Now Everyone Wants to Sell You a Magical Anonymity Router (opens in new tab)

(wired.com)

66 pointscyphersanctus11y ago10 comments

10 comments

I think Tor is great. But Tor is inherently insecure, and the easier you make it for "normal" users to utilise Tor the more users who will get caught out by Tor's inherent insecure nature.

You're trading security for anonymity. That's should be Tor's unofficial tag-line.

I don't even need to convince you of Tor's relative insecurity, there is a front page article right now all about it:

https://news.ycombinator.com/item?id=8501557

xnull11y ago

You mean that by design Tor acts as MITM, and that end-to-end crypto should be used to provide integrity?

The major users of Tor need to consider even their ISPs as an adversarial agent - that they are being actively monitored and MITMed. In this sense, these users are not trading security for anonymity.

For those who trust their telecommunications carriers (in the US even in the face of CALEA) - they are certainly introducing a MITM. It's also important to note that the linked article considers the 'security bug' to be owned by software updaters and software vendors that that do not sign binaries - the vulnerabilities are not specific to Tor, but it does provide one mechanism to exploit them.

This is all a good reminder, as the Tor team themselves regularly say, that secure operational browsing and software practices are crucial to anonymity and security even with Tor installed.

ZenoArrow11y ago

It's even simpler than that, Tor has been hacked to remove the protection of anonymity... http://www.theguardian.com/technology/2014/jul/22/is-tor-tru...

From that article... "anyone with $3,000 could de-anonymise users of Tor".

That article was from July 2014. As far as I know the fix isn't implemented yet, but I could be wrong. Here's the most recent article I could find about a fix... http://securityaffairs.co/wordpress/26982/hacking/tor-workin...

2 more replies

sitkack11y ago

The problem with Tor is that anonymizes your endpoint but not the traffic itself. What it needs to do is scrub YOU from the stream. No logging into services, or providing bugmenot temporary alternatives. Once you are on a Tor session and you leak a single piece of info, that session is tagged to your user profile. Tor by itself is fairly low security. Great for getting out of shitty places, but it does not anonymize you in any way.

Istof11y ago

If I wanted to be truly anonymous, I would rather use some device that I don't use for anything else that I purchased with cash and browse from an open wifi or something similar

1 more reply

j / k navigate · click thread line to collapse