Tor Browser considered harmful

Posted on Fri 16 September 2016 in Security

Since people often ask me about anonymity and Tor, I'd like to write something more complete than a few tweets. It's also a good time for it, with @movrcx's latest overhyped 0day and bullshit conspiracy.
Don't trust the title: it's great software, but it's not enough for proper anonymity.
By the way, ioerror was an asshole and was fired for a good reason. Get the fuck over it y'all.


If you look closely at how anyone gets caught behind Tor, it becomes obvious that encryption and Tor itself are not the weak link: most of the time it's a very stupid opsec failure or a browser exploit.
Both can be avoided with discipline and the right tools. Let's talk about the tools.

Isolation is key

Exploits that reached the OS or the filesystem from the browser, or compromised the browser itself, have been seen recently, each time doing huge damage. Something as simple as Flash has been used to ruin Tor Browser users' anonymity, and it will be used again.

We can sum up the danger by a few simple facts:

  • Your browser could access the Internet without Tor.
  • Your browser could access personal information.
  • Your browser could store persistent data that can identify you later.
  • Your browser will, in one way or another, parse or execute foreign and untrusted data.

We can't easily make the browser safer because it's one of the largest and messiest pieces of software we commonly use. The Tor Browser already helps you disable dangerous plugins like Flash, JavaScript, and other features that may be a risk, but it's hard to remove every sharp edge on a structure that big. It only takes one new, unexpected way to get out of that browser to compromise your anonymity, and it will inevitably happen (a buffer overflow in an image parsing library, for example).

We can, however, greatly reduce the risks by limiting what it's able to do on a lower level:

  • The browser should be completely isolated from the Internet, except through Tor.
  • The browser should not be able to read any personal data, except what it has stored.
  • The browser should be running in a secure environment that you can store fully encrypted and/or erase securely.

Also, these limits should be enforced on multiple layers. That's defense in depth. It's a lot less likely that an attacker can breach the Tor Browser and Tails at the same time, for example. And if it happens, you will have more time and options to react than with the Tor Browser alone.

Basically, you want to draw the cleanest line possible between your secret session/identity and your environment. The Tor Browser alone cannot guarantee any of these, but virtual machines are great at that. A separate computer too, if you can.

A few practical solutions

Tails

Tails, "The Amnesic Incognito Live System".
This is probably the best anonymity tool ever made. If you don't have a good reason not to, use it. Even if you run it inside VirtualBox, it will already protect you from most of the threats you could imagine. It's very strict and limited, and that's what makes it secure.
The live and amnesic part will give you a clean system every time you start it, and it won't leave any useful evidence behind.

Whonix

Whonix is a set of two images that can be way more powerful. Unlike Tails, it's not live or amnesic. It's what I would recommend if a persistent workstation is a requirement.

There's the Gateway, which routes everything from one interface through Tor and isn't to be used for anything else; and the Workstation, which is the one you actually use. You can easily build a custom Workstation yourself.
The idea is to let only the Gateway access the Internet, and to link the two VMs with an internal network. Even if your Workstation gets 100% compromised, unless the Gateway or the hypervisor is broken, the problem stays contained and you stay mostly anonymous.
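As an added example (not the author's code, and not Whonix's own configuration), here is what the Gateway side of this split looks like when written down as a torrc and a firewall ruleset. It enforces the rules listed under "Isolation is key": the Workstation's network can only reach Tor's listening ports on the Gateway, nothing is forwarded to the uplink, and only the tor process itself may open connections on the uplink. The interface names, the 10.152.152.0/24 internal network, the port numbers, the `debian-tor` user and the torrc output path are all assumed placeholders; adjust them to your setup.

```shell
#!/bin/sh
# Added example of a minimal Tor gateway, in the spirit of the Whonix Gateway.
# All values below are constructed placeholders, not Whonix's shipped defaults:
#   EXT_IF  uplink interface with real Internet access
#   INT_IF  interface on the isolated internal network shared with the workstation
#   GW_IP   gateway address on the internal network
#   WS_NET  the internal network the workstation lives in
set -eu

EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
GW_IP="${GW_IP:-10.152.152.10}"
WS_NET="${WS_NET:-10.152.152.0/24}"
TOR_USER="${TOR_USER:-debian-tor}"   # assumed: the uid the tor daemon runs as
TRANS_PORT=9040   # transparent TCP proxy port (Tor's TransPort)
DNS_PORT=5300     # Tor's DNS resolver port (DNSPort)
SOCKS_PORT=9050   # explicit SOCKS port for applications that support it

# torrc fragment: Tor listens only on the internal interface, so the workstation
# can reach it and nothing arriving on the uplink can.
gateway_torrc() {
  cat <<EOF
# Listen only on the internal network, never on the uplink.
SocksPort ${GW_IP}:${SOCKS_PORT}
TransPort ${GW_IP}:${TRANS_PORT}
DNSPort ${GW_IP}:${DNS_PORT}
# Map resolved .onion names to private addresses so transparently proxied clients can reach them.
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
EOF
}

# iptables commands, one per line, that enforce:
#   - workstation TCP  -> redirected into Tor's TransPort
#   - workstation DNS  -> redirected into Tor's DNSPort
#   - anything else from the workstation is logged and dropped (no leak path)
#   - FORWARD policy DROP: the workstation can never reach the uplink directly
#   - only the tor daemon may open new connections on the uplink
gateway_firewall() {
  cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Loopback and already-established traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Workstation DNS and new TCP connections are transparently redirected into Tor
iptables -t nat -A PREROUTING -i ${INT_IF} -s ${WS_NET} -p udp --dport 53 -j REDIRECT --to-ports ${DNS_PORT}
iptables -t nat -A PREROUTING -i ${INT_IF} -s ${WS_NET} -p tcp --syn -j REDIRECT --to-ports ${TRANS_PORT}
# The only things the gateway accepts from the workstation are Tor's own ports
iptables -A INPUT -i ${INT_IF} -s ${WS_NET} -p tcp -m multiport --dports ${TRANS_PORT},${SOCKS_PORT} -j ACCEPT
iptables -A INPUT -i ${INT_IF} -s ${WS_NET} -p udp --dport ${DNS_PORT} -j ACCEPT
# Only the tor daemon may initiate connections on the uplink
iptables -A OUTPUT -o ${EXT_IF} -m owner --uid-owner ${TOR_USER} -p tcp -m conntrack --ctstate NEW -j ACCEPT
# Log, then drop, anything else the workstation tries: these log lines are your leak detector
iptables -A INPUT -i ${INT_IF} -j LOG --log-prefix "gw-leak-attempt: "
iptables -A INPUT -i ${INT_IF} -j DROP
EOF
}

# Apply for real (needs root). Kept separate so the generators above can be reviewed first.
gateway_apply() {
  gateway_torrc > "${TORRC_OUT:-/etc/tor/torrc}"   # assumed output path
  gateway_firewall | sh -e
}

# Usage: review with "gateway_torrc; gateway_firewall", then run gateway_apply as root.
```

The property that matters is the combination of `-P FORWARD DROP` and the INPUT rules: a fully compromised Workstation can only talk to the Gateway's Tor ports, and every other packet it emits ends up in the log with the `gw-leak-attempt:` prefix, which is worth watching. This only holds if the hypervisor's internal network really has no other way out (no NAT or bridged adapter attached to the Workstation), which is exactly why the Gateway VM, not the Workstation, owns the uplink.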