* Do not use tor with browsers other than tor browser @ 2019-05-25 11:56 Alex Vong 2019-05-25 16:43 ` Raghav Gururajan ` (2 more replies) 0 siblings, 3 replies; 6+ messages in thread From: Alex Vong @ 2019-05-25 11:56 UTC (permalink / raw) To: help-guix [-- Attachment #1: Type: text/plain, Size: 1642 bytes --] Hello everyone, I've seen recommendations on this list of using tor with browsers other than tor browser, e.g. <https://lists.gnu.org/archive/html/help-guix/2019-04/msg00063.html>, <https://lists.gnu.org/archive/html/help-guix/2019-05/msg00024.html> and <https://lists.gnu.org/archive/html/help-guix/2019-05/msg00046.html>. It is a really bad idea, the tor project faq recommends against it: <https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser>. The reason is as followed: Tor allows you to browse the internet anonymously. It works by making users using the same version of tor browser indistinguishable (i.e. in the same anonymity set[0]). This only works if all the browsers have the same fingerprint. Using browsers other than tor browser makes you distinguishable from that anonymity set. Another reason is that modern browsers allows loads of way for fingerprinting: user agent string, screen resolution, canvas fingerprinting, webgl fingerprinting... This page: <https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-fingerprinting> should give you an idea how many fingerprinting issues exist in modern browsers. This page: <https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs> shows bugs specific to chromium-based browsers. My recommendation for now is to download tor browser from the tor project website. AFAIK, tor browser for GNU/Linux are built with free software only. In the future, we may want to build it ourselves, but of course we need to be careful not to introduce fingerprinting bugs. [0]: https://privacypatterns.org/patterns/Anonymity-set Thanks, Alex [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 227 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Do not use tor with browsers other than tor browser 2019-05-25 11:56 Do not use tor with browsers other than tor browser Alex Vong @ 2019-05-25 16:43 ` Raghav Gururajan 2019-05-25 21:16 ` oury.dustin 2019-05-26 2:39 ` Mike Gerwitz 2019-05-26 19:42 ` Ludovic Courtès 2 siblings, 1 reply; 6+ messages in thread From: Raghav Gururajan @ 2019-05-25 16:43 UTC (permalink / raw) To: Alex Vong, help-guix > It is a really bad idea, the tor project faq recommends against it: > <https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser>. True! Is it possible to making it directly available in guix? ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Do not use tor with browsers other than tor browser 2019-05-25 16:43 ` Raghav Gururajan @ 2019-05-25 21:16 ` oury.dustin 2019-05-26 6:38 ` Ricardo Wurmus 0 siblings, 1 reply; 6+ messages in thread From: oury.dustin @ 2019-05-25 21:16 UTC (permalink / raw) To: Raghav Gururajan; +Cc: Help guix This is interesting because on GuixSD 1.0.1 when I download tor browser and try to start it I receive an error ruki@guix ~/Downloads/tor-browser_en-US$ ./start-tor-browser.desktop bash: ./start-tor-browser.desktop: /usr/bin/env: bad interpreter: No such file or directory ruki@guix ~/Downloads/tor-browser_en-US$ So the way I usually start by clicking the desktop icon from when I used Trisquel doesn't work here. Maybe it has something to do with my PATH? On 25.05.2019 18:43, Raghav Gururajan wrote: >> It is a really bad idea, the tor project faq recommends against it: >> <https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser>. > > True! Is it possible to making it directly available in guix? ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Do not use tor with browsers other than tor browser 2019-05-25 21:16 ` oury.dustin @ 2019-05-26 6:38 ` Ricardo Wurmus 0 siblings, 0 replies; 6+ messages in thread From: Ricardo Wurmus @ 2019-05-26 6:38 UTC (permalink / raw) To: oury.dustin; +Cc: help-guix oury.dustin@posteo.net writes: > This is interesting because on GuixSD 1.0.1 when I download tor > browser and try to start it I receive an error > > ruki@guix ~/Downloads/tor-browser_en-US$ ./start-tor-browser.desktop > bash: ./start-tor-browser.desktop: /usr/bin/env: bad interpreter: No > such file or directory This is likely because the binary you have will expect the loader at /lib64/ld-linux….so (or similar), which doesn’t exist on Guix systems. The loader is provided by the GNU C library and you may need to patch the binary with patchelf to override the interpreter. An alternative might be to install the C library and link its loader binary to the expected location, but we can’t guarantee that this would work. -- Ricardo ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Do not use tor with browsers other than tor browser 2019-05-25 11:56 Do not use tor with browsers other than tor browser Alex Vong 2019-05-25 16:43 ` Raghav Gururajan @ 2019-05-26 2:39 ` Mike Gerwitz 2019-05-26 19:42 ` Ludovic Courtès 2 siblings, 0 replies; 6+ messages in thread From: Mike Gerwitz @ 2019-05-26 2:39 UTC (permalink / raw) To: Alex Vong; +Cc: help-guix [-- Attachment #1: Type: text/plain, Size: 5481 bytes --] Alex: On Sat, May 25, 2019 at 19:56:28 +0800, Alex Vong wrote: > I've seen recommendations on this list of using tor with browsers other > than tor browser, > e.g. <https://lists.gnu.org/archive/html/help-guix/2019-04/msg00063.html>, > <https://lists.gnu.org/archive/html/help-guix/2019-05/msg00024.html> and > <https://lists.gnu.org/archive/html/help-guix/2019-05/msg00046.html>. > > It is a really bad idea, the tor project faq recommends against it: > <https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser>. > > The reason is as followed: Tor allows you to browse the internet > anonymously. It works by making users using the same version of tor > browser indistinguishable (i.e. in the same anonymity set[0]). This only > works if all the browsers have the same fingerprint. Using browsers > other than tor browser makes you distinguishable from that anonymity > set. > > Another reason is that modern browsers allows loads of way for > fingerprinting: user agent string, screen resolution, canvas > fingerprinting, webgl fingerprinting... Using Tor Browser is a good idea. But this isn't a binary decision---it's far more nuanced than that. First: Tor is used for more than web browsing. Some people use it to do one-off things like download files, e.g. using `torify wget`, or via their package managers. Some people use it for setting up onion services for private use. Some people use it to hide their location when SSHing into a server. Others use it to hide their internet traffic from e.g. hotspot providers, hotel rooms, their ISP, and so on. Etc. There's also the issue of defining your threat model (which is the case for both web browsing and all of the above). Do I just want to stop my hotel's Wifi provider from snooping on me? Do I just want to hide my location when SSHing or pushing code to a Git host? Am I using it in place of a VPN to prevent metadata collection from my ISP? Am I trying to prevent tracking from advertisers and other malicious companies? Am I a dissident under an oppressive regime, risking my life to leak information? On top of all of that, you have to actually change your habits; using Tor alone is not enough.[0] Using Tor Browser alone may not be enough. I personally use Tor for all of my Internet traffic, using Icecat with NoScript, Privacy Badger, uBlock Origin, HTTPS Everywhere, Cookie AutoDelete, Third-Party Request Blocker, and FoxyProxy (to easily allow me to disable Tor for my home webserver). My browsing is generally burdensome, though I am able to work around most issues, sometimes with substantial effort (I'm a professional web developer). For some sites, I'll visit via the Internet Archive or other caches (still over Tor). I run Icecat within a container to control what it can see on the filesystem, ensure caches are wiped out, and to help defend against exploits. I don't log into any websites, and if I do, then I understand the consequences of doing so and how to mitigate that. And so on. If I want a higher level of privacy, maybe I'll boot Tails and use Tor Browser on entirely different hardware. Maybe I wouldn't be comfortable just using Tor Browser on my normal OS because a browser bug could still allow it to access my operating system or persist data. The point I'm trying to make here is: Tor Browser is good, but you still need to have some level of understanding of the problem and that Tor Browser does and does not solve. And once you have a certain level of understanding, you can decide whether you want to use Tor Browser. For most users, yes, it's easier to tell them to stick with Tails and Tor Browser. If your life depends on it, then you want a hardened, ephemeral system. But if you're just an average person fed up with corporate surveillance, you're not going to jump through a lot of hoops. You're going to stop using a system when it's inconvenient for you. So telling someone to use Tor with their existing browser and a handful of addons may be good enough, as long as that person understands that they may not be fully anonymous in that scenario. This is a complex topic, and I've just thrown some thoughts together in what little time I have. I would like still like to see it packaged for Guix at some point. Also note that Tor has been working with Firefox to upstream many of their changes.[1] [0]: I don't have time to dig up links right now, but for example: https://www.whonix.org/wiki/DoNot [1]: https://wiki.mozilla.org/Security/Fusion > > This page: > <https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-fingerprinting> > should give you an idea how many fingerprinting issues exist in modern > browsers. > > This page: > <https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs> > shows bugs specific to chromium-based browsers. > > My recommendation for now is to download tor browser from the tor > project website. AFAIK, tor browser for GNU/Linux are built with free > software only. In the future, we may want to build it ourselves, but of > course we need to be careful not to introduce fingerprinting bugs. > > [0]: https://privacypatterns.org/patterns/Anonymity-set > > Thanks, > Alex > -- Mike Gerwitz Free Software Hacker+Activist | GNU Maintainer & Volunteer GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05 https://mikegerwitz.com [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 818 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Do not use tor with browsers other than tor browser 2019-05-25 11:56 Do not use tor with browsers other than tor browser Alex Vong 2019-05-25 16:43 ` Raghav Gururajan 2019-05-26 2:39 ` Mike Gerwitz @ 2019-05-26 19:42 ` Ludovic Courtès 2 siblings, 0 replies; 6+ messages in thread From: Ludovic Courtès @ 2019-05-26 19:42 UTC (permalink / raw) To: Alex Vong; +Cc: help-guix Hi, Alex Vong <alexvong1995@gmail.com> skribis: > The reason is as followed: Tor allows you to browse the internet > anonymously. It works by making users using the same version of tor > browser indistinguishable (i.e. in the same anonymity set[0]). This only > works if all the browsers have the same fingerprint. Using browsers > other than tor browser makes you distinguishable from that anonymity > set. > > Another reason is that modern browsers allows loads of way for > fingerprinting: user agent string, screen resolution, canvas > fingerprinting, webgl fingerprinting... I agree with all this, but note that IceCat has options (turned on by default) to disable some of these things that make fingerprinting so easy. Ludo’. ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2019-05-26 19:42 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2019-05-25 11:56 Do not use tor with browsers other than tor browser Alex Vong 2019-05-25 16:43 ` Raghav Gururajan 2019-05-25 21:16 ` oury.dustin 2019-05-26 6:38 ` Ricardo Wurmus 2019-05-26 2:39 ` Mike Gerwitz 2019-05-26 19:42 ` Ludovic Courtès
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).