[tor-talk] A security concern about Tor.

[Jan]

Hei,

Am 16/12/2019 um 20.28 schrieb Jason Long:
> Hello Tor Team,
> I read some articles about Tor security 

Personally, I consider tor being a privacy tool and not a security tool:
To some extent, you can control to what extent personal information
(e.g. ip-address, browser) is known to the community.

Security is a process involving many steps (e.g. threat modelling), that
cannot be provided by tor alone. Maybe tor helps, maybe not. This is
context-depended.

> and some of them said that if the governments see your real IP address then they can't see
> the Tor traffic or websites that visited by Tor and if they can sniff Tor traffic then they can't see your real IP.
> Is it true?
> How Tor team members are sure about it? If the governments use any special devices for sniffing Tor traffics then why
> they should reveal it?

>From my (rather not-so-close) point of view, much users get identified
by compromised end-devices and by their habits.

Some governments are not that reluctant on expressing their ideas
regarding purchasing information on security vulnerabilities.
Some intelligence agencies are rather proud of their
"cyber-capabilities". Some platforms (e.g. Android) an very insecure (a
bunch of critical problems each and every month, hardly patched by
device vendors).

Habits can relate to side-channels (e.g. payment, credit-cards, e-mail
addresses logged into) or data mining (e.g. analyzing texts using
Support-Vector-Machines).

IMHO "special devices" can be placed at access or core networks,
injecting exploit-payload. Some ideas have been exposed in the recent
years (Snowden / Hacking team)

> If a user use the Telegram messenger with Sock5(Tor) proxy, then is it secure?

IMHO you cannot reason about security without having a threat model
defining it. Thus: no.

Greetz,
Jan

-- 
There's a ripped off cord
To my TV screen
With a note saying:
"Im not afraid to dream"
-- Donkey Boy, Crazy Something Normal