Dash Four writes: > Roger Dingledine wrote: > >Using any browser with Tor besides Tor Browser is usually a bad idea: > >https://www.torproject.org/docs/faq#TBBOtherBrowser > I disagree with that statement. It is certainly _not_ a bad idea, provided > you know what you are doing.
As the documentation says, there are a couple of different things that can go awry here. * Your non-Tor Browser can be vulnerable to a proxy bypass (because other browsers don't necessarily consider that a very serious problem). E.g., an attacker can serve you some HTML that uses some kind of browser feature that goes directly over the Internet, not via Tor. * Your non-Tor Browser can be vulnerable to various kinds of tracking and fingerprinting, because other browsers haven't done as much to mitigate that. E.g., an attacker can use some kind of supercookie to recognize you across sessions, or serve some kind of Javascript that queries various system properties that produce a unique long-term fingerprint that Tor Browser might have prevented. * Your non-Tor Browser can be inherently distinctive because very few people are using any given other configuration. E.g., you might be the only person in the world currently using Tor with a particular browser version, OS, language, and browser window size (even if a site doesn't use elaborate or complex Javascript to find out about your system's properties). Your particular setup has probably mitigated the first of these effectively, but maybe not the other two. Now, there are ways that the Tor Browser may also have failed to fully mitigate each of these risks. And there could be other benefits to using a different browser in terms of adversaries who know of zero-day vulnerabilities in Tor Browser that might not be present in other browsers. (Some critics have pointed out that more potential attackers probably have zero-days against the current Tor Browser at a given moment than against, say, the current Google Chrome; at least, they typically wouldn't have to pay as much money to buy them.) But you probably can't mitigate the second two concerns above on your own, which might always mean more trackability and less anonymity of a certain kind when using another browser with Tor. Also, * If you use something other than Tor Browser, you can get confused about when you are or aren't using Tor, or accidentally enable or disable it in the middle of some other activity, leading to several kinds of contamination between Tor and non-Tor sessions. Very sophisticated and disciplined users might not trip over this particular issue, but it's a relatively high risk and a lot of people using the old TorButton setup definitely ran into this kind of problem. -- Seth Schoen <sch...@eff.org> Senior Staff Technologist https://www.eff.org/ Electronic Frontier Foundation https://www.eff.org/join 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107 -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk