CHATPRIVACYDONATELOGINREGISTER
DMT-Nexus
FAQWIKIHEALTH & SAFETYARTATTITUDEACTIVE TOPICS
Is TOR 8.0 broken and insecure? Options
 
Elrik
#1 Posted : 9/6/2018 11:04:32 PM

DMT-Nexus member


Posts: 178
Joined: 19-Aug-2017
Last visit: 19-Oct-2018
My TOR browser updated itself to 8.0.
After it did so it took me a minute to realize, but noscript was not functioning despite being turned on. I restarted TOR and I toggled noscript to allow all and back to block, it still wouldnt block anything. I decided I may have put an old TOR through one too many updates so I installed a new copy of 64-bit TOR in a new directory, not only was noscript still broken but it could not restore bookmarks from either backup type. I tried 32-bit TOR, same thing. I downgraded to a new copy of TOR 7.5.6, both noscript and bookmark import worked, but when it upgraded itself to 8.0 noscript was broken again.
64 bit system with windows 10 and up to date everything.
For now I'll downgrade to 7.5.6 and disallow updates.

Anyone else having this particular problem?
 

Ever have a personal encounter with an entity after taking DMT?
 
dreamer042
#2 Posted : 9/6/2018 11:17:14 PM

Dreamoar

Moderator | Skills: Mostly harmless

Posts: 3891
Joined: 10-Sep-2009
Last visit: 19-Oct-2018
Location: Rocky Mountain High
My TOR also did the autoupdate but noscript seems to be functioning just fine for me. I haven't tried importing bookmarks but the ones that were already there came through the update just fine. I notice my little onion icon option to trace my connection route and create a new route is gone which miffed me a little bit, but it is correctly masking my ip, so everything appears to be functioning as it should.

I'm on Ubuntu 18.04. If you are concerned about security why on earth are you using windoze? Razz
Row, row, row your boat, Gently down the stream. Merrily, merrily, merrily, merrily...

Visual diagram for the administration of dimethyltryptamine

Visual diagram for the administration of ayahuasca
 
Dogbark
#3 Posted : 9/20/2018 11:39:36 AM

DMT-Nexus member


Posts: 59
Joined: 07-Nov-2015
Last visit: 19-Oct-2018
If youre really concerned with security TOR isnt the best choice anyway. A lot of funding for TOR comes directly from the US government: https://www.torproject.org/about/sponsors.html.en

Also the NSA runs a lot of tor nodes apparently. I dont have a good source for this though.
 
Auxin
#4 Posted : 9/20/2018 6:20:51 PM

DMT-Nexus member


Posts: 409
Joined: 12-Jul-2012
Last visit: 20-Oct-2018
That the US funds TOR is not proof of its insecurity.
US agencies and military use TOR because its better than their security.
If you encrypt, you no doubt use encryption algorithms that are DoD level strong. So thy not use DoD level strong proxies?
TOR alone isnt enough to make you safe, but its usually a step in the right direction and if nothing else your ISP wont know what your doing.
 
brazilman
#5 Posted : 9/21/2018 8:59:08 AM
DMT-Nexus member


Posts: 81
Joined: 23-Jun-2018
Last visit: 17-Oct-2018
Location: São Paulo, Brazil
Forgive my tech ignorance but isn't the idea behind TOR that you form a network of "VPN"s so there is no way to pinpoint who is actually accessing what because things pass through a bunch of people before reaching the final user? Basically mixing everybody's internet use history? You use some other guy's IP to access dmt-nexus and some other guy uses your IP to access whatever, with a few added levels sure but is that not basically how it works? If that is basically right, why would you want to have your IP linked to the TOR network?
 
Auxin
#6 Posted : 9/21/2018 5:50:03 PM

DMT-Nexus member


Posts: 409
Joined: 12-Jul-2012
Last visit: 20-Oct-2018
Thats almost right, each user is in an interconnected network of users but only people who choose to be are 'exit nodes' out into the broader internet. Like a room full of people with one person at each door relaying messages to and from the outside, and people outside of the room can only hear that guy, you can choose if your one of those doormen.
 
tatt
#7 Posted : 9/21/2018 6:44:53 PM

DMT-Nexus member

ModeratorSenior Member

Posts: 4071
Joined: 17-Jan-2009
Last visit: 20-Oct-2018
Please don't set your home/personal pc as a tor exit relay. A fairly bad choice. Better to just use the tor client as is. Tors website specifically talks against doing this, for obvious reasons.

There's in depth discussion on all this on stackexchange's website, specifically their information security subforum which is a massive wealth of information with constant ongoing discussion about all this.
 
nexalizer
#8 Posted : 9/25/2018 5:24:55 PM

DMT-Nexus member


Posts: 782
Joined: 18-Nov-2011
Last visit: 06-Oct-2018
tatt wrote:
Please don't set your home/personal pc as a tor exit relay. A fairly bad choice. Better to just use the tor client as is. Tors website specifically talks against doing this, for obvious reasons.


I like to imagine a world where most people would a) understand the necessity of Tor and b) not be afraid of the thought police and millions - hundreds of millions - would run exit relays at home.
This is the time to really find out who you are and enjoy every moment you have. Take advantage of it.
 
Nicita
#9 Posted : 9/25/2018 5:49:24 PM

DMT-Nexus member


Posts: 180
Joined: 31-May-2012
Last visit: 20-Oct-2018
It is important to realize that the TOR exit nodes can be used to collect unencrypted data. So make sure that you don't submit unprotected data through tor.

Also you ISP can see that you are connecting to the TOR network, which raises red flags by itself and might put you on a special watch list by any agency or cooperation that occupies itself with watching internet traffic.

Regular VPNs are much less suspicious, since they are widely used and not associated with the same crowd as TOR. You can also use a VPN to hide you are connecting to TOR.

The reason that so many people use tor is that the US-military and agencies use these people as cover for themselves (TOR comes out of the US-navy intelligence). If it was their network exclusively, everyone logging into the tor network would out themself as an agent. Now it can just be someone looking to buy viagra or being paranoid of surveillance.

If you are using TOR, please read about the known security risks and what to do about them.
 
Elrik
#10 Posted : 9/25/2018 9:22:16 PM

DMT-Nexus member


Posts: 178
Joined: 19-Aug-2017
Last visit: 19-Oct-2018
8.0.1 is out, complete with a purported noscript update.
And... it still cant block script. Back to 7.5.6
 
tatt
#11 Posted : 9/26/2018 3:43:36 AM

DMT-Nexus member

ModeratorSenior Member

Posts: 4071
Joined: 17-Jan-2009
Last visit: 20-Oct-2018
nexalizer wrote:
tatt wrote:
Please don't set your home/personal pc as a tor exit relay. A fairly bad choice. Better to just use the tor client as is. Tors website specifically talks against doing this, for obvious reasons.


I like to imagine a world where most people would a) understand the necessity of Tor and b) not be afraid of the thought police and millions - hundreds of millions - would run exit relays at home.


Totally understand. Unfortunately [specifically the U.S] - it's just not the world [specifically the society] we currently live in.

Tor's great, don't get me wrong, but to set yourself up [beyond it's typical usage] unbeknownst to the potential [and fairly heightened] implications, well ..have at it then I guess.

I wish [though a pretty trite statement 'wish'] things were different, and 'maybe' one day things could change enough to the point of not having things as tapped into as they are, but then again - I don't see it happening personally, just my opinion/ime.

Cops aren't necessarily the worry - they're the last step in the process - the end result - when you get that knock. But all the chain of event before that that leads into that final step - well.. that is something to have concern over, imo/ime.

 
Elrik
#12 Posted : 10/1/2018 9:48:40 PM

DMT-Nexus member


Posts: 178
Joined: 19-Aug-2017
Last visit: 19-Oct-2018
I finally understand! Laughing
Over Here Rainner pointed out that the default has always been for noscript to be disabled. I knew that, but having it pointed out with the implication that noscript does work in TOR 8.x made me scrutinize it and I found the problem. When you click noscript it clearly shows 'Default' highlighted with the icon for blocked content. I had simply assumed default was blocked on TOR 8 [as it should be, so I didnt question it]. But, despite the icon for blocking, default is still set for allow-all. You have to go into the settings tab [above the default tab] and make all the block type selections for default match the settings for untrusted. There is no more 'forbid globally' option, but now the option to modify the properties of 'default'.
Thanks Rainner Smile
Elrik attached the following image(s):
Clipboard01.jpg (14kb) downloaded 104 time(s).
 
PsyDuckmonkey
#13 Posted : 10/11/2018 3:52:42 PM

Agnostic neognostic


Posts: 222
Joined: 06-Dec-2015
Last visit: 20-Oct-2018
It's debatable what the default should be.

From a purists' point of view of course, everything should default to the highest level of security, ie. maximum lockdown, and every compromise toward usability would need to be enabled by hand.

From a practical point of view, having a sane compromise between security and usability is a good point to start for most, and the TOR developers assume that those in situations that require higher security will take the appropriate steps, as opposed to relying on defaults.
Do you believe in the THIRD SUMMER OF LOVE?
 
MachienDome
#14 Posted : 10/16/2018 9:39:43 AM

DMT-Nexus member


Posts: 47
Joined: 13-May-2018
Last visit: 18-Oct-2018
Location: Dark Side of the Web
Auxin wrote:
That the US funds TOR is not proof of its insecurity.


No, but the fact that they abandoned it does.

Using TOR on top of an insecure system doesn't do anything. Using an outdated version is useless Stop. Use TAILS, it provides a bit more security.
Ask for PGP key (preferred for PM's).
Use TAILs OS & Tor Browser.
 
dreamer042
#15 Posted : 10/16/2018 4:05:18 PM

Dreamoar

Moderator | Skills: Mostly harmless

Posts: 3891
Joined: 10-Sep-2009
Last visit: 19-Oct-2018
Location: Rocky Mountain High
TAILS is just a liveboot linux session, it still uses TOR to connect.
Row, row, row your boat, Gently down the stream. Merrily, merrily, merrily, merrily...

Visual diagram for the administration of dimethyltryptamine

Visual diagram for the administration of ayahuasca
 
PsyDuckmonkey
#16 Posted : 10/18/2018 4:45:43 PM

Agnostic neognostic


Posts: 222
Joined: 06-Dec-2015
Last visit: 20-Oct-2018
MachienDome wrote:
Auxin wrote:
That the US funds TOR is not proof of its insecurity.


No, but the fact that they abandoned it does.

Using TOR on top of an insecure system doesn't do anything. Using an outdated version is useless Stop. Use TAILS, it provides a bit more security.


Please don't perpetuate superstition. TOR is not broken, and Tails is not particularly better than the TBB for most common threat models. In fact, it has serious drawbacks as well as benefits. Every anonymization and encryption is defeatable by an appropriate sidechannel attack. It's worth reading up how they arrested Dread Pirate Roberts.

Your opsec needs to be appropriate to your level of threat. Expecting to be targeted specifically, with people expending effort to spy on you as an individual target, and generic efforts to avoid getting caught in a dragnet data collection are two very different things, and need different levels of commitment on your part.

I won't quote how TOR should be used to browse and communicate safely, there's plenty written about that. And it's mostly not about your technology stack (though that does play a part), but about your behavior, both online and offline.
Do you believe in the THIRD SUMMER OF LOVE?
 
Elrik
#17 Posted : 10/18/2018 7:42:11 PM

DMT-Nexus member


Posts: 178
Joined: 19-Aug-2017
Last visit: 19-Oct-2018
PsyDuckmonkey wrote:
TOR is not broken

Its unfortunate that I must correct you.
I just tested it again with a fresh TOR 8 install updated to the latest version and restarted. The current version of TOR still can not restore bookmarks from backups made before TOR 8 [I didnt try with a TOR 8 made backup].
Therefore my statement stands, its still broken.

I also checked and in the noscript drop down they are still deceptively using the block icon for default when default is allow-all and TOR browser still removes all user noscript security customization on restart without informing the user of this security altering action.
TOR is still insecure, to that extent.
 
PsyDuckmonkey
#18 Posted : 10/20/2018 2:05:16 PM

Agnostic neognostic


Posts: 222
Joined: 06-Dec-2015
Last visit: 20-Oct-2018
Elrik wrote:
PsyDuckmonkey wrote:
TOR is not broken

Its unfortunate that I must correct you.
I just tested it again with a fresh TOR 8 install updated to the latest version and restarted. The current version of TOR still can not restore bookmarks from backups made before TOR 8 [I didnt try with a TOR 8 made backup].
Therefore my statement stands, its still broken.

Lol. That's like saying that the glove compartment of your truck is stuck, therefore the truck is broken. It's not. Really. It has a minor inconvenience. The bookmark backup should be some form of html link list, so don't worry too much about it, just open it via a text editor or browser...

Elrik wrote:
I also checked and in the noscript drop down they are still deceptively using the block icon for default when default is allow-all and TOR browser still removes all user noscript security customization on restart without informing the user of this security altering action.
TOR is still insecure, to that extent.

The TBB is a client bundle for TOR. TOR is secure to the extent that it does the job it is supposed to do. If users assume it does things it doesn't do, well... The TBB is secure if you use it securely.

Opsec is not a thing you can just lay on a piece of software and then forget. I mean, if it were that simple, being in a secret service wouldn't be a particularly hard job.

I am fully aware that TBB defaults to allow scripts. It's a sane default, 80% of the web no longer even displays without scripting. I don't know what you mean by "deceptively uses the block icon", I don't see any deceptive "block icon", and Security Settings under the onion button is clear enough.

If you're interested in the manner of data the TBB leaks by default, there are a number of pages online for testing it.
Do you believe in the THIRD SUMMER OF LOVE?
 
 
Users browsing this forum
Guest (2)

DMT-Nexus theme created by The Traveler
This page was generated in 0.038 seconds.