Silk Road forums

Discussion => Security => Topic started by: StaticTension on August 28, 2013, 11:11 pm

Title: Tails giving me sending unencrypted warning when trying to connect to SR
Post by: StaticTension on August 28, 2013, 11:11 pm
I've never used Tails before so I tried it out and when trying to connect to SR I put in my login details and then I get a warning saying that the information I'm about to send is unencrypted and that a third party could potentially see it.

 Is this normal? Also the other thing is why is it that by default on something that is touted as a safe portable OS is Scripts enabled on Iceweasel by default and Javascript? Isn't that counter intuitive to their design purposes?
Title: Re: Tails giving me sending unencrypted warning when trying to connect to SR
Post by: StaticTension on August 28, 2013, 11:49 pm
https://tails.boum.org/doc/anonymous_internet/iceweasel/index.en.html

Quote
Protection against dangerous JavaScript
Having all JavaScript disabled by default would disable a lot of harmless and possibly useful JavaScript and render unusable many websites.

That's why JavaScript is enabled by default in Tails.

But we rely on Torbutton to disable all potentially dangerous JavaScript.

We consider this as a necessary compromise between security and usability and as of today we are not aware of any JavaScript that would compromise Tails anonymity.

That doesn't make me feel good about using Tails at all. So this OS that I'm supposed to trust my freedom is not aware of how Javascript that would comprise Tails anonymity? That seems like a vary laxed attitude to me considering recent events. Some of you might say well they don't update their site or w/e but how hard is it to change a line on a website?

As far as I knew the main disadvantage of using Tails was a lack of persisent entry guards for Tor but the more I'm look at it seems kinda well not that great.
Title: Re: Tails giving me sending unencrypted warning when trying to connect to SR
Post by: ECC_ROT13 on August 29, 2013, 10:46 am
I've never used Tails before so I tried it out and when trying to connect to SR I put in my login details and then I get a warning saying that the information I'm about to send is unencrypted and that a third party could potentially see it.
Yes, that's normal.  From the browser's perspective, the content is being sent via HTTP, not HTTPS, so it views it as insecure.    The browser isn't aware that since it's going to a .onion address, it's destined for a hidden site, and the Tor instance will take care of encrypting it in-transit.    It's annoying, and it would be nice if they'd change the browser on Tails to not warn on .onion addresses, but I can see why they don't want Yet Another fork of the browser just for Tails to implement that.

 
Quote
Also the other thing is why is it that by default on something that is touted as a safe portable OS is Scripts enabled on Iceweasel by default and Javascript? Isn't that counter intuitive to their design purposes?
I don't think that hidden service users are necessarily the target market for Tails.    They're more concerned with the very non-technical user (journalists in oppressive countries, etc) using it, and it being an easy enough experience that they keep using it.  So they flip Javascript on.    Aside from the persistent entry-guard issue, and the fact that if an attacker gets root, they can deanonymize you, Tails is still a decent fit for both use cases.

I think that at this point, they'll keep JS enabled just so nobody says they were wrong to have it turned on by default.

What Tails should do is to use the unencrypted OS partition to store a basic preferences file (that isn't replicated when Tails clones itself to new USB keys) that keeps a few things:  entry guards/cache, Javascript preference, fake-XP-or-not preference, etc.    Or try to load the persistent encrypted volume earlier in the boot process and if present, load those things from it.
Title: Re: Tails giving me sending unencrypted warning when trying to connect to SR
Post by: StaticTension on August 30, 2013, 07:36 am
Thx for the reply...

After mucking around on their website that's what I figured as well and you make a good point about the target audience that Tails developers had in mind. I'm not sure if there would be a way to create a persisent volume that would keep info for static tor entry guards and enable it early on in the boot sequence. I just got into Linux myself a week ago but I'd think if your intent was to customize Tails source code you'd prolly be better off making your own hardened Gentoo live distro and add the stuff you want on it. That would be my ideal choice but at the current time my lack of knowledge is putting that idea on the back burner. I'm just taking about if I need to use TOR when out and about, would never really on it for a main option... those twitchy entry guards are sketchy. I read a news article about a week ago saying that half of the entry guards are owned by intelligence agencies..I'll try to dig it up but then again I never believe media but in those rare times they can be right. Better safe than sorry  8)