CHATPRIVACYDONATELOGINREGISTER
DMT-Nexus
FAQWIKIHEALTH & SAFETYARTATTITUDEACTIVE TOPICS
12NEXT
Is TOR 8.0 broken and insecure? Options
 
Elrik
#1 Posted : 9/6/2018 11:04:32 PM

DMT-Nexus member


Posts: 195
Joined: 19-Aug-2017
Last visit: 14-Dec-2018
My TOR browser updated itself to 8.0.
After it did so it took me a minute to realize, but noscript was not functioning despite being turned on. I restarted TOR and I toggled noscript to allow all and back to block, it still wouldnt block anything. I decided I may have put an old TOR through one too many updates so I installed a new copy of 64-bit TOR in a new directory, not only was noscript still broken but it could not restore bookmarks from either backup type. I tried 32-bit TOR, same thing. I downgraded to a new copy of TOR 7.5.6, both noscript and bookmark import worked, but when it upgraded itself to 8.0 noscript was broken again.
64 bit system with windows 10 and up to date everything.
For now I'll downgrade to 7.5.6 and disallow updates.

Anyone else having this particular problem?
 
 
dreamer042
#2 Posted : 9/6/2018 11:17:14 PM

Dreamoar

Moderator | Skills: Mostly harmless

Posts: 3951
Joined: 10-Sep-2009
Last visit: 15-Dec-2018
Location: Rocky Mountain High
My TOR also did the autoupdate but noscript seems to be functioning just fine for me. I haven't tried importing bookmarks but the ones that were already there came through the update just fine. I notice my little onion icon option to trace my connection route and create a new route is gone which miffed me a little bit, but it is correctly masking my ip, so everything appears to be functioning as it should.

I'm on Ubuntu 18.04. If you are concerned about security why on earth are you using windoze? Razz
Row, row, row your boat, Gently down the stream. Merrily, merrily, merrily, merrily...

Visual diagram for the administration of dimethyltryptamine

Visual diagram for the administration of ayahuasca
 
Dogbark
#3 Posted : 9/20/2018 11:39:36 AM

DMT-Nexus member


Posts: 59
Joined: 07-Nov-2015
Last visit: 12-Nov-2018
If youre really concerned with security TOR isnt the best choice anyway. A lot of funding for TOR comes directly from the US government: https://www.torproject.org/about/sponsors.html.en

Also the NSA runs a lot of tor nodes apparently. I dont have a good source for this though.
 
Auxin
#4 Posted : 9/20/2018 6:20:51 PM

DMT-Nexus member


Posts: 425
Joined: 12-Jul-2012
Last visit: 15-Dec-2018
That the US funds TOR is not proof of its insecurity.
US agencies and military use TOR because its better than their security.
If you encrypt, you no doubt use encryption algorithms that are DoD level strong. So thy not use DoD level strong proxies?
TOR alone isnt enough to make you safe, but its usually a step in the right direction and if nothing else your ISP wont know what your doing.
 
brazilman
#5 Posted : 9/21/2018 8:59:08 AM
DMT-Nexus member


Posts: 81
Joined: 23-Jun-2018
Last visit: 17-Oct-2018
Location: São Paulo, Brazil
Forgive my tech ignorance but isn't the idea behind TOR that you form a network of "VPN"s so there is no way to pinpoint who is actually accessing what because things pass through a bunch of people before reaching the final user? Basically mixing everybody's internet use history? You use some other guy's IP to access dmt-nexus and some other guy uses your IP to access whatever, with a few added levels sure but is that not basically how it works? If that is basically right, why would you want to have your IP linked to the TOR network?
 
Auxin
#6 Posted : 9/21/2018 5:50:03 PM

DMT-Nexus member


Posts: 425
Joined: 12-Jul-2012
Last visit: 15-Dec-2018
Thats almost right, each user is in an interconnected network of users but only people who choose to be are 'exit nodes' out into the broader internet. Like a room full of people with one person at each door relaying messages to and from the outside, and people outside of the room can only hear that guy, you can choose if your one of those doormen.
 
tatt
#7 Posted : 9/21/2018 6:44:53 PM

InfoSec

ModeratorSenior Member

Posts: 4124
Joined: 17-Jan-2009
Last visit: 14-Dec-2018
Please don't set your home/personal pc as a tor exit relay. A fairly bad choice. Better to just use the tor client as is. Tors website specifically talks against doing this, for obvious reasons.

There's in depth discussion on all this on stackexchange's website, specifically their information security subforum which is a massive wealth of information with constant ongoing discussion about all this.
Thirty spokes meet in the hub, though the space between them is the essence of the wheel

 
nexalizer
#8 Posted : 9/25/2018 5:24:55 PM

DMT-Nexus member


Posts: 782
Joined: 18-Nov-2011
Last visit: 25-Nov-2018
tatt wrote:
Please don't set your home/personal pc as a tor exit relay. A fairly bad choice. Better to just use the tor client as is. Tors website specifically talks against doing this, for obvious reasons.


I like to imagine a world where most people would a) understand the necessity of Tor and b) not be afraid of the thought police and millions - hundreds of millions - would run exit relays at home.
This is the time to really find out who you are and enjoy every moment you have. Take advantage of it.
 
Nicita
#9 Posted : 9/25/2018 5:49:24 PM

DMT-Nexus member


Posts: 183
Joined: 31-May-2012
Last visit: 15-Dec-2018
It is important to realize that the TOR exit nodes can be used to collect unencrypted data. So make sure that you don't submit unprotected data through tor.

Also you ISP can see that you are connecting to the TOR network, which raises red flags by itself and might put you on a special watch list by any agency or cooperation that occupies itself with watching internet traffic.

Regular VPNs are much less suspicious, since they are widely used and not associated with the same crowd as TOR. You can also use a VPN to hide you are connecting to TOR.

The reason that so many people use tor is that the US-military and agencies use these people as cover for themselves (TOR comes out of the US-navy intelligence). If it was their network exclusively, everyone logging into the tor network would out themself as an agent. Now it can just be someone looking to buy viagra or being paranoid of surveillance.

If you are using TOR, please read about the known security risks and what to do about them.
 
Elrik
#10 Posted : 9/25/2018 9:22:16 PM

DMT-Nexus member


Posts: 195
Joined: 19-Aug-2017
Last visit: 14-Dec-2018
8.0.1 is out, complete with a purported noscript update.
And... it still cant block script. Back to 7.5.6
 
tatt
#11 Posted : 9/26/2018 3:43:36 AM

InfoSec

ModeratorSenior Member

Posts: 4124
Joined: 17-Jan-2009
Last visit: 14-Dec-2018
nexalizer wrote:
tatt wrote:
Please don't set your home/personal pc as a tor exit relay. A fairly bad choice. Better to just use the tor client as is. Tors website specifically talks against doing this, for obvious reasons.


I like to imagine a world where most people would a) understand the necessity of Tor and b) not be afraid of the thought police and millions - hundreds of millions - would run exit relays at home.


Totally understand. Unfortunately [specifically the U.S] - it's just not the world [specifically the society] we currently live in.

Tor's great, don't get me wrong, but to set yourself up [beyond it's typical usage] unbeknownst to the potential [and fairly heightened] implications, well ..have at it then I guess.

I wish [though a pretty trite statement 'wish'] things were different, and 'maybe' one day things could change enough to the point of not having things as tapped into as they are, but then again - I don't see it happening personally, just my opinion/ime.

Cops aren't necessarily the worry - they're the last step in the process - the end result - when you get that knock. But all the chain of event before that that leads into that final step - well.. that is something to have concern over, imo/ime.

Thirty spokes meet in the hub, though the space between them is the essence of the wheel

 
Elrik
#12 Posted : 10/1/2018 9:48:40 PM

DMT-Nexus member


Posts: 195
Joined: 19-Aug-2017
Last visit: 14-Dec-2018
I finally understand! Laughing
Over Here Rainner pointed out that the default has always been for noscript to be disabled. I knew that, but having it pointed out with the implication that noscript does work in TOR 8.x made me scrutinize it and I found the problem. When you click noscript it clearly shows 'Default' highlighted with the icon for blocked content. I had simply assumed default was blocked on TOR 8 [as it should be, so I didnt question it]. But, despite the icon for blocking, default is still set for allow-all. You have to go into the settings tab [above the default tab] and make all the block type selections for default match the settings for untrusted. There is no more 'forbid globally' option, but now the option to modify the properties of 'default'.
Thanks Rainner Smile
Elrik attached the following image(s):
Clipboard01.jpg (14kb) downloaded 190 time(s).
 
PsyDuckmonkey
#13 Posted : 10/11/2018 3:52:42 PM

WIZZARD


Posts: 266
Joined: 06-Dec-2015
Last visit: 14-Dec-2018
It's debatable what the default should be.

From a purists' point of view of course, everything should default to the highest level of security, ie. maximum lockdown, and every compromise toward usability would need to be enabled by hand.

From a practical point of view, having a sane compromise between security and usability is a good point to start for most, and the TOR developers assume that those in situations that require higher security will take the appropriate steps, as opposed to relying on defaults.
Do you believe in the THIRD SUMMER OF LOVE?
 
MachienDome
#14 Posted : 10/16/2018 9:39:43 AM

The Thrice Mediocre


Posts: 61
Joined: 13-May-2018
Last visit: 10-Dec-2018
Location: Dark Side of the Web
Auxin wrote:
That the US funds TOR is not proof of its insecurity.


No, but the fact that they abandoned it does.

Using TOR on top of an insecure system doesn't do anything. Using an outdated version is useless Stop. Use TAILS, it provides a bit more security.
PGP Key: https://www.dmt-nexus.me...amp;m=917969#post917969
Use TAILs OS or Tor Browser.

= = = = = = = = = = = = = = = = = = = = = = = = = = = =
In this secret room, from the past, I seek the future.
 
dreamer042
#15 Posted : 10/16/2018 4:05:18 PM

Dreamoar

Moderator | Skills: Mostly harmless

Posts: 3951
Joined: 10-Sep-2009
Last visit: 15-Dec-2018
Location: Rocky Mountain High
TAILS is just a liveboot linux session, it still uses TOR to connect.
Row, row, row your boat, Gently down the stream. Merrily, merrily, merrily, merrily...

Visual diagram for the administration of dimethyltryptamine

Visual diagram for the administration of ayahuasca
 
PsyDuckmonkey
#16 Posted : 10/18/2018 4:45:43 PM

WIZZARD


Posts: 266
Joined: 06-Dec-2015
Last visit: 14-Dec-2018
MachienDome wrote:
Auxin wrote:
That the US funds TOR is not proof of its insecurity.


No, but the fact that they abandoned it does.

Using TOR on top of an insecure system doesn't do anything. Using an outdated version is useless Stop. Use TAILS, it provides a bit more security.


Please don't perpetuate superstition. TOR is not broken, and Tails is not particularly better than the TBB for most common threat models. In fact, it has serious drawbacks as well as benefits. Every anonymization and encryption is defeatable by an appropriate sidechannel attack. It's worth reading up how they arrested Dread Pirate Roberts.

Your opsec needs to be appropriate to your level of threat. Expecting to be targeted specifically, with people expending effort to spy on you as an individual target, and generic efforts to avoid getting caught in a dragnet data collection are two very different things, and need different levels of commitment on your part.

I won't quote how TOR should be used to browse and communicate safely, there's plenty written about that. And it's mostly not about your technology stack (though that does play a part), but about your behavior, both online and offline.
Do you believe in the THIRD SUMMER OF LOVE?
 
Elrik
#17 Posted : 10/18/2018 7:42:11 PM

DMT-Nexus member


Posts: 195
Joined: 19-Aug-2017
Last visit: 14-Dec-2018
PsyDuckmonkey wrote:
TOR is not broken

Its unfortunate that I must correct you.
I just tested it again with a fresh TOR 8 install updated to the latest version and restarted. The current version of TOR still can not restore bookmarks from backups made before TOR 8 [I didnt try with a TOR 8 made backup].
Therefore my statement stands, its still broken.

I also checked and in the noscript drop down they are still deceptively using the block icon for default when default is allow-all and TOR browser still removes all user noscript security customization on restart without informing the user of this security altering action.
TOR is still insecure, to that extent.
 
PsyDuckmonkey
#18 Posted : 10/20/2018 2:05:16 PM

WIZZARD


Posts: 266
Joined: 06-Dec-2015
Last visit: 14-Dec-2018
Elrik wrote:
PsyDuckmonkey wrote:
TOR is not broken

Its unfortunate that I must correct you.
I just tested it again with a fresh TOR 8 install updated to the latest version and restarted. The current version of TOR still can not restore bookmarks from backups made before TOR 8 [I didnt try with a TOR 8 made backup].
Therefore my statement stands, its still broken.

Lol. That's like saying that the glove compartment of your truck is stuck, therefore the truck is broken. It's not. Really. It has a minor inconvenience. The bookmark backup should be some form of html link list, so don't worry too much about it, just open it via a text editor or browser...

Elrik wrote:
I also checked and in the noscript drop down they are still deceptively using the block icon for default when default is allow-all and TOR browser still removes all user noscript security customization on restart without informing the user of this security altering action.
TOR is still insecure, to that extent.

The TBB is a client bundle for TOR. TOR is secure to the extent that it does the job it is supposed to do. If users assume it does things it doesn't do, well... The TBB is secure if you use it securely.

Opsec is not a thing you can just lay on a piece of software and then forget. I mean, if it were that simple, being in a secret service wouldn't be a particularly hard job.

I am fully aware that TBB defaults to allow scripts. It's a sane default, 80% of the web no longer even displays without scripting. I don't know what you mean by "deceptively uses the block icon", I don't see any deceptive "block icon", and Security Settings under the onion button is clear enough.

If you're interested in the manner of data the TBB leaks by default, there are a number of pages online for testing it.
Do you believe in the THIRD SUMMER OF LOVE?
 
Elrik
#19 Posted : 10/21/2018 5:58:01 AM

DMT-Nexus member


Posts: 195
Joined: 19-Aug-2017
Last visit: 14-Dec-2018
I'm not a security IT professional and I'm not a paranoid that checks every setting every time TBB starts, nor am I a dim wit, I'm just your average TOR user who is using it for nexus type things and chemistry research. So let me walk you through my experience with TOR 8 upgrade.
TOR updated itself, no big thing it does that now and then, the color scheme was a little more ugly this time but these days most things look like a cellphone for a 12 year old japanese girl so I let it go and continued my usual routine. After logging in to several sites I noticed that scripts which I had forbidden ever since starting TOR 2 years before were running. I had gone half the way across the net with no security at all, beyond TORs inherent proxies. It was impossible to forbid scripts globally in the usual way but I eventually found where to redefine the default from allow-everything to block. I thought I had it fixed so I moved on. The next day I started it up and logged into a site and went to download a paper and russian AD panes I had never seen before popped up, thats when I discovered that, without warning the user, user customized security settings are reset on every program start- with no apparent way to fix it.
So they changed peoples security radically without clear warning, and then did it yet again. They knowingly compromised peoples usual security measures and did so more or less covertly.
That is what I call insecure.
Now that I know about these issues I can browse without being tricked by those issues again, but its very tempting to just roll back to 7.5.6 until persistent user defined security settings are allowed. I can understand their reason for changing the default, but the warnings should have been noticeable and their idea of security settings should be optional.
Your right, the bookmark glitch is a trivial thing, just back up again after upgrading to 8, but the other issues arent so trivial.

To clarify what I mean about the deceptive block icon, observe this pic. It says 'default' with the icon for block-all, while 'default' is actually the same as allow-all [a different icon].
Elrik attached the following image(s):
Clipboard01.jpg (11kb) downloaded 82 time(s).
 
PsyDuckmonkey
#20 Posted : 10/21/2018 5:40:25 PM

WIZZARD


Posts: 266
Joined: 06-Dec-2015
Last visit: 14-Dec-2018
Elrik wrote:
I'm not a security IT professional

Which is exactly why you shouldn't be finetuning TOR browser security settings.

Elrik wrote:
and I'm not a paranoid that checks every setting every time TBB starts

If you use TOR, and the impenetrability of your anonymous identity is important to you, a certain degree of paranoia is warranted. Then again, it would seem from your posts that you show a degree of paranoia where it's not rational, and lack it where it would be rational.

Elrik wrote:
nor am I a dim wit, I'm just your average TOR user who is using it for nexus type things and chemistry research.

Never said you were a dimwit, I'm just saying you're arguing about things you lack full understanding of, and therefore using flawed grounds for your arguments and actions.

Elrik wrote:
After logging in to several sites I noticed that scripts which I had forbidden ever since starting TOR 2 years before were running.

And what scripts are those?

Elrik wrote:
I had gone half the way across the net with no security at all, beyond TORs inherent proxies.

No security at all? That sounds like a grand statement from someone who admittedly doesn't fully understand security. I can assure you that you were protected by an adequate level of security for the use case of "nexus type things and chemistry research".

Now, federal agents wiretapping you personally, using zero-day browser exploits and government sponsored malware, that's an entirely different threat model, but let's hope you don't have that kind of heat on you.

The latest TBB is safe with its default in that no public exploit exists that would allow either high accuracy fingerprinting, or an unmasking of your real IP address, or accessing your hard drive, without active participation on your part (such as downloading and running malware outside the TOR browser).

You're safe.

Manually forbidding Russian ad scripts (perfectly harmless within the sandbox of the TOR browser) can, however, work against you by creating a unique browser fingerprint.

Elrik wrote:
It was impossible to forbid scripts globally in the usual way but I eventually found where to redefine the default from allow-everything to block.

Onion button > Security settings > "Safest"
That's it. Done.

Elrik wrote:
I thought I had it fixed so I moved on. The next day I started it up and logged into a site and went to download a paper and russian AD panes I had never seen before popped up, thats when I discovered that, without warning the user, user customized security settings are reset on every program start- with no apparent way to fix it.

That is a feature. Persistent unique settings will allow an attacker to generate a fingerprint of your browser, allowing you to be tracked throughout all your TOR operations. Disabling the persistence of user customizations and starting from a clean slate each time is actually very important for real (as opposed to imaginary) security.

Elrik wrote:
So they changed peoples security radically without clear warning, and then did it yet again. They knowingly compromised peoples usual security measures and did so more or less covertly.

They compromised imaginary and wrong security measures in favor of implementing a real security measure.

Elrik wrote:
That is what I call insecure.

And that is where you are wrong.

Elrik wrote:
Now that I know about these issues I can browse without being tricked by those issues again, but its very tempting to just roll back to 7.5.6 until persistent user defined security settings are allowed.

As I said, you are again paranoid where you shouldn't be, and ignoring real danger. Old versions of the TBB may have public exploits that allow the real IP address to be unmasked by a malicious site. Not all malware can be disabled by forbidding scripts.

Also, as I said, persistent user settings are insecure.

Elrik wrote:
I can understand their reason for changing the default, but the warnings should have been noticeable and their idea of security settings should be optional.

It is optional.
Again, Onion button > Security settings > "Safest"

Elrik wrote:
To clarify what I mean about the deceptive block icon, observe this pic. It says 'default' with the icon for block-all, while 'default' is actually the same as allow-all [a different icon].

Yea I'm not a huge fan of NoScript's interface, I'll give you that. But in the TBB, you're not supposed to use that interface, you're supposed to use Onion button > Security settings
Do you believe in the THIRD SUMMER OF LOVE?
 
12NEXT
 
Users browsing this forum
Guest

DMT-Nexus theme created by The Traveler
This page was generated in 0.060 seconds.