by hackuser 3411 days ago
SecureDrop uses Tor Browser, as do many other public interest security solutions. However, a respected security expert here on HN recently said of Tor Browser:

the Tor Browser might be the least safe browser to use of all available browsers that can be installed on modern computers. It is a perfect storm of "inferior security design" and "maximized adversarial value per exploit dollar spent". / Don't use Tor Browser.

He recommends Chrome (presumably over the Tor network). I tend to believe the expert, because IME real security expertise (as opposed to technically sophisticated people reading about security and trying to DIY) is rarely utilized and applied even by prominent organizations and projects. But I wish someone would reconcile all of this.

EDIT: Some clarifying edits

5 comments

The Tor Browser folks have talked about this a little bit under

https://blog.torproject.org/category/tags/chrome

although I'm not sure if there's been a big recent summary on this. One way to put it, akin to things other people have said in this thread, is that Chromium is tougher to customize, less cooperative upstream, and somewhat worse for specific technical user-tracking issues. Tor folks are very, very worried about cross-site and cross-session linkability attacks and tend to put a lot of technical effort into mitigating those.

tptacek's point in the other thread (that you're quoting) is about exploit mitigation, where Chromium is doing better, partly because they hired a lot of super-great people to work primarily on that (and also are paying pretty big bounties), and also because their architecture makes it easier in the first place.

So the Tor Browser work has focused a lot on stopping sites from recognizing you, while they're not working as hard or doing as well on stopping sites from hacking you, which they might then use to deanonymize you by making you send clearnet traffic, or even to exfiltrate files from your computer. (Also, for visiting non-HTTPS clearnet sites over Tor, the exit nodes and their ISPs are in a position to perform these attacks.)

The situation for SecureDrop instances might be safer than for other hidden services because they're probably more professionally run and carefully monitored, and use better-audited and simpler user-facing code, among other reasons, but then again this might not be true because they're also potentially exciting and interesting targets.

I disagree. Tor/Firefox do indeed have significantly worse security (right now), but that can be mostly mitigated by using easy-to-use third-party sandboxing tools (Sandboxie, Firejail, a VM).

For Linux, there's now a "hardened" version of the Tor browser as well (still alpha, I believe), and if you really care about this, you can also use TAILS, Qubes/Whonix, etc. It would probably be best not to use Windows if you want to be anonymous anyway (certainly not Windows 10, which looks like it was designed after a law enforcement wishlist - there are probably dozens of ways in which law enforcement can identify you by using Windows 10's tracking "features").

I don't think there's a way to "easily" make "Chrome over Tor" anonymous and private...

> I disagree. Tor/Firefox do indeed have significantly worse security (right now), but that can be mostly mitigated by using easy-to-use third-party sandboxing tools (Sandboxie, Firejail, a VM).

Now that they have moved to multi-process Firefox, they can finally start sandboxing everything. There are already plans in place to start reusing Chrome's sandboxes profiles.

> I don't think there's a way to "easily" make "Chrome over Tor" anonymous and private...

You literally have to fork the browser, they won't maintain the internal APIs required by the Tor team. Hell, they refuse to respect basic SOCKS5 proxy settings [0].

[0]: https://trac.torproject.org/projects/tor/wiki/doc/ImportantG...

> that can be mostly mitigated by using easy-to-use third-party sandboxing tools (Sandboxie, Firejail, a VM)

We also need solutions for typical end users. In the case of SecureDrop, the users will include people with near-zero technical capability, and little time or motivation to learn something new.

You need to disable WebRTC, WebGL, Canvas and a bunch of other things if you're going to use Chrome/Chromium with Tor.

There is no good solution at the moment - one lacks security while the other lacks privacy.

None of this stops browser fingerprinting completely. Browser fingerprints can be extracted from just using canvas calls.

Browser fingerprints can be largely extracted from fairly fundamental JS DOM/CSSOM APIs; you don't need to get into anything nearly as easily-disabled as canvas. (For one, start by measuring metrics of a list of several hundred fonts to detect their presence: that's just simple CSSOM operations.)

I'm not sure what the state of the art is, but I know canvas calls offer very rich fingerprints that almost no one disables.

But this was more concerning the "webgl" disabled bit.

Well, the act of using Chrome itself on Tor is many bits towards a unique fingerprint.

WebRTC is because of IP leaks via peer connections.

We really need a build of Chromium that removes the fancier web tech and integrates the privacy features of Tor BB.

It's just a lot of work to maintain, but a fork of Chromium that is a little behind upstream is safer than FF.

But this can largely be mitigated by switching off JavaScript. I am not sure whether this is possible in Chrome; in Firefox that is easy. This might be one of the reasons that the Tor browser bundle uses Firefox over Chrome.

I don't really understand the issue with browser fingerprinting. Yes, in theory it can uniquely identify you, but only if your browser fingerprint never changes. Every time I go to one of these "are you unique?" websites, I am a new guy to them.

Many aspects of your computer end up in browser fingerprinting. So even if you do end up using multiple browsers, temporal coupling and secondary signals may let observers make a (low-confidence) link to you.

I am not talking about multiple browsers. I use the same browser all day and my fingerprint still changes constantly, for many obvious reasons. The browser updates itself, I add extensions, etc. So browser fingerprinting seems like a really bad way to identify people uniquely. Using multiple different browsers just adds to that even more.

It appears that you do not understand the basics of how this works: even if the print changes in an absolute sense, what does not change is that many bits from one print to another are constant. Those are the bits that matter, and if there are enough of them then they can be used to track you across sessions, even across sessions using Tor and sessions not using Tor.

Tie that all together and it may very well be possible to tie an upload using the Tor network to a particular user visiting some random website at a later date.

You're leaking bits all the time and not all that many of them are required to uniquely identify you.

See https://33bits.org/ for an easy to consume introduction.
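As an added illustration of the "constant bits" point made in the comment above (example code written for this edit, not posted by any commenter): each attribute value in a print carries -log2(p) bits of identifying information, where p is how common that value is in the population, and the bits from attributes that stay the same between two prints add up even when the browser version and extension list have changed. The attribute frequencies and the two sessions below are constructed toy data, and summing bits assumes the attributes are independent.

```javascript
// Added example (not from the thread). PRIORS are CONSTRUCTED toy frequencies
// for a few fingerprint attributes, not measured data. Summing the bits of
// several attributes assumes they are independent, which real attributes
// (e.g. platform and font list) are not, so the totals are an upper bound.
const PRIORS = {
  userAgent:  { "Firefox/45": 0.05, "Firefox/46": 0.04, "Chrome/50": 0.30 },
  platform:   { "Linux x86_64": 0.03, "Win32": 0.85, "MacIntel": 0.12 },
  screen:     { "1920x1080": 0.25, "1366x768": 0.30, "2560x1440": 0.05 },
  timezone:   { "-480": 0.05, "0": 0.20, "60": 0.25 },
  fonts:      { "default": 0.40, "default+Noto+Fira": 0.02 },
  extensions: { "none": 0.50, "uBlock": 0.20, "uBlock+Vimium": 0.01 },
};

// Bits of identifying information carried by one attribute value.
// A value missing from the prior table contributes 0 rather than a guess.
function surprisalBits(attr, value) {
  const p = PRIORS[attr] && PRIORS[attr][value];
  return p ? -Math.log2(p) : 0;
}

// Total bits in a single print (independence assumed).
function fingerprintBits(fp) {
  return Object.keys(fp).reduce((sum, a) => sum + surprisalBits(a, fp[a]), 0);
}

// Bits that survive between two prints: only attributes that are equal in
// both prints count. Changed attributes (browser version, extensions) are
// simply dropped; they do not cancel the bits the stable ones still carry.
function linkingBits(fpA, fpB) {
  const stable = Object.keys(PRIORS).filter(
    (a) => fpA[a] !== undefined && fpA[a] === fpB[a]
  );
  const bits = stable.reduce((sum, a) => sum + surprisalBits(a, fpA[a]), 0);
  return { bits, stable };
}

// Expected number of people in a population of `size` sharing those bits.
function candidatePool(bits, size) {
  return size / 2 ** bits;
}

// Constructed sessions from the same machine a week apart: the browser
// updated itself and the user installed an extension, so the print "changed".
const sessionA = {
  userAgent: "Firefox/45", platform: "Linux x86_64", screen: "2560x1440",
  timezone: "-480", fonts: "default+Noto+Fira", extensions: "uBlock",
};
const sessionB = {
  userAgent: "Firefox/46", platform: "Linux x86_64", screen: "2560x1440",
  timezone: "-480", fonts: "default+Noto+Fira", extensions: "uBlock+Vimium",
};

const link = linkingBits(sessionA, sessionB);
console.log("stable attributes:", link.stable.join(", "));
console.log("bits in session A alone:", fingerprintBits(sessionA).toFixed(2));
console.log("bits surviving the change:", link.bits.toFixed(2));
console.log("people sharing them in a population of 7e9:",
  Math.round(candidatePool(link.bits, 7e9)));
```

Run it with `node`. The point of the numbers: losing the user-agent and extension bits still leaves roughly 19 of the original 26 bits in this toy model, which narrows 7 billion people to a pool of about ten thousand, and any further stable signal (font list at finer granularity, screen and window size, timing) keeps shrinking that pool. The 33bits.org reference above gives the real-world version of the same arithmetic.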

If you spin up a new docker container on a server hosting provider and run your desktop from there, your browser is untainted and fresh each session, so no fingerprints.

> However, a respected security expert here on HN recently said of Tor Browser

The Chrome browser doesn't respect SOCKS5 proxy settings, lacks stream isolation, and has all sorts of other built-in identifiers. There is a reason the Tor team hasn't switched to using Chrome!

Could you cite with a link to the actual comment?