Tor has its flaws and it should be noted on the site #343
Content is encrypted between client and nodes but not from exit relay to server. HTTPS redirects can be blocked, so Tor isn't a failsafe alternative. It's the closest we have, but it's worth noting in the comments that the HTTPS redirect method can mean all of the difference. Using a browser addon that rewrites the URL request before it sends a GET request is paramount to security. If relying on the initial request to redirect after the fact, the resulting method could be overwritten by an exploited endpoint. Every month Tor comes across pretty severe CVEs. And yes, these exploits get patched when noticed, but the problem is real and can be exploited as new vulnerabilities come out. My suggestion is clarifying that the HTTP redirects can't be trusted from the server due to how it would assume trust with the exit relay, and that a trusted browser addon may be the best alternative if typing https instead of http is missed.

"In May 2020 we found a group of Tor exit relays that were messing with exit traffic. Specifically, they left almost all exit traffic alone, and they intercepted connections to a small number of cryptocurrency exchange websites. If a user visited the HTTP version (i.e. the unencrypted, unauthenticated version) of one of these sites, they would prevent the site from redirecting the user to the HTTPS version (i.e. the encrypted, authenticated version) of the site. If the user didn't notice that they hadn't ended up on the HTTPS version of the site (no lock icon in the browser) and proceeded to send or receive sensitive information, this information could be intercepted by the attacker." - torproject

URL of affected page: https://www.privacyguides.org/providers/vpn/
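Added example, not part of the original post or of any project mentioned in the thread: a sketch of the client-side policy the post argues for, where the URL is rewritten to HTTPS before any request leaves the browser instead of relying on a redirect that has to travel through the exit relay. The function names, the block-on-explicit-port policy and the `exchange.example` chains are assumptions constructed for illustration.

```javascript
"use strict";

// Onion services are encrypted and authenticated inside Tor; no exit relay is involved.
const isOnion = (u) => u.hostname.endsWith(".onion");

// Decide what to do with a URL *before* any request is sent.
function upgradeBeforeRequest(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { action: "block", url: null, reason: "unparseable URL" };
  }
  if (url.protocol === "https:") {
    return { action: "allow", url: url.href, reason: "already HTTPS" };
  }
  if (url.protocol !== "http:") {
    return { action: "block", url: null, reason: "unsupported scheme" };
  }
  if (isOnion(url)) {
    return { action: "allow", url: url.href, reason: "onion service" };
  }
  // Policy of this example: an explicit non-default port has no known
  // HTTPS counterpart, so refuse rather than fall back to plaintext.
  if (url.port !== "") {
    return { action: "block", url: null, reason: "plaintext on custom port" };
  }
  url.protocol = "https:"; // rewrite happens client-side, nothing sent yet
  return { action: "upgrade", url: url.href, reason: "rewritten before request" };
}

// Hops of a navigation that crossed the exit relay unencrypted. Any such hop
// is a point where the redirect to HTTPS can be suppressed or altered.
function plaintextHops(chain) {
  return chain.filter((hop) => {
    const u = new URL(hop);
    return u.protocol === "http:" && !isOnion(u);
  });
}

// Constructed navigation chains for a hypothetical site.
const SERVER_REDIRECT = ["http://exchange.example/login", "https://exchange.example/login"];
const UPGRADED_FIRST = SERVER_REDIRECT.slice(0, 1).map((u) => upgradeBeforeRequest(u).url);

console.log(plaintextHops(SERVER_REDIRECT)); // the first hop is exposed
console.log(plaintextHops(UPGRADED_FIRST));  // nothing exposed
```
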
another link: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tor
That's harsh! The ratings aren't severe - they're (almost) all 5's (three lower and one at 5.8)
Every month?
And then consider this
If you're going to use this argument to stick up warnings about Tor, then you will also need to stick them up for gecko, chromium, blink .... who all have numerous security fixes (many with CVEs) from in-house hardening/testing in fact probably all recommended software .. just tell everyone to never use software and unplug the internet :) j/k What is more relevant here IMO (not that CVEs history should be ignored) is going to be other factors: bug bounties, history (of how they reacted to previous bugs), what they are doing to reduce exploits: linting, fuzzing, using rust, hardening C++ usage etc for example: chrome
Someone has to do it and you ultimately have to trust them :) VPN, exit relay, proxy ... IDK what that means in terms of changing the VPN page you linked to, but this is not a Tor only problem
these are more of the types of thing that are probably more pertinent than looking at self reported CVEs, and there's also these sorts of things - https://github.com/Attacks-on-Tor/Attacks-on-Tor - because why not :)
@Thorin-Oakenpants I think my comments may have come off wrong. I use the Tor network and I do suggest using it but I thought it should be important to give the sense that nothing (including the Tor network) is infallible. I think it would be important to make this a point when suggesting a security solution and that the user should never assume something is secure no matter how trusted it was at one point; flaws are introduced all the time in software solutions. So, yes the references I gave were old. A more recent reference found here, a 2021 article referencing research from 2020, title: "Over 25% Of Tor Exit Relays Spied On Users' Dark Web Activities" https://thehackernews.com/2021/05/over-25-of-tor-exit-relays-are-spying.html

Because of the nature of Tor, it's used to subvert censorship, provide anonymity to resources and inherently provide an avenue for malicious actors, it will always be a major target. People will always find flaws. Just because there is no known flaw in the network today does not mean there isn't a flaw currently being exploited within. It only means we aren't aware of any exploits as of yet. Taking and urging others to take a cautious approach is the wisest approach I know. I don't suggest a "tin-foil hat paranoia" approach but recognising the "possibility" is there with evidence it's happened before and that it will likely happen again as software matures and gets ever increasingly more complex.
The "TROVE: Tor Registry Of Vulnerabilities and Exposures" page you referenced shows 7 security flaws patched in 2021 alone, with 1 in September getting a 7.3 severity. I feel like this validates the idea that the Tor network will (like everything else) have flaws and caution is advised.
my enumeration came from the linked CVEs
That is indeed valid, not arguing about that :) My point is where do you draw the line, and be consistent, with warnings - PG will end up looking like a joke, recommending everything but warning against them. Your second link (25% of tor relays) is related to the same link in OP (but as said, it's a valid point). Just trying to give some balance here so PG doesn't end up with extra cruft and unneeded detail/bloat, which is a concern some members have (in private, elsewhere) I'm not arguing for one or the other, or how easy/hard/theoretical some de-anonymizing attacks could be. Forget privacy (it's orthogonal). It makes more sense when you look at these in terms of anonymity
Personally, VPNs have more issues for de-anonymizing than Tor IMO, but we don't need to get into any details here
I completely get what you're saying and I agree that too much can undermine the efforts.