Tor security - browsing/downloading over http

js...@riseup.net

Apr 3, 2018, 7:24:06 PM
to qubes...@googlegroups.com
Hi everyone,

I've been thinking about ways I can increase security when using Tor in
a Whonix VM, and I had a few questions about the security risks of
browsing/downloading files over HTTP.

I've looked up some info about it and I know it presents a security
risk, but I don't really know what I'm talking about so I thought I'd
ask you guys. Please let me know if I'm wrong about anything here (which
is likely!). Sorry this is so long!

Anyways, let's say I want to use a site that doesn't use HTTPS (HTTP
only) that I can do 3 things on:

1. general browsing/reading content
2. download small files
3. log into an account, which is required to download large files

I'm browsing the site in a relatively insecure VM that I don't
necessarily care much about, but I'll probably want to move some of the
files to another VM to use elsewhere, or to a USB stick to transfer to
another machine.

If I use the site over Tor, the exit node operator can read all the
unencrypted traffic, and possibly maliciously modify downloaded files,
which is why it's recommended to always use HTTPS when possible over
Tor. Qubes helps with this since I can do all my browsing on the site in
a separate VM, but there's still a security risk, especially if I
transfer files elsewhere.

It seems to me that I basically have 4 options:

1. Do everything over Tor, including downloading files and logging into
the account. This is bad because the exit node operator can see my
username/password, and I don't think there's any way of really reducing
the risk from this.

2. Browse the site and download small files (without logging in) over
Tor, but use a non-Tor VM to log into the account to download larger
files. This is better than option 1 because exit node operators never
see me log into the account, but it still presents a security risk because
they can maliciously modify files I download.

It seems to me that exit node operators doing something like this
(modifying files downloaded over HTTP to compromise my VM) is something
that would have to be done manually, in real time, but please let me
know if I'm wrong about that! I also don't know how likely this is to
actually happen.

But it seems to me that a way to reduce the risk here is to use the "get
a new Tor circuit" option right before downloading the file. That way
the new exit node operator would not have much warning/time to do
something bad before I download the file. Would that help?

3. Do general browsing in Tor, but download all files outside of Tor.
This is better than option 2 from a security standpoint because I'm not
downloading files in a risky way over Tor that will then be transferred
elsewhere, and if the VM I'm browsing the site in using Tor gets
compromised, I don't really care. But it's a pain to have to switch to a
non-Tor VM every time to download a file (and I know it's recommended
not to have Tor and non-Tor connections to the same site at the same time).

4. Do everything on the site outside of Tor because the site doesn't
support HTTPS. This is best from a security perspective, but worst from
a privacy/anonymity perspective because I can't use Tor to browse the site.

If I really wanted to only use HTTPS over Tor, I could enable the "block
HTTP connections" option in HTTPS Everywhere, but couldn't this increase
the fingerprintability of the browser, since most Tor users don't block HTTP
connections? That's the same reason it's recommended not to use additional
browser plugins in Tor Browser.

What do you guys think is the best way to go about it? Am I wrong about
anything here or missing something?

I know this may be too long to read, sorry!

-Jackie

Giulio

Apr 3, 2018, 7:42:06 PM
to qubes...@googlegroups.com
Just a note, it all depends on your threat model. Be careful that most of the solutions you explained each have very different implications:
1) Most websites with a login do have HTTPS. If they are hidden services they do not need it, as traffic does not go through an exit node. If none of the above apply you could still use a VPN or a tunnel on top of Tor, but you will lose some anonymity.

2) Which type of files are you talking about? If we are not talking about executables (I hope not) then Qubes does have disposable VMs which should prevent an attacker from accessing sensitive files or gaining persistence. Also, even for attacking the disposable VM the attacker would need an exploit for a reader software (evince, LibreOffice etc.).

3) Not using Tor in order to download files prevents only man-in-the-middle attacks coming from the Tor network; your provider, your neighbors, your DNS server etc. may still trick you the same way.

As a general rule, mixing any of your Tor activities with your non-Tor activities does break the very purpose of Tor, especially if you use the same accounts in and out. My suggestion is to first try to understand what the purpose of Tor is and against which type of adversary you need protection, and then make your choices on that basis.

Giulio
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

awokd

Apr 3, 2018, 11:30:14 PM
to Giulio, qubes...@googlegroups.com
On Tue, April 3, 2018 11:42 pm, Giulio wrote:
> Just a note, it all depends on your threat model. Be careful that most of
> the solutions you explained each have very different implications: 1) Most
> websites with a login do have HTTPS. If they are hidden services they do
> not need it, as traffic does not go through an exit node. If none of the
> above apply you could still use a VPN or a tunnel on top of Tor, but you
> will lose some anonymity.

I think you're saying many otherwise HTTP only sites still use HTTPS for
the login step (but not all)!

> 3) Not using Tor in order to download files prevents only man-in-the-
> middle attacks coming from the Tor network; your provider, your
> neighbors, your DNS server etc. may still trick you the same way.

To jsnow's question on this, file modifications can be automated. The
attacker could have a selection of files already modified, then watch for
anyone trying to download it and substitute the poisoned one. Probably
other ways to dynamically patch filetypes (like all .EXE for example) on
the fly too. Check out "Quantum Insert". Tor helps here because it's much
more difficult to target specific recipients for poisoned files, so they
have to be sent to everyone who requests them which increases the
likelihood they will get discovered. Of course, that's not the case if
you're logging in to something.

> As a general rule, mixing any of your Tor activities with your non-Tor
> activities does break the very purpose of Tor, especially if you use the
> same accounts in and out. My suggestion is to first try to understand
> what the purpose of Tor is and against which type of adversary you need
> protection, and then make your choices on that basis.

What Giulio said. Sounds like the OP has a good understanding of the
various weaknesses and trade-offs.
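One defender-side check for the exit-node file substitution discussed above, added here as an example and not code from anyone in this thread: fetch the same plain-HTTP URL over several isolated Tor circuits and flag any circuit whose bytes disagree with the majority. It assumes a local Tor SocksPort at 127.0.0.1:9050 and curl on the PATH, and relies on Tor's default SOCKS-auth isolation (a different SOCKS username puts the stream on a different circuit, so each fetch leaves through a different exit).

```python
import hashlib
import secrets
import subprocess
from collections import Counter

# Assumed Tor SocksPort; adjust for your Whonix/Qubes setup.
SOCKS_PROXY = "127.0.0.1:9050"


def fetch_via_isolated_circuit(url: str, tag: str, timeout: int = 120) -> bytes:
    """Download url through a separate Tor circuit chosen by a random SOCKS username."""
    creds = f"{tag}-{secrets.token_hex(4)}:x"
    # socks5h: hostname is resolved by Tor, not by the local resolver
    proxy = f"socks5h://{creds}@{SOCKS_PROXY}"
    result = subprocess.run(
        ["curl", "--silent", "--fail", "--proxy", proxy, "--max-time", str(timeout), url],
        capture_output=True, check=True,
    )
    return result.stdout


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_dissenting_fetches(fetches: dict) -> dict:
    """Compare downloads keyed by circuit tag; report the majority hash and outliers.

    A tag whose bytes differ from the majority points at a tampering exit, or at
    a legitimately dynamic resource, so inspect the outlier before concluding."""
    hashes = {tag: sha256_hex(data) for tag, data in fetches.items()}
    counts = Counter(hashes.values())
    majority_hash, majority_n = counts.most_common(1)[0]
    dissenters = sorted(tag for tag, h in hashes.items() if h != majority_hash)
    return {
        "majority_hash": majority_hash,
        "majority_count": majority_n,
        "total": len(hashes),
        "dissenters": dissenters,
        "unanimous": len(counts) == 1,
    }


def check_url(url: str, circuits: int = 3) -> dict:
    """Fetch url over `circuits` isolated circuits and compare the results."""
    fetches = {f"c{i}": fetch_via_isolated_circuit(url, f"c{i}") for i in range(circuits)}
    return find_dissenting_fetches(fetches)


if __name__ == "__main__":
    # Constructed sample: three fetches where one circuit returned altered bytes.
    print(find_dissenting_fetches({"c0": b"GOOD", "c1": b"GOOD", "c2": b"EVIL"}))
```

This only detects exits that tamper for some fetches and not others; an adversary who serves the same altered bytes to every circuit (or a site whose content is genuinely dynamic) will look unanimous.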


js...@riseup.net

Apr 4, 2018, 4:05:17 PM
to qubes...@googlegroups.com
Hi Giulio,

Giulio:
> 1) Most websites with a login do have HTTPS.
Yea, especially now compared with a few years ago. Some still don't,
unfortunately!

> 2) Which type of files are you talking about? If we are not talking about executables (I hope not) then Qubes does have disposable VMs which should prevent an attacker from accessing sensitive files or gaining persistence.

Mostly PDFs/documents and maybe media files, but maybe also things like
game ROMs to play in an emulator. Nothing super important, but I still
want to avoid compromise, especially if I'm transferring files to a USB
stick/another computer.

I need to get in the habit of opening files in DispVMs tho.

> As a general rule, mixing any of your Tor activities with your non-Tor activities does break the very purpose of Tor, especially if you use the same accounts in and out.

Yea, using the same accounts for things in and out of Tor is pretty
pointless. It seems pretty safe tho to use the same site in and out of
Tor if you're doing different things and therefore not linked? (as long
as it's not at the same time)

> My suggestion is to first try to understand what the purpose of Tor is and against which type of adversary you need protection, and then make your choices on that basis.

As far as what kind of adversary I'm thinking about here, I guess ones
with a lot of resources, who think using Tor is inherently
bad/suspicious, and so operate exit nodes to scoop up data on Tor users,
and try to compromise random users to see what they're up to.

-Jackie

js...@riseup.net

Apr 4, 2018, 4:15:09 PM
to qubes...@googlegroups.com
'awokd' via qubes-users:
> On Tue, April 3, 2018 11:42 pm, Giulio wrote:
>> 3) Not using Tor in order to download files prevents only man-in-the-
>> middle attacks coming from the Tor network; your provider, your
>> neighbors, your DNS server etc. may still trick you the same way.
>
> To jsnow's question on this, file modifications can be automated. The
> attacker could have a selection of files already modified, then watch for
> anyone trying to download it and substitute the poisoned one. Probably
> other ways to dynamically patch filetypes (like all .EXE for example) on
> the fly too. Check out "Quantum Insert". Tor helps here because it's much
> more difficult to target specific recipients for poisoned files, so they
> have to be sent to everyone who requests them which increases the
> likelihood they will get discovered. Of course, that's not the case if
> you're logging in to something.

Ok, yea, that makes sense. I guess I'm partially protected by the fact I'm
not doing anything really suspicious, but I guess what I'm concerned
about is dragnet attempts to compromise everyone and anyone, tho it
makes sense that would increase the chance they'd be caught, which makes
it less likely.

-Jackie