Silk Road forums
Discussion => Security => Topic started by: kmfkewm on March 30, 2013, 11:49 am
-
I see one poster (ato72543) in particular keeps posting clearnet links and suggesting that people do not open them with Tor. This is Bad Advice. In one case he had a somewhat plausible explanation, in that he linked to a flash video tutorial on using GPG, and flash CAN circumvent Tor. This fails to address the point that NOT USING TOR CIRCUMVENTS TOR IN ALL CASES. Better advice would be "don't look at flash videos people here post, period". In other cases he is giving links to .html sites and suggesting that people open them outside of Tor. In this case, there is no plausible explanation for why this would even potentially be considered good advice, and it is pretty obvious that he is confused about how Tor works if he thinks it is not meant for accessing the clearnet with it.
-
I don't understand the point of clearnet warnings. Tor Browser is primarily intended for browsing clearnet.
If you've enabled Flash or Java, it's your own fault, and in this case it doesn't make any difference at all if you visit a .onion site or a clearnet site. A Java applet on a .onion site can easily connect you to a clearnet server to find your IP.
I've never heard of Flash being able to circumvent Tor. Can you please elaborate? It can be used to fingerprint you but that's about it.
-
Flash plugins don't necessarily respect the browser's proxy settings. https://www.torproject.org/docs/faq.html.en#TBBFlash
-
When the Flash plugin is installed, it allows direct TCP connections back to the originating host. These connections may bypass the proxy server, leaking the real external address of the user's workstation.
The rest applies only to Java.
I think the problem is actually that Adobe Flash Player is not open source. Perhaps Gnash would be a safer option? https://en.wikipedia.org/wiki/Gnash
On Linux, you can set up user-specific rules in iptables to route all traffic through Tor, and run Firefox from the command line like this, completely avoiding the issue above:
sudo -u <username> ./start-tor-browser
-
When the Flash plugin is installed, it allows direct TCP connections back to the originating host. These connections may bypass the proxy server, leaking the real external address of the user's workstation.
The rest applies only to Java.
I think the problem is actually that Adobe Flash Player is not open source. Perhaps Gnash would be a safer option? https://en.wikipedia.org/wiki/Gnash
On Linux, you can set up user-specific rules in iptables to route all traffic through Tor, and run Firefox from the command line like this, completely avoiding the issue above:
sudo -u <username> ./start-tor-browser
The problem is exactly what you quoted, not that the plugin is not open source. Flash can be used for proxy bypass attacks. Using firewall rules and other techniques can make flash safer to use with Tor (and java as well), but with a vanilla configuration of Tor it is dangerous and can easily lead to deanonymization.
-
I don't understand the point of clearnet warnings. Tor Browser is primarily intended for browsing clearnet.
LOL. You mean the ones people post sometimes? Yeah. I was late to realize they were doing so because they didn't know what they were talking about.
--
In any case kmfkewm is 100% correct. I would add:
1. Don't google Silk Road or anything Silk Road related on a clearnet browser (your regular chrome or internet exploder or firefox etc).
2. Don't search for anything on a clearnet browser that is also what you're posting on here.
That might sound over the top. But it is easy to detect a Google request that came out of a Tor exit node, and since this is one of the largest hidden service forums you should be wary. Who knows what relationship LE really has with the search engines. LEO break the law all the time and call it "intelligence gathering" or "confidential informant" which it produces results.
You are being watched. Constantly. Both software agents trawling posts and real LE agents.
-
When the Flash plugin is installed, it allows direct TCP connections back to the originating host. These connections may bypass the proxy server, leaking the real external address of the user's workstation.
The rest applies only to Java.
I think the problem is actually that Adobe Flash Player is not open source. Perhaps Gnash would be a safer option? https://en.wikipedia.org/wiki/Gnash
On Linux, you can set up user-specific rules in iptables to route all traffic through Tor, and run Firefox from the command line like this, completely avoiding the issue above:
sudo -u <username> ./start-tor-browser
The problem is exactly what you quoted, not that the plugin is not open source. Flash can be used for proxy bypass attacks. Using firewall rules and other techniques can make flash safer to use with Tor (and java as well), but with a vanilla configuration of Tor it is dangerous and can easily lead to deanonymization.
As I understand it, it's not a feature but a bug (am I wrong here?). Since Gnash is open source, you can either file a bug report and wait for it to be fixed or start a fork. Of course, first you'd have to test if Gnash actually has this issue.
-
It isn't a feature or a bug, it is a design choice that overlooks anonymity. So I suppose it is the lack of a feature, but not a bug.
-
Also I suppose it is possible that Gnash or some other flash plugin has the feature of using the proxy settings of the browser, I am not sure which if any do. I just know that flash not respecting browser proxy settings was such a widespread problem at one point that Tor Project officially said that it is not secure to use Flash plugins with browsers configured to use Tor, unless transparent proxying or similar techniques are used to ensure it doesn't bypass Tor. I have also heard them say that even with such configurations, it is best practice to avoid using flash plugins anyway, as they are likely to be insecure in other ways as well.
-
Actually, the solution is pretty simple. Tor devs should pack Gnash (by forking it if necessary) as part of Tor Browser Bundle.
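-
The user-specific iptables rules and the "transparent proxying" mentioned in the thread, sketched as an added example that is not part of any post. It prints a fail-closed rule set for one account so it can be reviewed before being run as root. Assumptions: a Tor daemon running under a different account with `TransPort 9040` and `DNSPort 5353` in its torrc; the account name `anonuser` is constructed.

```shell
#!/bin/sh
# Added example: emit per-user iptables rules that force one account's
# traffic through a local Tor TransPort/DNSPort and drop everything else,
# so a plugin that ignores the browser's proxy settings cannot connect directly.
TRANS_PORT=9040   # assumption: "TransPort 9040" in torrc
DNS_PORT=5353     # assumption: "DNSPort 5353" in torrc

tor_user_rules() {
    user=$1
    # Refuse anything that is not a plain account name: the output is
    # meant to be executed as root after review.
    case $user in
        ''|*[!a-z0-9_-]*) echo "invalid user name" >&2; return 1 ;;
    esac
    m="-m owner --uid-owner $user"
    cat <<EOF
iptables -t nat -A OUTPUT ! -o lo $m -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A OUTPUT ! -o lo $m -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -A OUTPUT $m -d 127.0.0.1 -p udp --dport $DNS_PORT -j ACCEPT
iptables -A OUTPUT $m -d 127.0.0.1 -p tcp --dport $TRANS_PORT -j ACCEPT
iptables -A OUTPUT ! -o lo $m -j DROP
ip6tables -A OUTPUT ! -o lo $m -j DROP
EOF
}

# Print the rule set for the constructed account name.
tor_user_rules anonuser
```

The two final DROP rules are what make the setup fail closed: anything from that account that was not redirected to Tor (other UDP, ICMP, all IPv6) is discarded instead of leaving the machine directly.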