How safe is TOR really?

Silly question - but I assume, you can’t dictate exactly which exit node is used right? (isn’t that part of the design?). Reason I ask is suppose you could cloud host your own exit node in a particular region.

Ignoring the fact that the owner of the root cloud account would be traced, potentially, if you could use that exit node, you can at least guarantee that as long as the VPC/computer node running said exit node is not compromised?

I made too many assumptions here - thoughts? Just playing devil's advocate :thinking:

2 Likes

Most people that use TOR forget that TOR is for a very specific purpose. You can track a person directly via IP address, indirectly via traffic flow and indirectly via cookies.

TOR only protects against direct tracking. These days, AIs will see “Oh, you visit Level1Tech, LinusTechtips and Youtube, you also visit CryptoNews and mine some bitcoins, oh and I can see you’ve been to Amazon to look at some graphics cards.”

This information is enough to uniquely identify you or at least narrow it down to 10 people or so. Should you be stupid enough to visit any of these sites on TOR, you risk exposing yourself. Add to this that the web was never anonymous, but pseudonymous. True anonymity requires both a lot of inconvenience and knowledge to pull off, and even then any usage will leave a clue to your real identity.

So, yeah, TOR is to be seen as a first step towards anonymity, but TOR alone is like expecting an armored glove will give adequate protection in a swordfight.

5 Likes
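The "narrow it down to 10 people" point above is easy to see with a small anonymity-set calculation. This is an added example, not code from anyone in the thread; the population of users and the site names are constructed, and the numbers only illustrate the mechanism (a handful of niche sites shrinks the candidate set far faster than the popular ones do).

```python
"""Added example: how an observed browsing profile shrinks an anonymity set.

The population below is constructed for the example: every combination of
four popular sites, 20 users each (320 'ordinary' users), plus six users
who also visit niche sites. Nothing here is real data."""
from itertools import combinations

COMMON = ("youtube", "amazon", "reddit", "news")

def build_population():
    """Return {user_id: frozenset(sites visited)} for the constructed population."""
    users = {}
    uid = 0
    for k in range(len(COMMON) + 1):
        for combo in combinations(COMMON, k):
            for _ in range(20):
                users[uid] = frozenset(combo)
                uid += 1
    # Six constructed users who also visit niche sites; the fourth one is
    # the 'target' whose habits we will observe.
    niche = [
        {"youtube", "amazon", "level1techs"},
        {"youtube", "amazon", "level1techs", "linustechtips"},
        {"youtube", "level1techs", "linustechtips", "cryptonews"},
        {"youtube", "amazon", "level1techs", "linustechtips", "cryptonews", "gpu-shop"},
        {"reddit", "level1techs"},
        {"amazon", "gpu-shop"},
    ]
    for sites in niche:
        users[uid] = frozenset(sites)
        uid += 1
    return users

def anonymity_set(population, observed):
    """All users whose profile contains every site observed so far."""
    return {uid for uid, sites in population.items() if observed <= sites}

def narrowing(population, visits):
    """Size of the candidate set after each successive observed visit."""
    sizes, seen = [], set()
    for site in visits:
        seen.add(site)
        sizes.append(len(anonymity_set(population, seen)))
    return sizes

def site_rarity(population, site):
    """How many users in the population visit `site` at all; rare sites
    are the ones that do the identifying."""
    return sum(1 for sites in population.values() if site in sites)

if __name__ == "__main__":
    pop = build_population()
    trail = ["youtube", "amazon", "level1techs", "linustechtips", "cryptonews"]
    print("candidates after each visit:", narrowing(pop, trail))
    for s in ("youtube", "level1techs", "gpu-shop"):
        print(f"{s}: visited by {site_rarity(pop, s)} of {len(pop)} users")
```

Running it shows the candidate set dropping from 164 to 83 on the two popular sites, then to 3, 2 and finally 1 as the niche sites come in. Whether the adversary sees this through the exit node, through cookies, or through the sites themselves does not change the arithmetic.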

*giggles in chainmail mittens*

1 Like

Oh, don’t get me wrong here, armored gloves are great protection… But won’t do you much good if the sword lands on your arm, right? :slight_smile:

1 Like

One of the best solutions I’ve seen is using a 2 VM setup - one to connect to TOR and create a proxy, and nothing more. There’s some Linux OVAs out there for this. This proxy VM will have 2 network interfaces: External / Internal. Then spin up a new VM with your flavor of O/S and junk. This VM will only have 1 network interface: internal. Configure it to use TOR for all traffic.

This helps prevent things like DNS leaks or the OS doing some shady shit (in case you want winders).

However it does nothing to prevent self-sabotage. If you use the same screen names, write in the same way, visit the same sites, and all that garbage - you will be fingerprinted. There’s a couple good books / documentaries on the Dread Pirate Roberts and how he got caught. Wasn’t the technology’s fault.

Outside of that, if nobody is looking for you then TOR is fine as a layer to remove one layer of your identity.

2 Likes

I have been meaning to make a thread theorising about that; but I wonder if it would be better to write about such things via a separate account, though having typed this, any new account writing about such things will now be suspected to be me…

Frankly, I find thinking about such things utterly enthralling.

Edit:
Regarding non-technical attacks on anonymisation, I am reminded of the setup I imagined in another thread post:

I would assume that you can; your Tor client should be the only one that knows the full circuit, no? So the client would be the one to choose all three servers, including the exit.

What I am curious about is whether there is a technical limitation on the number of hops. Can I compile my own version of Tor that uses two or more relay/middle servers rather than one?

Edit:
This stackexchange post mentions the possibility of a one-hop circuit, and the answer mentions that servers can opt out of providing these with the AllowSingleHopExits toggle; I think this still makes sense even if clients choose the entire route, because an exit node could simply be detecting that the Tor instance it is being asked to exit for is not in the server directory, so must either be a bridge node or an end user.
Keep in mind I am theorising here, but if I am correct, there is no way for an exit node to distinguish a 2-hop circuit from a 3-hop.

1 Like

In The Art of Invisibility by Kevin Mitnick, Kevin goes over how just TOR isn’t enough, and honestly, even with all the gymnastics he says you have to be doing at the end of the book to have an anonymous persona, you still aren’t truly anonymous.

Stuff like TOR is cool, but for a while now it hasn’t been about the data, it has been all about the metadata.

3 Likes

I spent about three weeks digging into this rabbit hole once.

At the end of the tunnel I came out going:

“Fuck it. None of this is worth the amount of effort and hassle.”

It’s honestly kinda terrible just how easy it is to get burnt out on the topic; says a lot about the state of things too

1 Like

I think what is feasible and the effort required is highly dependent on what you want to do; imagine even with perfect technological anonymity, no “costs” at all, what is the end goal:

  1. Are you trying to create an entire persona?
    Ex: an undercover agent/spy
  2. or are you having one conversation only?
    Ex: an anonymous source
  3. or are you making a one-off submission?
    Ex: a whistleblower, or more maliciously: dox-er or dumping a trove of stolen Twitch data
  4. or are you just browsing, but not writing or creating/submitting anything?
    Ex: reading news in some authoritarian state

I suppose an awful lot of variance falls into the persona category I have concocted; pretending to be a normal forum user might require much less time than emulating a prolific user of social media.

2 Likes

You can VPN then run a VM with another VPN and another then TOR. Depends on your care factor.

Me, I google boobs all the time. Oops, bombs.

1 Like

People argue that VPN to VPN to Tor is worse than just using Tor, exactly because of traffic flow + that you can’t be anonymous when using a VSP (VPN Service Provider). The best it gets is Mullvad paying with crypto, but they still get your IP address, so a powerful adversary will get you nonetheless.

But if you just want to hide something that you wouldn’t want your coworkers to know (idk, you’re into BDSM or ASMR or other 4 letter dubious sounding activities), you don’t need n VPNs and Tor. In fact, just Tor or just a VPN would suffice. Depends on your threat model and what you are willing to do.

1 Like

Comes down to whether the VPN really does not save logs.

Many VPNs don’t save logs until they do. Like it happened with ProtonMail in Switzerland (the French LEO asked Interpol to ask the Swiss LEO to force ProtonMail to log a user’s IP). This can happen to any VPN company in the 14 eyes, which includes Mullvad. And you can’t know for sure that it won’t happen to someone in non-14 eyes either, like BoxPN.

So, the conclusion is that you cannot trust people, you can only trust math and sane designs. And even then, you could still have to worry about implementations and vulnerabilities.

So I have not seen this mentioned here so I will throw it out. Back in the late 2000s and early 2010s I was involved in a project known as garlic routing.

The basic concept is while an onion has many layers, you can still be identified by that one onion. Garlic routing takes a slightly different approach. One clove of garlic has many pieces. While you are still attached to the clove of garlic, you can break it up into smaller pieces that detach and reattach to different cloves to make you look like normal traffic along the way. The only problem with this is that it is slower than onion routing and while you can define how many times you can detach and reattach, exit nodes can override that and force more, but never less.

Just like Tor, it uses its own protocol and because there were far fewer users of the system, it was extremely slow. The other issue, good or bad, was that it could never drop out to access the regular internet. You would never be able to use it to check your gmail.

4 Likes

Based!

1 Like

From my understanding, the Navy didn’t develop this awesome routing protocol (TOR) alongside DARPA and say “Oh shit, we don’t know what to do with this, let’s just give it to MIT”. The release to the public was always part of the plan and critical to how TOR works. If the only people using TOR were alphabet agency spooks, diplomats, specops etc. then it would be entirely useless. Anybody looking for endpoint connections on the network would immediately know they’re looking at a person of interest.

By letting the TOR network be open for anyone to use it provides security through obscurity for the state actors using the network. It could be a US agent connecting, or a criminal, or a paranoid schmuck surfing ebay; there’s no way to tell them apart. That is the layer of anonymity that the US Govt wanted when they released TOR to the public.

2 Likes

This. Same with p2p file sharing protocols. Anonymity comes from blending into the background noise. Using a unique protocol — specifically designed to avoid detection — that is used by only a tiny number of people is like painting a massive bullseye on your chest and waving a red flag.

“Obscurity” got a bad name from the “Security vs Obscurity” debate, but it really does have a place in the toolkit of folks that care about privacy.

4 Likes

As with most things, everything is good in moderation and the truth is “a little of column A and a little of column B”

It’s like saying:

Bank Manager: “We have the most secure bank in the world! We’re located at ***** ; just try and break in!”

a short time later

Same Bank Manager: “…I can’t believe they managed it…”

lol the new CoD DRM comes to mind where they did the same thing, effectively.

You should always strive to implement good, multi-layered security, but why on earth would you then go and fucking brag about it? Your security layers aren’t something you want people testing.

1 Like

“nvidia unhackable driver”

I would argue you would want people testing your security, to make sure it actually works. That’s why Tor is public.

To stay on topic. TBH, most of Tor’s “issues” aren’t really Tor, the protocol (onion routing), issues, but user errors and the modern bloated web issues. If you are using sites you trust (basically like alphabet boys do), it should be fine, but when you don’t trust the sites you browse and you keep JS enabled, you always risk hitting a honeypot or a malicious website and get in trouble for no good reason other than curiosity.

Obscurity vs obfuscation

It has a bad name for a good reason. Just because you run Telnet on port 22 (SSH port) or an unencrypted website on port 443, that doesn’t make those protocols secure or even hidden, you can see the unencrypted traffic. And arguably this is somewhat better than doing what some people do and run insecure protocols, like RDP, on an ephemeral port (this can get discovered within minutes and you can see failed login attempts in the logs). But still, it’s not secure.

I think the term you are looking for is Obfuscation. Obscurity and Obfuscation are sometimes used interchangeably, but they are not quite the same (and no, I’m not “akhshually” you). In a dictionary, obfuscation means “hiding the truth behind complicated sounding words” (basically what politicians and lawyers do), while obscurity means “hard to see or rare.” In IT, obscurity has the meaning of “hiding in plain sight,” like the aforementioned usage of insecure protocols on well-known ports of secure protocols or on ephemeral ports, while obfuscation means “blending with something else.”

To give some examples of obfuscation, there are some privacy tactics that use obfuscation, like Ad Nauseam and TrackMeNot. Ad Nauseam is an ad clicker, as opposed to a mere ad blocker. It does hide ads from a webpage, but it also registers a click on every ad that gets blocked. The content doesn’t get loaded on your machine, but the ad servers will see a registered click. That way, your real preferences will get hidden in plain sight, with no real ability for profiling you, because you “like everything” and “click on everything.” TrackMeNot works in a similar fashion. The obfuscation part comes by doing random search queries on major web searches at random intervals, so your real preferences get hidden (like it searching for “dog food” for you, but you don’t have a dog). That way, your real queries are hidden among a sea of useless garbage queries, with not much one can do to profile you.

Over the years, there might have been updates to search engines and ad networks to prevent these kinds of tampering, not sure if those browser extensions got updated to counteract them though (simple things like having to click a link in your search engine query would show which were the real and which were fake queries, so TrackMeNot would need to also send a fake click on links too, just as an example, not sure what is happening behind those, because I’m not using them anymore).

Onion vs garlic obfuscation

This gets into the obfuscation of onion routing and garlic routing. Both onion and garlic routing work by creating virtual tunnels that your traffic has to go through. In onion land, obfuscation comes from the fact that all users’ traffic goes through certain nodes and gets mangled together, so you don’t know which request comes from where. With Tor, it gets a little sketchy when a powerful actor can launch many nodes and monitor the traffic, because onion routing is vulnerable to timing analysis (basically monitoring the metadata, so one can guess with a pretty good accuracy that a certain computer made a connection to another computer when you control a part of the tunnel and especially when you also control a honeypot). Garlic routing obfuscates traffic by combining multiple users’ packets (“cloves”) into a single bigger packet (“garlic”). When there is not enough traffic to make a whole “garlic,” from what I recall, additional junk is added to hide the real size, making timing and traffic analysis exponentially harder to do, if not impossible. Bonus point for garlic is that every user is a node (router) and the tunnels are short-lived, so traffic can go anywhere and you can’t guess which user goes where or if one goes anywhere at all and is not just traffic from other users.

Garlic routing suffers from the same web 2.0 issues that onion routing does, so a user can be deanonymized through malicious fingerprinting code (JS) and through user habit and speech (unless you only live inside the darkweb and you don’t have a persona on the clearnet - or if you did have one in the past, you used different enough speech and patterns to not be recognizable, not to mention not using the same usernames).

Anyway, the original point, which I deviated from, was that obscurity is garbage when it comes to security, obfuscation has its benefits in regards to privacy, but privacy cannot exist without security and people could use a good amount of both.

1 Like
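The timing analysis described in the post above (an adversary who watches both the entry side and the exit side and lines up the timestamps) and the "add junk so the real pattern is hidden" defence can both be shown with a toy simulation. This is an added example, not code from any post here or from the Tor or I2P projects; the packet timings, the fixed half-second transit time and the padding rate are all constructed, and the model is deliberately simple (a passive observer, one fixed latency, no jitter). It does not model real Tor padding, which is far more limited than this.

```python
"""Added example: toy end-to-end timing correlation and a cover-traffic defence.

Entry side  = packet timestamps seen on each client's link into the network.
Exit side   = packet timestamps seen on each destination's link out of it.
The adversary sees both sets but not which client belongs to which
destination, and tries to recover that mapping from transit time alone.
Every number below is constructed for the example."""

LATENCY = 0.5            # constructed: fixed transit time through the circuit, seconds
WINDOW = (0.45, 0.55)    # the adversary's guess at plausible transit times
OFFSETS = (0.0, 0.2, 0.5, 0.9, 1.4, 2.0)   # one client's burst pattern, seconds

def client_sessions(n_clients=5):
    """Constructed entry-side observations: client i starts its burst at
    t = i seconds, so the sessions overlap in time."""
    return {f"client{i}": [round(i + o, 2) for o in OFFSETS] for i in range(n_clients)}

def exit_observations(sessions):
    """Exit side: client i's packets reappear at dest i after LATENCY.
    This mapping is the ground truth the adversary does not get to see."""
    return {f"dest{i}": [round(t + LATENCY, 2) for t in times]
            for i, times in enumerate(sessions.values())}

def correlation_score(entry_times, exit_times):
    """Number of entry packets that have an exit packet a plausible
    transit time later; the crude 'metadata only' signal."""
    lo, hi = WINDOW
    return sum(1 for en in entry_times
               if any(lo <= ex - en <= hi for ex in exit_times))

def attribute(entry, exit_side):
    """For each destination, the unique best-scoring client, or None if
    several clients tie (the adversary cannot tell them apart)."""
    result = {}
    for dest, ex_times in exit_side.items():
        scores = {c: correlation_score(en_times, ex_times) for c, en_times in entry.items()}
        best = max(scores.values())
        winners = [c for c, s in scores.items() if s == best]
        result[dest] = winners[0] if len(winners) == 1 else None
    return result

def pad_entry_side(sessions, period=0.1, horizon=5.0):
    """Defence: every client emits one cell every `period` seconds whether
    or not it has data (real cells ride in the slots, dummy cells are
    dropped before the exit), so every entry-side stream looks identical."""
    slots = [round(k * period, 2) for k in range(int(horizon / period) + 1)]
    return {c: list(slots) for c in sessions}

if __name__ == "__main__":
    sessions = client_sessions()
    exits = exit_observations(sessions)
    print("no padding:   ", attribute(sessions, exits))
    print("with padding: ", attribute(pad_entry_side(sessions), exits))
```

Without padding every destination is attributed to the right client even though the sessions overlap, because only the true pair lines up at a half-second lag. With constant-rate cover traffic on the entry side, every client scores the same against every destination and the attribution collapses to ties. The cost is what the post above describes for garlic routing: a lot of bandwidth spent on junk, which is why Tor does not do this at anything like this rate.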

There are very practical and life-saving reasons to use TOR, such as a reporter in an oppressive country who wouldn’t think twice to launch a missile at an independent news reporter’s location.

TOR has its uses. It adds a layer of security, but how you use it is the key to make it secure.

If you want to use it, you have to determine who you are trying to protect yourself against. A full on government sponsored agency, or hiding your Emoji Movie torrent from your ISP (or anything in-between), and use it as such to achieve the level of anonymity you need.

BTW: Please don’t use TOR for torrents. It just slows down the network for everyone else. I was just making a point.

1 Like