downloading pdfs with TOR
Hi all. Two quick TOR questions.
First, I want to use TOR to download .pdf files or .torrent files (just the .torrent file, not actually use a torrent client to get the substance of the torrent), but when I try, I get this:
An external application is needed to handle:
NOTE: External applications are NOT Tor safe by default and can unmask you!
If this file is untrusted, you should either save it to view while offline or in a VM,
or consider using a transparent Tor proxy like Tails LiveCD or torsocks.
Am I OK? Can I proceed safely and anonymously?
Also, I want to use a web-based email service via TOR so as to have anonymous email capabilities. Gmail worked for a while, but just asked me what city I usually log in from, cause it thought my account was hijacked. Know any web-based email providers that will work with TOR?
edit: "file.pdf" was not the original name.
Re: downloading pdfs with TOR
Hushmail might work with Tor pretty well , I would think it would be in their client-bases interest.
Originally Posted by querent
As far as external applications, they obviously may not be configured to route their traffic through tor , thus tor warns you that is the case. If you have Tor set up as your network proxy than those applications SHOULD utilize it as well.
Also it's important to know that Tor does not and can not make you truly anonymous. Hope this helps.
Re: downloading pdfs with TOR
Thanks for the tip on hushmail
I'm not sure if I'm trying to use any other applications...I'm just hoping to be able to download files anonymously (or as anonymously as I am while browsing with TOR), so I can later view them off line.
Thanks for your thoughts!
Re: downloading pdfs with TOR
Bittorent gives out your IP, using TOR or not.
The projects blog says so.
Re: downloading pdfs with TOR
I do understand that...I'm just taking about downloading the .torrent files, not actually engaging in p2p transfer.
Forget the torrent part, if that helps. Say I'm just trying to download a pdf from a site I'm visiting via the TOR network. Does this uncloak me?
Re: downloading pdfs with TOR
Downloading the file without opening it should be fine I think. The PDF will open using an application other than the browser, and if there are any scripts, links, or whatever in the PDF that go out to other domains and only the browser is routed through TOR, it might be a concern to some folks because the PDF reader isn't. If you set it to save rather than open upon download and then only view the file while disconnected, I wouldn't expect it to be a problem.
Re: downloading pdfs with TOR
That was my thinking too. Thanks for your input!
Any other thoughts?
Re: downloading pdfs with TOR (with a tinfoil Santa hat!)
"First, I want to use TOR to download .pdf files"
First, how have you setup Tor? (it's not TOR btw, it's Tor)
Have you installed the Tor Browser Bundle? (TBB) It contains a (limited) preconfigured Tor environment (you need to reconfigure the included Noscript properly as by default it is set to allow everything, which is bad) and includes Vidalia, a Tor GUI front-end. If you have, you can right click on most .PDF file download links and select your local destination for the PDF to download to and it runs through Tor without leaping outside of the Tor client. Some PDF file downloads are caught by Tor button for unknown reasons, it thinks you're trying to load it directly and not download it when you're trying to download it. This may be a bug which appears at random. TBB's preconfigued Tor environment does not modify files like wgetrc (more on this later) or other application's files outside of the applications it provides.
My preferred method of handing PDF files when using Tor is to load them remotely via this free web service: http://view.samurajdata.se/
I don't see that website as having any ads, but I block ads anyway, nor are there any posts begging for money, nor do they push an application to download in order to view the PDFs. It's the most simplistic layout I've seen for loading PDFs remotely and safely so they don't touch your system (your web cache should be disabled and is disabled if you use TBB, your swap and home partitions, if not your whole system should be encrypted). But does the admin track PDFs and IPs? Simple, always use Tor with that site with nothing personal.
It should be noted the moment you begin using your real name and playing about on Facebook with your friends or acquaintances via Tor, you've lost the plot. Do not mingle your personal Internet use with your Tor Internet use. Do not use Tor while at the same time accessing your personal e-mail outside of Tor (you shouldn't load it inside Tor, for that matter, either). Don't boast through Tor to one of your chums that you're using Tor.
In using that free PDF converter website, I can preview the document to determine beforehand whether it is worth the time, space, and effort in manually downloading the PDF and storing it for future access. Should you access PDF files on your system, I would recommend burning them to a CD or DVD, a read only medium, and accessing them from a non-networked environment such as a Linux LiveCD with the network cable unplugged, using an open source PDF reader, never use the proprietary PDF reader from Adobe, unless you're reading off-line from read only media, in addition to pulling the network cable prior to booting from a fresh and verified LiveCD and pulling the cable and power plugs from any hard drives (before you turn your system ON), to eliminate any possible contamination. Remember, you're downloading PDF files through Tor, and unless you verify each file through checksum verification (like MD5 or GPG) there's a chance they could've been trojaned by a rogue exit node, or contain phoning home instructions or any other type of malicious "feature". No amount of open or closed source virus/trojan scanners can convince me a file is entirely free of malware.
If you're booting from a LiveCD to use Tor, I heavily recommend pulling the plug/power cord from any hard drives just in case, before you start your LiveCD session and before you've powered the system ON, so no data is transferred/shared through the use of the LiveCD sessions. I strongly recommend against using a preconfigured Tor LiveCD, not limited to but including the recent, "Tails LiveCD". You have no method to inform you on whether or not the binaries have been modified to whatever end. While not pointing the finger at any one such project, I can imagine the temptation would be great for a malicious user or project team to poison the well, so to speak, with compromised binaries naive users would trust their security/privacy to.
If you're running a system with sufficient memory, you should be able to download a Linux LiveCD of your choosing, verify it with MD5 or GPG, verify it with the bootable option to, "Verify This CD" extract the previously downloaded TBB into the home directory, disable all extra network services, configure a few files like hosts.deny and others as well as changing the password on the LiveCD user account. Since the LiveCD user runs with elevated privileges, you should consider creating your own LiveCD for TBB use, stripping it down to only the basics to minimize bugs in some packages in the repositories which could compromise your Tor operational security/privacy.
There are free tools like remastersys which allow you to put together a LiveCD with packages of your choosing. You may configure a proper limited user account beforehand and use this with TBB from your customized LiveCD. I'm not recommending remastersys or any other LiveCD creation tool as I have not audited their source code nor do I blindly trust binaries, but it's an option.
It would be wise to consider all binary transfers via Tor as potentially trojaned by a rogue exit node, modifications to data by a rogue exit node AND sniffing of plain text traffic occurs and is well documented. Some good preventative methods for browsing in Tor:
1. https://www.ixquick.com/ offers encrypted searches AND proxying of web content, you may surf in Tor through Ixquick's web proxy for excellent SSL protection.
Flash: Don't install the plugin, don't try alternatives, they won't be torrified. Some have claimed, on Tor's or-talk mailing list discussions, to have enabled YouTube's HTML5 option and, without the use of a Flash plugin, enabling the content to be shot through Tor but I haven't tried it. There are methods of downloading flash videos through Tor, such as through a third party website or by using clive or youtube-dl, both are listed in the Ubuntu repositories but each must be configured to use a proxy with Tor like Polipo or Privoxy.
Second, if you haven't installed Tor via the TBB, you've opted to install and configure Tor with a proxy like Polipo or Privoxy. If this is so, it's easier to download PDFs as you don't need to accomplish this through the browser, instead you modify your /etc/wgetrc file with a proxy configuration matching the proxy port you're using with Tor.
$cat /etc/wgetrc | grep proxy
(default wgetrc displays as follows):
#https_proxy = http://proxy.yoyodyne.com:18023/
#http_proxy = http://proxy.yoyodyne.com:18023/
#ftp_proxy = http://proxy.yoyodyne.com:18023/
# If you do not want to use proxy at all, set this to off.
#use_proxy = on
sudo nano /etc/wgetrc
gksudo gedit /etc/wgetrc
You would specify the proxy as http://127.0.0.1:proxy port number here If you're using a proxy port of 12345, for example, it would be http://127.0.0.1:12345 I don't know what port Polipo and Privoxy use, but use whatever value they specify.
With wgetrc configured properly and proxy lines uncommented, you can test it by using wget in a Terminal to manually download the PDF files, copy/paste the url into the Terminal following the wget command, and I recommend using the -c option in case the download fails somewhere during your download:
wget -c https://www.torproject.org/dist/torb...v-en-US.tar.gz
This would download the TBB for Linux (current as of 12/12/2011). While on the subject, please verify every Tor package you download using GPG, instructions are on their site, as well as instructions to torrify your gpg key fetching if you don't wish to grab gpg keys in the clear.
I haven't tested wget while using the TBB, I don't know what would be required here, installing Polipo or Privoxy and appending the proper local address with port within Vidalia and giving it a go or by some other method. All this rests on the belief you're downloading legal PDFs.
"or .torrent files"
I can't help you with that and it's considered bad etiquette to run torrent traffic through Tor.
"An external application is needed to handle: file.pdf NOTE: External applications are NOT Tor safe by default and can unmask you! If this file is untrusted, you should either save it to view while offline or in a VM, or consider using a transparent Tor proxy like Tails LiveCD or torsocks."
"Am I OK? Can I proceed safely and anonymously?"
No, not when it pops up with that warning. Don't click on the PDF url, right click on the url and save it locally and the transfer will traverse through the Tor network. As above, I mentioned Tor button randomly pops up with this warning even though I've right clicked on the PDF url, probably a bug but it thinks you're trying to view it directly. You should see that Tor button warning most of the time for when you're trying to access non-torrifyed content directly. Always click CANCEL when this warning appears.
My best suggestion would be to use wget with a properly modified wgetrc file, this likely means you'll have to download and configure Polipo or Privoxy. If you're using the TBB, you're on your own, I haven't explored it.
"Also, I want to use a web-based email service via TOR so as to have anonymous email capabilities. Gmail worked for a while, but just asked me what city I usually log in from, cause it thought my account was hijacked. Know any web-based email providers that will work with TOR?"
"Hushmail might work with Tor pretty well"
Does Hushmail not require Java installed to function? Java is a big no no when using Tor, for many reasons not limited to rogue exit nodes manipulating your traffic to unmask or otherwise poison your Tor session and possibly exploit the java user's system. In the ideal Tor setup, no plugins should be installed, this is where the TBB for Linux works well, it has no plugins by default, it does have some extensions, such as Tor button, Noscript, and eff.org's HTTP-Everywhere, but no plugins. Hushmail also has a checkered history, in my opinion, concerning privacy and I don't approve of their methods of encryption or use of Java. Wait a second... Well l00ky what we have here:
"Hushmail Turns Data Over to Government"
Furthermore, you shouldn't install other extensions unless you are certain they work well with Tor, they could leak, Tor's website offers a page suggesting which plugins work well. I would stick with the three TBB contains, and configure them correctly as I mentioned earlier, Noscript is setup by default to allow everything by default which is bad. To verify no plugins (don't confuse with extensions) are installed, type about:plugins in your browser's address bar. No plugins should be listed. I find TBB useful as I can use it for Tor only, and use another browser outside of the TBB directory, installed from Ubuntu's repositories, for non-Tor use, why mix the two in one browser? It's complicated and messy. And, unless I'm mistaken, TBB's version of Firefox (Aurora) has been tweaked by the Tor developers to address certain issues vanilla Firefox would otherwise contain.
The preferred method of removing the possibility of any Tor leakage is to change my network settings during Tor use to list no DNS servers. If, by error, you launch an application outside of Tor, there are no DNS servers to catch the application's requests, they are stonewalled and will turn up an error. Despite what some may tell you, Tor functions well with no DNS servers listed. After you modify your network settings with DNS servers removed, check your resolv.conf file, it should look like this:
#Generated by NetworkManager
With no DNS servers listed.
You may also opt to block DNS during your Tor session with ufw by blocking all communication with port 53. You may also choose to, as in my thread within the Security section here details, block all ports except those you need and configure Vidalia or your torrc file if not using Vidalia, to use only port 80 and 443 for its operation.
Lastly, get to know and love using Tor bridges:
Why tell everyone on your network you're using Tor? Tor use may stand out in other ways, but by using bridges, you're obscuring your use of Tor, instead of telling everyone on your network you're connecting to known Tor nodes. It's simple to determine you're using bridges, but it's more difficult than using the standard method of Tor connectivity.
Has your network provider setup a honey-pot virtual Tor network and you're connecting to it rather than the genuine Tor network? How would you know? Again, this is where using bridges is the preferred method for Tor access. Clear documentation of using bridges is on Tor's official site, but made easier by using Vidalia and accessing the Tor bridges page, and copy/pasting the Tor bridges into Vidalia's GUI section under Vidalia's Settings, Network, and box tic for "My ISP blocks connections to the Tor network". If you have a legit connection to the Tor network without using bridges, how may you know whether or not your network provider is limiting the nodes you're able to access and hasn't blacklisted many in order to better monitor your Tor usage?
The subject of a network provider setting up a fake Tor network has been documented and if memory serves me has appeared in at least one White-paper.
If in doubt during any Tor use, Wireshark may be used to verify traffic is contained within the Tor network, it's in the Ubuntu repositories.
I've waddled outside your request with more information than the OP requested, but it's useful information for all. (and to all a good night!)
Bonus material: from a verified trusted and true LiveCD, run rkhunter and chkrootkit against your hard disk drives, extra points for using a tool such as hexdump or objdump to check binaries and space on the hard drive for any potential virus or trojaned software/sectors. Trojans targeting the system's BIOS are becoming more common, standard practice for any new system you obtain is to set the BIOS write protect within the BIOS options and question whether bundled system update programs which may want to update your BIOS is really required, and source verified (has your DNS been poisoned? A new project called DNSCrypt has been floating around in recent tech news as a potential solution to these attacks).
Extra credit: Employ TEMPEST shielding techniques, never use a program which claims to keep your computer passwords safe or simply holding them for you, they are vulnerable to TEMPEST based attacks (and keeping them on any r/w medium is stupid on so many levels). Use a Frequency Counter and test for through-the-air leakage. Never use Tor on a Windows based system! Not even within a VM. If you trust it, it's closed source: install Wine and run a freeware program called, "Zero Emission Pad" to modify/read your text documents in, as it claims (strong emphasis on claims) to prevent TEMPEST attacks. It's a Windows only freeware program which I haven't vetted for possible leaks but it is interesting, google for it and you'll eventually find it. At least one software vendor in the U.S. offers a proprietary and commercial application which does the same job, but I have no trust in commercially developed, closed source software, which is a reason why trusting GPG over PGP is a great idea.
Related OPSEC reading:
TEMPEST (or, "Hey! Who owns that van/RV/delivery truck outside? It never moves!"):
- [PDF] http://packetstormsecurity.org/files/65944/tempest.pdf
TEMPEST ; Stealing Data Via Electrical Outlet
TEMPEST ; Compromising Wired Keyboards:
TEMPEST-for-eliza - demonstrate electromagnetic emissions from computer systems
(it's in the Ubuntu repositories, verify the tech threat for yourself)
Frequency counter devices:
DNSCrypt (not usable at this time AFAIK):
AX25 (is someone being sneaky and controlling your computer remotely through the air?)
(the dirty hidden secret of AX25 and packet radio, or how your computer is capable of much
more than you think, are we all rooted remotely?) (note: has nothing to do with Wifi)
Package Manager Security:
Packet Filtering Firewalls:
Detecting Packet Injection:
Encryption: (TBB from within an encrypted Truecrypt container within an encrypted Ubuntu install? woot!)
Tor OPSEC And General Articles:
- [PDF] http://packetstormsecurity.nl/filede...cking.pdf.html
Always verify signed packages!:
Writeprint (thought your words were anonymous via Tor, right? WRONG!):
"Why, what a BEAUTIFUL scarf I received for the Holidays! Wait, what!?"
Why are my windows constantly vibrating? What the... !!! "You'll shoot your eye out, kid!"
- [PDF} http://www.cl.cam.ac.uk/~mgk25/ih99-stegfs.pdf
Tinfoil hat reading / remote system compromise through the air on a grand scale! (omg CONSPIRACY? Or, I forgot to take my pills?)
To conclude, Google for:
- powerline vulns (or, "Hey, my key-presses can be picked up via powerline!")
- additional through-the-air attacks
(or, "What!? Someone in the other room or building can pick up my key presses?)
- temperature vulns (or, "Hey, my cpu can be compromised by temperature attacks?
Wait a minute, why WAS that cute red head spending so much time looking inside my
computer when I had it open and asked me to go into the kitchen to make an elaborate
meal?" How miniature modifications to hardware can escape your sight!) Don't forget
Timing and Side Channel attacks!
Walking in a winter wonderland....
"Behold, I give unto you power to tread on serpents and scorpions,
and over all the power of the enemy" - Luke 10:19
I forgot to add:
uget easy-to-use download manager written in GTK+2
uget is in the Ubuntu repositories and claims to support proxies, via:
from the man file:
I haven't tried uget's proxy support, try it and tell us if it worked for you.
--proxy-type=N set proxy type to N. (0=Don't use) --proxy-host=HOST set proxy host to HOST. --proxy-port=PORT set proxy port to PORT. --proxy-user=USER set USER as proxy username. --proxy-password=PASS set PASS as proxy password.
Re: downloading pdfs with TOR
That is the most informative spam bot I've ever seen...Someone spent a lot of time writing you... I'm not even sure if I should report it lol..
Re: downloading pdfs with TOR
Originally Posted by dangertux