They didn't, it is believed, compromise Tor crypto in the process.

https://www.wired.com/2013/09/freedom-hosting-fbi/

Should add that users with NoScript enabled would not have been vulnerable - I get the "noscript decreases privacy" argument, but I'd still kinda like it to be on by default to protect users. Maybe with a big red "Turn on Javascript because I'm happy to get pwned by malicious ads, FBI malware, and miscellaneous trackers" button :)

Lastly, I should acknowledge that none of this is proof that Tor has NOT been compromised. Just that in the incident in question, it was probably not.

>> There are frequently vulnerabilities in hosting services - content
>> platforms, web forums, third-party Javascript libraries, file uploads,
>> management interfaces...many sites, darkweb or not, have much broader
>> attack surfaces than their owners understand.
>
> Exactly. Bugs in software. Or, as Dijkstra put it, incorrect software. Users
> demand more features instead of more correctness because buggy software is
> "good enough" and a rare glitch is no problem. Then they discover that they
> lost control of their computers.

Unfortunately, security is rarely a top priority for either developers or users.

-J
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk