[Crypto-chi] Tor at risk
Brian Kroll
brian at fiberoverethernet.com
Wed Dec 24 16:06:46 CST 2014
Good question.
Flash, Java, RealPlayer and all the other garbage that sites use for
video are plug-ins that function outside of the site you're viewing and
directly interfacing with these programs often being closed source or
obscured code. The code is often buggy and full of holes. HTML5 video is
a native part of the HTML5 code base in short meaning it does not
require another program (like Flash, Java, etc.) to be used, and works
within the browser.
It can be exploited if HTML5 is where the issue lies. As of right now
there are no 'known' HTML5 security holes, but that doesn't mean they
don't exist. This is where open source code is important for
transparency and security allowing people to look for those holes, and
patch them quickly.
A large threat is HTML5 Canvas fingerprinting. If you're using the TBB
there are safeguards built-in that prevent this, but since there are new
threats every day that haven't been found, your best bet would be to
download the video, and play/open it off-line as you should with
anything you get from sites such as PDF files. This will provide you
better security to prevent someone from locating your IP or pinpointing
you on your fingerprint by having that file 'phone home.'
If you want to see what your browser is giving out check this site by
the EFF: https://panopticlick.eff.org/
And look at BrowserSpy that will provide even more detail:
http://browserspy.dk/
Try both of them in your normal browser, and then again with the Tor
Browser Bundle and see the difference.
ATB
-Brian
Tor is not really made for video, and if you can the
On 24-12-2014 15:24, joe fuentes wrote:
> Hmmmm,
>
> And it's agreed, when using Tor don't enable javascript and don't use
> Flash.
>
> The question remains with HTML 5 taking over the throne from Flash
> will HTML 5 video cough up your IP address the way Flash does?
>
> -Joe
>
>> Date: Wed, 24 Dec 2014 14:06:19 -0600
>> From: freddymartinez9 at gmail.com
>> To: cryptoparty-chi at groups.sshchicago.org
>> Subject: Re: [Crypto-chi] Tor at risk
>>
>> Well,
>>
>> This is a serious flaw in Flash (which is garbage software), not really
>> Tor.
>>
>> Here is what we know. The FBI identified a web server in operation
>> Torpedo (FWIW: that's a pretty clever portmanteau). Then they simply
>> logged in to the webpage because the web server's admin username was
>> "admin" and the password was .... wait for it... not set. From there,
>> they installed an invisible iFrame that uses Flash to ping an FBI server
>> with the real IP of the Tor user. Eventually users noticed this and
>> quickly abandoned the webpage.
>>
>> What was vulnerable? Tor users using an old version of TBB that was
>> outdated and allowed Flash to execute. (By default TBB ships with
>> NoScript (but disabled) and does NOT allow Flash to execute. There
>> have been discussions about shipping TBB with noscript enabled by
>> default but that breaks a lot of webpages. However, Flash shouldn't
>> have been able to execute anyways and the end-users allowed it to
>> execute.)
>>
>> What remains to be decided / understood? Under what authority can the
>> FBI hack into webpages? Notice this was against all visitors to a
>> webpage. Related: the FBI is pushing the DoJ for greater latitude to
>> install RATs [0] in laptops.
>>
>> tl;dr Keep your TBB up to date and don't run Flash
>>
>> (actually good advice for all web browsers, tor or not...), Also don't
>> open PDFs while on Tor etc etc.
>>
>> Freddy
>>
>> [0] http://www.theatlantic.com/technology/archive/2014/12/the-webcam-hacking-epidemic/383998/
>>
>> On Wed, Dec 24, 2014 at 12:03 PM, joe fuentes <joseph.fuentes at live.com> wrote:
>> > Especially today Christmas Eve day. Our rights to privacy at risk. Tor is
>> > the target.
>> >
>> > First, FBI was able to obtain some user IP addresses from Tor. This uses
>> > open source Metasploit from a security researcher Moore. See below
>> >
>> > http://www.wired.com/2014/12/fbi-metasploit-tor/?mbid=social_fb
>> >
>> > This in fact earned Moore a warning from law enforcement thus discouraging
>> > security researchers from performing their work. See below
>> >
>> > http://www.theguardian.com/technology/2014/may/29/us-cybercrime-laws-security-researchers
>> >
>> > And if this wasn't enough a report shows the NSA keeps track on who looks
>> > up Tor and visits website. Kinda like Santa Claus watching who's naughty or
>> > nice. See below
>> >
>> > http://www.theverge.com/2014/7/3/5868159/new-report-says-the-nsa-is-checking-who-visits-tors-website
>> >
>> > Wot are your thoughts on this everybody??
>> >
>> > - Joe
>> >
>> > _______________________________________________
>> > cryptoparty-chi mailing list
>> > cryptoparty-chi at groups.sshchicago.org
>> > http://groups.sshchicago.org/listinfo/cryptoparty-chi
>> >