wiki:doc/TorBOX/ApplicationWarningsAndNotes

Version 6 (modified by proper, 6 years ago) (diff)

expanded IRC-clients

https://trac.torproject.org/projects/tor/wiki/doc/TorBOX

Tor inside Tor

It is possible to start a TOR session from the client as well as from the transparent proxy, creating a "tor over tor" scenario. Doing so produces undefined and potentially unsafe behavior, see "MultiTor" for more information.

Skype

Skype usage is highly discouraged. It was used for leak testing purposes only as it's very good with firewall tunneling. Skype is closed source and users have no control over the encryption keys used. Skype can therefore decrypt and monitor communications arbitrarily. It is unwise to communicate in an unsafe manner over Tor. Skype also collects a large amount of personal data and reports back to a central server.
Source: Skype reads your BIOS.

Web-browser

Do not be tempted to use Firefox standard edition (or any other browser), even when you are protected by TorBOX. Why? The Tor Dev Team transformed Firefox into the Tor Browser, to help achieve better anonymity:

To use the Tor Browser without Tor/Vidalia (because you are now using a transparent proxy: TorBOX)

./App/vidalia --datadir Data/Vidalia/

to

./App/Firefox/firefox -profile ./Data/profile
  • right click on Tor Button -> preferences -> use custom proxy settings -> delete everything

check.torproject.org may tell you that a new update is available even if there isn't. That's because Tor Check doesn't support TorBOX. Manually check for updates every now and then. (Tor and Gateway need to separately be kept up to date.)

BitTorrent

Even though p2p over TorBOX is anonymous it is still discouraged. Tor is not really designed for it and file sharing through Tor excessively wastes everyone's bandwidth.

Apt-get, other software updaters

Same as BitTorrent. Only install small and infrequent security updates via Tor. For everything else use update and install disks or offline updates.

Metadata

metadata can be as risk. Click MAT and read 'What is a metadata ?' and 'Why metadata can be a risk for your privacy ?'

Writing Style Analysis

When you post some stuff online using Tor and some while you are not on Tor, you are at risk, for example if you make the same mistakes.

Exit Nodes

In the Tor FAQ you must read the section "Can't the third server see my traffic?". In short: every exit node can spy your unencrypted exit traffic and even worse, inject malicious code into the stream. Be aware of that.

TorBOX's Tor-Workstation is firewalled

This means:

  • does not support incoming connections
    • however, if you make an outgoing connections, the following incoming connections are accepted (web browsing, irc, etc. works)
    • so called server ports
    • or also called open ports
    • Ident Protocol / web server listening port is not reachable, unless you explicitly configure it
  • you can host hidden services
  • the firewall can be found on the Tor-Gateway /etc/firewall.sh

SSH

'ssh some.host' will leak your unix username. That's why TorBOX by default suggests to use "user" as username. If you do 'ssh theloginyouwant@…' it will also not leak "user".

IRC-clients

(The Ident Protocol is automatically blocked because TorBOX is firewalled.

Still, for most IRC clients, unix username = default ident and a "fake" ident with leading tilde (example: "~user") is used. The ident is seen by most clients during channel join and when doing whois. So better be sure to change your ident before you connect to any servers.

TODO; NOT DONE YET; further reading about the problems