On 5/4/15, coderman <coderman@gmail.com> wrote:
... this deserves a longer answer, but you're right. if the attacker is using Tor itself a Tor enforcing gateway can't protect against those attacks.
i have updated the document to make this more clear.
it is hard to express the nuance of vulnerability here. for example, on Windows, if you can access file APIs, even from within a sandbox, you can reference a network path (WebDAV, SMB, etc.) that leverages system services to make a proxy bypass request, or a socks wrapper bypass request.
that is a very different level of risk compared to arbitrary remote execution with priv escalation - at the end of that chain, your attacker can read serial numbers off components for a perfect match, then report the results back along the hidden service command and control link.
the first can be mitigated by a Tor enforcing router, while the second is game over every time.
there is a rich field of mixed threats in-between, and mitigating measures clients can take, but the short of it is that endpoint security is and always will be critical to security and privacy.
best regards, and thanks again for your questions!
p.s. i also changed the Onion service FAQ entry to mention that one-time ephemeral hostnames are used by default, with the persistent and vanity hostname options available to opt in to explicitly.