Re: [Tails-dev] Anonymous Blogging with WordPress and Tor

Borrar esta mensaxe

Responder a esta mensaxe
Autor: sajolida
Data:  
Para: The Tails public development discussion list
Asunto: Re: [Tails-dev] Anonymous Blogging with WordPress and Tor
El 01/07/11 15:41, intrigeri escribió:
> sajolida wrote (01 Jul 2011 08:50:24 GMT) :
>> I'm ready to this work if we find it interesting.
>
> I felt the same as you when I read this text a few weeks ago.
> I'm all for you to suggest them some enhancements and point them to
> Tails. Beware not becoming by error the primary maintainer of this
> document, though ;)
>
> Bye,



Hi,

Here is the draft of the email I'm planning to send to the author of
this guide. I'd like to have a quick review from you before sending it.


                × × ×



Hi,

This week I found out about your document called « Anonymous Blogging
with WordPress and Tor » and read it carefully and with interest.

I'm part of the team developing Tails, a live CD or live USB that aims
at preserving your privacy and anonymity; first, by redirecting all
outgoing traffic to Tor, and second, by taking special to leave no trace
on the computer you're using unless you ask it explicitly, see:
http://tails.boum.org/

Tails is now listed by The Tor Project as it's recommended live
distribution, see:
https://www.torproject.org/projects/projects.html.en

I would like to suggest you trying out Tails and possibly adapting some
part of your guide to using it. I believe it would make parts of it
easier to document and also improve the overall solution that you're
proposing. I'll tell you why.


Trusting your OS
----------------

A central vision of Tails is that it is crucial to trust, as a whole,
the operating system that you are using if you're planning to do any
sensitive task on a computer, like protecting your anonymity or working
on sensitive documents.

For example, on page 8, I agree with you when you advocate the use of
Firefox over Internet Explorer but following the same assumption you
should not advocate the use of Tor from Windows. The operating system is
the central piece of software managing all your applications, having
direct access to your files, your disks, your network interfaces, etc.
If you can't trust your OS, any security measure that you try to build
on top of it is bound to be flawed.

The assumption of Tails regarding this is that you'd better trust open
source software, in our case Debian GNU/Linux on which Tails is based
and which is quite well know to be reactive on security issues than
proprietary software like Windows, quite well know for just the opposite.

Plus, since Tails is a live distribution, the OS is restarted in its
original state at every use so that viruses, buggy software or misuse
can't affect the system on the long run, especially if run from a
read-only support like a CD.

This is how we try to provide an improved level of trust on the OS and
then build security measures at the application level on top of that.

Regarding your document, that would resolve the issue you're mentioning
on page 1 and provide you an OS easier to trust against keyloggers and
viruses.


About secure deletion
---------------------

When writing documentation about security measures it's both hard to
know where to stop and at the same time be sure you wrote enough.

For example, on page 20 you advise to use securely delete posts after
publishing them. This means that you include in the thread model of the
people reading your document that the computer they use could be seize
and investigate by forensics in search of traces from those documents.

Tails could help you addressing better this thread by:
- ensuring that every document written during a Tails session won't
leave any trace on the computer since it's a live distribution running
from RAM and that it takes special care to not leave any trace on the
local storage of the computer unless asked explicitly,
- being shipped already with tools for secure deletion — then actually
documenting how to use them would be shorter and easier.

For example, when you're saying on page 21 « Write your blog post
offline. Not only is this a good way to keep from losing a post if your
browser crashes or your net connection goes down, it means you can
compose your posts somewhere more private than a cybercafe. », if using
normal operating systems, you are very likely to leave traces of the
document on both your machine and the public one.

Plus, it would be a good idea to suggest the users safe ways to carry
their drafts from one machine to another, for example:

1. Using an encrypted USB stick. That would be something else to
document well since actually securely delete a single file on a USB is
much more problematic that on a hard drive, see :
http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf

Tails provide tools to fully encrypt USB sticks.

2. Saving the drafts in the disposable mailbox. That might be a better
solution if it is encrypted using FireGPG. Tails also comes with FireGPG
installed.

Furthermore, it is good to advertise the securely deletion of files but
then to be coherent you should also advertise the secure deletion of the
browser history. And this is much harder to achieve using a normal
operating system. Plus, on a normal OS you could still leave flash
cookies behind, see:
https://www.eff.org/deeplinks/2009/09/new-cookie-technologies-harder-see-and-remove-wide

Being a live distribution, Tails guarantees you that you won't leave
trace of any document, any browsing history or flash cookie.
We then advertise people to only use Tails to work on a give document:
clearly isolate every step of their work on their sensitive documents in
a amnesic environment that leave no trace after shutdown.


Improved end-to-end encryption
------------------------------

While talking about Tor I always feel like it's really important to
explicit remind people that even though your traffic might be encrypted
between the proxy servers, Tor does not encrypt it between the exit node
and the destination server. And thus, if you're not using HTTPS the Tor
exit node can fully monitor your traffic: read it and modify it. And
this is not fiction, see:
http://www.wired.com/politics/security/news/2007/09/embassy_hacks

The encryption provided by Tor aims at providing anonymity by hiding
your location and does not pretend, as such, to protect your content.
You are still the one who has to take care of this by using end-to-end
encryption. So, you should maybe rephrase this part of page 13:

« The pages are encrypted in transit between servers, and even if one or
two of the servers in the chain were compromised, it would be very
difficult to see what webpage you were retrieving or posting to. »

and rather get inspired by this excerpt from Tor's overview:

« Instead of taking a direct route from source to destination, data
packets on the Tor network take a random pathway through several relays
that cover your tracks so no observer at any single point can tell where
the data came from or where it's going. »

Tor is about hiding your location not your content.

For example, by default when blogging on WordPress, HTTPS is not enabled
by default. This means that if the user doesn't take special care to
switch to HTTPS the whole traffic will be in plain-text and the Tor exit
node will be in position of capturing the blog's password, modifying
posts, reading drafts, etc.

A counter measure would be to install the HTTPS Everywhere extension to
Firefox. It's an extension developed by the EFF that automatically
switches to HTTPS every connection to a bunch of major websites,
including WordPress. Tails comes with HTTPS Everywhere enabled by default.

You might be interested in checking the warning page we wrote for Tails
to mention those kind of security issues people need to be aware of
before using Tor or Tails:
https://tails.boum.org/doc/warning/index.en.html


Mail providers
--------------

This doesn't have anything to do with Tails, but in page 17 you say:

« Hotmail and Yahoo mail both have a “security feature” that makes
privacy advocates very unhappy. Both include the IP address of the
computer used to send any email. »

I just checked again and I see clearly this in Hotmail (there is a
header called X-ORIGINATING-IP) but not in Yahoo, so maybe that got removed.

« Also, Hotmail and Yahoo don’t offer secure HTTP (https) interfaces to
webmail - again, this doesn’t matter so long as you use Tor every time
you use these mail services. But many users will want to check their
mail in circumstances where they don’t have Tor installed - for your
main webmail account, it’s worth choosing a provider that has an https
interface to mail. »

This is not true anymore and that all three provide HTTPS by now and it
seems to be enabled by default so this whole paragraph might be removed.


Downsides of Tails?
-------------------

The main downside I can see in advertising Tails at the moment could be
about its availability:
- We don't know whether Tails website is being blocked by some countries
and we don't support a systematic way of getting around this like the
TBB does.
- You might not be able to access the Internet from Tails on every
possible public computer if this requires special network configuration.
- You might not be able to access the Internet in some places where you
need to go through a WiFi hotspot web interface, see :
http://tails.boum.org/todo/add_support_for_free_wifi_hotspots/.

I'd like to hear from your whether you think this could be a major
blocker in advertising Tails in the context in which you are working. If
so, the TBB could be a worthy alternative for people that can't use
Tails because of those technical limitations.


Final thoughts
--------------

I hope that this email was not too long, that I explained myself well
enough and that you found my points relevant.

In Tails, we're in the process of rewriting our user documentation. It's
been done already for the parts dealing with downloading and installing
Tails but not for the main user documentation on how to use Tails. But,
since you're used to Tor, Firefox and Torbutton I'm sure you won't have
problems trying out Tails for blogging.

If, in the writing of your document, you need to point to or write parts
of documentation that we also want to include on Tails website, I guess
we will be happy to collaborate on those parts.

If you want to getter deeper into Tails internals you can have a look at
our design document, explaining Tails thread model, specification and
implementation details, here:
http://tails.boum.org/contribute/design/

Hoping to hear back from you,

--
sajolida