Tor users - vulnerability in JavaScript

endless_blue_water

Active Member
Jan 19, 2011
107
196
I'm not sure why global script is turned on by default in all the new Tor versions, but it kind of goes against the concept of Tor.

Security announcement
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html

Stop using Windows, disable JavaScript
http://www.pcworld.com/article/2046013/tor-project-stop-using-windows-disable-javascript.html


Sadly, many sites won't work without Java, such as the buttons at the top of this message applet.
 

Ceewan

Famished
Jul 23, 2008
9,151
17,033
Yeah, it is annoying. But you have to take some personal responsibility. Every time TOR browser has an update I completely delete the old folder and start fresh. The very first thing I do is tweak my No Script settings. It is very important to note that Javascript can be used to track you and not that it does track you by default. Tracking is not the purpose of javascript (it is merely a programming code). The ability to bypass the anonymity that TOR offers by using javascript tracking methods is the reason No Script is an integral part of the TOR browser. Why the default settings on No Script are set to allow scripts globally is a mystery but there are other settings in the TOR browser you should also change as well. I remove bookmarks, disable spell check, tweak privacy settings and probably one or two more. My point is to take nothing for granted, the TOR browser allows the user to tweak these settings as to their own needs (which is more than most browsers) and does not take upon itself to tell you what those needs are. You can even install additional add-ons from Mozilla (I recently installed Ad Block Plus because of annoying ads at TPB).
 

CodeGeek

Akiba Citizen
Nov 2, 2010
5,180
1,866
But you have to take some personal responsibility.
That's a given. You can have the best security system at home, if you leave the door open ... . ;)

Every time TOR browser has an update I completely delete the old folder and start fresh.
Ah, that explains why they mentioned the export and import of bookmarks. I was wondering because I never did that before (also - of course - I know you can do that).

The very first thing I do is tweak my No Script settings. It is very important to note that Javascript can be used to track you and not that it does track you by default. Tracking is not the purpose of javascript (it is merely a programming code). The ability to bypass the anonymity that TOR offers by using javascript tracking methods is the reason No Script is an integral part of the TOR browser. Why the default settings on No Script are set to allow scripts globally is a mystery but there are other settings in the TOR browser you should also change as well. I remove bookmarks, disable spell check, tweak privacy settings and probably one or two more.
I know, I know. I'm a developer. And from time to time I also have to deal with JavaScript. I guess the problem is if you want to have a nice and neat user interface nowadays you need maybe not Flash, but JavaScript+CSS. So I guess it depends on the sites you want to access. If they also work without JS (means they are still usable), it's better to deactivate these features.

My point is to take nothing for granted, the TOR browser allows the user to tweak these settings as to their own needs (which is more than most browsers) and does not take upon itself to tell you what those needs are. You can even install additional add-ons from Mozilla (I recently installed Ad Block Plus because of annoying ads at TPB).
In my case I'm more interested to run my own service than to use TOR for everyday surfing. So my focus is more on the server side. I should make sure that the server doesn't send any data in the header or page (especially error pages) which can be a problem. And I maybe should use (and also force) HTTPS for the security of the users. Otherwise the traffic can be read by the introduction points of the client and the server. And I shouldn't use JavaScript because it would force users to enable it. I guess that is the best I can do from the server / service side.
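
The server-side checks described in the post above (no identifying data in headers or error pages, no dependence on JavaScript) can be run as an audit over captured responses. This is an added example, not part of the original post; the header list, the regular expressions and both sample responses are constructed for illustration.

```python
import re

# Response headers that commonly disclose software, versions or upstream hosts.
IDENTIFYING_HEADERS = {"server", "x-powered-by", "via", "x-aspnet-version", "x-generator"}
BANNER = re.compile(r"\b(?:Apache|nginx|lighttpd|PHP)/\d+(?:\.\d+)+")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SCRIPT = re.compile(r"<script\b", re.IGNORECASE)


def audit_response(raw: str) -> list[str]:
    """Return a list of findings for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() in IDENTIFYING_HEADERS:
            findings.append(f"header discloses software: {name.strip()}: {value.strip()}")
    for banner in sorted(set(BANNER.findall(body))):
        findings.append(f"body contains version banner: {banner}")
    for addr in sorted(set(IPV4.findall(body))):
        findings.append(f"body contains IP address: {addr}")
    if SCRIPT.search(body):
        findings.append("body loads a script, so visitors must allow JavaScript")
    return findings


# Constructed sample: a default-style 404 page that leaks in all four ways.
LEAKY_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.10 (Debian)\r\n"
    "X-Powered-By: PHP/5.6.40\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>"
    "<address>Apache/2.4.10 (Debian) Server at 203.0.113.7 Port 80</address>"
    '<script src="/js/app.js"></script></body></html>'
)

# Constructed sample: the same status with a static, anonymous error page.
QUIET_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_404), ("quiet", QUIET_404)):
        print(label, audit_response(raw) or "no findings")
```

Error pages are worth testing separately from normal pages, since web servers often generate them from built-in templates rather than from the site's own code.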
 

Ceewan

Famished
Jul 23, 2008
9,151
17,033
Occasionally it might be confused that I actually know something. There is a hell of a lot of documentation available at Torproject to sift from, I'll let you do it. This might have some of the answers you were looking for though....might not.

https://www.torproject.org/docs/trademark-faq.html.en
 

Totoro79

Castle in the Sky
Nov 6, 2014
9
1
Tor is still open source, in fact was wondering do people think it's better to visit Akiba via tor?

I visit it thru a VPN just in case, but I guess under Tor it does make more sense for greater privacy and being more anonymous.

Whatcha all think ?
 

Ceewan

Famished
Jul 23, 2008
9,151
17,033
I guess one thing I am not short of is an opinion.


It really depends on your circumstances on whether you need, should or even want to use an anonymizer of some sort. If you are in a country where porn is illegal or that normally blocks this site then it would be a very good idea. If you share files here and are worried about being persecuted or prosecuted over it then again it would be a good idea. If you just visit to download porn then....it is debatable on whether you actually need an anonymizer of some sort. Personally I use one because it is no one else's business what sites I visit and I like to keep it that way.
 

Totoro79

Castle in the Sky
Nov 6, 2014
9
1
Personally I use one because it is no one else's business what sites I visit and I like to keep it that way.

How did you get my headstone quote :)

Thanks certainly no right or wrong opinions, I will stick to VPN for my surfing and downloading via torrents via this site:)
 

Little Chucky

Hi, I'm Chucky, Wanna Play?
Aug 28, 2013
160
711
Use a vpn to connect to a vpn-service and set up the connection in your router.
Make sure you use a safe vpn service which is not located in the country where you live.
Buy a high powered WiFi antenna and scan your neighborhood for open networks.
Connect to a network but make sure you're connected to the vpn so nobody can scan (read) the WiFi data.

Download Tails
https://tails.boum.org/
Download virtualbox
https://www.virtualbox.org/
Install virtualbox
Install Tails as a virtual image on your pc via virtualbox
Start Tails and connect to any site you want.
Just make sure you don't install plug-ins or extensions or something like that.

Install Truecrypt (nobody has yet to find any vulnerabilities in Truecrypt).
Set up your pc so that everything you download will be in your Truecrypt container.
And just to be safe you can put every video in a winrar container protected by a password.

Above is how I would do it if I was scared they would come knocking on my door.
 
  • Like
Reactions: Ceewan and Totoro79

Ceewan

Famished
Jul 23, 2008
9,151
17,033
A bit overboard but a lot of good advice there. I mean if you are that petrified and there are some that have good reason to be, ( for instance long term imprisonment or being lined up in front of a firing squad), then keep a few things in mind:

1. I am not sure you can even use both a VPN and Tor but using both is fairly redundant. VPNs are better at P2P support (if they support it! check with your VPN provider). Some VPN providers keep logs and some have been known to betray confidentiality so do some research on your prospective VPN provider.

2. Only use encryption if the ends justify the means as in some countries using encryption itself is grounds for imprisonment itself. Know your country's laws. (Probably a better idea to get busted for porn than be suspected of treason/spying.)

3. I am not sure about the plug-ins warning when it comes to VPN networks but it is fair advice for Tor. Many plug-ins simply won't work with Tor by default.

4. Truecrypt is vulnerable to a bruteforce attack unless you use a password between 10 and 20 characters (20 preferable to 10 but anything over six would likely be sufficient).
 

isityours

People don't dance no mo'
Sep 27, 2008
2,886
4,135
javascript is a part of java that is employed to execute code within browsers. this essentially means that your browser is running little programmes, often without your knowledge of what exactly they are doing. like java it is a high level language and like java is very hard to write so it executes securely. it also gets access to most everything which is why it is so often exploited to leverage vulnerabilities.
as for TOR i assume that as some sites depend on javascript to function, it is left on by default. because i use the noscript addon in firefox as a matter of course, it is the first thing i install, and if it is installed, the first thing i make sure is enabled. also, not everyone that downloads TOR has even intermediate level knowledge of computing. if someone was told to download it to perform some action covertly and it didnt load a certain site or whatever, that would also defeat the purpose of having anonymized internet access. look at glenn greenwald. he put off talking to snowden because he didnt understand how to use PGP and didnt feel the learning curve justified doing so.

try adblock edge. it doesnt have 'acceptable ads' so isnt filtering or using any information collection (not to say that adblock plus is).

firefox is open source and TOR is too.

i never used to use anything when i came here. now i always have my vpn on, so i use it when i come here now.

when i use TOR, i run it through my vpn too so even if it was traced, it would lead back to the vpn server.

anything is technically vulnerable to brute force. the strength of the password only changes the amount of time it takes to crack it.

and tails + virtualbox + vpn + truecrypt? ridiculous. tails is originally designed to be used as a live OS so booting from it is the safest way to use it. if you just want to use your computer (torrent) safely then use a vpn that doesnt keep logs. set up the 'hidden operating system' feature in truecrypt and use that. or just set up your torrent client to use truecrypt volumes to download to. much simpler.
 

Ceewan

Famished
Jul 23, 2008
9,151
17,033
  • Like
Reactions: isityours

Little Chucky

Hi, I'm Chucky, Wanna Play?
Aug 28, 2013
160
711
and tails + virtualbox + vpn + truecrypt? ridiculous. tails is originally designed to be used as a live OS so booting from it is the safest way to use it. if you just want to use your computer (torrent) safely then use a vpn that doesnt keep logs. set up the 'hidden operating system' feature in truecrypt and use that. or just set up your torrent client to use truecrypt volumes to download to. much simpler.

its not how i would do it to download torrent stuff but its how i would send and receive data and i wanted nobody to know where i am or who i was

And i know a few extra measurements but they are even more extreme

But I digress.
Just use a vpn service but don't pay with your credit card or paypal account.
Use a prepaid credit card or bitcoins to pay for the vpn-service so there is no money trail
 
  • Like
Reactions: isityours

isityours

People don't dance no mo'
Sep 27, 2008
2,886
4,135
You should read up on that a bit. For a simplified explanation this would be sufficient:

https://en.wikipedia.org/wiki/Brute-force_attack


Chained supercomputers have failed at brute force attacks.

either you didnt understand it, i didnt understand it or you are conflating password length with cryptographic implementation. in relation to truecrypt which uses 256AES i think, a password of 10 characters (again, this is a very oblique term) would be, say if you didnt have a spare million years, impractical to attack with brute force.

in case i am missing something else, please quote the text that says that passwords that are between 10 and 20 characters are invulnerable to brute-force.

all i said is that theoretically any password can be brute forced.
 

Ceewan

Famished
Jul 23, 2008
9,151
17,033
in case i am missing something else, please quote the text that says that passwords that are between 10 and 20 characters are invulnerable to brute-force.

all i said is that theoretically any password can be brute forced.




Ah! my most beloved Nemesis! we cross swords yet again! Have at ye then, most honored foe!

Seriously though, what you said is "anything is technically vulnerable to brute force" which means something different than "theoretically any password can be brute forced". Hopefully you read some of the Wiki on it, though they take a much larger view of the whole and so always leave many pertinent details out. A longer password makes brute force attacks less feasible without a supercomputer (or chain of them).


This is an example of what sites say about brute force attacks (similar examples run rampant on the net):

How much time is needed to crack a password by brute-force?

If the password cannot be guessed and is not found in a dictionary, the cracker has to try a brute-force attack. When brute-forcing, the time to crack the password depends on the amount of possible passwords that the cracker has to try. The amount of possible passwords increases with password length and with increasing diversity of characters being used (complexity).

Let’s take the scenario of a cracker trying 15 million passwords per second. This is currently the maximum speed being claimed by password cracker vendors. You need a pretty fast computer to achieve this. The following table shows the computed time to crack a password with 15 million tries per second. Notice the incredible increase in time to try all possible combinations when password length and complexity increase.

length: 4, complexity: a-z ==> less than 1 second

length: 4, complexity: a-zA-Z0-9 + symbols ==> 4.8 seconds

length: 5, complexity: a-zA-Z ==> 25 seconds

length: 6, complexity: a-zA-Z0-9 ==> 1 hour

length: 6, complexity: a-zA-Z0-9 + symbols ==> 11 hours

length: 7, complexity: a-zA-Z0-9 + symbols ==> 6 weeks

length: 8, complexity: a-zA-Z0-9 ==> 5 months

length: 8, complexity: a-zA-Z0-9 + symbols ==> 10 years

length: 9, complexity: a-zA-Z0-9 + symbols ==> 1000 years

length: 10, complexity: a-zA-Z0-9 ==> 1700 years

length: 10, complexity: a-zA-Z0-9 + symbols ==> 91800 years

What we see is that:

* any password shorter than 5 characters can be cracked within 5 seconds

* any password shorter than 7 characters can be cracked within a day.

* With the password length of 9, the cracking time goes to hundreds of years. In most cases this can be considered acceptable while mostly we need to keep a secret for a maximum of 30 years.

To be on the safe side, we recommend a minimum password length of 10 characters.

source:
http://www.toplinestrategies.com/cl...is-needed-to-crack-a-password-by-brute-force/

To be fair most computers cannot even come close to 15 million tries per second and password crackers will burn a CPU to dust trying (I actually tried one and I could actually smell the heat from my CPU, very likely how I burned out my last computer). Even the newest form of password cracker developed to use the GPU instead of a CPU cannot crack a complex alphanumeric 10 character password in any reasonable time period and it achieves a 350 billion-guess-per-second speed.
 
  • Like
Reactions: Summer-Time-Fun

Summer-Time-Fun

Well-Known Member
Apr 1, 2007
529
271
Hey, since we're all off topic, and talking about Brute force attacks: Have any of you tested, and noticed how much longer it takes VeraCrypt to mount encrypted drives/containers in comparison to TrueCrypt 7.1a??? I thought it was malfunctioning.

I found a post explaining that it's by design because of the increased iterations.
Kind of interesting. Second response by idrassi
https://veracrypt.codeplex.com/discussions/549728

Note: The only thing is, it sounds like idrassi is talking about system encryption, while the OP was simply asking about mounting encrypted drives. But the PRF used in key derivation should still apply either way.
 
  • Like
Reactions: Ceewan

Summer-Time-Fun

Well-Known Member
Apr 1, 2007
529
271
But even if the brute force method is futile there is always a way. Just think about it.

That's right LC. But only in an extreme case. Not for JI.
You have to be willing to protect your plausible deniability with your life. And if you're still alive after the event, hopefully you can walk away with a nice lawsuit. You just might not be able to have sex ever again.

Your password is only as good as your housekeeping upstairs ..above your shoulders. Or better yet, for a "Key" point, your house should not be doing the keeping.

They can have our bodies, but they can never touch our souls...
 

isityours

People don't dance no mo'
Sep 27, 2008
2,886
4,135
Seriously though, what you said is "anything is technically vulnerable to brute force" which means something different than "theoretically any password can be brute forced".

im not sure how they are different but, whatever. and, i know that practically there is an upper limit but im just stating the obvious fact that there are no absolutes.

I found a post explaining that it's by design because of the increased iterations.

increasing iterations is a more commonly employed tactic now which exponentially increases attack time. assigning a calculative 'cost' to an action is a really easy way to increase protection.
 
  • Like
Reactions: Summer-Time-Fun
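
The brute-force table quoted earlier in the thread and the later posts about key-derivation iterations describe the same quantity: candidates to try divided by guesses per second. The sketch below is an added example, not code from any poster or from TrueCrypt/VeraCrypt. It assumes PBKDF2-HMAC-SHA512 as a stand-in key derivation, uses illustrative iteration counts (1,000 and 500,000) that are not taken from the thread, and models one guess as costing `iterations` PRF calls.

```python
import hashlib
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every candidate; the expected time to a hit is half of this."""
    return keyspace(alphabet_size, length) / guesses_per_second


def rate_after_stretching(prf_calls_per_second: float, iterations: int) -> float:
    """Model (assumption): each guess costs `iterations` PRF calls, so the guess rate is divided by it."""
    return prf_calls_per_second / iterations


def measure_derivation(iterations: int, repeats: int = 3) -> float:
    """Best-of-N wall-clock seconds for one PBKDF2-HMAC-SHA512 derivation on this machine."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        # Constructed passphrase and salt, used only to time the derivation.
        hashlib.pbkdf2_hmac("sha512", b"constructed passphrase", b"constructed salt",
                            iterations, dklen=64)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    for length in (6, 8, 10):
        for rate in (15e6, 350e9):  # the two guess rates quoted in the thread
            years = worst_case_seconds(62, length, rate) / SECONDS_PER_YEAR
            print(f"a-zA-Z0-9, length {length}, {rate:.0e} guesses/s: {years:.3g} years")

    stretched = rate_after_stretching(350e9, 500_000)
    years = worst_case_seconds(62, 10, stretched) / SECONDS_PER_YEAR
    print(f"same attacker behind 500,000 iterations: {stretched:,.0f} guesses/s, {years:,.0f} years")

    fast, slow = measure_derivation(1_000), measure_derivation(500_000)
    print(f"one derivation: {fast * 1e3:.2f} ms vs {slow * 1e3:.0f} ms ({slow / fast:.0f}x slower)")
```

The last line of output is the delay a legitimate user sees once per mount; an attacker pays the same factor on every guess.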