[tor-talk] FBI cracked Tor security
Nick Levinson
nick_levinson at yahoo.com
Fri Jul 15 00:33:43 UTC 2016
Law enforcement agencies exaggerate and lie publicly in order to mislead people, such as unidentified suspects or to weed out claimants to notorious crimes who didn't really do it (there are quite a few), but the recent news report appeared, as I recall, to be based on a court or other official document about the FBI's work, not a news interview. It was vague, but probably not exaggerated or false.
If it was an attack through a website that then led to an attack on Tor, that's still an attack on Tor, and thus serious.
We should not assume attack methods won't be shared. An agency may share with other government agencies that have equal or higher levels of secrecy and with international allies.
I assume a website can know what browser I'm using and that, if Tor allowed me to change its ID string, a deeper method for identifying my browser is available and unpreventable. Already, some websites deny some functionality (like payments) or block access altogether (they might deny it, but when entering captchas 15 times fails with Tor but, I think, never more than twice with non-Tor, then they're probably blocking).
On whether to tell users about security methods:
--- I read the warning on viewport size and therefore I don't adjust my viewport; otherwise, I would be.
--- Fairly advanced security advice should be offered by considering two major groups of users: Those who are doing legitimate work requiring anonymity and who are working with or for someone who needs them to stay anonymous. Those who are doing acceptable work and mainly are providing cover for the first group. The first group will likely be told to read this information, and it should be in the browser, so bandwidth need not be used to read it and set up accordingly. We don't want someone watching how a main-legitimate user interacts with a security website. The cover-providing users have fewer security concerns and, hopefully, are using Tor to hide their music preferences from their kid sisters/brothers, and they won't be deterred from use because of a link being somewhere. The Mars intelligence agency will learn about something called "country-and-western" music but the Martians probably won't blow their cover.
--- More general security discussions should not be posted in Tor, but should be posted on websites. The Tor Project can decide which websites it trusts and list them on the Project's website, which can be or is linked to from inside the Tor browser. It's easier to update a website than to update Tor itself, and websites may have to be updated quickly and often.
Users and developers of Tor are likely more security-conscious on average than average users/devs of Firefox or, especially, whatever Microsoft calls their browser these days. Tor users will tolerate more info on the subject, as long as those who are relatively careless are not much slowed from jumping ahead without reading, if they wish.