From mboxrd@z Thu Jan 1 00:00:00 1970 From: Christopher Lemmer Webber Subject: Re: Recommendations for browsing via Tor pre tor-browser? Date: Thu, 19 Jul 2018 12:23:23 -0400 Message-ID: <87in5bi490.fsf@dustycloud.org> References: <87zhywl72t.fsf@dustycloud.org> <87muuvjwwj.fsf@gnu.org> <87tvp3l2eb.fsf@dustycloud.org> <87wotriunz.fsf@gmail.com> Mime-Version: 1.0 Content-Type: text/plain Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:44342) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fgBi9-0007NJ-Oy for help-guix@gnu.org; Thu, 19 Jul 2018 12:23:26 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fgBi8-0002yp-P0 for help-guix@gnu.org; Thu, 19 Jul 2018 12:23:25 -0400 In-reply-to: <87wotriunz.fsf@gmail.com> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org Sender: "Help-Guix" To: Chris Marusich Cc: help-guix Chris Marusich writes: > I know what you mean, but I think having TOR listen on localhost is > safer than having a Guile REPL listen on localhost. In the case of > Guile, the risk is arbitrary code execution. In the case of TOR, I > suppose the risks might be that an attacker would be able to make > requests over TOR from your machine. Perhaps by making such requests, > they might also be able to infer that you are using TOR (although it's > already possible to determine that a person is using TOR simply by > watching their IP traffic). In any case, since TOR is functioning as a > proxy, not a Turing-complete programming language, the things an > attacker could do or learn by making requests from your machine to the > localhost TOR seem limited. Compared to the risk of arbitrary code > execution, it seems much safer to me. What about sending messages to a specific .onion address to unmask you? If you send a unique request to http://foobarbaz.onion/?id=50108560 (or ip=...) you might be able to associate a specific address. It may be that this is not as easily possible since I suspect Tor is not as susceptable to a line-oriented attack, so maybe it's not a concern... I dunno.