Delivery-Date: Fri, 15 Aug 2014 12:32:18 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.3 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
	FROM_LOCAL_NOVOWEL,RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD autolearn=ham
	version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id D28851E0B61;
	Fri, 15 Aug 2014 12:32:16 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 741A730B1E;
	Fri, 15 Aug 2014 16:32:13 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 80C6430A3A
 for <tor-talk@lists.torproject.org>; Fri, 15 Aug 2014 16:32:09 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at eugeni.torproject.org
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id FGJFVdENiwdI for <tor-talk@lists.torproject.org>;
 Fri, 15 Aug 2014 16:32:09 +0000 (UTC)
Received: from mout.gmx.com (mout.gmx.com [74.208.4.201])
 (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by eugeni.torproject.org (Postfix) with ESMTPS id 599EA309BA
 for <tor-talk@lists.torproject.org>; Fri, 15 Aug 2014 16:32:09 +0000 (UTC)
Received: from [127.0.0.1] ([99.190.181.188]) by mail.gmx.com (mrgmxus001)
 with ESMTPSA (Nemesis) id 0MDQYF-1XArFb29bp-00Gpt4 for
 <tor-talk@lists.torproject.org>; Fri, 15 Aug 2014 18:32:06 +0200
Message-ID: <53EE35EB.2010105@gmx.com>
Date: Fri, 15 Aug 2014 11:31:39 -0500
From: Joe Btfsplk <joebtfsplk@gmx.com>
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64;
 rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <4dbf80e1a3ae8b182a15ea2af6fa10dc@openmailbox.org>
 <CAKkunMats8JoVc8wqYrMtWE4f0gTA7RVVWirhuJz6t9sA5dDQQ@mail.gmail.com>
 <53EBDEF5.7040804@gmail.com>
 <CAKkunMYRO-R_bs3MtOydCkZ9dJ0SmgSMT8-xVt-wCeuu22oniQ@mail.gmail.com>
 <53ED3CA8.8030705@gmail.com> <53ED43D8.4040302@riseup.net>
In-Reply-To: <53ED43D8.4040302@riseup.net>
X-Provags-ID: V03:K0:1q4iIqZ6vxrWFKhDeHSnWpzR4xrdXCzX6ulM5RCQVNeX5SYO1rr
 G+jBDPQ87l/5WJq+vNr7Na1V+1R74eTyMKokHHqNwtkeuoEAwa+3S1IxaIt2p8lCHc3/SwQ
 Y5aL8tk1JYgxOlKFMhrgotNKCJf/L9ckcRl6nFDHjHVF2tvvTfRMWpynna5alz/WKGC2gG5
 yyleZb9H2e4UVl8AihR0Q==
X-UI-Out-Filterresults: notjunk:1;
X-Content-Filtered-By: Mailman/MimeDel 2.1.15
Subject: Re: [tor-talk] Wired Story on Uncovering Users of Hidden Services.
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="windows-1252"; Format="flowed"
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

On 8/14/2014 6:18 PM, Mirimir wrote:
> On 08/14/2014 04:48 PM, Aymeric Vitte wrote:
>> I am "defensive" because you seem to make a general case of something
>> that can only happen in case of browser's/OS bug, and conveying to Tor
>> users that they should not use js is a non sense, you make believe them
>> that intrinsically js can easily leak their ip and/or mac addresses,
>> which is wrong, this can happen under extraordinary circumstances that
>> have nothing to do with js, here a windows/ff bug, which could have been
>> a css attack or whatever.
>>
>> Regards,
> This was indeed an extraordinary circumstance. And it is misleading to
> focus on the importance of blocking Javascript. It's also evidence for
> using the latest Tor browser release, avoiding Windows, etc.
>
> However, I do see a "told you so" here. It's foolish to think that
> simply using the Tor browser is adequate protection for doing stuff
> where there are serious consequences. Maybe the the comment "Everything
> you need to safely browse the Internet. This package requires no
> installation. Just extract it and run." on the download page needs a
> "don't do stupid stuff" warning. Also, maybe the "Want Tor to really
> work?" section needs to reiterate the "don't rely on Tor for strong
> anonymity" warning. Maybe even something about firewall rules. Yes?
Others can weigh in, but (as with most software) the information of what =

all one needs to do & not do, in order to *not potentially* compromise =

anonymity while using Tor is quite spread out.
It can take a long time for users to learn even the basics of what "else =

can go wrong," besides just installing TBB & hitting go.
Yes, there's a short, basic list / FAQ that warns of some of these =

things.  It's hardly complete or "sufficient for most users," IMO.

No doubt, anonymity w/ Tor is complicated - even for experts & putting =

together documentation (in one place) to cover most of the pitfalls is =

tough.  But perhaps not impossible.
Probably a better job could be done (than present) to revise / =

reorganize documentation on "what *else* you need to do / consider, to =

keep Tor more anonymous."
Unfortunately, most users don't have the deep knowledge of Tor & TBB =

necessary to write correct, concise documentation for many of the more =

involved topics.
>
>> Le 14/08/2014 11:06, Anders Andersson a =E9crit :
>>> On Wed, Aug 13, 2014 at 11:56 PM, Aymeric Vitte
>>> <vitteaymeric@gmail.com> wrote:
>>>
>>>>>     As
>>>>> someone who argues against using javascript in any context, I can only
>>>>> say "told you so", but that doesn't really help anyone. :)
>>>> No and you are wrong
>>>   From
>>> https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.=
html
>>>
>>> "An attack that exploits a Firefox vulnerability in JavaScript has
>>> been observed in the wild."
>>> People who didn't allow javascript were safe.
>>>
>>>
>>>>> Because they managed to get in to the client browser, they could learn
>>>>> the real IP address and MAC address
>>>> and the color of your shirt
>>> Why are you so defensive? Is it your code they broke? They could learn
>>> the color of my shirt if the browser user has access to a webcam,
>>> which is not uncommon. This is however highly irrelevant.
>>>
>>>
>>>>> , they didn't learn this through
>>>>> Tor.
>>>> Are you serious in your answer?
>>> Very much so. If you don't believe me, then maybe you'll believe these
>>> sources:
>>>
>>> https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.=
html
>>>
>>> https://www.mozilla.org/security/announce/2013/mfsa2013-53.html
>>>
>>> Nothing was exploited through Tor. In fact, they couldn't find out who
>>> was using the server *because* people used Tor. So they had to resort
>>> to javascript exploits.

-- =

tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

