On Mon, 22 Jan 2018 13:33:31 +0000, Mirimir wrote:
...
> But it would be very cool if its vulnerabilities were clearly disclosed.
> On the download page. There's already disclosure (but maybe not explicit
> enough) that Tor isn't secure against global adversaries. So why not
> disclosure that Tor browser isn't secure against Tor-bypassing malware?

Perhaps to not scare the potential users away, as in 'like not that much more secure to be worth the download'?

Also, the GPA can attack tor/TBB as designed; the FBI's thing relies on vulnerabilities that are not in the design.

But I'm not writing the download page.

...
> As I understand it, FBI's NIT gets dropped through Firefox, but it
> phones home through a standalone process.

Yes, but the phoning home is necessary to locate the user. It could just as well access ifconfig.me via clearnet, and then relay the result home via tor, but that is an unnecessary step. If it were to just take control of the machine it could really do all its comm via tor.

> So restricting Firefox to Tor
> wouldn't be enough. But even if I'm wrong about existing malware, what I
> describe is doable. It's already a risk when opening downloaded files.

Yes. Basically, firefox, and everything it starts needs to be contained in a sandbox. (With the added difficulty that opening some documents on some systems will not start a new process but tell an existing one to open the doc.)

...
> > I have to 'admit' that I have a TBB instance running
> > partially so I can use putty to reach hidden services.
>
> Why not standalone Tor?

Because windows. I had a proprietary windows service wrapper (that needs to be compiled into the service's, i.e. tor's, code), and remember the fickleness; I never looked into how to run tor as a windows service officially.

And partly because I have TBB running all the time anyway.

Also: Admin permissions, and update hassle. Self-updating tor as windows service? I don't think we even have a suitable download source for that.

(My raspberries all do have tor as a service, in different ways, and different ages. Because no TBB for them, and because they have the hidden services to access.)

- Andreas

--
"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800