Hello, My whistleblower/journalist team has a question regarding UPLOADING files through Tor (mainly static image type files such as jpegs and PNGs, screensnips of documents, and the like). We already know that one must be very careful to remove image metadata which could be used to de-anonymize users, so our question relates to whether the process itself of uploading a file through Tor could be used to reveal user’s true IP address? We are mainly referring to web forms and forums which contain a “browse” button which then opens a windows explorer box that lets a user browse for a local file and then upload it to the website through the browser. Also, what about when one clicks the paperclip icon on a email service which opens the same explorer window and lets one select and upload a file? Is there any way this could leak one’s true IP? Does it make any difference whether or not javascript is enabled on the website or email service? In terms of operating systems, my group is unable to use a secure operating system such as TAILS at this time, and we must use windows PCs and MACs. Our main threat models are nation-state actors and national police agencies. We are mainly concerned with the “injection” of malicious scripts by websites and email providers (working with national police and government) to retrieve our true IP address (or other de-anonymizing system information) via our uploads even if our email and website accounts were created anonymously on Tor with no association with our identities or location . Thanks for any advice on this matter you can give to us!!
Until a more qualified person answers you, here is an non-expert answer for you:
There is no way for the website to simply discover your IP address.
There is a “theoretical” risk that a nation state monitoring the whole internet in your country could use a timing correlation attack to guess your IP address.
Unless the website is exploiting an unknown zero-day bug in the browser, it can’t discover your IP address. If the browser does have an actively exploited, unpatched bug, then you are safer with javascript disabled (Tor browser “Safest” security level), but some sites won’t work without javascript.
Although javascript won’t normally reveal your IP address, websites can still use javascript to do privacy invasive things like record your session (recording and storing all the keystrokes and mouse movements you make on the website).
That is unfortunate. Does your group not own the devices you are using?
I would not advise working with sensitive documents on an insecure OS on a device you do not own.
The best tool for journalists working with whistleblowers is SecureDrop, but you need to run your own server for this, and preferably also be able to use TAILS, so this is probably not an option available to you currently.
I don’t get that statement.
From the Tails site “Shut down the computer and start on your Tails USB stick instead of starting on Windows, macOS, or Linux. Tails leaves no trace on the computer when shut down.”
I always thought this was the whole point of Tails.
So does this mean the machines are owned or controled by an entity like a company or school and do not allow you to boot from a USB stick??