[tor-talk] FBI cracked Tor security

Jon Tullett jon.tullett at gmail.com
Fri Jul 15 05:34:00 UTC 2016


On 15 July 2016 at 01:23, Joe Btfsplk <joebtfsplk at gmx.com> wrote:
> On 7/14/2016 2:34 PM, Jon Tullett wrote:
>>>
>>> 2.  Aren't statements (from anyone) like, "... generally crack the
>>> servers hosting the illicit material, not Tor itself," sort of a
>>> matter of semantics?
>>
>> Depends on the context, I guess. To the user, maybe, but in the
>> context of this (Tor) community, the distinction matters. Browser
>> vulns and server exploits are common. Tor's crypto is not, AFAIK,
>> known to be compromised.
>
> Thanks Jon.  I agree w/ most that you said.  Again, semantics. Whether they
> cracked Tor or Tor Browser won't change if the brutal dictator has you shot
> in the front or back of the head. :)

Again, remember that this conversation was in the context of Freedom Hosting.

Absolutely agree that the same style of investigation could (and
probably does) happen in a more brutal political regime. Users there,
being at greater risk, have a greater need to take further steps to
protect themselves.


> Unless one is using Tor w/ their own internet browsing application, an
> exploited weakness in Tor Browser - modified Firefox - has the same effect
> on users.  They're a package deal.

Well, no. Tor does make it clear you need to do more than just
downloading TBB to be anonymous and secure. If you think TBB is a
single-solution prepackaged silver bullet, you are at risk.

I don't think there's any debate whether Tor should try to be such a
silver bullet - clearly it can't and shouldn't - the question seems to
be around whether Tor should give more clear guidance/warnings. I'm
always in favour of that.


> You're not really suggesting that users under hostile dictatorships or ones
> trying to expose democratic government unconstitutional actions,  take full
> responsibility for the ongoing modifying, patching & constant reading about
> weaknesses of Tor Browser "for their own security?"

Yeah, I kinda am. Users in such hostile environments absolutely need
to take more care to keep themselves secure, and not just online. If
you are relying on any product to keep you alive, you definitely
should be constantly reading about it.


> That Tor Project is saying Tor is relatively anonymous; as for Tor Browser,
> everyone's on their own.

It's saying that the Tor network will help you stay anonymous, and the
browser bundle will help facilitate that, but you also need to take
further steps to stay anonymous and secure. I think that's realistic
and reasonable.

Also, remember there is no such thing as 100% security, and the
incremental usability/security tradeoffs become more severe the
further you go. Everyone has to decide for themselves where to draw
the line - how secure they want to be and how much compromise they can
accept. All a third party like Tor (or you and I) can do is educate.

-J

