Critical Tor vulnerability: Attackers can deanonymize users. All users should upgrade

Discussion in 'privacy technology' started by Hungry Man, Oct 28, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    https://blog.torproject.org/blog/tor-02234-released-security-patches

    Critical Tor vulnerability: Attackers can deanonymize users. All users should upgrade.

     
  2. x942

    x942 Guest

    Wow. Thanks for the post. Have now upgraded my relay.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Thank you!
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
  5. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I saw it too yesterday. It's not a big issue for me, because I use the expert bundle in the rare cases I really need TOR. If they remove the Expert Bundle, I will compile TOR from source, and if they remove the source code I see no reason to use TOR anymore :)
    The problem is that it's a matter of choice, and they seem to not understand that. I believe that they want to make sure that every user runs a relay or exit node, but I'd try to educate the users to do that, not force them.
    Besides, the blog uses phrases like "This configures Tor to run as a non-exit relay by default" or "This configures Tor to run as an exit relay by default", so I am pretty sure that you will be able to edit torrc file in order to make it act as you want.
     
  6. black_sunrise

    black_sunrise Registered Member

    Joined:
    Oct 29, 2011
    Posts:
    1
    Tor is just a honeypot for the FBI, so unless you set up or rent your own private exit node it's worthless.
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    How about no. Tor is not, nor has it ever been, a "honeypot". To monitor the entire system, it would have to be a honeynet, or a honeyfarm, which obviously it isn't. All that being said, there are tons of honeypots connected to Tor, and yes, the FBI along with every other agency has a presence. Tor is open source, which would make it damn near impossible to be one large FBI or any agency trap. It's also impossible because of jurisdictional issues... remember the world uses it... and the FBI doesn't have jurisdiction everywhere. The FBI isn't even capable of undertaking such an operation; what you're suggesting would be in the realm of the CIA or NSA.
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The FBI may control a few of the exit nodes, as would just about every other government on the planet, but none of them control them all. That would be physically impossible. The exit node doesn't see the source IP of the traffic, only the previous relay it came through. It doesn't see the relay the user initially connects to. Unless the entire chain is compromised or both ends are being monitored and that specific traffic is being singled out, there's no way they can realistically track someone through the Tor network, unless the original user's system is leaking data badly. If properly set up, your own browser won't know your internet IP and therefore can't leak it.
     