Changes between Version 556 and Version 557 of doc/TorifyHOWTO


Ignore:
Timestamp:
May 29, 2018, 6:20:13 AM (5 months ago)
Author:
Mori
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • doc/TorifyHOWTO

    v556 v557  
    44This document explains how to configure a particular application for use with Tor and thus the Tor network. As Tor constantly evolves, the knowledge and understanding about anonymity online also evolves. Implementations and other aspects of online anonymity become more and more complex. In the past, an end user would just go ahead and "torify" applications like Mozilla Firefox - this is no longer recommended. As we learned more on the subject and implementation of online anonymity, we discovered it was increasingly easy for a user to leak sensitive information to those interested in obtaining it. We will be describing more details on such matters further into this article.
    55
    6 In short, do not torify any applications yourself unless you know exactly what you are doing. If, however, you wish to study the complexities surrounding the subject, then please feel free to indulge your self and even go as far as providing new instructions or implementations. In the meantime, see this article more as a reference for developers and advanced users. If you don't fall into one of these two categories then for your own security, stick with the Tor Browser Bundle from https://www.torproject.org.
     6In short, do not torify any applications yourself unless you know exactly what you are doing. If, however, you wish to study the complexities surrounding the subject, then please feel free to indulge yourself and even go as far as providing new instructions or implementations. In the meantime, see this article more as a reference for developers and advanced users. If you don't fall into one of these two categories then for your own security, stick with the Tor Browser Bundle from https://www.torproject.org.
    77
    88This article was originally written for a Linux/UNIX based environment. It should include some instructions for Windows and Mac users too. That being said, you should read the documentation at https://www.torproject.org before attempting to "torify" any applications yourself.
     
    9797
    9898== Software updaters ==
    99 Do not use automatic software updates over Tor that do not verify downloads. That being said, operating system updates are generally secure. If you use Linux and only your package management software suite, then you can consider your self safe. On the other hand, third party applications on Windows are likely problematic, for example if the updates aren't signed/authenticated, malevolent exit nodes can change what code is downloaded and installed and thereby gain remote code execution rights. This could potentially lead to your public IP address and your physical location being revealed. If you don't use a generic system (such as Tails or Whonix's Whonix-Workstation), then the software update can leak identifying fingerprints (what software and versions are installed) to exit nodes and repository mirrors.
     99Do not use automatic software updates over Tor that do not verify downloads. That being said, operating system updates are generally secure. If you use Linux and only your package management software suite, then you can consider yourself safe. On the other hand, third party applications on Windows are likely problematic, for example if the updates aren't signed/authenticated, malevolent exit nodes can change what code is downloaded and installed and thereby gain remote code execution rights. This could potentially lead to your public IP address and your physical location being revealed. If you don't use a generic system (such as Tails or Whonix's Whonix-Workstation), then the software update can leak identifying fingerprints (what software and versions are installed) to exit nodes and repository mirrors.
    100100
    101101Ubuntu software updates are vulnerable against [https://bugs.launchpad.net/launchpad/+bug/716535 "stale-proxy" attacks]. The exit node or exit node's ISP could prevent you from seeing new updates. To circumvent this, switch your identity after trying to update and check for updates again.