I downloaded the Tor Browser a decade ago, maybe even longer, in an effort to be privacy conscious. I used it here and there but I never made the switch to using Tor by default. Some time later I remember reading the US government was tracking people, or had a list of everyone, who had simply downloaded Tor. I also vaguely remember reading about how using Tor could potentially expose you to legal risks because of the way the information hops between user computers. I don't really know much about networking or the nitty gritty of how Tor works so I uninstalled it.
I don't know if any of that was true and even if it was I'm sure a lot has changed with how Tor handles privacy and directs traffic. Are there any good resources for average Joe internet users to read about how the browser works so I can better understand the risks/rewards?
I mean there are a lot of resources but they are at a very high level. I don't think much has changed.
The basic idea is that with Tor, you make HTTPS connections to the "tor relay", a network of volunteers who route your traffic around the world to make it hard to track. You can use Tor in two ways: you can join the relay network and route traffic for others, or you can just use the browser and make queries. If you do decide to join the relay network you have an additional decision about whether you will be an "exit node", one that does the final request to the destination website and thus appears to be the initiator of the request. This is an option because it can be difficult on home internet setups: if someone uses your exit node to post a lot of stupid crap to Reddit and Reddit tries to IP-ban them, then you are suddenly IP-banned from Reddit at home, because you ran the exit node.
If you are just a user then the only thing you need to know is that there is a price for your privacy, which is that routing your traffic all the way around the world takes a little more time than sending it straight to you, and this has two effects -- a latency jump which exists basically no matter how big the network gets, and a slowdown in your bandwidth which depends on how big the network is relative to the number of people trying to browse with it.
> if someone uses your exit node to post a lot of stupid crap to Reddit ...
I think there’s a lot more to worry about than reddit shitposts eg straight up criminal activity apparently coming from your router, and in way you’d have difficulty proving was tor and not you or your family.
A subset of relay operators & other volunteers monitor the network for bad actors and report them to Tor Project who will then direct directory authority operators to blacklist those relays.
It can't be prevented on a technological level.
However there are attempts to detect bad nodes and ban them. Since the exit node doesn't know "who" is accessing the website it can't just temper with your content. So it would be detected asymptomatically.
I would have to say "it's not".. anything non-encrypted you risk being manipulated by a node of the TOR network. I bet there are people who act as relays just to try to sniff out any good non-HTTPS traffic.. although, I suppose generally anyone using TOR is mostly aware of this so there's probably not that much to gain.
Complete side note.. but this just reminds me of back when I was in college in the late 90s, and our entire apartment buildings traffic was a hub (not a switch).. so I had a packet sniffer running for fun on linux and could see everything from everyones internet since every single packet was rounting to every machine on the network, and lots of stuff had no encryption... nuts to think how open stuff was back in the day.
Pretty sure some switches (to this day) can be tricked into doing similar. eg send them a few specially crafted packets, and they fall back into broadcasting ~everything like a hub for some period of time.
Not from the point of view of "legal intercept" stuff, more like "switch gets confused and doesn't know how to route, so broadcasts as a workaround".
(be warned, I also did that as an exercise to learn more TypeScript. So it's not good TS. But improvements and issues are more than welcome from any TS gurus out there!)
I assume that GEBBL is either only familiar with the -phile suffix in the context of 'pedophile', or is implying that that could be the case for others.
If you're thinking about risks, it's important not to conflate 3 scenarios: (1) running a Tor exit node (potentially very risky), (2) running a Tor relay node, and (3) just using the Tor browser as a user (should probably be fine for most users - depends on what you use it for of course, and Tor by itself is of course not sufficient to solve all privacy issues - you can still be deanonymized if you're not careful).
Do you have any more information on how one could be deanonymized using Tor? I am aware of the browser fingerprinting and Tor themselves has a decent article about it but are there other methods that malicious parties could use?
To use an obvious example, if you log into an account you've previously logged into directly from your home computer.
More broadly, any privacy tech can be undone by poor 'operational security'. For example Ross Ulbricht - 'Dread Pirate Roberts' of Silk road - posted on StackOverflow under his own name to ask "How can I connect to a Tor hidden service using curl in php?" [1]
You could use Brave browser, it includes a Tor client which is accessed through the "new private window with Tor" menu item. I assume downloads of Brave might not be tracked by the US government, but then again, everything is tracked, it's just a matter of what behavior is likely to be flagged by an agency's algorithms.
It's true. Same applies with Tails. If your employer is one of the few with intelligence community shadow relationships,they will likely be alerted as well.
You will also be targeted for browser exploitation without a warrant. Tails in an isolated environment is probably the best way of using Tor.
The Tor Browser is scrutinized heavily. I know that is kind of a fallacious argument, but they have a routine presence at DefCon and they are really committed to protecting people around the world. At DefCon last year, the Tor project talked about the biggest security concern as countries who monitor the entry points to the network, and the challenges with getting those IPs distributed confidentially and keeping them hidden. (If you don't already know, Tor does require an entry IP address list before the anonymization occurs: countries can arrest people who visit these URLs, so this is the big challenge right now.)
Someone who knows more can probably elaborate, but after hearing them present year after year, and how much global advocacy they engage in, and their transparency, I find it unlikely they have NSA spooks embedded.
I use it when I need to read something objectionable through a VPN. (Still not perfect, because I run a VPN on EC2 and the exit zone is in the US...)
Not trying to be flame-baity here, but with Trump's ranting about making ANTIFA a terror org, and with the recent legislation that allows warrant-less IP tracking, I am legitimately concerned I might end up on a watch list because I visit a website this admin finds objectionable.
> If you don't already know, Tor does require an entry IP address list before the anonymization occurs: countries can arrest people who visit these URLs, so this is the big challenge right now.
Sorry, can you explain what this means? Would my home IP address be the "entry IP address" you're referring to?
You -> Relay 1 -> Relay 2 -> Relay 3 -> The website
Each arrow is an encrypted connection. The content of the exchange on a single arrow is the address of the next hop and the query of the next hop. Thanks to this:
- Relay 1 only knows you're going through Relay 2
- Relay 2 doesn't know who's asking (you) but knows it passed through Relay 1 and is going through Relay 3
- Relay 3 doesn't know who's asking (you) and where you entered, but knows it's going to the website
The nodes in the middle know everything that goes through them, but don't have the big picture.
The entry IP address is the IP address of Relay 1. Your computer must know an address to connect to, and that address is distributed in listings by the Tor Project. Since this listing is public, it also makes it easier for censors to censor, or at least detect who's interested in connecting through Tor
Do you know if GDPR prevents EU countries from obtaining IP logs for Amazon zones located there? I was hoping I could spin up an EC2 VPN in Europe and feel more secure that my IP logs can't be obtained by the US gov't. I use RunBox for email in Norway, which has the strictest privacy laws, but there is no AWS zone there. Any thoughts? Thanks.
> Do you know if GDPR prevents EU countries from obtaining IP logs for Amazon zones located there?
GDPR has specific exemptions for law enforcement and national security. Governments are allowed to get the data by claiming it's for national security. Some EU countries may have better protections than others.
To give better advice I guess people would want to know what your risk model is. Who do you think is after your data? What do you want to protect?
> For the first time, Tor Browser users on desktop will be able to opt-in for using onion sites automatically whenever the website makes them available.
Good. This is, in my opinion, one of the bigger pain points of the whole Tor experience.
I don't personally think the problem is with understanding how onion addresses work (I've explained them to my mother and she understands the concept pretty easily), it's just the user-experience that has always been kind of a pain - even for people that use Tor often and understand it well.
I don't use the Tor browser for a number of reasons, so I can only hope other browsers follow suit.
At a certain philosophical / high level, I don't like the idea of the 'human-memorable names' .onion feature.
It's politicising software. Open-source software should never have an official, hard-coded opinion about any of the content findable through it.
I've seen the Firefox org increasing do similar things when reading their email newsletter. It even stopped me donating to Firefox.
A core idea of Tor is to not censor. When you give special access to some sites, it feels like the opposite of net neutrality. That is on the censorship spectrum.
I guess it's not too bad if they never block any content at the protocol or software level, but at some point, giving certain content privileged features at the software/protocol level is a two-edged sword. It means you're forced to deny supporting other content.
Indeed, once Tor starts having an official opinion about online content at the browser level, who's to stop people starting to pressure Tor to block certain content, since they're basically starting to be in that realm now? It can be a slippery slope.
I'd prefer at the very least it be toned down to a third party add-on. It's great to make onion sites easier to access, of course. But it should be in a way that doesn't involve political or legal barriers for content creators.
---
BTW, I highly encourage anyone with a linux box at home just sitting there 24/7 to start an obfs4 bridge relay. It's not that hard, and low on resources. #tor-relays IRC extremely helpful in getting you set up.
I've been running one for about a year and it's provided tens/hundreds of GBs of Tor Internet to people hopefully in Asia, South America, and the Middle East - protesters who really, really need some help in anonymization or gaining access to blocked content.
On the topic of using Tor with a non-persistent OS, what I'd really like to see on that front is a federated encrypted bookmarking sync service integrated into the browser. Would be really neat if you could "sign-in" to the browser using a human-memorizable identifier to restore bookmarks and other settings.
Obviously that opens up additional attack surface for de-anonymization attacks, but I think it could be done reasonably securely given sufficient effort. (Hashing and key-stretching the login credentials, fetching bookmarks over a separate Tor circuit, storing the encrypted payload in a distributed database rather than a centralized server, etc.)
Done right, a system like that could potentially even lead to an open standard for synchronizing bookmarks, passwords, and other settings across different browsers.
Firefox Sync is federated? I only ever saw an option to sync using my Firefox account. (Which is a non-starter for Tor; since my Firefox account is tied to my email address.)
I also didn't realize it was an open standard. Are there any other implementations besides the one in Firefox? I couldn't find any information on that.
I wasn't aware of that. I don't use it a lot but I assumed the same thing and that something like https://www.invidio.us/ would be necessary to make it usable
Great to know thanks!
The Onion site autodiscovery has never worked for me when using Cloudflare's Onion routing. My sites (e.g. https://www.pastery.net/) include an alt-svc header, yet the browser never prompts me to switch to it. It does work for ProPublica, but not for my sites for which I have CF's Onion Routing enabled.
Has anyone else had this problem (or had this work)?
according to the blog post, alt-svc enables invisible onion services, which have been supported "for years". this new release enables "Onion Location", which is apparently presented in the address bar.
Oh hmm, I thought those were the same. I did think this has been supported for years, though I've never seen any indication that my browser is actually using the Onion service.
Anyone know what the HTML is for adding my onion address to my page for people visiting from the normal web entrance? I looked through the changelog for the bit about this auto-detection but didn't see it. Is it some sort of link tag thing in the <head> like,
<link rel="alternate" title="my site but on tor" href="superkuhbitj6tul.onion" />
brave browser has a "tor private window". such a great idea, since most people dont realize a private window is only private to their own browser. anyone know how updates to tor affect brave? it seems crucial it is kept to to date
updates to the tor library gets updated in brave most likely (if they care about its security)
updates to the Tor Browser shouldn't affect it mostly unless they like a feature and they want to add it.
Has anyone had any luck or done any experiments using OnionCat with Multicast? I've heard people can get 200MB/s+ doing this but potentially sacrificing some anonymity.
Indeed! This release promise more focus on usability and that's really great. human readable URLS and .onion headers can help newcomers get out to find their way and evade scams
For what it's worth, Tor has been my default browser for the past 5 years to 'surf' the net and the experience is incomparable from 3 years ago to today, so much improvement specially on news sites with the 'Toggle reader view' or Reddit, Twitter, etc.
Give it a go if your experience wasn't great a few years back.
Tor Browser tries to make your browser fingerprint look the same as all other Tor Browser users, while Brave does have some patches to try to handle that it's still very far from what Tor Browser offers.
wait! the most privacy centric iOS doesn't support Tor?! but Android does! I wonder is privacy is just Apple's PR but far from truth. The speech to text translation also they need to route via their servers. The contractors listen to recordings of Siri. Its time to unmask Apple's true face.
Jailbreaking is harder than rooting though and apple constantly fixes the holes so maintanence cost.
Few android manufacturers even have instructions to change your rom or root the phone. Lot of them support it while apple doesn't. Android is also open source so you can push your own changes at os level and reflash it . You can't do the same for iOS. You also have control over the hardware more than you do on iOS - way easily. Overclocking isn't possible on iphones.
I am not denying Android doesn't collect data. I am just saying Apple does it too and them being hypocrite in this argument about privacy. You still missed the point on why Tor is not supported on iOS?!
I use Tor Browser for most of my day to day browsing to foil all the non-governmental corporate botnet spying. Of course I’m under no illusions that it secures you against the government. But I don’t do anything naughty so I’m not worried.
Why do you think it fails as basic security against the government? Honestly curious. And what would you suggest instead. To my knowledge many dissidents and activists around the world are specifically using TOR because it supposedly does indeed provide protection against government tracking.
> Why do you think it fails as basic security against the government?
Tor connections against normal sites use 3 hops while they use 6 hops against onion sites. Controlling or potentially even analysing the traffic from 2 of the hops is enough to know where the user connects to (it might be 4 hops for the onion case but I am not sure). I am pretty sure that NSA has enough resources for their own nodes. I2P has a better architecture in general but it still does not solve the issue. I am looking into evaluating lokinet at the moment.
In general tor does not have a great track record. For example they took ages to upgrade from an 80-bit sha-1 truncated address scheme with dh1024 and aes128 into something more modern.
Okay, definitely a bit less practical, but what about using TOR with TAILS on a laptop that's dedicated to nothing else (laptops for TAILS use generally shouldn't run over top of a Windows or regular OS installation). Furthermore, using said machines or TOR alone from an IP address that isn't one's own identifiable address.
That aside, what do you concretely propose as alternatives to TOR for the seriously privacy-conscious (and those, such as activists and dissidents, who need anonymity in a life-or-death way.
Are you kidding? What part of "Tor connections against normal sites use 3 hops while they use 6 hops against onion sites. Controlling or potentially even analysing the traffic from 2 of the hops is enough to know where the user connects to (it might be 4 hops for the onion case but I am not sure). I am pretty sure that NSA has enough resources for their own nodes" seems like a hunch?
Do you have something that you disagree with? If so just say it.
Dissidents and activists have been busted using Tor and there’s always a friendly government damage control agent ready to pop up (any forum, any time of day) to remind people that Tor couldn’t possibly be backdoored or owned, it was always some other type of thing they used in parallel construction.
Over-shilling is what clued next in. You don’t get this kind of response without a massive panopticon dispatching reputation managers. Why the heck would the NSA write NSA proof software? LOL.
EDIT: this is in reply to mapgrep and his crew:
Did I say I won't use Tor Browser? Is it really necessary to put words into my mouth to make your point? I've noticed this a lot with people who are very very lightning fast, almost unbelievably fast, to defend Tor on any forum or platform on the Internet. The speed at which it occurs, and the typical over-the-top, rude, and unnecessary attempts to make people seem to say things they 100% have not.
You should apologize. Obviously the NSA has broken Tor, they made it. Forget about current funding, where'd it originate?
And why does the Tor Project publish a list of exit nodes?
The fact that the US government, largely through Open Technology Fund, originally an arm off the State Department (via Radio Free Asia!), has arguably done more to fund core internet privacy technologies than the private sector is an indictment of the private sector, not of the U.S. government.
We should absolutely be aware of funding sources, skeptical of code written by other people, etc, but if you were to actually enforce in your life a position that you won’t use any security or privacy technology with funding ties to the USG you will quickly find yourself in quite an untenable position.
AES which is the encryption standard for asymmetric crypto and used everywhere (including by the gubment) was designed by the NSA. So what's your point?
Fair enough, but my point against the tinfoil hattery still stands; Just because the gubment was involved with it's inception doesn't mean it has backdoors.
* Exit nodes might be run by malicious actors and unless you enforce always https they might snoop credentials.
* If you login to platforms like google/facebook/twitter/stock overflow it might still be possible to track you.
If you're worried that your employer is spying on you then tor can't help because they already have administrative access on your computer. I personally have a rule to never log into personal accounts from corporate devices.
Listen I'm not some Antifa here bombing the hell out of the next city over. I'm merely avoiding the botnet. How is it risky? What's the worst that could happen, I get tracked by the same people who would 100% track me without Tor Browser?
well, if you open non-HTTPS links you're trusting the exit node operator not not fuck with your data and to not snoop on it.
So... don't do anything important without HTTPS. Same as always. As for the corporate spying... totally agree, worst case you didn't gain nor lose
Right, this is important to understand. The use of Tor isn't just about subverting government information gathering. But it's just as important in the fight against corporate collection, maybe even more so.
I'm (personally) less concerned about government spying on me than I am about corporations. That's not to justify government overreach, but I don't like the prospects of corporations like google, facebook, twitter holding as much (or more) of my information as the government does.
> From a privacy point of view, couldn't you use multiple VPNs?
I don't see what could be gained from nesting VPNs because you're identifying yourself to the innermost VPN. Tor is designed so that exit nodes don't know who you are.
I don't know if any of that was true and even if it was I'm sure a lot has changed with how Tor handles privacy and directs traffic. Are there any good resources for average Joe internet users to read about how the browser works so I can better understand the risks/rewards?
The basic idea is that with Tor, you make HTTPS connections to the "tor relay", a network of volunteers who route your traffic around the world to make it hard to track. You can use Tor in two ways: you can join the relay network and route traffic for others, or you can just use the browser and make queries. If you do decide to join the relay network you have an additional decision about whether you will be an "exit node", one that does the final request to the destination website and thus appears to be the initiator of the request. This is an option because it can be difficult on home internet setups: if someone uses your exit node to post a lot of stupid crap to Reddit and Reddit tries to IP-ban them, then you are suddenly IP-banned from Reddit at home, because you ran the exit node.
If you are just a user then the only thing you need to know is that there is a price for your privacy, which is that routing your traffic all the way around the world takes a little more time than sending it straight to you, and this has two effects -- a latency jump which exists basically no matter how big the network gets, and a slowdown in your bandwidth which depends on how big the network is relative to the number of people trying to browse with it.
I think there’s a lot more to worry about than reddit shitposts eg straight up criminal activity apparently coming from your router, and in way you’d have difficulty proving was tor and not you or your family.
One of those volunteers is nusenu: https://medium.com/@nusenu/the-growing-problem-of-malicious-...
Complete side note.. but this just reminds me of back when I was in college in the late 90s, and our entire apartment buildings traffic was a hub (not a switch).. so I had a packet sniffer running for fun on linux and could see everything from everyones internet since every single packet was rounting to every machine on the network, and lots of stuff had no encryption... nuts to think how open stuff was back in the day.
Not from the point of view of "legal intercept" stuff, more like "switch gets confused and doesn't know how to route, so broadcasts as a workaround".
After that, check out the video explaining how hidden services work.
If you want to see a simple implementation of an onion router, I built one in TypeScript: https://github.com/seisvelas/onion-router-ts
(be warned, I also did that as an exercise to learn more TypeScript. So it's not good TS. But improvements and issues are more than welcome from any TS gurus out there!)
https://blog.torproject.org/browser-fingerprinting-introduct...
More broadly, any privacy tech can be undone by poor 'operational security'. For example Ross Ulbricht - 'Dread Pirate Roberts' of Silk road - posted on StackOverflow under his own name to ask "How can I connect to a Tor hidden service using curl in php?" [1]
[1] https://arstechnica.com/information-technology/2013/10/silk-...
You will also be targeted for browser exploitation without a warrant. Tails in an isolated environment is probably the best way of using Tor.
Someone who knows more can probably elaborate, but after hearing them present year after year, and how much global advocacy they engage in, and their transparency, I find it unlikely they have NSA spooks embedded.
I use it when I need to read something objectionable through a VPN. (Still not perfect, because I run a VPN on EC2 and the exit zone is in the US...)
Not trying to be flame-baity here, but with Trump's ranting about making ANTIFA a terror org, and with the recent legislation that allows warrant-less IP tracking, I am legitimately concerned I might end up on a watch list because I visit a website this admin finds objectionable.
Sorry, can you explain what this means? Would my home IP address be the "entry IP address" you're referring to?
Tor works pretty much like this:
You -> Relay 1 -> Relay 2 -> Relay 3 -> The website
Each arrow is an encrypted connection. The content of the exchange on a single arrow is the address of the next hop and the query of the next hop. Thanks to this:
- Relay 1 only knows you're going through Relay 2
- Relay 2 doesn't know who's asking (you) but knows it passed through Relay 1 and is going through Relay 3
- Relay 3 doesn't know who's asking (you) and where you entered, but knows it's going to the website
The nodes in the middle know everything that goes through them, but don't have the big picture.
The entry IP address is the IP address of Relay 1. Your computer must know an address to connect to, and that address is distributed in listings by the Tor Project. Since this listing is public, it also makes it easier for censors to censor, or at least detect who's interested in connecting through Tor
https://en.wikipedia.org/wiki/CLOUD_Act
So, don't use EC2 or stuff hosted by other US companies for things to you want to keep private from the US gov.
Also note the US gov shares intelligence with other countries, as mentioned by a sibling post.
GDPR has specific exemptions for law enforcement and national security. Governments are allowed to get the data by claiming it's for national security. Some EU countries may have better protections than others.
To give better advice I guess people would want to know what your risk model is. Who do you think is after your data? What do you want to protect?
Mostly curiosity: what is the highest degree I can obscure my web use and meta data with off-the-shelf technologies?
Good. This is, in my opinion, one of the bigger pain points of the whole Tor experience.
I don't personally think the problem is with understanding how onion addresses work (I've explained them to my mother and she understands the concept pretty easily), it's just the user-experience that has always been kind of a pain - even for people that use Tor often and understand it well.
I don't use the Tor browser for a number of reasons, so I can only hope other browsers follow suit.
It's politicising software. Open-source software should never have an official, hard-coded opinion about any of the content findable through it.
I've seen the Firefox org increasing do similar things when reading their email newsletter. It even stopped me donating to Firefox.
A core idea of Tor is to not censor. When you give special access to some sites, it feels like the opposite of net neutrality. That is on the censorship spectrum.
I guess it's not too bad if they never block any content at the protocol or software level, but at some point, giving certain content privileged features at the software/protocol level is a two-edged sword. It means you're forced to deny supporting other content.
Indeed, once Tor starts having an official opinion about online content at the browser level, who's to stop people starting to pressure Tor to block certain content, since they're basically starting to be in that realm now? It can be a slippery slope.
I'd prefer at the very least it be toned down to a third party add-on. It's great to make onion sites easier to access, of course. But it should be in a way that doesn't involve political or legal barriers for content creators.
---
BTW, I highly encourage anyone with a linux box at home just sitting there 24/7 to start an obfs4 bridge relay. It's not that hard, and low on resources. #tor-relays IRC extremely helpful in getting you set up.
I've been running one for about a year and it's provided tens/hundreds of GBs of Tor Internet to people hopefully in Asia, South America, and the Middle East - protesters who really, really need some help in anonymization or gaining access to blocked content.
Not having memorable names makes it tough for people that use a non-persistent OS for Tor. I'm all for creating more accessible URLs.
Obviously that opens up additional attack surface for de-anonymization attacks, but I think it could be done reasonably securely given sufficient effort. (Hashing and key-stretching the login credentials, fetching bookmarks over a separate Tor circuit, storing the encrypted payload in a distributed database rather than a centralized server, etc.)
Done right, a system like that could potentially even lead to an open standard for synchronizing bookmarks, passwords, and other settings across different browsers.
I also didn't realize it was an open standard. Are there any other implementations besides the one in Firefox? I couldn't find any information on that.
It's never worked for me. Just shows a page with the Noscript "this is being blocked" logo.
Maybe you turned off Noscript?
Edit: nvm it is working now.
Automatic detection of onion versions of sites sounds great.
Edit: refreshed once, still worked. Refreshed again, "You are not authorized to access this page. " Refreshed a third time, worked again.
but you might start to get downvoted on HN when this gets fixed
Has anyone else had this problem (or had this work)?
<link rel="alternate" title="my site but on tor" href="superkuhbitj6tul.onion" />
The article didn't say the exact name of the header but it mentions support.torproject.org uses it so looking into its headers:
https://trac.torproject.org/projects/tor/ticket/28005
Give it a go if your experience wasn't great a few years back.
Yeah you can root the 'droid and ditch the Goog Play Store, but you can jailbreak iOS.
Few android manufacturers even have instructions to change your rom or root the phone. Lot of them support it while apple doesn't. Android is also open source so you can push your own changes at os level and reflash it . You can't do the same for iOS. You also have control over the hardware more than you do on iOS - way easily. Overclocking isn't possible on iphones.
For information, there was a similar initiative by Namecoin with .bit.onion: https://www.namecoin.org/docs/tor-resolution/ncprop279/stemn...
Tor connections against normal sites use 3 hops while they use 6 hops against onion sites. Controlling or potentially even analysing the traffic from 2 of the hops is enough to know where the user connects to (it might be 4 hops for the onion case but I am not sure). I am pretty sure that NSA has enough resources for their own nodes. I2P has a better architecture in general but it still does not solve the issue. I am looking into evaluating lokinet at the moment.
In general tor does not have a great track record. For example they took ages to upgrade from an 80-bit sha-1 truncated address scheme with dh1024 and aes128 into something more modern.
That aside, what do you concretely propose as alternatives to TOR for the seriously privacy-conscious (and those, such as activists and dissidents, who need anonymity in a life-or-death way.
This does not really help regarding what I mentioned.
> using said machines or TOR alone from an IP address that isn't one's own identifiable address
Slightly better I guess but in most cases you can still be identified.
> what do you concretely propose as alternatives to TOR for the seriously privacy-conscious
Honestly, no idea. I would keep using tor for the time being but we really need an alternative.
Do you have something that you disagree with? If so just say it.
I.e. either always use HTTPS sites, or .onion sites. No HTTP unencrypted sites.
Dissidents and activists have been busted using Tor and there’s always a friendly government damage control agent ready to pop up (any forum, any time of day) to remind people that Tor couldn’t possibly be backdoored or owned, it was always some other type of thing they used in parallel construction.
Over-shilling is what clued next in. You don’t get this kind of response without a massive panopticon dispatching reputation managers. Why the heck would the NSA write NSA proof software? LOL.
EDIT: this is in reply to mapgrep and his crew:
Did I say I won't use Tor Browser? Is it really necessary to put words into my mouth to make your point? I've noticed this a lot with people who are very very lightning fast, almost unbelievably fast, to defend Tor on any forum or platform on the Internet. The speed at which it occurs, and the typical over-the-top, rude, and unnecessary attempts to make people seem to say things they 100% have not.
You should apologize. Obviously the NSA has broken Tor, they made it. Forget about current funding, where'd it originate?
And why does the Tor Project publish a list of exit nodes?
We should absolutely be aware of funding sources, skeptical of code written by other people, etc, but if you were to actually enforce in your life a position that you won’t use any security or privacy technology with funding ties to the USG you will quickly find yourself in quite an untenable position.
Some others (such as chacha20) are pretty popular too. This is the only cipher used by wireguard and one of the ciphers used by ssh and tls.
> was designed by the NSA
No it was not. It was designed by two Belgian cryptographers (the same ones that did SHA3).
> for asymmetric crypto
Symmetric
No offence but you seem quite clueless.
* Exit nodes might be run by malicious actors and unless you enforce always https they might snoop credentials.
* If you login to platforms like google/facebook/twitter/stock overflow it might still be possible to track you.
If you're worried that your employer is spying on you then tor can't help because they already have administrative access on your computer. I personally have a rule to never log into personal accounts from corporate devices.
I'm (personally) less concerned about government spying on me than I am about corporations. That's not to justify government overreach, but I don't like the prospects of corporations like google, facebook, twitter holding as much (or more) of my information as the government does.
From a privacy point of view, couldn't you use multiple VPNs?
I don't see what could be gained from nesting VPNs because you're identifying yourself to the innermost VPN. Tor is designed so that exit nodes don't know who you are.
I imagine you could pick a few Anti US government VPNs and at least 1 wouldn't cooperate.
Assuming it's a commercial VPN it has your billing data and doesn't matter that you connected to it via another VPN.
You can hide the fact that you're using Tor by using bridges with or without pluggable transports.
> From a privacy point of view, couldn't you use multiple VPNs?
No amount of chained VPNs will offer you browser fingerprinting resistance or privacy by design.