[tor-talk] FBI cracked Tor security

Jon Tullett jon.tullett at gmail.com
Fri Jul 15 05:39:45 UTC 2016


On 15 July 2016 at 05:36, Mirimir <mirimir at riseup.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 07/14/2016 01:34 PM, Jon Tullett wrote:

>> If a law enforcement agency cracked Tor, it would be a very
>> significant development indeed. The same agency using browser
>> exploits doesn't move the security needle at all; we already know
>> they do that.
>
> Sure, browser exploits are common. And yes, Freedom Hosting and
> PlayPen users got pwned through Firefox bugs. However, the FBI malware
> that deanonymized them exploited a trivial vulnerability in all
> default Tor installs:

That's right. It was a very small piece of malware - all it did was
phone home on the clearweb. Very clearly targeted at Tor users, and a
clever demonstration of reality: you don't need to crack crypto to
attack an encrypted network.

>> The issue of who should be responsible for alerting a user to
>> possible risks is debatable.

> Making Tor browser available without warning about leaks is just plain
> irresponsible.
<snip>
> Is it too much to ask for a warning? Maybe a link to Whonix?

No, I wouldn't think so. I'd quite like to see a very plain-language
use-case breakdown either in the TBB homepage or linked off it - if
you are using TBB for <this>, then you should do <that>. If you are
using it in <this> environment, then you should read <this>. For a
more complicated list of how agencies may attack you despite your use
of Tor, read <this>. I'd volunteer to write such guides, if there was
demand for it.

-J


More information about the tor-talk mailing list