Is saving a dark web page locally and reloading it in another browser a security risk?



  • Say I have Tor running and am browsing the dark web with the Tor browser. If I were to save a local copy of a web page and render it into another browser, like Chrome (with JS enabled), would I then have a higher risk of revealing my IP even though Tor is still running?

    I do understand that you in theory never want to do this, but I am curious to know what the answer is.



  • Likely

    That depends all on what scripts the page might be running. If the page contains malicious code that is trying to de-anonymize you, then it is a risk.

    If the page has

    <script src="//example.gov/trackUser.js"></script>
    

    this is what happens using the Tor Browser:

    1. The script is downloaded via Tor, so your IP is not revealed to the tracking source, which I called example suffixed by .gov to highlight the interest in mass surveillance
    2. TrackUser script, if Javascript is enabled, may or may not invoke REST methods from example.gov and these are routed via Tor as well

    Now, remember that scripts can inject other scripts (think about Angular's lazy loading) that are not known to the HTML at rendering time, and perform REST calls.

    When you open the saved page with a regular browser, you will open a local copy of trackUser.js

    1. The script is loaded locally because it has been saved along with the page, so your IP is not revealed
    2. Any AJAX call or injected script will be downloaded from example.gov revealing your IP address

    This risk must be mitigated by proxying the regular browser via Tor.

    Risk of fingerprinting

    Another reason why you should not open a dark page in a browser other than Tor is the risk of browser fingerprinting. This because normal browsers don't do enough to protect users from fingerprinting. Tor Browser tries to do so. I used this wording because I am skeptic about the following sentence

    In the end, the approach chosen by Tor developers is simple: all Tor users should have the exact same fingerprint. No matter what device or operating system you are using, your browser fingerprint should be the same as any device running Tor Browser (more details can be found in the Tor design document).

    Even if you proxy via Tor Socks, example.gov can still get an AJAX request containing a potentially unique fingerprint.

    Reference: https://amiunique.org/

    Final line

    You should not try to open dark pages you don't fully trust or didn't vet early in a non-anonymised environment.


Log in to reply
 

Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2