I don't know if any of that was true and even if it was I'm sure a lot has changed with how Tor handles privacy and directs traffic. Are there any good resources for average Joe internet users to read about how the browser works so I can better understand the risks/rewards?
The basic idea is that with Tor, you make HTTPS connections to the "tor relay", a network of volunteers who route your traffic around the world to make it hard to track. You can use Tor in two ways: you can join the relay network and route traffic for others, or you can just use the browser and make queries. If you do decide to join the relay network you have an additional decision about whether you will be an "exit node", one that does the final request to the destination website and thus appears to be the initiator of the request. This is an option because it can be difficult on home internet setups: if someone uses your exit node to post a lot of stupid crap to Reddit and Reddit tries to IP-ban them, then you are suddenly IP-banned from Reddit at home, because you ran the exit node.
If you are just a user then the only thing you need to know is that there is a price for your privacy, which is that routing your traffic all the way around the world takes a little more time than sending it straight to you, and this has two effects -- a latency jump which exists basically no matter how big the network gets, and a slowdown in your bandwidth which depends on how big the network is relative to the number of people trying to browse with it.
I think there’s a lot more to worry about than reddit shitposts eg straight up criminal activity apparently coming from your router, and in way you’d have difficulty proving was tor and not you or your family.
After that, check out the video explaining how hidden services work.
If you want to see a simple implementation of an onion router, I built one in TypeScript: https://github.com/seisvelas/onion-router-ts
(be warned, I also did that as an exercise to learn more TypeScript. So it's not good TS. But improvements and issues are more than welcome from any TS gurus out there!)
https://blog.torproject.org/browser-fingerprinting-introduct...
You will also be targeted for browser exploitation without a warrant. Tails in an isolated environment is probably the best way of using Tor.
Someone who knows more can probably elaborate, but after hearing them present year after year, and how much global advocacy they engage in, and their transparency, I find it unlikely they have NSA spooks embedded.
I use it when I need to read something objectionable through a VPN. (Still not perfect, because I run a VPN on EC2 and the exit zone is in the US...)
Not trying to be flame-baity here, but with Trump's ranting about making ANTIFA a terror org, and with the recent legislation that allows warrant-less IP tracking, I am legitimately concerned I might end up on a watch list because I visit a website this admin finds objectionable.
Sorry, can you explain what this means? Would my home IP address be the "entry IP address" you're referring to?
Tor connections against normal sites use 3 hops while they use 6 hops against onion sites. Controlling or potentially even analysing the traffic from 2 of the hops is enough to know where the user connects to (it might be 4 hops for the onion case but I am not sure). I am pretty sure that NSA has enough resources for their own nodes. I2P has a better architecture in general but it still does not solve the issue. I am looking into evaluating lokinet at the moment.
In general tor does not have a great track record. For example they took ages to upgrade from an 80-bit sha-1 truncated address scheme with dh1024 and aes128 into something more modern.
Dissidents and activists have been busted using Tor and there’s always a friendly government damage control agent ready to pop up (any forum, any time of day) to remind people that Tor couldn’t possibly be backdoored or owned, it was always some other type of thing they used in parallel construction.
Over-shilling is what clued next in. You don’t get this kind of response without a massive panopticon dispatching reputation managers. Why the heck would the NSA write NSA proof software? LOL.
EDIT: this is in reply to mapgrep and his crew:
Did I say I won't use Tor Browser? Is it really necessary to put words into my mouth to make your point? I've noticed this a lot with people who are very very lightning fast, almost unbelievably fast, to defend Tor on any forum or platform on the Internet. The speed at which it occurs, and the typical over-the-top, rude, and unnecessary attempts to make people seem to say things they 100% have not.
You should apologize. Obviously the NSA has broken Tor, they made it. Forget about current funding, where'd it originate?
And why does the Tor Project publish a list of exit nodes?
* Exit nodes might be run by malicious actors and unless you enforce always https they might snoop credentials.
* If you login to platforms like google/facebook/twitter/stock overflow it might still be possible to track you.
If you're worried that your employer is spying on you then tor can't help because they already have administrative access on your computer. I personally have a rule to never log into personal accounts from corporate devices.
I'm (personally) less concerned about government spying on me than I am about corporations. That's not to justify government overreach, but I don't like the prospects of corporations like google, facebook, twitter holding as much (or more) of my information as the government does.
Edit: nvm it is working now.
Automatic detection of onion versions of sites sounds great.
Edit: refreshed once, still worked. Refreshed again, "You are not authorized to access this page. " Refreshed a third time, worked again.
but you might start to get downvoted on HN when this gets fixed
It's never worked for me. Just shows a page with the Noscript "this is being blocked" logo.
Maybe you turned off Noscript?
Yeah you can root the 'droid and ditch the Goog Play Store, but you can jailbreak iOS.
Few android manufacturers even have instructions to change your rom or root the phone. Lot of them support it while apple doesn't. Android is also open source so you can push your own changes at os level and reflash it . You can't do the same for iOS. You also have control over the hardware more than you do on iOS - way easily. Overclocking isn't possible on iphones.
From a privacy point of view, couldn't you use multiple VPNs?
I don't see what could be gained from nesting VPNs because you're identifying yourself to the innermost VPN. Tor is designed so that exit nodes don't know who you are.
I imagine you could pick a few Anti US government VPNs and at least 1 wouldn't cooperate.
You can hide the fact that you're using Tor by using bridges with or without pluggable transports.
> From a privacy point of view, couldn't you use multiple VPNs?
No amount of chained VPNs will offer you browser fingerprinting resistance or privacy by design.
Not having memorable names makes it tough for people that use a non-persistent OS for Tor. I'm all for creating more accessible URLs.
Obviously that opens up additional attack surface for de-anonymization attacks, but I think it could be done reasonably securely given sufficient effort. (Hashing and key-stretching the login credentials, fetching bookmarks over a separate Tor circuit, storing the encrypted payload in a distributed database rather than a centralized server, etc.)
Done right, a system like that could potentially even lead to an open standard for synchronizing bookmarks, passwords, and other settings across different browsers.
Has anyone else had this problem (or had this work)?
<link rel="alternate" title="my site but on tor" href="superkuhbitj6tul.onion" />
The article didn't say the exact name of the header but it mentions support.torproject.org uses it so looking into its headers:
$ curl -I https://support.torproject.org/
[redacted]
Onion-Location: http://4bflp2c4tnynnbes.onion/index.html
[redacted]Good. This is, in my opinion, one of the bigger pain points of the whole Tor experience.
I don't personally think the problem is with understanding how onion addresses work (I've explained them to my mother and she understands the concept pretty easily), it's just the user-experience that has always been kind of a pain - even for people that use Tor often and understand it well.
I don't use the Tor browser for a number of reasons, so I can only hope other browsers follow suit.
It's politicising software. Open-source software should never have an official, hard-coded opinion about any of the content findable through it.
I've seen the Firefox org increasing do similar things when reading their email newsletter. It even stopped me donating to Firefox.
A core idea of Tor is to not censor. When you give special access to some sites, it feels like the opposite of net neutrality. That is on the censorship spectrum.
I guess it's not too bad if they never block any content at the protocol or software level, but at some point, giving certain content privileged features at the software/protocol level is a two-edged sword. It means you're forced to deny supporting other content.
Indeed, once Tor starts having an official opinion about online content at the browser level, who's to stop people starting to pressure Tor to block certain content, since they're basically starting to be in that realm now? It can be a slippery slope.
I'd prefer at the very least it be toned down to a third party add-on. It's great to make onion sites easier to access, of course. But it should be in a way that doesn't involve political or legal barriers for content creators.
---
BTW, I highly encourage anyone with a linux box at home just sitting there 24/7 to start an obfs4 bridge relay. It's not that hard, and low on resources. #tor-relays IRC extremely helpful in getting you set up.
I've been running one for about a year and it's provided tens/hundreds of GBs of Tor Internet to people hopefully in Asia, South America, and the Middle East - protesters who really, really need some help in anonymization or gaining access to blocked content.
Give it a go if your experience wasn't great a few years back.
For information, there was a similar initiative by Namecoin with .bit.onion: https://www.namecoin.org/docs/tor-resolution/ncprop279/stemn...