I had been meaning to run a Tor relay for a while. The EFF Tor Challenge [0] motivated me to get it done. It was incredibly easy. If you have a VPS with unused bandwidth, please consider taking a few minutes to set up a Tor relay.
Keep in mind though when setting this up to take a close look at your exit policy settings, to ensure you only route the traffic you want and where you want it.
I span up a relay at home to play around with, but just skimmed over the exit policy settings and ended up running an exit node. Not big deal really, as it was only advertised for about 14 hours before I noticed and disabled it. It was only after a few weeks when my girlfriend was complaining she kept getting messages from websites refusing to show her content on the basis that she was connecting over the Tor network (which she wasn't) that I realised my home IP was blacklisted, and it took a while for me to get a new lease and IP.
I'm not telling people to not run exit nodes, but people shouldn't just go and spin up a Tor relay with default settings, because it will by default run as an exit node, and depending on the hosting provider, this may or may not be an issue.
My distro's tor setup (arch in this case) should default to not being an exit node, relevant default lines in the torrc:
ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
ExitPolicy accept *:119 # accept nntp as well as default exit policy
ExitPolicy reject *:* # no exits allowed
Installing via `pacman -S tor` and enabling via `systemctl enable tor.service` doesn't start an exit node / relay but a simple client.
As I recall, best practice for running an exit node at home (if you want to do it) is to have a separate Internet connection for it. That way you keep your traffic separate from the exit node traffic.
I have a very strong suspicion that Tor is completely compromised, and that's actually how they caught Ross Ulbricht (Silk Road). All the stuff about his previous posting, etc, is tenuous and circumstantial-- it seems totally feasible that it is parallel construction.
The "Tor Sucks" document is from 2012. It talks about the GCHQ running Tor nodes. What could have happened in the years since?
What many people don't realize is that Tor has only ~5000 exit nodes and ~3000 relays. If you control 50% of the nodes, Tor is essentially compromised. Half is ~4000 servers.
Seems like a lot for an individual person, right? Just a rough estimate, at $40/month for a cheap linode VPS, 4000 nodes would cost $160k/month.
But that's _nothing_ for a nation-state. $160k/month isn't even a rounding error. And that's all it costs to _completely_ compromise Tor.
These nation states don't want anyone to know they compromised Tor, so they won't waste it on little fish. They'll save it for real terrorists and major criminal actors like Ulbricht. But if they compromised Tor, they're certainly recording _all_ that activity somewhere. It's sitting in archived storage ready to be mined if necessary.
> All the stuff about his previous posting, etc, is tenuous and circumstantial-- it seems totally feasible that it is parallel construction.
I've done similar things in the past (trying to find a user's real identity, when that user has taken active steps to stop anyone finding out - before you ask, tracking scammers, not doxxing innocents) and to me it sounded totally plausible. He made exactly the same kind of mistakes many of the people I've tracked down did, and they found him the same way I would have gone about it.
My suspicion is essentially the opposite: Tor is secure, but the two high profile arrests (Freedom Hosting and Silk Road) where given priority to make the general public a.) feel that the entire function of Tor is illegal and often repulsive activity b.) that Tor is not safe.
The latter part of that theory, that law enforcement agencies intentionally stepped up the resources for both the FH and SR cases in order to intentionally create disgust and distrust of Tor, is of course merely conjecture. Basically I find it an amazing coincidence that the two most notorious parts of the Tor hidden service world where busted very quickly after a huge amount of positive public attention was brought to Tor right after the Snowden leaks. Additionally if you actually look at the details of the FH exploit the FBI unleashed it is fairly useless, but very terrifying when you read just the headline. Legally there seems no useful reason to use such an easy to discover exploit that would have delivered no particularly interesting information. However from the stand point of creating public fear it worked marvelously. If you talk to even technical people that don't understand security and Tor well they often assume that the feds "hacked Tor". Which, in my opinion, is exactly what state actors want people to think.
As for the former part of the claim, that Tor is secure, look at the Snowden leaks about the methods that the NSA was thinking about for attacking Tor. Egotistical Giraffe, the attack used on FH, as mentioned was not a particularly useful exploit, and attacks user behavior not the network. Other similar leaks also suggest that neither the NSA nor any other state agency, has the ability to completely compromise Tor.
Finally,if you are a state agency and you have completely compromised Tor, you would actually want the general public to think it is safe. It is an amazing advantage to have your adversary think they are on a secure line when they absolutely are not. On the other hand if you haven't (and probably can't) compromised Tor you want the majority of people to think you have so that they disregard one of their best tools for defense.
Now of course there is plenty of evidence that federal agencies can perform targeted timing attacks against specific individuals. Tor does not and really cannot guard against this, and this has always been the case and fairly well known. If a state agency is targeting you specifically, I don't think there is anything you can do. However, given the information that is available to us, I do think it's reasonable to assume that Tor is secure from general, large scale, untargeted surveillance.
You don't address my specific point; namely that it is not only possible but relatively inexpensive for any nation-state to compromise users' anonymity on Tor en masse not by cracking its cryptography but by running >50% of the nodes themselves.
a bit of a pedantic note: If you want to control 50% of the servers by adding servers, you actually have to double the total server count... ie, 8k servers now, if you want to control 50% you have to add 8k of your own servers for 16k total servers ...
Indeed, but my proposition is that they already did that, some time ago. It's just such a small amount of money that it seems unlikely that they _didn't_ do this.
- Accessing BBC Liveplayer as if I'm in England (using lots of normally discouraged add-ons and defined exit-nodes)
- Bypassing paywalls (possibly still criminal?)
- Bypassing censorship (which is what it really is) on organizational wifi networks (in Canadian hospitals). The funniest block was to ginger.io, a big data smartphone data analysis play (but blocked by an over-aggressive filter for obvious reasons).
Does anyone else have some unexpected/interesting use cases?
I use Tor hidden services to punch through NATs (mostly for SSH); it's also useful in that only you can access the service (since only you know its address), so a hidden service + random port is a cheap "port knocking" implementation.
I've also used Tor to debug firewalls. It's a good way of saying "put me in a random spot on the Internet."
Outside of that, I use Tor for whatever I can: downloading RSS feeds, instant messaging, downloading email, mostly. There's no reason not to have Tor on these things because they're all either batched or tolerant of bad latency, and it destroys a little bit of my personal information that would otherwise leak.
The onion addresses of hidden services are not themselves secret. The onion address is in fact well known, published in the directory. It's only your server's IP that a hidden service is hiding.
So please, don't treat knowledge of the onion address itself as a secret! You still have to authenticate to your service in some way.
Tor itself has a nice built-in method of authentication you can use. I don't know of a good howto, but it's documented in the man page. Search for "HiddenServiceAuthorizeClient": https://www.torproject.org/docs/tor-manual.html.en
tl;dr it's possible, and you don't have to rely on crawling the web searching for .onion addresses. You can instead become a HS directory authority, and pick your place in the DHT. Eventually you'd be able to get every address that goes into the DHT.
Latency is a problem for me. Maybe for some users, who already have very slow internet, or who live in areas with more TOR relays, it is not so noticeable, but for me the speed difference is about 10 times. Mostly not because TOR would be unbearably slow (it is not slower than regular internet 8 years ago), but because regular internet is very fast where I live.
I mean, you'll notice my strategy is to never torify anything where I'd have to actually wait for it. Except IM, which is small enough that it doesn't matter, anything I've torified is downloaded in the background anyway.
Commenting on news site which shows IP address from work after some incident where IP got banned for a while for some comment. Problem is simple google search with IP and the site in question shows all the comments you wrote "anonymously" from work and it may cause problems.
Also TOR is heavily used by shills in same sites (namely Russian ones), so it's not too uncommon to stumble upon IP that is already banned.
:( on the bbc one. There are plenty of free proxies that you could use that wouldn't waste the tor network bandwith for something that doesn't really need 100% anonymity.
I'm probably going to take some flack for this, but I don't trust Tor. When you access Tor, you're masking your origin IP to the remote address by trusting one of a couple hundred volunteer exit nodes who raised their hands and said "Trust me! You can route all of your internet traffic through me and I promise I won't monitor or inject anything..."
I think most Tor users don't have an adequate understanding of the threat model. It doesn't help that the Tor Project has at times upsold the anonymity provided to a ludicrous extent[1] (to be fair, they do address the risk in their FAQ[2]). Is it more likely that that Comcast will MITM me, or some random exit node? I might expect Comcast to maybe inject an ad into an HTTP connection or do some DNS redirect to shoot me an advertisement, but I don't worry about them stealing my credit card or injecting a buffer overflow or something. In fact, they have a profit incentive to not do so. I don't have that guarantee with a random exit node. It might be a generous privacy advocate, or it might be someone who has more nefarious profit incentive in mind[3]. If you're only connecting through Tor just to avoid the NSA, then you have to assume that both a) the NSA is targeting you to begin with, and b) that exit node you're going through isn't controlled by the NSA (or GCHQ/FSB/PLA/etc).
sslstrip[4] undermines the prospect of protecting yourself by connecting solely over SSL through Tor. Even then, in my experience more than half of the sites I visit don't support SSL to begin with. The HTTPS Everywhere plugin that EFF provides and is included in the Tor Browser Bundle is implemented backwards - it connects over SSL only when the site matches a whitelist[5] (I use KB SSL Enforcer on Chrome myself).
Sorry if this came off as a rant - I just see too many articles like this that prop up Tor as a silver bullet without discussing the risks and establishing an adequate threat model that allows the user to make an informed decision regarding the risks/benefits of using Tor.
I hope you realize you just described the entire Internet. Which is the ultimate irony of complaining about the security of tor: you're trusting someone else to forward your packets. Yes, yes they can modify the traffic to and from your host, and yes, yes they can monitor everything you're doing. The difference with the non-tor Internet is that it's far far easier to do that.
You're absolutely correct in that it is a trust issue. However, when Comcast forwards my packets they have both a profit incentive to not go stealing my all of my credit card info (their customers would quickly take their business elsewhere) and a legal incentive (they're a known entity inside the US - someone's going to court). With Tor, I'm putting all of my trust in someone likely on the other side of the globe who has only given me no more identifying information than an IP address and promises no more than that they'll offer me free bandwidth. That person could have set up shop a few hours ago and may be gone tomorrow.
And what if they did sslstrip your connection to your bank's website? Would Tor catch it if the exit node only did it for a week or two and only to .5% of the connections? Would any of the victims be able to determine the source of the attack? How many people on Tor actually keep track of what exit nodes their traffic is going through?
How many people keep track of the route their packets take? (Dare I say none?) How many third parties will it pass thru? (Many). How many of them can trusted to not monitor you (this is why ssl and even ssh was invented), how many have adequate security controls to prevent data theft (again this also why ssl and other tools were invented), how many can be trusted to not forward your data to a hostile government, etc.
It's the same problem, trust. And since when was the internet considered a trusted network? Calling out Tor for inherent trust issues with the path is ironic, neither the internet nor tor is a trusted network. Tors solving a different problem: monitoring. Both have the same problem which neither solves: tampering, but other technologies do (ssh, TLS, etc.)
In both cases, you shouldn't trust a third party (or an intruder into that third parties network) to either not modify your packets or to respect your privacy. At least tor helps with the later, the former isn't solved by blindly trusting an ISP or assuming your entire route is trusted (NSA anyone?).
Trust no untrusted network. At least tor is Upfront about this.
What's the point of using Tor to access your bank's website though? I don't think that is a normal use case at all because there's no point using an anonymity network for that, because your bank probably knows who you are. Exactly the same as with credit cards.
If you're going to pay for something over Tor, it should probably be with a prepaid credit card (or bitcoin). And if you're buying something anonymously then you know you're taking a risk.
Same as with email accounts or any other account. It doesn't make sense to use any account through Tor that you've used outside it, as it could already be identifying information.
Or many customers in the US. For most consumers you have one choice of broadband provider due to local government monopoly grants. It's either comcast, or verizon or another big telco/cable company, but rarely is there a second equivalent option.
I think the key is that Tor should only be used with HTTPS connections. Anyone that's like "zomg, my HTTP connections are being recorded by Tor exit nodes don't use Tor!" is kinda being a bit silly. I know personally people the have designed hardware for major ISPs to specifically record HTTP traffic for non-benign purposes.
I don't trust Tor for a completely different reason: you become a threat. Just by sending Tor traffic from your home, you're flagged as a potential active monitoring target, and I don't really need the additional heat.
Lets address your concern by talking about security and probability for each of those issues.
Credit card thieves in Comcast vs in TOR. Given the number of employees who has remote access to customers routers (ie support), sysadmins that has remote server access, and personale who has physical access to switching equipment, whats the risk that one of those people has a criminal record? This will always be non-zero, and one can never actually test it.
In TOR, this risk can be tested[1]. Exit note can be probed by sending unique credit card numbers or other profitable personal information, and then observed by seeing what the node owner does. If they act on the information, the node then get blocked. You can not do this with Comcast since your identity is known to the personal of Comcast.
The NSA threat, as talked about, is reduced by using TOR. Doing statistical analysis is in theory possible but in practice very hard. Out of all the Snowden leaks, not a single one present this as a ongoing work happening. Non-tor traffic analysis is however presented as business-as-usual and should be assumed to happen at every point in the network.
Last, the HTTPS Everywhere you mention is a direct answer to the SSLstrip for the most commonly used websites. Claiming it is implemented backwards because it uses a blacklist is a bit unfair, since blacklist and whitelist each has their own tradeoff in security. HTTPS Everywhere has no false positive and protect against the common threat, but will be vulnerable against uncommon ones. If they had gone with a HTTPS-only approach, it would have caused a extreme amount of false-positives, and users would have turned it off. This trade-off (security vs false positives) is commonly the distinction between user products and server products.
KB SSL Enforcer do not protect against sslstrip and MITM[2] for new installations. If the Tor Browser Bundle included KB SSL Enforcer, it would worsen the security of the Bundle compared to HTTPS Everywhere, and would be counter to the design. Rather than leaving no records of the sites you go to, KB SSL Enforcer have to record and permanent store it.
You can test Comcast in the same way that you can test a Tor exit node - the technique is exactly the same. The threat of a rogue network admin is similar to that of a rogue waitress stealing credit card info - significant criminal liability if caught. To top that, people in a position to carry out such an attack are generally easily identifiable by their employers if there is a criminal investigation. The same can't be said for the administrator of a Tor node in a foreign country.
The NSA threat relies on the assumption that they are targeting you specifically; the risk with a rogue exit node is that you are exposing yourself to an adversary that doesn't care who their victim - i.e. most criminals. My issue with Tor advocacy is that it's attempting to mitigate the risk of a perceived adversary by exposing users to a much more realistic threat. My spouse and I have both had our credit cards stolen before, but I've never had any reason to believe that I've been targeted by the NSA.
There is a definite tradeoff with regards to the whitelist/blacklist model, but ultimately both solutions are really just patching over inherent flaws in SSL trust model. I wasn't clear in earlier post - my issue is not necessarily with the HTTPS Everywhere model, but rather the perception that it gives the user pervasive end-to-end encryption and solves the issue of rogue exit nodes.
If you test comcast in the same fashion, the rouge employee can see that you are sending several thousands unique credit-card number to some website and are thus behaving in a very strange and obvious manner. They can see plainly if the request comes the investigating branch of the police.
With a tor exit-node, the operator can't identify who is sending them the traffic. They can't distinguish a investigating police from a victim.
You can disagree and think that rouge Comcast employees are easier identified than Tor operator. This is a trust question, and everyone is free to pick who they trust and who they don't. The argument given in favor of Comcast just don't sway me, and it would likely require a research paper with test data in order to actually prove what has higher risk associated with it.
The NSA do not target people specifically. That was proven by the revelations from Snowden, and has been quite obvious for quite a long time. NSA doesn't care who their victim is when they are collecting the information. It is cheaper and more effective to target everyone, and then data mine the result after everything is in their hands.
Yes. The list of tor nodes are handled by a small list of directory authorities. They vote on a list, which then each client tally in order to create a list called consensus. Since the number of directory authorities are few, bad nodes get quite fast blocked.
If you want to see nodes that are blocked, http://torstatus.blutmagie.de/ looks to be a good site. There has also been several research projects which has explored different avenues for finding bad nodes, and the TOR Project created a few years ago a python project which incorporated most those methods to automatically scan for malicious nodes (https://svn.torproject.org/svn/torflow/trunk/README).
>you're masking your origin IP to the remote address by trusting one of a couple hundred volunteer exit nodes
No! When using Tor, you are not trusting any single node, and that's the whole point. The exit node does not know your IP or anything else about you, and the other nodes do not know what server you're communicating with. And you should never send any personal information over Tor, such as your credit card, because the end server would be able to identify you and steal that information (and why would you trust the end server? The idea is not to trust anyone when using Tor.)
The simple answer is most people that use an electronic device -- Tor or otherwise -- have no idea what they are doing. Because Tor is advertised as extremely safe, they think they are safe. Anyone wanting an interesting stream of data just has to operate as many exit nodes as their budget can handle.
Additionally, I'd assume that most organizations that are able to run or back-door a large percentage of TOR exit nodes are also able to mint SSL certificates under keys that most browsers would accept as legitimate.
That's why I mention sslstrip (check out the presentation - it's scary) and overall lack of SSL on the internet. To provide some anecdata, my browser window currently has 8 tabs open right now.
Those that support HTTPS: news.ycombinator.com; twitter.com; www.torproject.org
Those that don't:
cryptome.org (!); zzaper.co.uk (the Vim tips article from a few days ago); forbes.com; vimeo.com; nytimes.com
End-to-end encryption would be great, but the internet at large just isn't there yet in terms of both HTTPS support on most sites and safeguards against SSL tampering.
I will say safeguards against tampering are getting better for newer browsers. I'm working on a software stack for PirateBox type systems but focused on security, so I get a pretty good glimpse at how a lot of sites handle incorrect certs, since it's an internetless portal and redirects everything to its hosted SSL page. Both gmail and hackernews will refuse to load at all, as they properly support HSTS. Well gmail "cheats" and is hard coded in chrome.
What is the use to an exit node in knowing that someone is reading cryptome zzaper forbes vimeo and nytimes? Presumably you are not going to transfer any identifying info to these sites.
a) The NSA collects first and targets later
b) The NSA may control the exit node your traffic is going through vs the NSA collects all network traffic from everywhere.
This is incorrect and dangerously misleading. The NSA collects data that crosses the US border. An internet user in America is more likely to have their data cross a border if they use TOR. In this respect, TOR makes your data more likely to be collected unless you have reason to believe you're already being monitored anyway.
But only exit nodes are the problem here. Traffic between nodes is encrypted anyway. If the encryption is sound (and there is no reason to assume the contrary), they may collect as much as they want.
There is anyway no guarantee at all, that non-TOR traffic doesn't cross borders. And you can't assume that any three letter agency acts within the (intended) legal boundaries. To be safe, only end-to-end encryption helps.
Sorry if I wasn't clear, but this is exactly my point. Most of your traffic as an American will stay within the country's borders because most of the services you access are in the US. By using TOR, your traffic will now appear to come from an exit node that has a greater than zero probability of being outside the US. The average American user thus has increased the likelihood of their data being analyzed by the NSA by using TOR. Under great-grandparent's particular threat model, the user is worse off.
Also, we can assume that the NSA operates within those bounds because that's what Snowden's leaked documents say in describing their systems. We have their internal documentation as proof.
My worry is that by using Tor at all you become a target for active monitoring, even if the content and destination of your Tor communication can't be decrypted.
Which is why it is important that many people use it. I don't think it is a viable strategy to MITM everyone (at least it will not go undetected), if that is what you assume being a target for active monitoring. Or to send agents to every house. If we are forcing them to do that, we have won.
"It is also important to remember that if you log into services like Google and Facebook over Tor, you will be sacrificing your anonymity to those services."
It is important to note that both Google and FB can track you on 3rd party websites through things like "Like" button. Consider disabling 3rd party cookies completely or using plugins like Ghostery.
I've been browsing the internet for 15 years with 3rd-party cookies disabled.
I never had ANY problems with any website - no idea if there would have been more functionality with 3rd-party cookies enabled. But then again, how can functionality depend on THIRD parties?
Also activated the setting for my girlfriend years ago, no complaints so far.
This feature should really be the default for any browser and any user. Too bad Android Chrome doesn't have such a setting. Too bad for Google I'll use something else instead.
Safari has always shipped blocking third party cookies by default; just about everything works with it. I remember there used to be some nasty trickery to make iFrame resident Facebook games work, but that was about it.
I am actually running both of them side-by-side (together with ABP and a few other plugins). So far, I find Ghostery to be blocking more than Privacy Badger does.
I have always wondered about that. What if I completely switch all my network traffic to Tor continue using all the services as I currently do? What are the implications involved here?
It ate all my monthly bandwidth limit within an hour. By simple analysis I found out it's mostly BitTorrent traffic, but I didn't dig very deep so I might be wrong.
I would love to run a Tor relay, but I just do not have unlimited bandwidth to do that.
It would seem there is more demand than supply when it comes to Tor relays. If there were a safe, anonymous way to pay for using Tor relays (Torcoin?), then there would be a lot more incentives to have people run relays. That means the speed will be bumped up and at one point there will be an equilibrium between supply and demand. The system might also provide preferential treatment to users who are willing to pay more.
There is an option in the config to limit the amount of bandwidth used by the relay.
BandwidthRate N bytes|KBytes|MBytes|GBytes
In combination with accounting you can limit monthly or daily usage - has to be over 30kb/s to be usable by the network, so may not be feasible, but worth knowing.
"4. No One in the US Has Been Prosecuted For Running a Tor Relay"
That's a bit of a misleading statement. I'll agree that there haven't been any people prosecuted because they ran a TOR relay directly but there has been at least one case where they prosecuted or at least harassed a guy on child pornography charges because he was running a TOR exit node and saw the activity coming from his IP. Perhaps that wasn't in the US but still.
I agree Tor isn't as slow as many think. It's just slightly slower. My biggest problem with Tor, though, is having to enable Javascript even for common tasks, like logging in to Reddit, which hopefully they aren't doing on purpose, considering Reddit is known for a site where you can use pseudonyms as much as you want.
One usually sees a list like this presented as debunking myths. The myths are given bold headings that state the opposite of what the author wants to say. This format is so much clearer because they state the position they are taking instead of the opposite of their position.
>A live CD would not have helped any FreedomHosting victim.
Yes it would have. That attack relied on both a Windows-specific vulnerability, and accessing the internet without Tor. Neither would have happened to a user of Tails.
established accounts are allowed to use tor on HN. If you make an account over tor, its posts will be killed for two weeks, then it will be a normal account.
Didn't the feds take down Silk Road because the owner paid a cop posing as a hitman to kill someone?
Also, there is a problem where hidden services can be enumerated by scanning IPs. With IPv4, it is practical for a well connected entity to scan the entire internet and search for hidden services, making it possible to match to IPs. This is only an issue for people running hidden services, not Tor users.
Hidden services can't be located in that manner unless the owner has badly misconfigured the service so it's reachable by IP address. A typical configuration would have the service listening on 127.0.0.1 or a private (RFC 1918) network address only, and have Tor connect to that.
I specifically addressed this in the article. The feds located freedom hosting by using an exploit in Firefox which was able to deanonymize users. I don't know enough about the silk road case, but it seems probable that traffic correlation was used in that case.
I agree that things can change in a year, but the essential point that Tor is not cryptographically broken is still true, IMO.
>The feds located freedom hosting by using an exploit in Firefox
That doesn't even make sense. Firefox is client software. How would I locate a hidden service, a server, via an exploit in Firefox? Servers don't generate websites with Firefox.
Tor is not cryptographically broken, I agree. But see my post above about the number of nodes-- it is trivial for any nation-state to spend a small bit of money to completely compromise Tor.
I guess we should also should include that with every Linux kernel release too. The US government has funded a lot of publicly available security technology that you may not even be aware of, even through the NSA (SELinux).
It is a good thing the US government supports these things.
The protocol and the code is open. It doesn't matter who funds it, but let it be also clear that the US government is one of the funders. Also, the government is not one coherent entity that all of its bodies want to spy on people.
>They have been able to compromise certain Tor users in specific situations. Historically this has been done by finding an exploit for the Tor Browser Bundle or by exploiting a user that has misconfigured Tor.
I'm not touching TOR until I figure out how they managed to capture Ross Ulbricht.
He exposed his email address containing his name as a contact email for silkroad business, so he pretty much gave himself in. With that kind of "attention to details", I wouldn't be surprised if he even had misconfigured TOR.
Not exactly. He exposed his email address as a contact for bitcoin related development, then used the same username some time later as one of the first people to _discuss_ silk road. It's a tenuous connection at best, but this seemingly minor opsec lapse gave the investigators a hint to follow.
This isn't accurate. It doesn't mention that the u.s government can in very high likelihood de-anonimize users , sometimes even without cooperation from foreign governments , and sometimes even ISP's can do that.
If you use tor correctly (https everywhere, don't leak cookies) you can be pretty safe.
I'm fairly sure I know what I'm talking about, but feel free to point to some articles and I will try to explain one by one what Tor can and what it can't do.
Here, some links on Tor operational security, do read them carefully:
And i've read other work that talks about using machine leanring to create realistic attacks, and another by a guy that even deanonimized some anonymous remailers. And let's not forget most implemented protocols like tls have bugs.
A somewhat pessimistic view would probably say that the only protection you get is that the nsa doesn't use this capability too often, because it doesn't want to expose it.
> The Tor design doesn't try to protect against an attacker who can see or measure both traffic going into the Tor network and also traffic coming out of the Tor network. That's because if you can see both flows, some simple statistics let you decide whether they match up. Because we aim to let people browse the web, we can't afford the extra overhead and hours of additional delay that are used in high-latency mix networks like Mixmaster or Mixminion to slow this attack. That's why Tor's security is all about trying to decrease the chances that an adversary will end up in the right positions to see the traffic flows.
Well yeah, that sucks. Correlation attacks are a real threat. If an adversary controls both entry and exit, they can correlate. I personally don't think NSA are doing it (yet!) but that's a speculation. I still claim your statement is incorrect:
> It doesn't mention that the u.s government can in very high likelihood de-anonimize users , sometimes even without cooperation from foreign governments , and sometimes even ISP's can do that.
Correlation attacks are a real threat but if they are "high likelihood" it only depends on your path selection and use case. Rotate your paths, don't use bittorrent, choose entry and exit points wisely.
> A somewhat pessimistic view would probably say ...
A somewhat optimistic view would say: the tools are there, use them, use them wisely! Using tor is still _so much_ better for anonymity than pretty much anything else.
As of the Snowden-leaked documents creation (so at least 2006-2009), the NSA was not, in fact, using that capability at all.
Nor was the FBI or DEA in a recent high-profile case against a certain Tor hidden website. Nor were international LEAs going after Freedom Hosting.
Also note that the final author on the Users Get Routed paper is Paul Syverson, inventor of onion routing and still an active Tor designer. Academic attacks are pretty common against Tor because Tor is the most serious and therefore most well-studied anonymity system. Most of them aren't feasible in the real world regardless of what the abstracts say.
There are numerous problems with anonymizing remailers none of which have anything to do with Tor whatsoever. The two main problems are that there are not enough nodes (between three and six running at any particular time) and their protocol is overly complicated and implementations are bug-ridden, leading to mistakes that leak information.
A passive observer that is as big as NSA/GCHQ etc. can correlate traffic to de-anonomise some traffic, some very small amount of the time. It is extremely unlikely that a single ISP would ever have enough information to do that though.
> Tor is a well-designed and robust anonymity tool, and successfully attacking it is difficult. The NSA attacks we found individually target Tor users by exploiting vulnerabilities in their Firefox browsers, and not the Tor application directly.
It is hard, perhaps, but a good attack for the NSA would be to run many of the exit nodes.
The intelligence gathered this way would be very valuable, as the traffic on the TOR network is has a much higher intelligence value. This is because it is used by those trying to hide something, something which the NSA may like to know.
If I wanted to support the NSA, I'm sure I'd do volunteer work for those organizations -- and if I ran an intelligence agency, I'm sure I'd recruit assets off university campuses across the globe. Just saying.
[0] https://www.eff.org/torchallenge/