[[!meta title="Warning"]]

Even though we do our best to offer you good tools to protect your
privacy while using a computer, **there is no magic or perfect solution to such
a complex problem**. Understanding the limits of such tools is a crucial
step to, first, decide whether Tails is the right tool for you and, second,
make good use of it.

[[!toc levels=2]]

<a id="compromised_hardware"></a>

Tails does not protect against compromised hardware
===================================================

If the computer has been compromised by someone who has physical access
to it and has installed untrusted pieces of hardware (like a
keylogger), then it might be unsafe to use Tails.

<a id="untrusted_system"></a>

Tails can be compromised if installed or plugged in untrusted systems
=====================================================================

When starting your computer on Tails, it cannot be compromised by a virus in your usual operating
system, but:

* Tails should be installed from a trusted system. Otherwise it might
  be corrupted during installation.

* Plugging your Tails USB stick in a
  compromised operating system might corrupt your Tails installation,
  and destroy the protection that Tails provides. Only use your
  Tails USB stick to start Tails.

See the [[corresponding FAQ|support/faq#compromised_system]].

<a id="bios"></a>

Tails does not protect against BIOS or firmware attacks
=======================================================

It is also impossible for Tails to protect against attacks made through
the BIOS or other firmware embedded in the computer. These are
not managed or provided by the operating system directly, and no operating system can protect against
such attacks.

See, for example, this [attack on BIOS by
LegbaCore](https://www.youtube.com/watch?v=sNYsfUNegEA).

<a id="exit_node"></a>

Tor exit nodes can eavesdrop on communications
==============================================

**Tor is about hiding your location, not about encrypting your communication.**

Instead of taking a direct route from source to destination, communications
using the Tor network take a random pathway through several Tor relays that
cover your tracks. So no observer at any single point can tell where the data
came from or where it's going.

[[!img htw2-tails.png link=no alt="A Tor connection usually goes through 3 relays with the last one establishing the actual connection to the final destination"]]

The last relay on this circuit, called the exit node, is the one that
establishes the actual connection to the destination server. As Tor does not,
and by design cannot, encrypt the traffic between an exit node and the
destination server, **any exit node is in a position to capture any traffic
passing through it**. See [Tor FAQ: Can exit nodes eavesdrop on
communications?](https://www.torproject.org/docs/faq.html.en#CanExitNodesEavesdrop).

For example, in 2007, a security researcher intercepted thousands of private
email messages sent by foreign embassies and human rights groups around the
world by spying on the connections coming out of an exit node he was running.
See [Wired: Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's
Paradise](http://archive.wired.com/politics/security/news/2007/09/embassy_hacks).

**To protect yourself from such attacks you should use end-to-end encryption.**

**Tails includes many tools to help you use strong encryption** while
browsing, sending email or chatting, as presented on our [[about
page|/about#cryptography]].

<a id="fingerprint"></a>

Tails makes it clear that you are using Tor and probably Tails
==============================================================

**Your Internet Service Provider (ISP) or your local network administrator**
can see that you're connecting to a Tor relay, and not a normal web server for
example. Using [[Tor bridges in certain
conditions|first_steps/startup_options/bridge_mode]] can help you hide the fact
that you are using Tor.

**The destination server that you are contacting through Tor** can know whether your
communication comes from a Tor exit node by consulting the publicly
available list of exit nodes that might contact it, for example using the [Tor
Bulk Exit List tool](https://check.torproject.org/cgi-bin/TorBulkExitList.py) from
the Tor Project.

**So using Tails doesn't make you look like any random Internet user.**
The anonymity provided by Tor and Tails works by trying to make all of their
users look the same so it's not possible to identify who is who amongst them.

See also [[Can I hide the fact that I am using Tails?|fingerprint]]

<a id="man-in-the-middle"></a>

Man-in-the-middle attacks
=========================

A man-in-the-middle attack (MitM) is a form of active eavesdropping in which the
attacker makes independent connections with the victims and relays messages
between them, making them believe that they are talking directly to each other
over a private connection, when in fact the entire conversation is controlled by
the attacker.

[[!img man-in-the-middle.png link=no alt=""]]
<!-- Source: wiki/lib/man-in-the-middle.svg -->

While using Tor, man-in-the-middle attacks can still happen between the exit
node and the destination server. The exit node itself can also act as a
man-in-the-middle. For an example of such an attack see [MW-Blog: TOR exit-node
doing MITM
attacks](https://web.archive.org/web/20120113162841/http://www.teamfurry.com/wordpress/2007/11/20/tor-exit-node-doing-mitm-attacks).

**Again, to protect yourself from such attacks you should use end-to-end
encryption** and, while doing so, take extra care to verify the server's
authenticity.

Usually, this is automatically done through SSL certificates checked by your
browser against a given set of recognized [[!wikipedia
Certificate_authority desc="certificate authorities"]].
If you get a security exception message such as this one, you might be the victim of
a man-in-the-middle attack and should not bypass the warning unless you have another
trusted way of checking the certificate's fingerprint with the people running
the service.

[[!img ssl_warning.png link=no alt="This Connection is Untrusted"]]

On top of that, the certificate authority model of trust on the Internet is
susceptible to various methods of compromise.

For example, on March 15, 2011,
Comodo, one of the major SSL certificate authorities, reported that a user account
with an affiliate registration authority had been compromised. It was then used
to create a new user account that issued nine certificate signing requests for
seven domains: mail.google.com, login.live.com, www.google.com, login.yahoo.com
(three certificates), login.skype.com, addons.mozilla.org, and global trustee.
See [Comodo: The Recent RA
Compromise](https://blog.comodo.com/other/the-recent-ra-compromise/).

Later in 2011, DigiNotar, a Dutch SSL certificate company, incorrectly issued
certificates to a malicious party or parties. Later on, it came to light that
they were apparently compromised months before, perhaps as far back as May of 2009,
or even earlier. Rogue certificates were issued for domains such as google.com,
mozilla.org, torproject.org, login.yahoo.com and many more. See [The Tor
Project: The DigiNotar Debacle, and what you should do about
it](https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it).

**This still leaves open the possibility of a man-in-the-middle attack even when
your browser is trusting an HTTPS connection.**

On one hand, by providing anonymity, Tor makes it more difficult to perform a
man-in-the-middle attack targeted at **one specific person** with the blessing
of a rogue SSL certificate. But on the other hand, Tor makes it easier for people
or organizations running exit nodes to perform large scale MitM attempts, or
attacks targeted at **a specific server**, and especially those among its users
who happen to use Tor.

<p class="quoted-from">Quoted from [[!wikipedia Man-in-the-middle_attack
desc="Wikipedia: %s"]], [[!wikipedia
Comodo_Group#Certificate_hacking desc="Wikipedia: %s"]] and <a
href="https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion">Tor
Project: Detecting Certificate Authority compromises and web browser
collusion</a>.</p>

Confirmation attacks
====================

The Tor design doesn't try to protect against an attacker who can see or measure
both traffic going into the Tor network and also traffic coming out of the Tor
network. That's because if you can see both flows, some simple statistics let
you decide whether they match up.

That could also be the case if your ISP (or your local network administrator)
and the ISP of the destination server (or the destination server itself)
cooperate to attack you.

Tor tries to protect against traffic analysis, where an attacker tries to learn
whom to investigate, but Tor can't protect against traffic confirmation (also
known as end-to-end correlation), where an attacker tries to confirm a
hypothesis by monitoring the right locations in the network and then doing the
math.

<p class="quoted-from">Quoted from <a
href="https://blog.torproject.org/blog/one-cell-enough">Tor Project: "One cell
is enough to break Tor's anonymity"</a>.</p>

Tails doesn't encrypt your documents by default
===============================================

The documents that you might save on storage devices will not be encrypted by
default, except in the [[encrypted persistent volume|doc/first_steps/persistence]].
But Tails provides you with tools to encrypt your documents, such as
GnuPG, or encrypt your storage devices, such as LUKS.

It is also likely that the files you may create will contain evidence that they were created using Tails.

**If you need to access the local hard-disks** of the computer you are using, be
aware that you might then leave traces of your activities with Tails on them.

Tails doesn't clear the metadata of your documents for you and doesn't encrypt the Subject: and other headers of your encrypted email messages
===========================================================================================

Numerous file formats store hidden data or metadata inside of the files. Word
processing or PDF files could store the name of the author, the date and time of
creation of the file, and sometimes even parts of the editing history of the
file, depending on the file format and the software used.

Please also note that the Subject: as well as the rest of the header lines of your
OpenPGP encrypted email messages are not encrypted. This is not a bug in Tails or
the [OpenPGP](http://www.mozilla-enigmail.org/forum/viewtopic.php?f=3&t=328) protocol;
it's due to backwards compatibility with the original SMTP protocol. Unfortunately no
RFC standard exists yet for Subject: line encryption.

Image file formats, like TIFF or JPEG, probably take the prize for most hidden data.
These files, created by digital cameras or mobile phones, contain a metadata
format called EXIF which can include the date, time and sometimes the GPS
coordinates when the picture was taken, the brand and serial number of the device which took
it, as well as a thumbnail of the original image. Image processing software tends
to keep this metadata intact. The internet is full of cropped or blurred images in
which the included EXIF thumbnail still shows the original picture.

**Tails doesn't clear the metadata of your files for you**. Yet. Still, it's one of
Tails' design goals to help you do that. For example, Tails already comes with
the [Metadata anonymisation toolkit](https://mat.boum.org/).
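
In a JPEG file, the EXIF block described above sits in its own APP1 segment ahead of the image data, so it can be located and dropped without touching the picture. The following Python code is an added example, not part of the original page and not how Tails or the Metadata anonymisation toolkit work internally; the function names and the sample bytes are constructed for illustration, and it assumes a well-formed segment layout with no fill bytes between segments.

```python
import struct

SOS, APP1 = 0xDA, 0xE1          # start-of-scan and APP1 marker codes
EXIF_ID = b"Exif\x00\x00"       # identifier that opens an EXIF APP1 payload

def split_segments(jpeg: bytes):
    """Yield (marker, payload, raw) for every segment between SOI and SOS.

    The SOS segment is yielded last with everything after it (the compressed
    image data and the EOI marker) in `raw`, so it can be copied verbatim.
    """
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:
            yield marker, b"", jpeg[pos:]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length      # the length field counts itself
        if length < 2 or end > len(jpeg):
            raise ValueError("malformed or truncated segment")
        yield marker, jpeg[pos + 4:end], jpeg[pos:end]
        pos = end
    raise ValueError("no SOS marker found")

def find_exif(jpeg: bytes) -> list:
    """Return the payload size of every EXIF block in the file."""
    return [len(p) for m, p, _ in split_segments(jpeg)
            if m == APP1 and p.startswith(EXIF_ID)]

def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy of the file with its EXIF APP1 segments dropped."""
    out = bytearray(b"\xff\xd8")
    for marker, payload, raw in split_segments(jpeg):
        if marker == APP1 and payload.startswith(EXIF_ID):
            continue                # date, GPS, serial number, thumbnail
        out += raw
    return bytes(out)

def segment(marker: int, payload: bytes) -> bytes:
    """Build one segment: marker, big-endian length, payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: valid JPEG segment layout, placeholder contents
# (it is not a decodable picture).
EXIF_PAYLOAD = EXIF_ID + b"<constructed TIFF block: GPS, serial, thumbnail>"
SAMPLE = (b"\xff\xd8"
          + segment(0xE0, b"JFIF\x00" + bytes(9))       # APP0
          + segment(APP1, EXIF_PAYLOAD)                 # EXIF metadata
          + segment(0xDB, bytes(65))                    # quantization table
          + b"\xff\xda" + b"constructed scan data" + b"\xff\xd9")

if __name__ == "__main__":
    cleaned = strip_exif(SAMPLE)
    print("EXIF before:", find_exif(SAMPLE), "after:", find_exif(cleaned))
```

Only the EXIF segment is removed here; other metadata carriers such as XMP, IPTC or comment segments are left in place, which is why a dedicated tool is the better choice for real files.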

Tor doesn't protect you from a global adversary
===============================================

A global passive adversary would be a person or an entity able to monitor at the
same time the traffic between all the computers in a network. By studying, for
example, the timing and volume patterns of the different communications across
the network, it would be statistically possible to identify Tor circuits and
thus match Tor users and destination servers.

It is part of Tor's initial trade-off not to address such a threat in order to
create a low-latency communication service usable for web browsing, Internet
chat or SSH connections.

For more expert information see the Tor design paper, "[Tor Project: The Second-Generation Onion
Router](https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf)",
specifically, "Part 3. Design goals and assumptions."

<a id="identities"></a>

Tails doesn't magically separate your different contextual identities
=====================================================================

It is usually not advisable to use the same Tails session to perform two tasks
or take on two contextual identities that you really want to keep separate
from one another, for example hiding your location to check your email and
anonymously publishing a document.

First, Tor tends to reuse the same circuits, for example, within the same
browsing session. Since the exit node of a circuit knows both the destination
server (and possibly the content of the communication if it's not encrypted) and the
address of the previous relay it received the communication from, it makes it
easier to correlate several browsing requests as part of the same circuit and
possibly made by the same user. If you are facing a global adversary as described
above, it might then also be in a position to do this correlation.

Second, in case of a security hole or an error in using Tails or one of its
applications, information about your session could be leaked. That could reveal
that the same person was behind the various actions made during the session.

**The solution to both threats is to shut down and restart Tails** every time
you're using a new identity, if you really want to isolate them better.

As explained in our documentation about
[[Tor Browser|anonymous_internet/Tor_Browser#new_identity]],
its **New identity** feature is not a perfect solution to separate
different contextual identities. And, as
[[explained in the FAQ|support/faq#new_identity]], Tails does not
provide a global <span class="guilabel">New Identity</span>
feature. **Shut down and restart Tails instead.**

Tails doesn't make your crappy passwords stronger
=================================================

Tor allows you to be anonymous online; Tails allows you to leave no trace on the
computer you're using. But again, **neither of them, alone or together, is a magic spell for computer
security**.

If you use weak passwords, they can be guessed by brute-force attacks with or
without Tails in the same way. To know if your passwords are weak and learn good
practices to create better passwords, you can read [[!wikipedia
Weak_password#Examples_of_weak_passwords desc="Wikipedia: Weak Passwords"]].

Tails is a work in progress
===========================

Tails, as well as all the software it includes, is continuously being developed
and may contain programming errors or security holes.