From mboxrd@z Thu Jan  1 00:00:00 1970
From: Christopher Lemmer Webber <cwebber@dustycloud.org>
Subject: Re: Recommendations for browsing via Tor pre tor-browser?
Date: Thu, 19 Jul 2018 12:23:23 -0400
Message-ID: <87in5bi490.fsf@dustycloud.org>
References: <87zhywl72t.fsf@dustycloud.org> <87muuvjwwj.fsf@gnu.org>
	<87tvp3l2eb.fsf@dustycloud.org> <87wotriunz.fsf@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain
Return-path: <help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44342)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <cwebber@dustycloud.org>) id 1fgBi9-0007NJ-Oy
	for help-guix@gnu.org; Thu, 19 Jul 2018 12:23:26 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <cwebber@dustycloud.org>) id 1fgBi8-0002yp-P0
	for help-guix@gnu.org; Thu, 19 Jul 2018 12:23:25 -0400
In-reply-to: <87wotriunz.fsf@gmail.com>
List-Id: <help-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/help-guix>,
	<mailto:help-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/help-guix/>
List-Post: <mailto:help-guix@gnu.org>
List-Help: <mailto:help-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/help-guix>,
	<mailto:help-guix-request@gnu.org?subject=subscribe>
Errors-To: help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org
Sender: "Help-Guix" <help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org>
To: Chris Marusich <cmmarusich@gmail.com>
Cc: help-guix <help-guix@gnu.org>

Chris Marusich writes:

> I know what you mean, but I think having TOR listen on localhost is
> safer than having a Guile REPL listen on localhost.  In the case of
> Guile, the risk is arbitrary code execution.  In the case of TOR, I
> suppose the risks might be that an attacker would be able to make
> requests over TOR from your machine.  Perhaps by making such requests,
> they might also be able to infer that you are using TOR (although it's
> already possible to determine that a person is using TOR simply by
> watching their IP traffic).  In any case, since TOR is functioning as a
> proxy, not a Turing-complete programming language, the things an
> attacker could do or learn by making requests from your machine to the
> localhost TOR seem limited.  Compared to the risk of arbitrary code
> execution, it seems much safer to me.

What about sending messages to a specific .onion address to unmask you?
If you send a unique request to http://foobarbaz.onion/?id=50108560 (or
ip=...) you might be able to associate a specific address.

It may be that this is not as easily possible since I suspect Tor is not
as susceptable to a line-oriented attack, so maybe it's not a concern...
I dunno.