Downloading attachments with Tor - is this secure?

Matthew pumpkin at cotse.net
Sat Jun 19 14:09:41 UTC 2010


Thank you all for this advice - I'm pleased that my question was not so 
basic.

I was not using Torbutton.  However, I had previously used 
www.decloak.net and it could not get my real IP.

I tried www.decloak.net again and I am still anonymous.  The reasons are 
(even in the absence of Torbutton) because I have no plugins functioning 
(e.g. Flash is off).  Also, no Java (JavaScript is on).  When 
www.decloak.net asks me to download a Word document (although I am using 
OpenOffice under Ubuntu so not the "normal" Word) irrespective of 
whether I open the document or save it then open it, www.decloak.net 
cannot get my IP.  When I expand the little icon in OpenOffice Writer 
(which starts http://) the IP address is that of the Tor exit node (for 
testing I am using StrictExitNodes so I know what my Tor IP is).

However, I am going to start using Torbutton. 

Thanks again.

Aplin, Justin M wrote:
>> Yes, if you use Torbutton, the attachment itself will be downloaded
>> only via Tor.
>>    
>
> I believe this is the short answer to your question, though everything 
> else Mike said is good to keep in mind as well, especially in 
> situations where paranoia is appropriate.
>
>> This is especially dangerous if you are using Yahoo Mail, because even
>> if you trust the person who sent you the document, your attachment
>> will be downloaded in plaintext (via http, not https).
>>    
>
> Watch out for this. Yahoo's *login* page for webmail and other 
> services may be HTTPS, but this reverts to plain HTTP once you're 
> actually viewing your mail and downloading attachments. A simple 
> solution for secure webmail at the moment is using Gmail and the new 
> Firefox addon "HTTPS-Everywhere" available from 
> https://www.eff.org/https-everywhere . This addon is *NOT* magic, as 
> it only works with the particular list of websites available on its 
> option page, but making sure "Google Services" is checked in its 
> options will allow all Gmail connections (including downloading 
> attachments) to happen over HTTPS.
>
> ~Justin Aplin
> ***********************************************************************
> To unsubscribe, send an e-mail to majordomo at torproject.org with
> unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/
>