Tails - Warning

doc about Warning

WarningEven though we do our best to offer yougood tools to protect your privacy whileusing a computer, there is no magic orperfect solution to such a complexproblem. Understanding well the limits ofsuch tools is a crucial step to, first, decidewhether Tails is the right tool for you, andsecond, make a good use of it.

Tails does not protect againstcompromised hardware

1.

Tails can be compromised if installed orplugged in untrusted systems

2.

Tails does not protect against BIOS orfirmware attacks

3.

Tor exit nodes can eavesdrop oncommunications

4.

Tails makes it clear that you are usingTor and probably Tails

5.

Man-in-the-middle attacks6. Confirmation attacks7. Tails doesn't encrypt your documents by default8. Tails doesn't clear the metadata of your documents for you and doesn'tencrypt the Subject: and other headers of your encrypted e-mailmessages

9.

Tor doesn't protect you from a global adversary10. Tails doesn't magically separate your different contextual identities11.

English DE FA FR PT

DownloadTails 1.8.12015-12-19

About

Getting started…

Documentation

Help & Support

Contribute

News

Donate

Tails - Warning https://tails.boum.org/doc/about/warning/index.en.html

1 of 10 12/25/15, 5:19 PM

Tails doesn't make your crappy passwords stronger12. Tails is a work in progress13.

Tails does not protect againstcompromised hardwareIf the computer has been compromised by someone having physical access to itand who installed untrusted pieces of hardware (like a keylogger), then it might beunsafe to use Tails.

Tails can be compromised if installed orplugged in untrusted systemsWhen starting your computer on Tails, it cannot be compromised by a virus in yourusual operating system, but:

Tails should be installed from a trusted system. Otherwise it might be corruptedduring installation.

Plugging your Tails device in a compromised operating system might corruptyour Tails installation, and destroy the protection that Tails provides. Only useyour Tails device to start Tails.

See the corresponding FAQ.

Tails does not protect against BIOS orfirmware attacksIt is also impossible for Tails to protect against attacks made through the BIOS orother firmware embedded in the computer. These are not managed or provided bythe operating system directly, and no operating system can protect against suchattacks.

See for example, this attack on BIOS by LegbaCore .

Tor exit nodes can eavesdrop on


2 of 10 12/25/15, 5:19 PM

communicationsTor is about hiding your location, not about encrypting yourcommunication.

Instead of taking a direct route from source to destination, communications usingthe Tor network take a random pathway through several Tor relays that cover yourtracks. So no observer at any single point can tell where the data came from orwhere it's going.

The last relay on this circuit, called the exit node, is the one that establishes theactual connection to the destination server. As Tor does not, and by design cannot,encrypt the traffic between an exit node and the destination server, any exit nodeis in a position to capture any traffic passing through it. See Tor FAQ: Canexit nodes eavesdrop on communications? .

For example, in 2007, a security researcher intercepted thousands of private e-mailmessages sent by foreign embassies and human rights groups around the world byspying on the connections coming out of an exit node he was running. See Wired:Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise .

To protect yourself from such attacks you should use end-to-endencryption.


3 of 10 12/25/15, 5:19 PM

Tails includes many tools to help you using strong encryption whilebrowsing, sending email or chatting, as presented on our about page.

Tails makes it clear that you are using Torand probably TailsYour Internet Service Provider (ISP) or your local network administratorcan see that you're connecting to a Tor relay, and not a normal web server forexample. Using Tor bridges in certain conditions can help you hide the fact that youare using Tor.

The destination server that you are contacting through Tor can knowwhether your communication comes from a Tor exit node by consulting the publiclyavailable list of exit nodes that might contact it. For example using the Tor BulkExit List tool from the Tor Project.

So using Tails doesn't make you look like any random Internet user. Theanonymity provided by Tor and Tails works by trying to make all of their users lookthe same so it's not possible to identify who is who amongst them.

See also Can I hide the fact that I am using Tails?

Man-in-the-middle attacksA man-in-the-middle attack (MitM) is a form of active eavesdropping in which theattacker makes independent connections with the victims and relays messagesbetween them, making them believe that they are talking directly to each otherover a private connection, when in fact the entire conversation is controlled by theattacker.


4 of 10 12/25/15, 5:19 PM

While using Tor, man-in-the-middle attacks can still happen between the exit nodeand the destination server. The exit node itself can also act as a man-in-the-middle.For an example of such an attack see MW-Blog: TOR exit-node doing MITMattacks .

Again, to protect yourself from such attacks you should use end-to-endencryption and while doing so taking extra care at verifying the serverauthenticity.

Usually, this is automatically done throught SSL certificates checked by yourbrowser against a given set of recognized certificate authorities ). If you get asecurity exception message such as this one you might be the victim of a man-in-the-middle attack and should not bypass the warning unless you have anothertrusted way of checking the certificate's fingerprint with the people running theservice.


5 of 10 12/25/15, 5:19 PM

But on top of that the certificate authorities model of trust on the Internet issusceptible to various methods of compromise.

For example, on March 15, 2011, Comodo, one of the major SSL certificatesauthorities, reported that a user account with an affiliate registration authority hadbeen compromised. It was then used to create a new user account that issued ninecertificate signing requests for seven domains: mail.google.com, login.live.com,www.google.com, login.yahoo.com (three certificates), login.skype.com,addons.mozilla.org, and global trustee. See Comodo: The Recent RA Compromise .

Later in 2011, DigiNotar, a Dutch SSL certificate company, incorrectly issuedcertificates to a malicious party or parties. Later on, it came to light that they wereapparently compromised months before, perhaps as far back as May of 2009, oreven earlier. Rogue certificates were issued for domains such as google.com,mozilla.org, torproject.org, login.yahoo.com and many more. See The Tor Project:The DigiNotar Debacle, and what you should do about it .

This still leaves open the possibility of a man-in-the-middle attack evenwhen your browser is trusting an HTTPS connection.

On one hand, by providing anonymity, Tor makes it more difficult to perform aman-in-the-middle attack targeted at one specific person with the blessing of arogue SSL certificate. But on the other end, Tor makes it easier for people ororganizations running exit nodes to perform large scale MitM attempts, or attackstargeted at a specific server, and especially those among its users who happen to


6 of 10 12/25/15, 5:19 PM

use Tor.

Quoted from Wikipedia: Man-in-the-middle attack , Wikipedia: ComodoGroup#Iran SSL certificate controversy and Tor Project: Detecting CertificateAuthority compromises and web browser collusion .

Confirmation attacksThe Tor design doesn't try to protect against an attacker who can see or measureboth traffic going into the Tor network and also traffic coming out of the Tornetwork. That's because if you can see both flows, some simple statistics let youdecide whether they match up.

That could also be the case if your ISP (or your local network administrator) andthe ISP of the destination server (or the destination server itself) cooperate toattack you.

Tor tries to protect against traffic analysis, where an attacker tries to learn whom toinvestigate, but Tor can't protect against traffic confirmation (also known asend-to-end correlation), where an attacker tries to confirm a hypothesis bymonitoring the right locations in the network and then doing the math.

Quoted from Tor Project: "One cell is enough to break Tor's anonymity" .

Tails doesn't encrypt your documents bydefaultThe documents that you might save on storage devices will not be encrypted bydefault, except in the encrypted persistent volume. But Tails provides you with toolsto encrypt your documents, such as GnuPG, or encrypt your storage devices, suchas LUKS.

It is also likely that the files you may create will contain evidence that they werecreated using Tails.

If you need to access the local hard-disks of the computer you are using, beconscious that you might then leave trace of your activities with Tails on it.

Tails doesn't clear the metadata of your


7 of 10 12/25/15, 5:19 PM

documents for you and doesn't encryptthe Subject: and other headers of yourencrypted e-mail messagesNumerous files formats store hidden data or metadata inside of the files. Wordprocessing or PDF files could store the name of the author, the date and time ofcreation of the file, and sometimes even parts of the editing history of the file,depending on the file format and the software used.

Please note also, that the Subject: as well as the rest of the header lines of yourOpenPGP encrypted e-mail messages are not encrypted. This is not a bug of Tails orthe OpenPGP protocol; it's due to backwards compatibility with the original SMTPprotocol. Unfortunately no RFC standard exists yet for Subject: line encryption.

Image file formats, like TIFF of JPEG, probably take the prize for most hidden data.These files, created by digital cameras or mobile phones, contain a metadataformat called EXIF which can include the date, time and sometimes the GPScoordinates when the picture was taken, the brand and serial number of the devicewhich took it, as well as a thumbnail of the original image. Image processingsoftware tends to keep this metadata intact. The internet is full of cropped orblurred images in which the included EXIF thumbnail still shows the original picture.

Tails doesn't clear the metadata of your files for you. Yet. Still it's in Tails'design goal to help you do that. For example, Tails already comes with theMetadata anonymisation toolkit .

Tor doesn't protect you from a globaladversaryA global passive adversary would be a person or an entity able to monitor at thesame time the traffic between all the computers in a network. By studying, forexample, the timing and volume patterns of the different communications acrossthe network, it would be statistically possible to identify Tor circuits and thus matchTor users and destination servers.

It is part of Tor's initial trade-off not to address such a threat in order to create alow-latency communication service usable for web browsing, Internet chat or SSHconnections.


8 of 10 12/25/15, 5:19 PM

For more expert information see the Tor design paper, "Tor Project: The Second-Generation Onion Router ", specifically, "Part 3. Design goals and assumptions."

Tails doesn't magically separate yourdifferent contextual identitiesIt is usually not advisable to use the same Tails session to perform two tasks orendorse two contextual identities that you really want to keep separate from oneanother. For example hiding your location to check your email and anonymouslypublishing a document.

First, because Tor tends to reuse the same circuits, for example, within the samebrowsing session. Since the exit node of a circuit knows both the destination server(and possibly the content of the communication if it's not encrypted) and theaddress of the previous relay it received the communication from, it makes it easierto correlate several browsing requests as part of a same circuit and possibly madeby the same user. If you are facing a global adversary as described above, it mightthen also be in a position to do this correlation.

Second, in case of a security hole or an error in using Tails or one of itsapplications, information about your session could be leaked. That could reveal thatthe same person was behind the various actions made during the session.

The solution to both threats is to shutdown and restart Tails every timeyou're using a new identity, if you really want to isolate them better.

As explained in our documentation about Vidalia and Tor Browser, their Newidentity features are not perfect solutions to separate different contextualidentities. Shutdown and restart Tails instead.

Tails doesn't make your crappypasswords strongerTor allows you to be anonymous online; Tails allows you to leave no trace on thecomputer you're using. But again, neither or both are magic spells forcomputer security.

If you use weak passwords, they can be guessed by brute-force attacks with orwithout Tails in the same way. To know if your passwords are weak and learn good


9 of 10 12/25/15, 5:19 PM

practices to create better password, you can read Wikipedia: Weak Passwords .

Tails is a work in progressTails, as well as all the software it includes, are continuously being developed andmay contain programming errors or security holes. Stay tuned to Tailsdevelopment.

Last edited Sun 25 Oct 2015 09:02:03 AM CET


10 of 10 12/25/15, 5:19 PM

Tails - Warning

Documents

Transcript of Tails - Warning