|
Tor is glacially slow, it's an active target for the FBI, NSA, and other surveillance organizations, and exit nodes are a perfect place to run man-in-the-middle attacks. The point isn't to keep your information secure; it's to keep you anonymous (which you immediately throw out the window if you're accessing a bank account tied to your personal information). Avoid Tor, and Tails, unless you have a very good reason to use it. If you worry about online banking over untrusted networks, either wait until you get home to do your banking, or use a cheap Chromebook and SSL.
|
#
¿
Aug 2, 2014 20:31
|
|
|
|
| # ¿ May 17, 2024 20:56 |
|
|
xtal posted:For what it's worth, it's not terribly slow anymore (you can get a couple megabytes of download, which is enough to saturate my lovely Internet) and MITMs aren't an issue if you use HTTPS or hidden services only. I would definitely hope a banking website is using HTTPS. I encourage everybody to use Tor, but I would never encourage anybody to use plaintext communication like HTTP. The MITM concern with Tor is that you're letting a single untrusted node control your communication with the internet at large. Even if you're running an SSL implementation with some vulnerability, the chances for someone to exploit it are generally pretty small - either the attacker needs to have control over the local network (router, DNS server, or something similar), or national-agency level resources to pick your traffic out of backbone networks and gently caress with it. When you use Tor, the "local network" includes some node that you don't know, who can do whatever they please to your traffic. Using Tor is effectively similar to finding an open ethernet jack in a shady alley, and connecting to the internet through it. You're effectively anonymous (any attempt to trace your use will come back to "shady alley ethernet jack" rather than your home), but you don't know what the person using that ethernet jack might be doing to monitor or even modify your traffic. If you use SSL for everything, you're probably safe, but if there's an unknown/undisclosed vulnerability in your implementation that the jack's owners have access to, you're screwed. The fact that you're using the shady alley instead of your home certainly didn't make you any safer for everyday internet stuff. It's only helpful if you're already a target for some reason, and you think your home's being monitored. Hidden services are a different thing entirely, but for the online banking and email mentioned in the OP, it's not really relevant. Banks and email providers generally don't provide Tor access to their services.
|
|
#
¿
Aug 2, 2014 21:45
|
|
|
Bob Morales posted:What kind of discovery would have to be made that would be worth revealing Tor has been backdoored this whole time, and who's decision would it be to expose it? Releasing that kind of information doesn't always come down to a calculated decision about what's "worth revealing." Snowden had access to a huge amount of internal NSA materials, including a lot of things they really didn't want out in public. It included a lot of ways to mitigate Tor anonymization (browser attacks, fingerprinting, etc), but nothing that would even hint at a wide-open break. Unless you think that the NSA's hypothetical Tor attack is so secret that they'd go to huge lengths to hide it even among trusted employees who get access to politically sensitive intercept information and the spy-gadget catalog, it doesn't make sense for them to have a generally useful Tor exploit. The most likely scenario is that the NSA runs exit nodes and actively investigates and modifies traffic, but they can't just arbitrarily reverse Tor anonymity at will. XenJ posted:My intention was to present an easy-to-use operating system that boots from a USB stick and is used under the face point that one just does not have his own computer there. This program leaves on third-party computers no data. The whole point of Tails (and Liberte) is to have a pre-rolled Linux distribution that routes as much traffic as possible over Tor. This means that, if you use them, you're exposing yourself to the Tor vulnerabilities we're discussing, plus any subtle vulnerabilities in the configuration of those distributions. If you're just concerned about spyware on the local machine stealing your online banking password (a very real concern in places like internet cafes!) then you're likely better off using some mainstream Linux live image that doesn't try to put everything through Tor. Ubuntu is a good choice: it has a wide support base, good learning resources, and lots of eyes on any security issues that might come up. By the way, if you're looking for media with a hardware write-protect, remember that SD cards don't have one. The write-protect switch is just a polite request to the drivers to not send write commands; if some rootkit is messing with things, then it's free to ignore the switch. The good news is that cross-OS malware that can pick up, "oh, the user is on Windows right now but that card has a Linux image, I'll hit it with a Linux attack" is incredibly rare.
|
|
#
¿
Aug 3, 2014 18:50
|
|