Skip to content

Security: radio24/TorBox

Security

Report a vulnerability

SECURITY.md

Security Policy

Use it at your own risk!

TorBox is ideal for providing additional protection for the entire data stream up to the Tor network and overcoming censorship. However, anonymity is hard to get – solely using Tor doesn’t guarantee it. Malware, Cookies, Java, Flash, Javascript, and more will most certainly compromise your anonymity. Even the people from the Tor Project themselves state that “Tor can’t solve all anonymity problems. It focuses only on protecting the transport of data.” Therefore, it is strongly advised not to use TorBox if your well-being depends on your anonymity. In such a situation, it is advisable to use Tails.

Supported Versions / SHA-256 hashes

If you download the TorBox image file and/or the TorBox menu package from the TorBox website, you can check the integrity of the downloaded files with the provided SHA-256 hashes (for details, see here).

Updates (for example, by using entry 5 in the Update and Reset menu) are made only for the latest version. If possible, we describe the update path from the previous to the last version in the Blog post to a new version. Nevertheless, we recommend, if possible, using the new image.

Reporting a Vulnerability

To report security issues, send an email to anonym@torbox.ch.

For secure email communication, we are using Protonmail. All messages between Protonmail users are automatically end-to-end encrypted. Additionally, all messages in Protonmail inboxes are protected with PGP encryption to prevent Protonmail (or anyone else) from reading or sharing emails, a concept known as zero-access encryption. Creating a Protonmail email address is free and takes less than a minute. With Protonmail, anyone can use PGP regardless of their technical knowledge. However, technically versed, can also use our public PGP key to communicate with us:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP.js v4.10.10
Comment: https://openpgpjs.org

xjMEXemNYRYJKwYBBAHaRw8BAQdAH22RKj/kZRqZds03njk7tSFEgrYkbeFo
PRC3CwA2JwPNI2Fub255bUB0b3Jib3guY2ggPGFub255bUB0b3Jib3guY2g+
wncEEBYKAB8FAl3pjWEGCwkHCAMCBBUICgIDFgIBAhkBAhsDAh4BAAoJEOhJ
KVODQehAkY8A/A7vPC+6nPaGBiv7P6wryQ+THA97uEwRK0Rsx3TYlKHuAQDN
M4XH5G++eqqptaEv1daJEofwOnYxahJoHzYvdfZUBM44BF3pjWESCisGAQQB
l1UBBQEBB0Cp+yT4Ec5kmGaGWneulB/KSgXLkkMSVaD++dC9mrcTfQMBCAfC
YQQYFggACQUCXemNYQIbDAAKCRDoSSlTg0HoQArZAQD94cT2csOWOsqqx7+q
Ps0P1Udn2/jXRbO+XbfzBzjM6wEAq4Z4g0w03KkHC3aU8/fATEnbN2+TInLV
gNKTldrMtAg=
=eGoI
-----END PGP PUBLIC KEY BLOCK-----

There aren’t any published security advisories