How safe is TOR really?

Dude, I love the idea and swear I thought of this when I was 15 after smoking a bowl out of an onion with a friend. lol just kiddin, or am I ?

well I can’t remember so I wanted to ask, How safe is TOR really? I mean the US Navy made it in collab with DARPA yea? I mean they made this reall cool thing then, said oh shit, there is no use for this, so let’s give it to MIT to see what those guys can do with it? Is this really trusted without any malicious intention?

I read today, that they can track people through TOR, decrypt the entry and exit data points to / from the Onion router network, so I was just curious as to your thoughts. After reading a few comprehensive reviews, I see others feel the same way? What say you?

From what I understand, it is still one of the more secure options available to anonymously browse and use the web. The issue comes in that as you increase security and privacy, you have more and more things you have to do exactly right to prevent being identified. This means you have to be extremely strict, and your attention to detail needs to be near fanatical.

There was a case awhile back of a guy who submitted a bomb threat through tor, but was caught because despite utilizing tor, he was identified due to the simple mistake of where he used it. Simple mistake, but he was ID’ed.

Not to say that you are wanting to do illegal things; Most users of tor just value their privacy. Most likely, your traffic is just ignored. But… Even on tor, Best not to draw attention to your traffic, and read through and follow best practices while using it.

3 Likes

I mean its ok but who are you hiding from? I mean you can be identified if a big enough fish wants to know.

7 Likes

Just by using tor, you’re on a list.

TOR attracts more attention than it hides, so unless youre ordering hooker assassins to deliver cocaine, I would just stick to normal browsing.

13 Likes

And to clarify, yes. If you own the exit nodes, you own the users. That said, they implemented some patches to attempt mitigation on it, but I think the NSA just said “let’s not mention this next time we break it”

9 Likes

Also, building on this, don’t forget that the govt literally runs/owns a lot of the nodes on the TOR network specifically because of this.

So, by all means, it’s useful, as long you don’t get the NSA or someone a good reason to go after you.

2 Likes

Right, and what good reason would be to put someone on a list? I remember reading about some people who did that, in middle school, and I wonder what reason they gave them to be put on a list. You realize where this is going right? Just by using the Internet, will be a reason to target you. It’s already been happening for crying out loud. Who do I have to watch out for? Who is big brother? yes, who is big brother . . .
Do I really need a reason to shy away from unconstitutional violations of my civil and constitutional rights?

Seems kinda sad, the white house lead cyber sec guy quite outright and stated the US are like children compared to China when it comes to compute. We are only the product after all, there are no rights. This is the reality we live in today.

1 Like

Not sure what your getting at? Like, we live in one of the Five Eyes. The govt believes in being proactive in keeping an eye on the us all, for good and ill.

/shrug

Saying that we think it’s a terrible situation from a privacy and security perspective doesn’t really affect anything.

1 Like

Make sure you don’t stray any further toward pol your close to the line, but still on the correct side.

5 Likes

I don’t mean to get political. I see the Gov ramping up agendas as it needs but after we have a huge war, that is usually self inflicted and I just can’t help but connect the dots. Its an easy repeating pattern that has occurred more than three times which by scientific standards is not a coincident. Now I am depressed. Time for a walk.

1 Like

TOR needs legitimate traffic in order to create sufficient noise surrounding it to be effective in anonymizing the users. How many normies do you think know and use TOR? Do you think it is enough to mask and hide you?

Its probably reasonably safer to use a VPN to ride with all people exploiting availability of the Netflix/Hulu/Amazon Prime shows and hide with their traffic all over the net.

3 Likes

Yep.

A lot of people fall into this trap of thinking that what they want to do is use burner accts, hardened Firefox configurations, etc…

The trap being that you actually become easier to fingerprint and differentiate from normal traffic.

Some of the best ways to stay anonymous nowadays is to work at blending in with other traffic

4 Likes

I learned today that this is called obfuscation. :smiley:

4 Likes

>How safe is TOR really?
As safe as you make it to be. Now we have to define “safe.” I will assume “safe from a potential adversary.”

AFAIK, Tor is relatively safe, as long as you stay inside the network, however, there are a lot of stuff to consider. Besides the “attacks” (they are just dumb links) that redirect you from a .onion domain to a clearnet domain, there are things that can be used to track you, mostly JavaScript, used for browser fingerprinting. Then, there is the human element. If you use the same browser on Tor that you use for the clearnet, you’re in for a big surprise when cookies and tracking pixels identify you. For that matter, it’s better that you use an entirely different device or VM for that and that you lock it really tight. If you start logging in to sites that have .onion domains (like facebook), well, then you’re doing it wrong. Also, don’t use the same pseudonyms that you used on the clearnet. And don’t use emails that are not available as a hidden service.

https://geti2p.net/en/comparison/tor

All the links have some information about Tor and some usage. TBH, there is not much of a reason to go on Tor, unless you got friends there already. Sorry for shilling for Mental Outlaw so much, but he’s got good and entertaining videos (well, at least I find them entertaining).

6 Likes

Silly question - but I assume, you can’t dictate exactly which exit node is used right? (isn’t that part of the design?). Reason I ask is suppose you could cloud host your own exit node in a particular region.

Ignoring the fact that the owner of the root cloud account would be traced, potentially, if you could use that exit node, you can at least guarantee that as long as the VPC/computer node running said exit node is not compromised?

I made too many assumptions here - thoughts? Just playing devils advocate :thinking:

2 Likes

Most people that use TOR forget that TOR is for a very specific purpose. You can track a person directly via IP address, indirectly via traffic flow and indirectly via cookies.

TOR only protects against direct tracking. These days, AIs will see “Oh, you visit Level1Tech, LinusTechtips and Youtube, you also visit CryptoNews and mine some bitcoins, oh and I can see you’ve been to Amazon to look at some graphics cards.”

This information is enough to uniquely identify you or atleast narrow it down to 10 people or so. Should you be stupid enough to visit any of these sites on TOR, you risk exposing yourself. Add to this that the web was never anonymous, but pseudonymous. True anonymity require both a lot of inconvenience and knowledge to pull of, and even then any usage will leave a clue to your real identity.

So, yeah, TOR is to be seen as a first step towards anonymity, but TOR alone is like expecting an armored glove will give adequate protection in a swordfight.

5 Likes

*giggles in chainmail mittens*

1 Like

Oh, don’t get me wrong here, armored gloves are great protection… But won’t do you much good if the sword lands on your arm, right? :slight_smile:

1 Like

One of the best solutions I’ve seen is using a 2 VM setup - one to connect to TOR and create a proxy, and nothing more. There’s some linux OVAs out there for this. This proxy VM will have 2 network interfaces External / Internal. Then spin up a new VM with your flavor of O/S and junk. This VM will only have 1 network interface: internal. Configure it to use the TOR for all traffic.

This helps prevent things like DNS leaks or the OS doing some shady shit (in case you want winders).

However it does nothing to prevent self-sabotage. If you use the same screen names, write in the same way, visit the same sites, and all that garbage - you will be fingerprinted. There’s a couple good books / documentaries on the dread pirate roberts and how he got caught. Wasn’t the technology’s fault.

Outside of that, if nobody is looking for you then TOR is fine as a layer to once remove a layer of your identity.

2 Likes

I have been meaning to make a thread theorising about that; but I wonder if it would be better to write about such things via a separate account, though having typed this, any new account writing about such things will now be suspected to be me…

Frankly, I find thinking about such things utterly enthralling.

Edit:
Regarding non-technical attacks on anonymisation, I am reminded of the setup I imagined in another thread post:


I would assume that you can; your Tor client should be the only one that knows the full circuit, no? So the client would be the one to choose all three servers, including the exit.

What I am curious about, is whether there is a technical limitation on the number of hops? Can I compile my own version of Tor that uses two or more relay/middle servers rather than one?

Edit:
This stackexchange post mentions the possibility of a one-hop circuit, and the answer mentions that servers can opt out of providing these with the AllowSingleHopExits toggle; I think this still makes sense even if clients choose the entire route, because an exit node could simply be detecting that the Tor instance it is being asked to exit for is not in the server directory, so must either be a bridge node or an end user.
Keep in mind I am theorising here, but if I am correct, there is no way for an exit node to distinguish a 2-hop circuit from a 3-hop.

1 Like