Tor security

    In the article

    http://www.zdnet.com/beyond-silk-roa...bi-7000035604/

    is described how the FBI seized many darknet sites running within the Tor ecosystem.

    "On Sunday, the Tor Project group said they were 'as surprised as most of you' at the seizure, but have 'very little information about how this was accomplished.'

    The Tor Project said it has no idea how the hidden services were located, but 'is most interested in understanding how these services were located, and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents.' However, there are a number of plausible scenarios which could explain the mass takedown.

    The operators of hidden websites may have failed to use adequate operational security, or common web bugs like SQL injections or RFIs (remote file inclusions) may have been exploited by undercover agents. In addition, as Tor relays were potentially seized — according to the group — the Tor network may have been attacked in order to unveil the locations of these hidden services."

    Also see:

    http://www.newsroomamerica.com/story...websites_.html

    There are several well-known recent breaks in SSL security, too (example:

    http://www.linux-magazine.com/Online...ession-Cookies )

    and php security.

    Even worse, as has been my opinion for years, there is an overabundant use of Javascript / JQuery in web sites that are a fundamental security risk, IMO.

    I rarely allow Javascript (yet it is increasingly fundamental for trivial websites). I understand this shifts computing necessity from a backend server to the user's computer and is desirable to large websites, but it also easily allows "spyware" code snippets to constantly be downloaded to the user's computer.

    The FBI details having set up honey-pot and fake websites with such code snippets aimed at "targets." Unless a target were using Tails 100% of the time and never connected using their unprotected IP address, a code snippet unwittingly remaining on their computer could then be used to triangulate their IP address / location without having to actually defeat Tor. (Of course, this is even easier to cross-correlate with the undoubted rogue Tor relays that security agencies likely have in place to monitor Tor traffic.)

    See:

    http://www.statecolumn.com/2014/10/f...-fake-website/

    In short, unless one uses all security measures at all times, security is not complete. No Javascript. Encryption at all times. Never use a secure computer only "part-time with (all) security enabled". The Tor developers have said this for years, and one does not need to assume a break in the Tor protocol to explain surveillance successes in tracking Tor users.

    As Javascript-requiring websites have become increasingly pervasive, I see end-users' security slipping and becoming sloppier and sloppier. They assume that if so many websites are using it, it must be safe, and are lulled into a false (self-deluded) sense of security. Big data and backend providers are hardly secure (witness increasingly common big-database thefts). "Functionality first, security second" has always been the software developers' mindset, but I think that mindset is dangerous.

    Here's an example. A fully functional, fast text-based email server named SquirrelMail has been around for years and is quite functional and rather secure (especially when used with encrypted messages). Most meaningful email is text-based anyway. Is there really a need for all the photos and links and texting and Facebook add-ons (all of which are security risks) built into the email server using Javascript extensions? MS Outlook was despised for a decade or so for being extremely insecure (largely due to all the scripted functions linking to extraneous services provided by Microsoft servers), but now we see Yahoo (now bought by MS) and Google and other email providers acting in the same fashion. Heck, they mine the messages just to provide ads! A lot of people may actually like this, but it is the furthest thing from private or secure.

    I am not particularly fond of (and am very against) Silk Road, and weapons and drug trading and other illegal activities, but I also realise government agencies are often corrupt, stupid, erroneous, and dangerous in their own measure ( cf. http://www.calgaryherald.com/technol...432/story.html ), and believe strongly in privacy and good security. Besides, there's a famous saying (I think it's from Greece): "If the government can spy on you, so can the criminals."

    Here are some initial basic security steps I like:

    http://ubuntuguide.org/wiki/Kubuntu_Trusty_Privacy
    Last edited by perspectoff; Nov 10, 2014, 02:40 PM.

    UbuntuGuide/KubuntuGuide

    Right now the killer is being surrounded by a web of deduction, forensic science,
    and the latest in technology such as two-way radios and e-mail.

    #2
    Thank you for your review.

    A small point about javascript. I use NoScript, and it shows how much javascript pervades much of the web. However, my use of NoScript is mostly defeated by persistence; dozens of scripts are run on typical pages, usually several layers deep, with the legitimate functionality hidden deep in those layers, so to get pages to function I end up clicking "temporarily allow all on this page". I suppose I need a service to automatically validate the javascript.
    Regards, John Little



      #3
      jlittle, ditto here re NoScript vs javascript. Sometimes to do the simplest thing at a site, it is necessary to "temp allow all this page." I guess the NoScript does provide a layer of warning/information, it slows you down to think about it.
      An intellectual says a simple thing in a hard way. An artist says a hard thing in a simple way. Charles Bukowski



        #4
        +10

        I do exactly the same with NoScript and am equally frustrated (but use it for security nevertheless).

        I wish websites indicated which scripts were absolutely needed to view content...

        UbuntuGuide/KubuntuGuide

        Right now the killer is being surrounded by a web of deduction, forensic science,
        and the latest in technology such as two-way radios and e-mail.



          #5
          A web application is the union of a web server and a web browser. This is the reality of the modern web. To provide useful functionality, the traditional client-server model has been re-implemented: some code runs on the web server, some code runs in the browser. To do otherwise would invite extremely poor performance because of latency. Electrons and photons do have an upper bound: the speed of light.

          It is disingenuous to lay the blame on a tool, whether it's JavaScript or AJAX or PHP. Skilled developers can create secure and resilient software with these tools. Knowing how to write robust code that can withstand abuse must become more widely known. Equally important is to develop techniques for detection and response. Even the highest quality software will have bugs, and some of these could lead to exploits. IT security postures that concentrate most resources on prevention and ignore detection and response are poor postures indeed.
