This repository has been archived by the owner on Feb 20, 2020. It is now read-only.

Change External File Advice Using Tor #179

Open
wants to merge 1 commit into
base: master

tommycollison
Contributor

As per Micah's out-of-band comment, changed the advice for opening files using Tor to be more general, and mention pdf.js.


harlo commented Aug 25, 2015

nitpick on "anonymously": isn't it more of a sandboxing mechanism?

@@ -256,8 +256,7 @@ Here are some further tips to enhance your security and privacy while using the

- Use Tor's new [Security Slider](https://blog.torproject.org/blog/tor-browser-45-released) feature. This allows you some control over your Tor experience based on your threat model. Generally speaking, we recommend setting it to "Medium-High."
- Be careful of unencrypted sites, ones which begin with "HTTP" rather than "HTTPS." Tor anonymizes your Internet traffic but unencrypted connections can still be eavesdropped on between the final node and the Internet server.
- Try to avoid downloading files such as PDFs or Microsoft Word
documents (which end in .doc or .docx), as they can be vehicles for malware that can be used by an attacker to de-anonymize your web browsing.
- Avoid downloading any files that you need an external app to open, as these can be vehicles for malware or can de-anonymize you. Tor Browser uses pdf.js, so you can anonymously view PDFs.
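
Review bot: In the replacement bullet, the closing sentence "Tor Browser uses pdf.js, so you can anonymously view PDFs" treats in-browser rendering as an anonymity property, while the bullet's own stated risks are malware and de-anonymization from files opened in an external app. Suggest saying only what the renderer changes, for example "Tor Browser can display PDFs inside the browser with pdf.js, so no external app is needed", and not promising an outcome. The rewrite also drops the .doc/.docx examples from the earlier wording; keeping one or two concrete file types would help readers recognize what "files that you need an external app to open" means in practice.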

Agree with @harlo - anonymously isn't the right word to use here. You're more concerned about potential malware (including malware that could de-anonymize you, yes, but really any kind of malware) so I'd say "securely" view PDFs would be a better word choice. Although given recent events, we should probably not tout pdf.js as a secure solution for viewing PDFs.

Yes, "securely" is better phrasing, but I agree that PDF.js has had a rough summer. If we don't recommend PDF.js, however, we'll need to remove the recommendation not to use external apps.

I think we should say "be careful" or "think twice" about downloads that require external apps. I'm not sure if it's realistic to say "don't open them", since that's kind of a big part of what the Internet is for. You should only download files like that from sites you trust that use HTTPS (to avoid exit node tampering).
