[[!meta title="Warning"]]

Even though we're doing our best to offer you good tools to protect your
privacy while using a computer, **there is no magic or perfect solution to such
a complex problem**. Understanding the limits of such tools well is a crucial
step in, first, deciding whether Tails is the right tool for you, and second,
helping you make good use of it.

[[!toc levels=2]]

## Tor exit nodes can eavesdrop on communications

Instead of taking a direct route from source to destination, communications
using the Tor network take a random pathway through several Tor relays that
cover your tracks. So no observer at any single point can tell where the data
came from or where it's going.

![A Tor connection usually goes through 3 relays with the last one establishing
the actual connection to the final destination](htw2-tails.png)

The last relay on this circuit, called the exit node, is the one that
establishes the actual connection to the destination server. As Tor does not,
and by design cannot, encrypt the traffic between an exit node and the
destination server, **any exit node is in a position to capture any traffic
passing through it**. See [Tor FAQ: Can exit nodes eavesdrop on
communications?](https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#CanexitnodeseavesdroponcommunicationsIsntthatbad).

For example, in 2007, a security researcher intercepted thousands of private
e-mail messages sent by foreign embassies and human rights groups around the
world by spying on the connections coming out of an exit node he was running.
See [Wired: Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's
Paradise](http://www.wired.com/politics/security/news/2007/09/embassy_hacks).

**To protect yourself from such attacks you should use end-to-end encryption**
between you and the website or service, such as TLS, for example by choosing
HTTPS whenever possible. Fortunately, Tails includes HTTPS Everywhere, a
Firefox extension that automatically switches your communications with a number
of major websites to HTTPS. See [EFF: HTTPS
Everywhere](https://www.eff.org/https-everywhere).

## It makes it clear that you are using Tor and probably Tails

**Your ISP or your local network administrator** can easily check that you're
connecting to a Tor relay, and not a normal web server for example.

**The destination server you are contacting through Tor** can know whether your
communication comes from a Tor exit node by consulting the publicly available
list of exit nodes that might contact it, for example using the [Tor
Bulk Exit List tool](https://check.torproject.org/cgi-bin/TorBulkExitList.py) of
the Tor Project.

**So using Tails doesn't make you look like any random Internet user.**
The anonymity provided by Tor and Tails works by trying to make all of their
users look the same so it's not possible to identify who is who amongst them.

## Man-in-the-middle attacks

A man-in-the-middle attack (MITM) is a form of active eavesdropping in which the
attacker makes independent connections with the victims and relays messages
between them, making them believe that they are talking directly to each other
over a private connection, when in fact the entire conversation is controlled by
the attacker.

Quoted from [Wikipedia: Man-in-the-middle
attack](https://secure.wikimedia.org/wikipedia/en/wiki/Man-in-the-middle_attack).

![Illustration of a man-in-the-middle attack](man_in_the_middle.jpg)

While using Tor, man-in-the-middle attacks can still happen between the exit
node and the destination server. The exit node itself can also act as a
man-in-the-middle. For an example of this, see [MW-Blog: TOR exit-node doing MITM
attacks](http://www.teamfurry.com/wordpress/2007/11/20/tor-exit-node-doing-mitm-attacks).

**Again, to protect yourself from such attacks you should use end-to-end
encryption** and, while doing so, take extra care to verify the server's
authenticity.

Usually, this is done automatically through SSL certificates that your browser
checks against a given set of recognized [certificate
authorities](https://secure.wikimedia.org/wikipedia/en/wiki/Certificate_authority).
If you get a security exception message such as this one, you might be the
victim of a man-in-the-middle attack and should not bypass it unless you have
another trusted way of checking the certificate's fingerprint with the people
running the service.

![This Connection is Untrusted](ssl_warning.png)

But on top of that, the certificate authority model of trust on the Internet is
susceptible to various methods of compromise. For example, on March 15, 2011,
Comodo, one of the major SSL certificate companies, reported that a user account
with an affiliate registration authority had been compromised. It was then used
to create a new user account that issued nine certificate signing requests for
seven domains: mail.google.com, login.live.com, www.google.com, login.yahoo.com
(three certificates), login.skype.com, addons.mozilla.org, and global trustee.
See [Comodo: The Recent RA
Compromise](http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/).

This still leaves open the possibility of a man-in-the-middle attack even when
your browser is trusting an HTTPS connection, but this won't affect Tor or Tails
users more than anybody else on the Internet. Actually, by providing anonymity,
Tor makes it more difficult to perform a man-in-the-middle attack targeted at a
specific user with the blessing of a rogue SSL certificate.

Partially quoted from [Wikipedia: Comodo
Group](https://secure.wikimedia.org/wikipedia/en/wiki/Comodo_Group) and [Tor
Project: Detecting Certificate Authority compromises and web browser
collusion](https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion). 

## Confirmation attacks

The Tor design doesn't try to protect against an attacker who can see or measure
both traffic going into the Tor network and also traffic coming out of the Tor
network. That's because if you can see both flows, some simple statistics let
you decide whether they match up.

The way we generally explain it is that Tor tries to protect against traffic
analysis, where an attacker tries to learn whom to investigate, but Tor can't
protect against traffic confirmation (also known as end-to-end correlation),
where an attacker tries to confirm a hypothesis by monitoring the right
locations in the network and then doing the math.

Quoted from [Tor Project: "One cell is enough to break Tor's
anonymity"](https://blog.torproject.org/blog/one-cell-enough).

## It doesn't clear the metadata of your documents for you

Numerous file formats store hidden data or metadata inside the files. Text
processors or PDF files could store the name of the author, the date and time of
creation of the file, and sometimes even parts of the editing history of the
file… This hidden data depends on the file format and the software used.

Image file formats, like TIFF or JPEG, probably take the prize in this field.
Those files, created by digital cameras or mobile phones, contain a metadata
format called EXIF which can include the date, time and sometimes the GPS
coordinates of the picture, the brand and serial number of the device which took
it, as well as a thumbnail of the original image. Image processing software tends
to keep this data intact. The Internet is full of cropped or blurred images for
which the EXIF thumbnail still contains the full original picture.

**Tails doesn't clear the metadata of your files for you**. Yet. Still, it is
one of Tails' design goals to help you do that. For example, Tails already comes
with [Exiv2](http://exiv2.org/), an image metadata manipulation tool.
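
The following added example (not code from Tails or Exiv2) walks a JPEG's
header segments, reports whether its EXIF block carries a GPS pointer or an
embedded thumbnail, and returns a copy with the EXIF/XMP, Photoshop/IPTC and
comment segments removed. The function names and the sample file built by
`sample_jpeg()` are constructed for this illustration.

```python
import struct

EXIF_MAGIC = b"Exif\x00\x00"

def _ifd(tiff, off, bo):
    """Parse one TIFF IFD: return ({tag: raw 4-byte value field}, next IFD offset)."""
    (n,) = struct.unpack_from(bo + "H", tiff, off)
    tags = {}
    for i in range(n):
        tag, _typ, _cnt, val = struct.unpack_from(bo + "HHII", tiff, off + 2 + 12 * i)
        tags[tag] = val  # exact for the LONG-typed tags read below
    (nxt,) = struct.unpack_from(bo + "I", tiff, off + 2 + 12 * n)
    return tags, nxt

def audit_and_strip(jpeg):
    """Report Exif GPS/thumbnail presence; return (copy without APP1/APP13/COM, report)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    report = {"exif": False, "gps": False, "thumbnail_bytes": 0}
    out, pos = bytearray(jpeg[:2]), 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # SOS: compressed image data follows, copied verbatim below
            break
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4 : pos + 2 + length]
        if marker == 0xE1 and body.startswith(EXIF_MAGIC):
            tiff = body[6:]
            bo = "<" if tiff[:2] == b"II" else ">"
            ifd0, ifd1_off = _ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
            report["exif"], report["gps"] = True, 0x8825 in ifd0  # GPS IFD pointer
            if ifd1_off:  # IFD1 describes the embedded thumbnail
                report["thumbnail_bytes"] = _ifd(tiff, ifd1_off, bo)[0].get(0x0202, 0)
        if marker not in (0xE1, 0xED, 0xFE):  # drop Exif/XMP, Photoshop/IPTC, comments
            out += jpeg[pos : pos + 2 + length]
        pos += 2 + length
    return bytes(out + jpeg[pos:]), report

def sample_jpeg():
    """Constructed input: header-only JPEG (not decodable) with GPS pointer and thumbnail."""
    exif = EXIF_MAGIC + b"II*\x00" + struct.pack("<I", 8)  # TIFF header, IFD0 at 8
    exif += struct.pack("<HHHIII", 1, 0x8825, 4, 1, 60, 26)  # IFD0, then IFD1 at 26
    exif += struct.pack("<HHHIIHHIII", 2, 0x0201, 4, 1, 56, 0x0202, 4, 1, 4, 0)
    exif += b"\xff\xd8\xff\xd9" + struct.pack("<HI", 0, 0)  # thumbnail at 56, GPS IFD at 60
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    return b"\xff\xd8" + app0 + app1 + b"\xff\xda\x00\x02\x00\xff\xd9"
```

Running `audit_and_strip()` a second time on its own output is a quick check
that no EXIF segment survived.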

## Tor doesn't protect you from a global adversary

A global passive adversary would be a person or an entity able to monitor at the
same time the traffic between all the computers in a network. By studying, for
example, the timing and volume patterns of the different communications across
the network, it would be statistically possible to identify Tor circuits and
thus match Tor users and destination servers.

It is part of Tor's initial trade-off not to address such a threat in order to
create a low-latency communication service usable for web browsing, Internet
chat or SSH connections.

For more expert information see [Tor Project: The Second-Generation Onion
Router](https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf),
part 3. Design goals and assumptions.

## Tails doesn't magically separate your different virtual identities

It is usually not advisable to use the same Tails session to perform two tasks
or endorse two virtual identities that you really want to keep separate from one
another. For example, hiding your location to check your email and anonymously
publishing a document.

First, because Tor tends to reuse the same circuits, for example within the same
browsing session. Since the exit node of a circuit knows both the destination
server (and possibly the content of the communication if not encrypted) and the
address of the previous relay it received the communication from, it makes it
easier to correlate the several browsing requests as part of the same circuit and
possibly made by the same user. If you're facing a global adversary as described
above, it might then also be in a position to do this correlation.

Second, in case of a security hole or misuse of Tails or one of its
applications, information about your session could be leaked. That could reveal
that the same person was behind the various actions made during the session.

**The solution to both threats is to shut down and restart Tails** every time
you're using a new identity, if you really want to isolate them better.
Vidalia's "New Identity" button forces Tor to use new circuits, thus addressing
the first threat, but not the second one.

## It doesn't make your crappy passwords stronger

Tor allows you to be anonymous online and Tails to leave no trace on the
computer you're using. But again, **neither of them is a magic spell for computer
security**.

If you use weak passwords, they can be guessed by brute-force attacks with or
without Tails in the same way. To know if your passwords are weak and learn good
practices to create better passwords, you can read [Wikipedia: Weak
Passwords](https://secure.wikimedia.org/wikipedia/en/wiki/Weak_password#Examples_of_weak_passwords).