Eine Sicherheitslücke betrifft I2P 0.9.13, das Teil von Tails 1.1 und früher ist.

Umfang und Schweregrad

If you are using I2P in Tails 1.1 and earlier, an attacker can deanonymize you: they can learn the IP address that identifies you on the Internet.

To be able to conduct this attack:

  1. the attacker must be able to affect the content of a website that you are visiting using the Tor Browser in Tails — many people are able to do so;

  2. and, the attacker must find out how to exploit this security hole; this information has not been published yet, but they may somehow already have discovered it, or been made aware of it.

Tails does not start I2P by default. This design decision was made precisely in order to protect the Tails users who do not use I2P from security holes in this piece of software.

Still, an attacker who would also be able to start I2P on your Tails, either by exploiting another undisclosed security hole, or by tricking you into starting it yourself, could then use this I2P security hole to deanonymize you.

Temporary solutions

You can protect yourself from this security hole until it is corrected.

Starten Sie I2P nicht in Tails 1.1 und früher. Sie können sich weiter schützen, indem Sie das Paket i2p bei jedem Start von Tails entfernen:

  1. Set an administration password.
  2. Run this command in a Root Terminal:

    apt-get purge i2p

However, if you really need to use I2P in Tails 1.1: before you start I2P, disable JavaScript globally with NoScript in the Tor Browser.


This security hole was reported to us by Exodus Intelligence.