Tails - Consejos de seguridadThe Amnesic Incognito Live Systemhttps://tails.net/security/index.es.htmlThe Amnesic Incognito Live Systemikiwiki2024-03-27T14:27:10ZPossible remote attack on onion serviceshttps://tails.net/security/TROVE-2023-006/index.es.html2024-03-27T14:27:10Z2023-11-15T14:00:00Z
<div class="caution">
<p><strong>Creating onion services from Tails 5.19 and earlier is unsafe.</strong></p>
<p>We recommend that you stop using <em>OnionShare</em> and upgrade to Tails
5.19.1.</p>
</div>
<p>The Tor Project has released a security fix for a vulnerability named
TROVE-2023-006.</p>
<p> The details of TROVE-2023-006 haven't been disclosed by the Tor Project to
leave time for users to upgrade before revealing more. We only know that the
Tor Project describes TROVE-2023-006 as a "<a href="https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE"><em>remote triggerable assert on
onion
services</em></a>".</p>
<p> Our team thinks that this vulnerability could affect Tails users who are
creating onion services from their Tails, for example when sharing files or
publishing a website using <em>OnionShare</em>.</p>
<p> This vulnerability might allow an attacker who already knows your
<em>OnionShare</em> address to make your Tor client crash. A powerful attacker might
be able to further exploit this crash to reveal your IP address.</p>
<p> This analysis is only a hypothesis because our team doesn't have access to
more details about this vulnerability. Still, we are releasing this emergency
release as a precaution.</p>
<p> <em>OnionShare</em> is the only application included in Tails that creates onion
services. You are not affected by this vulnerability if you don't use
<em>OnionShare</em> in Tails and only use Tails to connect to onion services and
don't create onion services using Additional Software.</p>
<p> More details about TROVE-2023-006 will be available on the
<a href="https://gitlab.torproject.org/tpo/core/tor/-/issues/40883">Tor issue #40883</a>
sometime after the release.</p>
Parámetros criptográficos débiles en LUKS1https://tails.net/security/argon2id/index.es.html2024-03-27T14:27:10Z2023-06-14T12:34:56Z
<p>Los parámetros criptográficos de LUKS de Tails 5.12 o anterior son débiles
contra un atacante patrocinado por el estado con acceso físico a tu
dispositivo.</p>
<p><strong>Te recomendamos que cambies la frase de contraseña de tu Almacenamiento Persistente y otros
volúmenes cifrados de LUKS, a menos que uses una frase de contraseña larga de 5 palabras aleatorias
o más.</strong></p>
<h1 id="understanding">Entendiendo la debilidad y su solución.</h1>
<h2 id="race">La carrera armamentista para protegerse de los ataques de fuerza bruta</h2>
<p>En toda la tecnología de cifrado que protege los datos en un disco o memoria
USB con una contraseña o frase de contraseña, un atacante puede probar todas
las combinaciones posibles hasta que adivine tu frase de contraseña y
desbloquee el cifrado. Este tipo de ataque se llama <em><a href="https://en.wikipedia.org/wiki/brute%2Dforce%20attack">ataque de fuerza bruta</a></em>.</p>
<p>Una contraseña segura hace que los ataques de fuerza bruta sean más lentos y
costosos. Cuanto más larga sea la frase de contraseña, más caro se vuelve el
ataque de fuerza bruta.</p>
<p>Algunos parámetros criptográficos también pueden hacer que cada suposición
de un ataque de fuerza bruta sea más lenta y costosa, por ejemplo, al tener
que hacer algunos cálculos complicados en cada frase de contraseña antes de
poder intentar desbloquear el cifrado con el resultado de este cálculo.</p>
<p>Con los años, las computadoras se vuelven más rápidas y económicas. Las
tecnologías de cifrado actualizan regularmente sus parámetros para encontrar
un equilibrio entre hacer que el cifrado sea rápido y utilizable por los
usuarios y hacer que los ataques de fuerza bruta sean lo más costosos
posible para los atacantes.</p>
<p>Los parámetros de cifrado fuertes <em>combinados</em> con una frase de contraseña
fuerte hacen que los ataques de fuerza bruta sean tan lentos y costosos que
son imposibles de realizar en la práctica. Por ejemplo, un ataque de fuerza
bruta es imposible de realizar en la práctica si lleva miles de años,
incluso con las supercomputadoras más poderosas.</p>
<h2 id="comparison">Fuerza de Argon2id en comparación con PBKDF2</h2>
<p>Hasta Tails 5.12 (19 de abril de 2023), Tails creaba dispositivos LUKS
versión 1 (LUKS1) con PBKDF2 como <em>función de derivación de clave</em>, un
cálculo ejecutado sobre la frase de contraseña antes de intentar desbloquear
el cifrado con el resultado.</p>
<p>Actualmente se considera que PBKDF2 es demasiado débil en comparación con la
potencia de cálculo disponible.</p>
<p>Algunos criptógrafos creen que esta debilidad podría haber sido ya
<a href="https://mjg59.dreamwidth.org/66429.html">utilizada contra un activista en
Francia</a>, pero las operaciones
reales de la policía francesa se mantienen en secreto.</p>
<p>Desde Tails 5.13 (16 de mayo de 2023), Tails crea dispositivos LUKS versión
2 (LUKS2) con Argon2id como <em>función de derivación de claves</em>.</p>
<table>
<tr><th>Versión de Tails<br />cuándo se creó el cifrado</th><th>Fecha de lanzamiento</th><th>Versión de LUKS</th><th>Función de derivación de claves</th><th>Fuerza</th></tr>
<tr><td>5.12 o anterior</td><td>19 de abril de 2023</td><td>LUKS1</td><td>PBKDF2</td><td>Débil</td></tr>
<tr><td>5.13 o posterior</td><td>16 de mayo de 2023</td><td>LUKS2</td><td>Argon2id</td><td>Fuerte</td></tr>
</table>
<p>Calculamos cuánta electricidad costaría adivinar frases de contraseña de
distinta intensidad. Como recomendamos para el Almacenamiento Persistente,
evaluamos frases de contraseña compuestas por varias palabras aleatorias.</p>
<table>
<tr><th>Longitud de la contraseña</th><th>PBKDF2</th><th>Argon2id</th></tr>
<tr><td>3 palabras aleatorias</td><td>$0.1</td><td>$100</td></tr>
<tr><td>4 palabras aleatorias</td><td>$1 000</td><td>$1 000 000</td></tr>
<tr><td>5 palabras aleatorias</td><td>$10 000 000</td><td>$10 000 000 000</td></tr>
<tr><td>6 palabras aleatorias</td><td>$100 000 000 000</td><td>$100 000 000 000 000</td></tr>
<tr><td>7 palabras aleatorias</td><td>$1 000 000 000 000 000</td><td>$1 000 000 000 000 000 000</td></tr>
</table>
<p>Estas cifras son estimaciones muy aproximadas, pero dan una idea de la
longitud de la frase de contraseña que podría adivinar un adversario muy
poderoso, como un atacante patrocinado por un Estado.</p>
<p>Aunque adivinar una frase de contraseña de 3 palabras aleatorias con LUKS1
cuesta muy poca energía, cualquier ataque de este tipo también requiere:</p>
<ul>
<li>Acceso físico al dispositivo</li>
<li>Equipo informático muy caro</li>
<li>Conocimientos profesionales de hacking</li>
</ul>
<p>Puedes ver los detalles de nuestros cálculos en <a href="https://gitlab.tails.boum.org/tails/tails/-/issues/19615">#19615</a> y en
esta <a href="https://cryptpad.disroot.org/sheet/#/2/sheet/view/KdOJLeuCsc4dS3vq-bHhFw6zByUSRJXsCcAkB-ERxtc/">hoja de
cálculo</a>.</p>
<h2 id="schemes">Otros esquemas de contraseñas dan muy pocas garantías</h2>
<p>Recomendamos utilizar frases de contraseña compuestas por varias palabras
aleatorias, ya que el uso de la aleatoriedad es la única forma de garantizar
realmente la solidez de una contraseña.</p>
<p>El uso de otros esquemas de contraseñas ofrece pocas garantías sobre la
solidez de una contraseña, aunque siga políticas de contraseñas complicadas
y se valide en medidores de solidez de contraseñas.</p>
<p>Por ejemplo, un <a href="https://www.washingtonpost.com/world/2020/12/17/dutch-trump-twitter-password-hack/">hacker holandés entró en la cuenta de Twitter de Donald
Trump <em>dos
veces</em></a>
adivinando sus contraseñas, a pesar de que estas contraseñas incluían varias
palabras, tenían más de 8 caracteres e incluso caracteres
especiales. Definitivamente no eran lo suficientemente aleatorias:
"<em>maga2020!</em>" y "<em>yourefired</em>".</p>
<p>Para entender las matemáticas que hay detrás de la seguridad de las
contraseñas, lee <a href="https://media.libreplanet.org/u/libreplanet/m/an-information-theoretic-model-of-privacy-and-security-metrics/">Un modelo teórico de la información sobre privacidad y
seguridad</a>
(en inglés). Bill Budington, de la EFF, explica de forma accesible el
concepto de entropía y sus implicaciones para las huellas digitales de los
navegadores y la seguridad de las contraseñas.</p>
<h1 id="updating">Mantener tu cifrado seguro</h1>
<p>Se recomienda a todos los usuarios que actualicen a LUKS2 todos sus
dispositivos cifrados: Almacenamiento Persistente, Tails de copia de
seguridad y otros volúmenes cifrados externos.</p>
<p>Dependiendo de la solidez de tu contraseña, también podríamos recomendar
elegir una contraseña diferente y migrar a otra memoria USB de Tails:</p>
<ul>
<li><a href="https://tails.net/security/argon2id/index.es.html#4">Si tu frase de contraseña tiene 4 palabras aleatorias o
menos</a></li>
<li><a href="https://tails.net/security/argon2id/index.es.html#5">Si tu frase de contraseña tiene 5 palabras aleatorias</a></li>
<li><a href="https://tails.net/security/argon2id/index.es.html#6">Si tu frase de contraseña tiene 6 palabras aleatorias o más</a></li>
</ul>
<h2 id="4">Si tu frase de contraseña tiene 4 palabras aleatorias o menos</h2>
<p>Si tu frase de contraseña actual tiene 4 palabras aleatorias o menos:</p>
<ul>
<li><p>Tu cifrado es inseguro con LUKS1.</p>
<p>Tienes que actualizar a LUKS2</p></li>
<li><p>Tu cifrado es más seguro con LUKS2.</p>
<p>Aún recomendamos cambiar tu frase de contraseña para que tenga 5 palabras aleatorias o más.</p></li>
</ul>
<h3>Almacenamiento Persistente (4 palabras o menos)</h3>
<p>Para proteger tu Almacenamiento Persistente:</p>
<ol>
<li><p>Actualiza a Tails 5.14.</p>
<p>Al iniciar Tails 5.14 por primera vez, Tails automáticamente
convierte tu Almacenamiento Persistente a LUKS2.</p></li>
<li><p>Elige una nueva frase de contraseña de 5 a 7 palabras aleatorias.</p>
<p><a class="toggle" href="https://tails.net/security/index.es.html#security-argon2id.es.4-ps-keepassxc">Muestra las instrucciones para generar una frase de contraseña usando <em>KeePassXC</em>.</a>
</p><div class="toggleable" id="security-argon2id.es.4-ps-keepassxc"></div>
<ol>
<li><p>Choose <strong>Applications</strong> ▸ <strong>KeePassXC</strong>.</p></li>
<li><p>Choose <strong>Tools</strong> ▸ <strong>Password Generator</strong>.</p></li>
<li><p>Switch to the <strong>Passphrase</strong> tab.</p>
<p>A very strong passphrase of 7 random words is automatically generated.</p>
<div class="caution">
<p>It is impossible to recover your passphrase if you forget it!</p>
<p>To help you remember your passphrase, you can write it on a piece of
paper, store it in your wallet for a few days, and destroy it once
you know it well.</p>
</div>
</li>
</ol>
<div class="toggleableend"></div>
</li>
<li><p>Cambia tu frase de contraseña.</p>
<p><a class="toggle" href="https://tails.net/security/index.es.html#security-argon2id.es.4-ps-passphrase">Muestra las instrucciones para cambiar la contraseña de tu Almacenamiento Persistente.</a>
</p><div class="toggleable" id="security-argon2id.es.4-ps-passphrase"></div>
<ol>
<li><p>Elige <strong>Aplicaciones</strong> ▸ <strong>Almacenamiento Persistente</strong>.</p></li>
<li><p>Haz clic en el botón <strong>Cambiar frase de contraseña</strong> situado a la
izquierda de la barra de título.</p></li>
<li><p>Introduce la frase de contraseña actual en el cuadro de texto
<strong>Contraseña actual</strong>.</p></li>
<li><p>Introduce tu nueva contraseña en el cuadro de texto <strong>Nueva
contraseña</strong>.</p></li>
<li><p>Vuelve a introducir tu nueva contraseña en el cuadro de texto
<strong>Confirmar nueva contraseña</strong>.</p></li>
<li><p>Pulsa <strong>Cambiar</strong>.</p></li>
<li><p>Cierra la configuración del <strong>Almacenamiento Persistente</strong>.</p></li>
</ol>
<div class="toggleableend"></div>
</li>
<li><p>Si creaste tu Almacenamiento Persistente con Tails 5.12 o una versión
anterior, te recomendamos migrar todo tu Tails a una memoria USB
diferente y destruir tu antigua memoria USB de Tails (o al menos
<a href="https://tails.net/doc/encryption_and_privacy/secure_deletion/index.es.html#device">eliminar de forma segura todo el
dispositivo</a>).</p>
<p>If you don't, the previous LUKS1 data might still be written in some recovery
data on the USB stick and could be recovered using advanced data forensics
techniques.</p>
<p><a class="toggle" href="https://tails.net/security/index.es.html#security-argon2id.es.4-ps-tails-installer">Muestra las instrucciones para migrar tu Tails a una nueva memoria USB.</a>
</p><div class="toggleable" id="security-argon2id.es.4-ps-tails-installer"></div>
<ol>
<li><p>Plug in the new USB stick.</p></li>
<li><p>Choose <strong>Applications</strong> ▸ <strong>Tails Cloner</strong>.</p></li>
<li><p>Turn on the option <strong>Clone the current Persistent Storage</strong> below the
option <strong>Clone the current Tails</strong>.</p></li>
<li><p>Make sure that the new USB stick is selected in the <strong>Target USB
stick</strong> menu.</p></li>
<li><p>To start the cloning, click on the <strong>Install</strong> button.</p></li>
<li><p>Enter a passphrase for the Persistent Storage on the new USB stick in
the <strong>Passphrase</strong> text box.</p></li>
<li><p>Enter the same passphrase again in the <strong>Confirm</strong> text box.</p></li>
<li><p>Click <strong>Continue</strong>.</p></li>
<li><p>Lee el mensaje de advertencia en el diálogo de confirmación.</p></li>
<li><p>Click <strong>Delete All Data and Install</strong> to confirm.</p>
<p>Cloning takes a few minutes.</p>
<div class="bug">
<p>The progress bar usually freezes for some time
while synchronizing data on disk.</p>
</div>
</li>
</ol>
<div class="toggleableend"></div>
</li>
</ol>
<h3>Tails de Respaldo (4 palabras o menos)</h3>
<p>Para asegurar tu <a href="https://tails.net/doc/persistent_storage/backup/index.es.html">copia de seguridad de
Tails</a>, si tienes alguna:</p>
<ol>
<li><p>Inicia en tu memoria USB principal de Tails.</p></li>
<li><p>Actualiza tu memoria USB principal de Tails a Tails 5.14.</p></li>
<li><p>Crea una nueva copia de seguridad de Tails usando <em>Tails Cloner</em></p>
<p>If you created your Persistent Storage with Tails 5.12 or earlier, we
recommend you create your new backup Tails on a different USB stick and
destroy your old backup Tails (or at least <a href="https://tails.net/doc/encryption_and_privacy/secure_deletion/index.es.html#device">securely delete the entire
device</a>).</p>
<p>If you don't, the previous LUKS1 data might still be written in some recovery
data on the USB stick and could be recovered using advanced data forensics
techniques.</p>
<p><a class="toggle" href="https://tails.net/security/index.es.html#security-argon2id.es.4-backup-tails-installer">Display the instructions to create a new backup.</a>
</p><div class="toggleable" id="security-argon2id.es.4-backup-tails-installer"></div>
<ol>
<li><p>Plug in the new USB stick.</p></li>
<li><p>Choose <strong>Applications</strong> ▸ <strong>Tails Cloner</strong>.</p></li>
<li><p>Turn on the option <strong>Clone the current Persistent Storage</strong> below the
option <strong>Clone the current Tails</strong>.</p></li>
<li><p>Make sure that the new USB stick is selected in the <strong>Target USB
stick</strong> menu.</p></li>
<li><p>To start the cloning, click on the <strong>Install</strong> button.</p></li>
<li><p>Enter a passphrase for the Persistent Storage on the new USB stick in
the <strong>Passphrase</strong> text box.</p></li>
<li><p>Enter the same passphrase again in the <strong>Confirm</strong> text box.</p></li>
<li><p>Click <strong>Continue</strong>.</p></li>
<li><p>Lee el mensaje de advertencia en el diálogo de confirmación.</p></li>
<li><p>Click <strong>Delete All Data and Install</strong> to confirm.</p>
<p>Cloning takes a few minutes.</p>
<div class="bug">
<p>The progress bar usually freezes for some time
while synchronizing data on disk.</p>
</div>
</li>
</ol>
<div class="toggleableend"></div>
</li>
</ol>
<h3>Otros volúmenes cifrados (4 palabras o menos)</h3>
<p>Para proteger tus otros volúmenes cifrados, si tienes alguno:</p>
<ol>
<li><p>Actualiza a Tails 5.14.</p></li>
<li><p>Elige una nueva frase de contraseña de 5 a 7 palabras aleatorias.</p>
<p><a class="toggle" href="https://tails.net/security/index.es.html#security-argon2id.es.4-other-keepassxc">Display the instructions to generate a passphrase using <em>KeePassXC</em>.</a>
</p><div class="toggleable" id="security-argon2id.es.4-other-keepassxc"></div>
<ol>
<li><p>Choose <strong>Applications</strong> ▸ <strong>KeePassXC</strong>.</p></li>
<li><p>Choose <strong>Tools</strong> ▸ <strong>Password Generator</strong>.</p></li>
<li><p>Switch to the <strong>Passphrase</strong> tab.</p>
<p>A very strong passphrase of 7 random words is automatically generated.</p>
<div class="caution">
<p>It is impossible to recover your passphrase if you forget it!</p>
<p>To help you remember your passphrase, you can write it on a piece of
paper, store it in your wallet for a few days, and destroy it once
you know it well.</p>
</div>
</li>
</ol>
<div class="toggleableend"></div>
</li>
</ol>
<p>If your encrypted volume is on a traditional hard disk (not an SSD) and you
can use the command line:</p>
<ol>
<li><p>Identify the partition name of your encrypted volume.</p>
<p><a class="toggle" href="https://tails.net/security/index.es.html#security-argon2id.es.4-other-cryptsetup-partition">Display the instructions to identify the partition name using the command line.</a>
</p><div class="toggleable" id="security-argon2id.es.4-other-cryptsetup-partition"></div>
<ol>
<li><p>When starting Tails, <a href="https://tails.net/doc/first_steps/welcome_screen/administration_password/index.en.html">set up an administration
password</a>.</p></li>
<li><p>Choose <strong>Applications</strong> ▸ <strong>System Tools</strong> ▸ <strong>Root Terminal</strong>.</p></li>
<li><p>Execute the following command:</p>
<pre><code>lsblk
</code></pre>
<p>The output is a list of the storage devices and partitions on the system.
For example:</p>
<pre><code>NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 1.2G 1 loop /lib/live/mount/rootfs/filesystem.squashfs
sda 8:0 1 7G 0 disk
├─sda1 8:1 1 4G 0 part /lib/live/mount/medium
└─sda2 8:2 1 3G 0 part
└─TailsData_unlocked 253:0 0 3G 0 crypt /run/nosymfollow/live/persistence/TailsData_un...
zram0 254:0 0 2.8G 0 disk [SWAP]
</code></pre></li>
<li><p>Plug in your encrypted volume. Keep the encryption locked.</p></li>
<li><p>Execute the same command again:</p>
<pre><code>lsblk
</code></pre>
<p>Your encrypted volume appears as a new device with a list of partitions.
Check that the partition size corresponds to your encrypted volume.</p>
<pre><code>NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 1.2G 1 loop /lib/live/mount/rootfs/filesystem.squashfs
sda 8:0 1 7G 0 disk
├─sda1 8:1 1 4G 0 part /lib/live/mount/medium
└─sda2 8:2 1 3G 0 part
└─TailsData_unlocked 253:0 0 3G 0 crypt /run/nosymfollow/live/persistence/TailsData_un...
sdb 8:0 1 7G 0 disk
└─sdb1 8:2 1 7G 0 part
zram0 254:0 0 2.8G 0 disk [SWAP]
</code></pre></li>
<li><p>Take note of the <em>partition name</em> of your encrypted volume. In this
example, the new device in the list is <span class="code">sdb</span>
and the encrypted volume is in the partition
<span class="code">sdb1</span>. Yours might be different.</p></li>
</ol>
<div class="toggleableend"></div>
</li>
<li><p>If you created your encrypted volume with Tails 5.12 or earlier, upgrade
to LUKS2.</p>
<p><a class="toggle" href="https://tails.net/security/index.es.html#security-argon2id.es.4-other-cryptsetup-upgrade">Display the instructions to upgrade to LUKS2 using the command line.</a>
</p><div class="toggleable" id="security-argon2id.es.4-other-cryptsetup-upgrade"></div>
<ol>
<li><p>To verify whether your encrypted volume uses PBKDF2 or Argon2id, execute
the following command.</p>
<p>Replace <span class="command-placeholder">[partition]</span> with the
partition name found in step 1.6.</p>
<p class="pre command-template">cryptsetup luksDump /dev/<span class="command-placeholder">[partition]</span></p>
<p>In the output:</p>
<ul>
<li><p><code>Version</code> indicates the version of LUKS,
either <code>1</code> or <code>2</code>.</p></li>
<li><p><code>PBKDF</code> indicates the key derivation function,
either <code>pbkdf2</code> or <code>argon2id</code>.</p></li>
</ul>
<p>If your encrypted volume already uses LUKS2 and Argon2id, you can stop
here.</p></li>
<li><p>Execute the following command to do a backup of your LUKS1 header.</p>
<p>Replace <span class="command-placeholder">[partition]</span> with the
partition name found in step 1.6.</p>
<p class="pre command-template">cryptsetup luksHeaderBackup /dev/<span class="command-placeholder">[partition]</span> --header-backup-file /home/amnesia/luks1header</p>
<p>If something goes wrong, you will be able to restore your LUKS1 header
from this backup with:</p>
<p class="pre command-template">cryptsetup luksHeaderRestore /dev/<span class="command-placeholder">[partition]</span> --header-backup-file /home/amnesia/luks1header</p>
</li>
<li><p>To update your LUKS header to LUKS2, execute the following command.</p>
<p>Replace <span class="command-placeholder">[partition]</span> with the
device name found in step 1.6.</p>
<p class="pre command-template">cryptsetup convert /dev/<span class="command-placeholder">[partition]</span> --type luks2</p>
</li>
<li><p>To verify that Argon2id is the new key derivation function, execute the
following command again.</p>
<p>Replace <span class="command-placeholder">[partition]</span> with the
partition name found in step 1.6.</p>
<p class="pre command-template">cryptsetup luksDump /dev/<span class="command-placeholder">[partition]</span></p>
<p>In the output, verify that:</p>
<ul>
<li><p>The <code>Version</code> is <code>2</code> and not <code>1</code>.</p></li>
<li><p>The <code>PBKDF</code> is <code>argon2id</code> and not <code>pbkdf2</code>.</p></li>
</ul>
</li>
<li><p>Try to unlock your encrypted volume.</p></li>
</ol>
<div class="toggleableend"></div>
</li>
<li><p>Cambia tu frase de contraseña.</p>
<p><a class="toggle" href="https://tails.net/security/index.es.html#security-argon2id.es.4-other-cryptsetup-passphrase">Display the instructions to change your passphrase using the command line.</a>
</p><div class="toggleable" id="security-argon2id.es.4-other-cryptsetup-passphrase"></div>
<ol>
<li><p>To change your passphrase, execute the following command.</p>
<p>Replace <span class="command-placeholder">[partition]</span> with the
partition name found in step 1.6.</p>
<p> </p><p class="pre command-template">cryptsetup luksChangeKey /dev/<span class="command-placeholder">[partition]</span></p></li>
</ol>
<div class="toggleableend"></div>
</li>
</ol>
<p>Otherwise, if your encrypted volume is on a USB stick (or an SSD) or you are
not comfortable with the command line:</p>
<ul>
<li><p>If you created your encrypted volume with Tails 5.13 or later, we
recommend you change your passphrase.</p>
<p>Follow our instructions on <a href="https://tails.net/doc/encryption_and_privacy/encrypted_volumes/index.es.html#changing">changing the passphrase of an existing encrypted
partition</a>.</p></li>
<li><p>If you created your encrypted volume with Tails 5.12 or earlier, we
recommend you migrate all your encrypted data to a new encrypted device.</p>
<p>Follow our instructions on <a href="https://tails.net/doc/encryption_and_privacy/encrypted_volumes/index.es.html">creating and using LUKS encrypted
volumes</a>.</p>
<p>We also recommend you destroy your old device (or at least <a href="https://tails.net/doc/encryption_and_privacy/secure_deletion/index.es.html#device">securely delete
the entire device</a>).</p>
<p>If you don't, the previous LUKS1 data might still be written in some recovery
data on the USB stick and could be recovered using advanced data forensics
techniques.</p></li>
</ul>
<h2 id="5">If your passphrase has 5 random words</h2>
<p>If your current passphrase has 5 random words:</p>
<ul>
<li><p>Your encryption is secure with LUKS1, except against a very powerful
adversary, like a state-sponsored attacker with a huge budget to spend on
guessing your passphrase.</p>
<p>We still recommend you upgrade to LUKS2.</p></li>
<li><p>Your encryption is even more secure with LUKS2.</p></li>
</ul>
<p>Congratulations on following our recommendations!</p>
<h3>Persistent Storage (5 words)</h3>
<p>Para proteger tu Almacenamiento Persistente:</p>
<ol>
<li><p>Actualiza a Tails 5.14.</p>
<p>Al iniciar Tails 5.14 por primera vez, Tails automáticamente
convierte tu Almacenamiento Persistente a LUKS2.</p></li>
<li><p>Consider adding another random word to your passphrase.</p>
<p><a class="toggle" href="https://tails.net/security/index.es.html#security-argon2id.es.5-ps-passphrase">Display the instructions to change the passphrase of your Persistent Storage.</a>
</p><div class="toggleable" id="security-argon2id.es.5-ps-passphrase"></div>
<ol>
<li><p>Elige <strong>Aplicaciones</strong> ▸ <strong>Almacenamiento Persistente</strong>.</p></li>
<li><p>Haz clic en el botón <strong>Cambiar frase de contraseña</strong> situado a la
izquierda de la barra de título.</p></li>
<li><p>Introduce la frase de contraseña actual en el cuadro de texto
<strong>Contraseña actual</strong>.</p></li>
<li><p>Introduce tu nueva contraseña en el cuadro de texto <strong>Nueva
contraseña</strong>.</p></li>
<li><p>Vuelve a introducir tu nueva contraseña en el cuadro de texto
<strong>Confirmar nueva contraseña</strong>.</p></li>
<li><p>Pulsa <strong>Cambiar</strong>.</p></li>
<li><p>Cierra la configuración del <strong>Almacenamiento Persistente</strong>.</p></li>
</ol>
<div class="toggleableend"></div>
</li>
<li><p>If you created your encrypted volume with Tails 5.12 or earlier and are
worried about a very powerful adversary, consider migrating your entire
Tails to a different USB stick and destroying your old Tails USB stick
(or at least <a href="https://tails.net/doc/encryption_and_privacy/secure_deletion/index.es.html#device">securely deleting the entire
device</a>).</p>
<p>If you don't, the previous LUKS1 data might still be written in some recovery
data on the USB stick and could be recovered using advanced data forensics
techniques.</p>
<p><a class="toggle" href="https://tails.net/security/index.es.html#security-argon2id.es.5-ps-tails-installer">Display the instructions to migrate your entire Tails to a new USB stick.</a>
</p><div class="toggleable" id="security-argon2id.es.5-ps-tails-installer"></div>
<ol>
<li><p>Plug in the new USB stick.</p></li>
<li><p>Choose <strong>Applications</strong> ▸ <strong>Tails Cloner</strong>.</p></li>
<li><p>Turn on the option <strong>Clone the current Persistent Storage</strong> below the
option <strong>Clone the current Tails</strong>.</p></li>
<li><p>Make sure that the new USB stick is selected in the <strong>Target USB
stick</strong> menu.</p></li>
<li><p>To start the cloning, click on the <strong>Install</strong> button.</p></li>
<li><p>Enter a passphrase for the Persistent Storage on the new USB stick in
the <strong>Passphrase</strong> text box.</p></li>
<li><p>Enter the same passphrase again in the <strong>Confirm</strong> text box.</p></li>
<li><p>Click <strong>Continue</strong>.</p></li>
<li><p>Lee el mensaje de advertencia en el diálogo de confirmación.</p></li>
<li><p>Click <strong>Delete All Data and Install</strong> to confirm.</p>
<p>Cloning takes a few minutes.</p>
<div class="bug">
<p>The progress bar usually freezes for some time
while synchronizing data on disk.</p>
</div>
</li>
</ol>
<div class="toggleableend"></div>
</li>
</ol>
<h3>Backup Tails (5 words)</h3>
<p>Para asegurar tu <a href="https://tails.net/doc/persistent_storage/backup/index.es.html">copia de seguridad de
Tails</a>, si tienes alguna:</p>
<ol>
<li><p>Inicia en tu memoria USB principal de Tails.</p></li>
<li><p>Actualiza tu memoria USB principal de Tails a Tails 5.14.</p></li>
<li><p>Update your backup or create a new backup Tails using <em>Tails Cloner</em>.</p>
<p>If you created your backup Tails with Tails 5.12 or earlier and are worried
about a very powerful adversary, consider creating your new backup Tails on a
different USB stick and destroying your old backup Tails (or at least
<a href="https://tails.net/doc/encryption_and_privacy/secure_deletion/index.es.html#device">securely deleting the entire
device</a>).</p>
<p>If you don't, the previous LUKS1 data might still be written in some recovery
data on the USB stick and could be recovered using advanced data forensics
techniques.</p>
<p><a class="toggle" href="https://tails.net/security/index.es.html#security-argon2id.es.5-backup-tails-installer">Display the instructions to update your backup or create a new backup.</a>
</p><div class="toggleable" id="security-argon2id.es.5-backup-tails-installer"></div>
<ol>
<li><p>Plug in the new USB stick.</p></li>
<li><p>Choose <strong>Applications</strong> ▸ <strong>Tails Cloner</strong>.</p></li>
<li><p>Turn on the option <strong>Clone the current Persistent Storage</strong> below the
option <strong>Clone the current Tails</strong>.</p></li>
<li><p>Make sure that the new USB stick is selected in the <strong>Target USB
stick</strong> menu.</p></li>
<li><p>To start the cloning, click on the <strong>Install</strong> button.</p></li>
<li><p>Enter a passphrase for the Persistent Storage on the new USB stick in
the <strong>Passphrase</strong> text box.</p></li>
<li><p>Enter the same passphrase again in the <strong>Confirm</strong> text box.</p></li>
<li><p>Click <strong>Continue</strong>.</p></li>
<li><p>Lee el mensaje de advertencia en el diálogo de confirmación.</p></li>
<li><p>Click <strong>Delete All Data and Install</strong> to confirm.</p>
<p>Cloning takes a few minutes.</p>
<div class="bug">
<p>The progress bar usually freezes for some time
while synchronizing data on disk.</p>
</div>
</li>
</ol>
<div class="toggleableend"></div>
</li>
</ol>
<h3>Otros volúmenes cifrados (5 palabras)</h3>
<p>Para proteger tus otros volúmenes cifrados, si tienes alguno:</p>
<ol>
<li><p>Actualiza a Tails 5.14.</p></li>
<li><p>Consider adding another random word to your passphrase.</p></li>
</ol>
<p>If you created your encrypted volume with Tails 5.12 or earlier and your
encrypted volume is on a traditional hard disk (not an SSD) and you can use
the command line:</p>
<ol>
<li><p>Identify the partition name of your encrypted volume.</p>
<p><a class="toggle" href="https://tails.net/security/index.es.html#security-argon2id.es.5-other-cryptsetup-partition">Display the instructions to identify the partition name using the command line.</a>
</p><div class="toggleable" id="security-argon2id.es.5-other-cryptsetup-partition"></div>
<ol>
<li><p>When starting Tails, <a href="https://tails.net/doc/first_steps/welcome_screen/administration_password/index.en.html">set up an administration
password</a>.</p></li>
<li><p>Choose <strong>Applications</strong> ▸ <strong>System Tools</strong> ▸ <strong>Root Terminal</strong>.</p></li>
<li><p>Execute the following command:</p>
<pre><code>lsblk
</code></pre>
<p>The output is a list of the storage devices and partitions on the system.
For example:</p>
<pre><code>NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 1.2G 1 loop /lib/live/mount/rootfs/filesystem.squashfs
sda 8:0 1 7G 0 disk
├─sda1 8:1 1 4G 0 part /lib/live/mount/medium
└─sda2 8:2 1 3G 0 part
└─TailsData_unlocked 253:0 0 3G 0 crypt /run/nosymfollow/live/persistence/TailsData_un...
zram0 254:0 0 2.8G 0 disk [SWAP]
</code></pre></li>
<li><p>Plug in your encrypted volume. Keep the encryption locked.</p></li>
<li><p>Execute the same command again:</p>
<pre><code>lsblk
</code></pre>
<p>Your encrypted volume appears as a new device with a list of partitions.
Check that the partition size corresponds to your encrypted volume.</p>
<pre><code>NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 1.2G 1 loop /lib/live/mount/rootfs/filesystem.squashfs
sda 8:0 1 7G 0 disk
├─sda1 8:1 1 4G 0 part /lib/live/mount/medium
└─sda2 8:2 1 3G 0 part
└─TailsData_unlocked 253:0 0 3G 0 crypt /run/nosymfollow/live/persistence/TailsData_un...
sdb 8:0 1 7G 0 disk
└─sdb1 8:2 1 7G 0 part
zram0 254:0 0 2.8G 0 disk [SWAP]
</code></pre></li>
<li><p>Take note of the <em>partition name</em> of your encrypted volume. In this
example, the new device in the list is <span class="code">sdb</span>
and the encrypted volume is in the partition
<span class="code">sdb1</span>. Yours might be different.</p></li>
</ol>
<div class="toggleableend"></div>
</li>
<li><p>If you created your encrypted volume with Tails 5.12 or earlier, upgrade
to LUKS2.</p>
<p><a class="toggle" href="https://tails.net/security/index.es.html#security-argon2id.es.5-other-cryptsetup-upgrade">Display the instructions to upgrade to LUKS2 using the command line.</a>
</p><div class="toggleable" id="security-argon2id.es.5-other-cryptsetup-upgrade"></div>
<ol>
<li><p>To verify whether your encrypted volume uses PBKDF2 or Argon2id, execute
the following command.</p>
<p>Replace <span class="command-placeholder">[partition]</span> with the
partition name found in step 1.6.</p>
<p class="pre command-template">cryptsetup luksDump /dev/<span class="command-placeholder">[partition]</span></p>
<p>In the output:</p>
<ul>
<li><p><code>Version</code> indicates the version of LUKS,
either <code>1</code> or <code>2</code>.</p></li>
<li><p><code>PBKDF</code> indicates the key derivation function,
either <code>pbkdf2</code> or <code>argon2id</code>.</p></li>
</ul>
<p>If your encrypted volume already uses LUKS2 and Argon2id, you can stop
here.</p></li>
<li><p>Execute the following command to do a backup of your LUKS1 header.</p>
<p>Replace <span class="command-placeholder">[partition]</span> with the
partition name found in step 1.6.</p>
<p class="pre command-template">cryptsetup luksHeaderBackup /dev/<span class="command-placeholder">[partition]</span> --header-backup-file /home/amnesia/luks1header</p>
<p>If something goes wrong, you will be able to restore your LUKS1 header
from this backup with:</p>
<p class="pre command-template">cryptsetup luksHeaderRestore /dev/<span class="command-placeholder">[partition]</span> --header-backup-file /home/amnesia/luks1header</p>
</li>
<li><p>To update your LUKS header to LUKS2, execute the following command.</p>
<p>Replace <span class="command-placeholder">[partition]</span> with the
device name found in step 1.6.</p>
<p class="pre command-template">cryptsetup convert /dev/<span class="command-placeholder">[partition]</span> --type luks2</p>
</li>
<li><p>To verify that Argon2id is the new key derivation function, execute the
following command again.</p>
<p>Replace <span class="command-placeholder">[partition]</span> with the
partition name found in step 1.6.</p>
<p class="pre command-template">cryptsetup luksDump /dev/<span class="command-placeholder">[partition]</span></p>
<p>In the output, verify that:</p>
<ul>
<li><p>The <code>Version</code> is <code>2</code> and not <code>1</code>.</p></li>
<li><p>The <code>PBKDF</code> is <code>argon2id</code> and not <code>pbkdf2</code>.</p></li>
</ul>
</li>
<li><p>Try to unlock your encrypted volume.</p></li>
</ol>
<div class="toggleableend"></div>
</li>
<li><p>Cambia tu frase de contraseña.</p>
<p><a class="toggle" href="https://tails.net/security/index.es.html#security-argon2id.es.5-other-cryptsetup-passphrase">Display the instructions to change your passphrase using the command line.</a>
</p><div class="toggleable" id="security-argon2id.es.5-other-cryptsetup-passphrase"></div>
<ol>
<li><p>To change your passphrase, execute the following command.</p>
<p>Replace <span class="command-placeholder">[partition]</span> with the
partition name found in step 1.6.</p>
<p> </p><p class="pre command-template">cryptsetup luksChangeKey /dev/<span class="command-placeholder">[partition]</span></p></li>
</ol>
<div class="toggleableend"></div>
</li>
</ol>
<p>If you create your encrypted volume with Tails 5.12 or earlier and your
encrypted volume is on a USB stick (or an SSD) or if you are not comfortable
with the command line:</p>
<ol>
<li><p>Migrate all your encrypted data to a new encrypted device.</p>
<p>Follow our instructions on <a href="https://tails.net/doc/encryption_and_privacy/encrypted_volumes/index.es.html">creating and using LUKS encrypted
volumes</a>.</p></li>
<li><p>If you are worried about a very powerful adversary, consider destroying
your old device (or at least <a href="https://tails.net/doc/encryption_and_privacy/secure_deletion/index.es.html#device">securely deleting the entire
device</a>).</p>
<p>If you don't, the previous LUKS1 data might still be written in some recovery
data on the USB stick and could be recovered using advanced data forensics
techniques.</p></li>
</ol>
<h2 id="6">If your passphrase has 6 random words or more</h2>
<p>If your current passphrase has 6 random words or more:</p>
<ul>
<li><p>Your encryption is secure with LUKS1, even against a very powerful
adversary.</p>
<p>We still recommend you upgrade to LUKS2.</p></li>
<li><p>Your encryption is even more secure with LUKS2.</p></li>
</ul>
<p>Congratulations on following our most secure recommendations!</p>
<h3>Persistent Storage (6 words or more)</h3>
<p>Your Persistent Storage is already secure, even with LUKS1.</p>
<p>After you upgrade to Tails 5.14 or later, Tails will automatically convert
your Persistent Storage to LUKS2 and make your Persistent Storage even more
secure.</p>
<h3>Backup Tails (6 words or more)</h3>
<p>Your backup Tails is already secure, even with LUKS1.</p>
<p>If you want to upgrade your backup Tails to LUKS2 anyway:</p>
<ol>
<li><p>Inicia en tu memoria USB principal de Tails.</p></li>
<li><p>Actualiza tu memoria USB principal de Tails a Tails 5.14.</p></li>
<li><p>Update your backup using <em>Tails Cloner</em>.</p>
<p><a class="toggle" href="https://tails.net/security/index.es.html#security-argon2id.es.6-backup-tails-installer">Display the instructions to update your backup.</a>
</p><div class="toggleable" id="security-argon2id.es.6-backup-tails-installer"></div>
<ol>
<li><p>Plug in the new USB stick.</p></li>
<li><p>Choose <strong>Applications</strong> ▸ <strong>Tails Cloner</strong>.</p></li>
<li><p>Turn on the option <strong>Clone the current Persistent Storage</strong> below the
option <strong>Clone the current Tails</strong>.</p></li>
<li><p>Make sure that the new USB stick is selected in the <strong>Target USB
stick</strong> menu.</p></li>
<li><p>To start the cloning, click on the <strong>Install</strong> button.</p></li>
<li><p>Enter a passphrase for the Persistent Storage on the new USB stick in
the <strong>Passphrase</strong> text box.</p></li>
<li><p>Enter the same passphrase again in the <strong>Confirm</strong> text box.</p></li>
<li><p>Click <strong>Continue</strong>.</p></li>
<li><p>Lee el mensaje de advertencia en el diálogo de confirmación.</p></li>
<li><p>Click <strong>Delete All Data and Install</strong> to confirm.</p>
<p>Cloning takes a few minutes.</p>
<div class="bug">
<p>The progress bar usually freezes for some time
while synchronizing data on disk.</p>
</div>
</li>
</ol>
<div class="toggleableend"></div>
</li>
</ol>
<h3>Otros volúmenes cifrados (6 palabras o más)</h3>
<p>Tus otros volúmenes cifrados ya están seguros, incluso con LUKS1.</p>
<p>Si deseas actualizar tus otros volúmenes cifrados a LUKS2 de todos modos y
sabes cómo usar la línea de órdenes:</p>
<ol>
<li><p>Identify the partition name of your encrypted volume.</p>
<p><a class="toggle" href="https://tails.net/security/index.es.html#security-argon2id.es.6-other-cryptsetup-partition">Display the instructions to identify the partition name using the command line.</a>
</p><div class="toggleable" id="security-argon2id.es.6-other-cryptsetup-partition"></div>
<ol>
<li><p>When starting Tails, <a href="https://tails.net/doc/first_steps/welcome_screen/administration_password/index.en.html">set up an administration
password</a>.</p></li>
<li><p>Choose <strong>Applications</strong> ▸ <strong>System Tools</strong> ▸ <strong>Root Terminal</strong>.</p></li>
<li><p>Execute the following command:</p>
<pre><code>lsblk
</code></pre>
<p>The output is a list of the storage devices and partitions on the system.
For example:</p>
<pre><code>NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 1.2G 1 loop /lib/live/mount/rootfs/filesystem.squashfs
sda 8:0 1 7G 0 disk
├─sda1 8:1 1 4G 0 part /lib/live/mount/medium
└─sda2 8:2 1 3G 0 part
└─TailsData_unlocked 253:0 0 3G 0 crypt /run/nosymfollow/live/persistence/TailsData_un...
zram0 254:0 0 2.8G 0 disk [SWAP]
</code></pre></li>
<li><p>Plug in your encrypted volume. Keep the encryption locked.</p></li>
<li><p>Execute the same command again:</p>
<pre><code>lsblk
</code></pre>
<p>Your encrypted volume appears as a new device with a list of partitions.
Check that the partition size corresponds to your encrypted volume.</p>
<pre><code>NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 1.2G 1 loop /lib/live/mount/rootfs/filesystem.squashfs
sda 8:0 1 7G 0 disk
├─sda1 8:1 1 4G 0 part /lib/live/mount/medium
└─sda2 8:2 1 3G 0 part
└─TailsData_unlocked 253:0 0 3G 0 crypt /run/nosymfollow/live/persistence/TailsData_un...
sdb 8:0 1 7G 0 disk
└─sdb1 8:2 1 7G 0 part
zram0 254:0 0 2.8G 0 disk [SWAP]
</code></pre></li>
<li><p>Take note of the <em>partition name</em> of your encrypted volume. In this
example, the new device in the list is <span class="code">sdb</span>
and the encrypted volume is in the partition
<span class="code">sdb1</span>. Yours might be different.</p></li>
</ol>
<div class="toggleableend"></div>
</li>
<li><p>Upgrade to LUKS2.</p>
<p><a class="toggle" href="https://tails.net/security/index.es.html#security-argon2id.es.6-other-cryptsetup-upgrade">Display the instructions to upgrade to LUKS2 using the command line.</a>
</p><div class="toggleable" id="security-argon2id.es.6-other-cryptsetup-upgrade"></div>
<ol>
<li><p>To verify whether your encrypted volume uses PBKDF2 or Argon2id, execute
the following command.</p>
<p>Replace <span class="command-placeholder">[partition]</span> with the
partition name found in step 1.6.</p>
<p class="pre command-template">cryptsetup luksDump /dev/<span class="command-placeholder">[partition]</span></p>
<p>In the output:</p>
<ul>
<li><p><code>Version</code> indicates the version of LUKS,
either <code>1</code> or <code>2</code>.</p></li>
<li><p><code>PBKDF</code> indicates the key derivation function,
either <code>pbkdf2</code> or <code>argon2id</code>.</p></li>
</ul>
<p>If your encrypted volume already uses LUKS2 and Argon2id, you can stop
here.</p></li>
<li><p>Execute the following command to do a backup of your LUKS1 header.</p>
<p>Replace <span class="command-placeholder">[partition]</span> with the
partition name found in step 1.6.</p>
<p class="pre command-template">cryptsetup luksHeaderBackup /dev/<span class="command-placeholder">[partition]</span> --header-backup-file /home/amnesia/luks1header</p>
<p>If something goes wrong, you will be able to restore your LUKS1 header
from this backup with:</p>
<p class="pre command-template">cryptsetup luksHeaderRestore /dev/<span class="command-placeholder">[partition]</span> --header-backup-file /home/amnesia/luks1header</p>
</li>
<li><p>To update your LUKS header to LUKS2, execute the following command.</p>
<p>Replace <span class="command-placeholder">[partition]</span> with the
device name found in step 1.6.</p>
<p class="pre command-template">cryptsetup convert /dev/<span class="command-placeholder">[partition]</span> --type luks2</p>
</li>
<li><p>To verify that Argon2id is the new key derivation function, execute the
following command again.</p>
<p>Replace <span class="command-placeholder">[partition]</span> with the
partition name found in step 1.6.</p>
<p class="pre command-template">cryptsetup luksDump /dev/<span class="command-placeholder">[partition]</span></p>
<p>In the output, verify that:</p>
<ul>
<li><p>The <code>Version</code> is <code>2</code> and not <code>1</code>.</p></li>
<li><p>The <code>PBKDF</code> is <code>argon2id</code> and not <code>pbkdf2</code>.</p></li>
</ul>
</li>
<li><p>Try to unlock your encrypted volume.</p></li>
</ol>
<div class="toggleableend"></div>
</li>
</ol>
<h2 id="checking">Knowing which version of LUKS is used in your devices</h2>
<p>If you know how to use the command line, you can verify whether your
encryption uses PBKDF2 or Argon2id.</p>
<h3>Almacenamiento Persistente</h3>
<ol>
<li><p>Al iniciar Tails, <a href="https://tails.net/doc/first_steps/welcome_screen/administration_password/index.es.html">configura una contraseña de
administración</a>.</p></li>
<li><p>Elige <strong>Aplicaciones</strong> ▸ <strong>Herramientas del Sistema</strong> ▸
<strong>Terminal de root</strong>.</p></li>
<li><p>Ejecuta el siguiente comando:</p>
<pre><code>lsblk
</code></pre>
<p>El resultado es una lista de los dispositivos de almacenamiento y las particiones del sistema.
Por ejemplo:</p>
<pre><code> NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 1.2G 1 loop /lib/live/mount/rootfs/filesystem.squashfs
sda 8:0 1 7G 0 disk
├─sda1 8:1 1 4G 0 part /lib/live/mount/medium
└─sda2 8:2 1 3G 0 part
└─TailsData_unlocked 253:0 0 3G 0 crypt /run/nosymfollow/live/persistence/TailsData_un...
zram0 254:0 0 2.8G 0 disk [SWAP]
</code></pre>
<p> Your Persistent Storage appears as <code>TailsData_unlocked</code>.</p></li>
<li><p>Take note of the <em>partition name</em> of your Persistent Storage, which
appears above <code>TailsData_unlocked</code>. In this example, the Persistent
Storage is in the partition <span class="code">sda2</span>. Yours
might be different.</p></li>
<li><p>Para verificar si tu volumen cifrado usa PBKDF2 o Argon2id, ejecuta el
siguiente comando.</p>
<p> Replace <span class="command-placeholder">[partition]</span> with the
partition name found in step 4.</p>
<p> </p><p class="pre command-template">sudo cryptsetup luksDump /dev/<span class="command-placeholder">[partition]</span></p>
<p> En la salida:</p>
<ul>
<li><p><code>Versión</code> indica la versión de LUKS, ya sea <code>1</code> o <code>2</code>.</p></li>
<li><p><code>PBKDF</code> indicates the key derivation function, either <code>pbkdf2</code> or
<code>rgon2id</code>.</p></li>
</ul>
</li>
</ol>
<h3>Otros volúmenes cifrados</h3>
<ol>
<li><p>When starting Tails, <a href="https://tails.net/doc/first_steps/welcome_screen/administration_password/index.en.html">set up an administration
password</a>.</p></li>
<li><p>Choose <strong>Applications</strong> ▸ <strong>System Tools</strong> ▸ <strong>Root Terminal</strong>.</p></li>
<li><p>Execute the following command:</p>
<pre><code>lsblk
</code></pre>
<p>The output is a list of the storage devices and partitions on the system.
For example:</p>
<pre><code> NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 1.2G 1 loop /lib/live/mount/rootfs/filesystem.squashfs
sda 8:0 1 7G 0 disk
├─sda1 8:1 1 4G 0 part /lib/live/mount/medium
└─sda2 8:2 1 3G 0 part
└─TailsData_unlocked 253:0 0 3G 0 crypt /run/nosymfollow/live/persistence/TailsData_un...
zram0 254:0 0 2.8G 0 disk [SWAP]
</code></pre></li>
<li><p>Plug in your encrypted volume. Keep the encryption locked.</p></li>
<li><p>Execute the same command again:</p>
<pre><code>lsblk
</code></pre>
<p>Your encrypted volume appears as a new device with a list of partitions.
Check that the partition size corresponds to your encrypted volume.</p>
<pre><code> NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 1.2G 1 loop /lib/live/mount/rootfs/filesystem.squashfs
sda 8:0 1 7G 0 disk
├─sda1 8:1 1 4G 0 part /lib/live/mount/medium
└─sda2 8:2 1 3G 0 part
└─TailsData_unlocked 253:0 0 3G 0 crypt /run/nosymfollow/live/persistence/TailsData_un...
sdb 8:0 1 7G 0 disk
└─sdb1 8:2 1 7G 0 part
zram0 254:0 0 2.8G 0 disk [SWAP]
</code></pre></li>
<li><p>Take note of the <em>partition name</em> of your encrypted volume. In this
example, the new device in the list is <span class="code">sdb</span>
and the encrypted volume is in the partition
<span class="code">sdb1</span>. Yours might be different.</p></li>
<li><p>Para verificar si tu volumen cifrado usa PBKDF2 o Argon2id, ejecuta el
siguiente comando.</p>
<p> Replace <span class="command-placeholder">[partition]</span> with the
partition name found in step 6.</p>
<p> </p><p class="pre command-template">sudo cryptsetup luksDump /dev/<span class="command-placeholder">[partition]</span></p>
<p> En la salida:</p>
<ul>
<li><p><code>Versión</code> indica la versión de LUKS, ya sea <code>1</code> o <code>2</code>.</p></li>
<li><p><code>PBKDF</code> indica la función de derivación de clave, ya sea <code>pbkdf2</code> o
<code>argon2id</code>.</p></li>
</ul>
</li>
</ol>
Serious security vulnerability in Tails 5.0https://tails.net/security/prototype_pollution/index.es.html2024-03-27T14:27:10Z2022-05-24T12:34:56Z
<p><em>Tor Browser</em> in Tails 5.0 and earlier is unsafe to use for sensitive
information.</p>
<p><strong>We recommend that you stop using Tails until the release of 5.1 (early June) if
you use <em>Tor Browser</em> for sensitive information (passwords, private messages,
personal information, etc.).</strong></p>
<p>A security vulnerability was discovered in the JavaScript engine of
<em>Firefox</em> and <em>Tor Browser</em>. See the <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/">Mozilla Foundation Security Advisory
2022-19</a></p>
<p>This vulnerability allows a malicious website to bypass some of the security
built in <em>Tor Browser</em> and access information from other websites.</p>
<p>For example, after you visit a malicious website, an attacker controlling
this website might access the password or other sensitive information that
you send to other websites afterwards during the same Tails session.</p>
<p>This vulnerability doesn't break the anonymity and encryption of Tor
connections.</p>
<p>For example, it is still safe and anonymous to access websites from Tails if
you don't share sensitive information with them.</p>
<p>After <em>Tor Browser</em> has been compromised, the only reliable solution is to
restart Tails.</p>
<p>Other applications in Tails are not vulnerable. <em>Thunderbird</em> in Tails is
not vulnerable because JavaScript is disabled.</p>
<p>The <em>Safest</em> <a href="https://tails.net/doc/anonymous_internet/Tor_Browser/index.es.html#security-level">security level of <em>Tor
Browser</em></a> is not affected
because JavaScript is disabled at this security level.</p>
<p>This vulnerability will be fixed in Tails 5.1 (early June), but our team
doesn't have the capacity to publish an emergency release earlier.</p>
JavaScript vulnerability in Tor Browserhttps://tails.net/security/mcallgetproperty/index.es.html2024-03-27T14:27:10Z2020-11-11T21:15:09Z
<p>A <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-49/">critical
vulnerability</a>
was discovered in the JavaScript engine of <em>Firefox</em> and <em>Tor Browser</em>.</p>
<p>Until Tails 4.13 (November 17), we recommend all users to set the <a href="https://tails.net/doc/anonymous_internet/Tor_Browser/index.es.html#security-level">security
level of <em>Tor Browser</em></a>
to <em>Safer</em> or <em>Safest</em>.</p>
<p>This vulnerability was discovered during the <a href="http://www.tianfucup.com/">Tianfu Cup 2020 International
Cybersecurity Contest</a>. The details of the
vulnerability were not disclosed.</p>
<p>We are not aware of any use of this vulnerability against actual users.</p>
<p>The <em>Safer</em> or <em>Safest</em> security level of <em>Tor Browser</em> are not affected
because the feature of JavaScript that is affected, the <em><a href="https://en.wikipedia.org/wiki/just%2Din%2Dtime%20compilation">just-in-time compilation</a></em>, is disabled at these security levels.</p>
<p>Mozilla fixed this vulnerability in <em>Firefox</em> 78.4.1 and Tor fixed this
vulnerability in <em>Tor Browser</em> 10.0.4.</p>
<p>We decided not to release an emergency upgrade of Tails because:</p>
<ul>
<li>Tails 4.13 is already scheduled for November 17 and will fix this
vulnerability.</li>
<li>Our main release manager left the team recently and we have very limited
staffpower right now.</li>
<li>The details of the vulnerability were not disclosed, making it harder to
exploit, and we are not aware of any use of this vulnerability against
actual users.</li>
</ul>
Critical security vulnerability in Tails 3.14.1https://tails.net/security/sandbox_escape_in_tor_browser/index.es.html2024-03-27T14:27:10Z2019-06-20T10:34:57Z
<div class="caution">
<p>Tor Browser in Tails 3.14.1 and earlier is unsafe to use in most cases.</p>
<p>We <b>strongly</b> encourage you to
<a href="https://tails.net/news/version_3.14.2/">upgrade to Tails 3.14.2</a> as soon as possible.</p>
</div>
<h1>SOME DESCRIPTIVE TITLE</h1>
<h1>Copyright (C) YEAR Free Software Foundation, Inc.</h1>
<h1>This file is distributed under the same license as the PACKAGE package.</h1>
<h1>FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.</h1>
<p>#
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2021-05-10 15:03+0000\n"
"PO-Revision-Date: 2021-05-11 15:09+0000\n"
"Last-Translator: Weblate Admin <a href="mailto:tails-weblate@boum.org">tails-weblate@boum.org</a>\n"
"Language-Team: LANGUAGE <a href="mailto:LL@li.org">LL@li.org</a>\n"
"Language: es\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=n != 1;\n"
"X-Generator: Weblate 3.11.3\n"</p>
<h1>. type: Plain text</h1>
<h1>, no-wrap</h1>
<p>msgid "\n"
msgstr "\n"</p>
<h1>. type: Plain text</h1>
<p>msgid ""
"A security vulnerability was discovered in the sandboxing mechanism of "
"<em>Firefox</em> and <em>Tor Browser</em>. This vulnerability allows a malicious website "
"to bypass some of the confinement built in <em>Firefox</em>, which means possibly "
"spying on the content of other tabs and steal the passwords of other "
"websites."
msgstr ""</p>
<h1>. type: Plain text</h1>
<p>msgid ""
"After <em>Tor Browser</em> has been compromised, the only reliable solution is to "
"restart Tails."
msgstr ""</p>
<h1>. type: Plain text</h1>
<p>msgid ""
"Because <em>Tor Browser</em> in Tails is [[confined using <em>AppArmor</em>|doc/"
"anonymous_internet/Tor_Browser#confinement]], only the data accessible to "
"<em>Tor Browser</em> might be compromised but not the other applications or your "
"other files. For example, a compromised <em>Tor Browser</em> might access your "
"files in the <em>Tor Browser</em> and <em>Persistent/Tor Browser</em> folders but not "
"anywhere else."
msgstr ""</p>
<h1>. type: Plain text</h1>
<p>msgid "For example, without restarting Tails:"
msgstr ""</p>
<h1>. type: Plain text</h1>
<p>msgid "- It is unsafe to:"
msgstr ""</p>
<h1>. type: Bullet: ' - '</h1>
<p>msgid ""
"Log in to a website and also visit an untrusted website. Your password on "
"the first website might be stolen by the untrusted website."
msgstr ""</p>
<h1>. type: Bullet: ' - '</h1>
<p>msgid ""
"Visit an untrusted website if you have sensitive information stored in your "
"<em>Persistent/Tor Browser</em> folder. The untrusted website might access these "
"files."
msgstr ""</p>
<h1>. type: Plain text</h1>
<p>msgid "- It is safe to:"
msgstr ""</p>
<h1>. type: Bullet: ' - '</h1>
<p>msgid ""
"Visit untrusted websites, without logging in, if you have no sensitive "
"information stored in your <em>Tor Browser</em> and <em>Persistent/Tor Browser</em> "
"folders."
msgstr ""</p>
<h1>. type: Bullet: ' - '</h1>
<p>msgid ""
"Log in to several trusted websites without visiting any untrusted websites."
msgstr ""</p>
Tor Browser not safe without manual actionhttps://tails.net/security/noscript_disabled_in_tor_browser/index.es.html2024-03-27T14:27:10Z2019-05-04T00:00:00Z
<div class="caution">Tor Browser in Tails 3.13.1 is not safe to use
without taking the manual steps listed below each time you start
Tails!</div>
<p>Starting from Friday May 3, a problem in <em>Firefox</em> and <em>Tor Browser</em>
disabled all add-ons, especially <em>NoScript</em> which is used to:</p>
<ul>
<li><p>Strengthen <em>Tor Browser</em> against some JavaScript attacks that can lead to
compromised accounts and credentials on websites.</p></li>
<li><p>Enable or disable JavaScript on some websites using the <em>NoScript</em>
interface, if you use it.</p></li>
</ul>
<p>If <em>NoScript</em> is activated, the <em>NoScript</em> icon appears in the top-right
corner and <em>Tor Browser</em> is safe:</p>
<p><img alt="" class="img" height="149" src="https://tails.net/news/version_3.13.2/with-noscript.png" width="269" /></p>
<p>If <em>NoScript</em> is deactivated, the <em>NoScript</em> icon is absent from the
top-right corner and <em>Tor Browser</em> is unsafe:</p>
<p><img alt="" class="img" height="149" src="https://tails.net/news/version_3.13.2/without-noscript.png" width="269" /></p>
<h2>Activate <em>NoScript</em> manually</h2>
<p>To secure <em>Tor Browser</em> in Tails 3.13.1 or earlier, you must activate
<em>NoScript</em> every time you start Tails:</p>
<ol>
<li><p>Open the address <code>about:config</code> in <em>Tor Browser</em>.</p>
<p><img class="img" height="155" src="https://tails.net/news/version_3.13.2/about-config.png" width="609" /></p></li>
<li><p>Click the <strong>I accept the risk!</strong> button.</p></li>
<li><p>At the top of the page, search for <code>xpinstall.signatures.required</code>.</p></li>
<li><p>Double-click on the <strong>xpinstall.signatures.required</strong> line in the results
to set its value to <strong>false</strong>.</p></li>
<li><p>Verify that <em>NoScript</em> is activated again.</p>
<p><img class="img" height="190" src="https://tails.net/news/version_3.13.2/xpinstall-false.png" width="617" /></p></li>
</ol>
Claws Mail leaks plaintext of encrypted emails to IMAP serverhttps://tails.net/security/claws_mail_leaks_plaintext_to_imap/index.es.html2024-03-27T14:27:10Z2015-05-07T12:34:56Z
<p>We discovered that <em>Claws Mail</em>, the email client in Tails, stores plaintext
copies of all emails on the remote IMAP server, including those that are
meant to be encrypted.</p>
<ul>
<li>When sending an email, <em>Claws Mail</em> copies the email in plaintext to the
sending queue of the IMAP server before encrypting the email. <em>Claws
Mail</em> deletes this plaintext copy after sending the email.</li>
<li><em>Claws Mail</em> drafts in plaintext on the server. An email can be saved as
draft either:
<ul>
<li>Manually by clicking on the <strong>Draft</strong> button when composing an email.</li>
<li>Automatically if you selected the <strong>automatically save message to
Draft folder</strong> option in the writing preferences. This option is
deselected by default in Tails.</li>
</ul>
</li>
</ul>
<p><strong>All users of <em>Claws Mail</em> using IMAP and its OpenPGP plug-in are affected.</strong></p>
<p>Users of <em>Claws Mail</em> using POP are not affected.</p>
<div class="tip">
To know if you are using IMAP or POP, choose <span class="menuchoice">
<span class="guimenu">Configuration</span> ▸
<span class="guimenuitem">Edit accounts…</span></span> and refer
to the <span class="guilabel">Protocol</span> column in the list of
accounts.
</div>
<p>Unfortunately, we were not yet able to fix the problem automatically and for
everybody. This would require to either modify <em>Claws Mail</em> or to migrate to
a different application. Refer to the workarounds section to solve this
problem in your setup and please warn others around you.</p>
<h1>Workarounds</h1>
<h2>Verify the content of your <strong>Drafts</strong> folder</h2>
<p>First of all, verify the content of the <strong>Drafts</strong> folder on the server,
either through <em>Claws Mail</em> or through the web interface of your email
provider. Delete any plaintext email that might have been stored against
your will in this folder until now.</p>
<p>Then apply one of the other two workarounds to prevent more leaks in the
future.</p>
<h2>Use POP instead of IMAP</h2>
<p><em>Claws Mail</em> can connect to the email server using either the IMAP or POP
protocol.</p>
<ul>
<li>With IMAP, <em>Claws Mail</em> constantly synchronizes with the server and
displays the emails and folders that are currently stored on the
server. IMAP is better suited if you access your emails from different
operating systems.</li>
<li>With POP, <em>Claws Mail</em> downloads the emails that are in the inbox on the
server and possibly removes them from the server. POP is better suited
if you access emails from Tails only and store them in the persistent
volume.</li>
</ul>
<p>To know more, see also this Yahoo! Help page on <a href="https://help.yahoo.com/kb/mail-for-desktop/compare-differences-pop-imap-sln3769.html">comparing the differences
between POP and
IMAP</a>.</p>
<p>POP is not affected at all by this security problem. When using POP, only
encrypted emails are sent to the server. So consider switching to POP if you
have an email account dedicated to your activities on Tails. To do so:</p>
<ol>
<li><p>Choose <strong>File</strong> ▸ <strong>Add mailbox</strong> ▸ <strong>MH…</strong> to
create a local mailbox where to download your emails.</p></li>
<li><p>To store the mailbox in the persistent volume, specify
<code>.claws-mail/Mail</code> as location.
Make sure to type the <code>.</code> before
<code>claws-mail/Mail</code>.</p>
<p> <img class="img" height="246" src="https://tails.net/security/claws_mail_leaks_plaintext_to_imap/add_mailbox.png" width="355" /></p></li>
<li><p>Choose <strong>Configuration</strong> ▸ <strong>Edit accounts…</strong>, select
your IMAP account in the list of accounts, and click <strong>Delete</strong> to
delete it. Doing so does not delete any email stored on the server.</p></li>
<li><p>Click <strong>New</strong> and configure this new account as specified by your
email provider.</p>
<ul>
<li>In the <strong>Basic</strong> tab, make sure that the <strong>Protocol</strong> option is set to
<strong>POP3</strong>.</li>
<li><p>In the <strong>Receive</strong> tab, click on the <strong>Browse</strong> button of the <strong>Default
Inbox</strong> option and select the <strong>Inbox</strong> folder of the mailbox that you
created in step 2.</p>
<p><img class="img" height="318" src="https://tails.net/security/claws_mail_leaks_plaintext_to_imap/select_inbox.png" width="302" /></p></li>
<li><p>If you want to keep a copy of the received emails on the server, verify
the preferences in the <strong>Receive</strong> tab. We recommend you to disable the
<strong>Remove messages on server when received</strong> option until you make sure
that the emails are stored in the persistent volume.</p></li>
</ul>
</li>
<li><p>Close the preferences dialog and the list of accounts to go back to
the main window of <em>Claws Mail</em>.</p></li>
<li><p>Click on the <strong>Get Mail</strong> button to download all emails from the
inbox on the server. Emails in other folders are not downloaded.</p></li>
</ol>
<h2>Use local <strong>Drafts</strong> and <strong>Queue</strong> folders</h2>
<p>If you want to continue using IMAP, you should configure your IMAP account
to use <strong>Drafts</strong> and <strong>Queue</strong> folders stored in Tails instead of on the
server. To do so:</p>
<ol>
<li><p>Choose <strong>Add mailbox</strong> ▸ <strong>MH…</strong> to create a local
mailbox where to save your drafts and queued emails.</p></li>
<li><p>To store the mailbox in the persistent volume, specify
<code>.claws-mail/Mail</code> as location.
Make sure to type the <code>.</code> before
<code>claws-mail/Mail</code>.</p>
<p> <img class="img" height="246" src="https://tails.net/security/claws_mail_leaks_plaintext_to_imap/add_mailbox.png" width="355" /></p></li>
<li><p>Choose <strong>Configuration</strong> ▸ <strong>Edit accounts…</strong>, select
your IMAP account in the list of accounts, and click <strong>Edit</strong> to edit
its preferences.</p></li>
<li><p>Select <strong>Advanced</strong> in the left pane.</p></li>
<li><p>Select the <strong>Put queued messages in</strong> option, click <strong>Browse</strong>, and
select the <strong>Queue</strong> folder of the <strong>MH</strong> mailbox.</p></li>
<li><p>Select the <strong>Put draft messages in</strong> option, click <strong>Browse</strong>, and
select the <strong>Drafts</strong> folder of the <strong>MH</strong> mailbox.</p></li>
</ol>
<p><img class="img" height="221" src="https://tails.net/security/claws_mail_leaks_plaintext_to_imap/local_folders.png" width="551" /></p>
<h1>Long term solution</h1>
<p>As for the possible long term solutions to this problem, we are considering:</p>
<ul>
<li><p>Getting the development team of <em>Claws Mail</em> to <a href="http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2965">fix the problem
upstream</a>.
We contacted them about this problem already. Please help them provide a
technical solution if you can.</p></li>
<li><p>Replacing <em>Claws Mail</em> with <em>Icedove</em> (the name of <em>Mozilla Thunderbird</em>
in Debian). We have been willing to do so for years and this problem
motivates us to move faster.</p></li>
</ul>
<h1>Technical details</h1>
<h2>Leak through the sending queue</h2>
<p>When sending an email from an IMAP account, <em>Claws Mail</em> does the following:</p>
<ol>
<li><p>It connects to the IMAP server and stores a plaintext copy of the
email in the <strong>Queue</strong> folder on the server.</p></li>
<li><p>It encrypts the email locally.</p></li>
<li><p>It sends the encrypted email through the SMTP server.</p></li>
<li><p>It connects to the IMAP server and stores an encrypted copy of the
email in the <strong>Sent</strong> folder on the server.</p></li>
<li><p>It connects to the IMAP server and deletes the plaintext email
saved in step 1 from the <strong>Queue</strong> folder.</p></li>
</ol>
Security hole in I2P 0.9.13https://tails.net/security/Security_hole_in_I2P_0.9.13/index.es.html2024-03-27T14:27:10Z2014-07-24T21:15:00Z
<p>A security hole affects I2P 0.9.13, that is part of Tails 1.1 and earlier.</p>
<h1>Scope and severity</h1>
<p>If you are using I2P in Tails 1.1 and earlier, an attacker can deanonymize
you: they can learn the IP address that identifies you on the Internet.</p>
<p>To be able to conduct this attack:</p>
<ol>
<li><p>the attacker must be able to affect the content of a website that you are
visiting using the <a href="https://tails.net/doc/anonymous_internet/Tor_Browser/index.es.html">Tor Browser</a> in
Tails — many people are able to do so;</p></li>
<li><p>and, the attacker must find out how to exploit this security hole; this
information has not been published yet, but they may somehow already have
discovered it, or been made aware of it.</p></li>
</ol>
<div class="note">
<p><strong>Tails does not start I2P by default.</strong> This design
decision was made precisely in order to
protect the Tails users who do not use I2P from security holes in this
piece of software.</p>
<p>Still, an attacker who would also be able to start I2P on your
Tails, either by exploiting another undisclosed security hole, or by
tricking you into starting it yourself, could then use this I2P
security hole to deanonymize you.</p>
</div>
<h1>Temporary solutions</h1>
<p>You can protect yourself from this security hole until it is corrected.</p>
<p>Do not start I2P in Tails 1.1 and earlier. You can protect yourself further
by removing the <code>i2p</code> package every time you start Tails:</p>
<ol>
<li><a href="https://tails.net/doc/first_steps/welcome_screen/administration_password/index.es.html">Set an administration
password</a>.</li>
<li><p>Run this command in a <span class="application">Root Terminal</span>:</p>
<pre><code>apt-get purge i2p
</code></pre></li>
</ol>
<p>However, if you really need to use I2P in Tails 1.1: before you start I2P,
disable JavaScript globally <a href="https://tails.net/doc/anonymous_internet/Tor_Browser/index.es.html#noscript">with
NoScript</a> in the Tor Browser.</p>
<h1>Credits</h1>
<p>This security hole was reported to us by Exodus Intelligence.</p>
You have to upgrade Tor to fix a critical anonymity vulnerabilityhttps://tails.net/security/Upgrade_Tor/index.es.html2024-03-27T14:27:10Z2011-10-30T15:12:13Z
<div class="tip">
<p>This security issue was fixed in Tails 0.9.</p>
</div>
<p>The version of Tor currently shipped in Tails does not protect your
anonymity as it should. <strong>This vulnerability is critical.</strong></p>
<p>Until a future version of Tails is released (soon), the only way to have
Tails protect your anonymity is to <strong>upgrade Tor every time you start
Tails</strong>, by following the instructions bellow.</p>
<p>(Every time, really? Sure. Tails is amnesic: any change you make in it is
lost upon restart.)</p>
<p>To upgrade Tor, start a <em>Root Terminal</em> from the
<em>Applications</em> → <em>Accessories</em> menu, and type the following command in
there:</p>
<pre><code>apt-get update && apt-get install tor && service tor start
</code></pre>
<p>... then type <em>Enter</em>, and wait until the upgrade is completed, which may
take a few minutes. At this time, the Vidalia icon on the top right of the
screen should have changed from the usual green onion to a grey, red-crossed
one. Right click on it and choose <em>Exit</em> in the menu that opens. Then, start
a new Vidalia from the <em>Applications</em> → <em>Internet</em> menu.</p>
<p>Once this is done, you can safely use Tails as usual.</p>
<p>Want details? See the <a href="https://blog.torproject.org/blog/tor-02234-released-security-patches">Tor project's blog
post</a>
about it.</p>
Iceweasel exposes a rare User-Agenthttps://tails.net/security/Iceweasel_exposes_a_rare_User-Agent/index.es.html2024-03-27T14:27:10Z2010-09-03T01:15:14Z
<p>A Torbutton bug (<a href="https://bugs.debian.org/595375">Debian bug #595375</a>) makes Iceweasel expose a recognizable
User-Agent when the "Spoof US English Browser" setting is disabled, which is
the case in T(A)ILS 0.5.</p>
<h1>Impacto</h1>
<p>System administrators, webmasters and anyone able to read the logs of a
website are able to single out, amongst the visitors, the ones that are
using an affected Torbutton extension <em>and</em> have explicitly disabled the
"Spoof US English Browser" setting.</p>
<p>While T(A)ILS users are obviously not the only ones in this case, such a bug
eases fingerprinting.</p>
<p>The client IP address recorded in the webserver logs for such a connection
is the one of the Tor exit node used by the T(A)ILS user at this time.</p>
<h1>Solución</h1>
<p>Upgrade to T(A)ILS 0.6.</p>
<h1>Mitigation on T(A)ILS 0.5</h1>
<p>The following steps need to be done immediately after boot, <strong>before</strong>
running Iceweasel.</p>
<p>Run the following command in a terminal:</p>
<pre><code>gksudo gedit /etc/iceweasel/profile/user.js
</code></pre>
<p>... this opens a text editor. Delete the line that says:</p>
<pre><code>user_pref("extensions.torbutton.spoof_english", false);
</code></pre>
<p>... then save and quit. You can now run Iceweasel.</p>
<p>Beware! Changing this setting in the Torbutton preferences window is <strong>not</strong>
effective.</p>
<h1>Versiones afectadas</h1>
<p>Torbutton 1.2.5, included in T(A)ILS 0.5</p>