proper/practical use of tor

cmhobbs
Joined: 06/24/2013

After the discourse in this thread: https://trisquel.info/en/forum/securing-trisquel#comment-48556

I asked about using Tor for all of my Internet traffic on my Trisquel netbook. Is it possible to configure all of my networked applications to use Tor, much like using Orbot on my Replicant device? Is that a good practice?

Also, the Tor bundle comes with a pre-configured browser. How do you handle things like bookmarks and addons with that? I've got a handful of useful plugins in Abrowser and I generally like it better than the bundled Tor browser. Can I get Abrowser to talk to Tor? I assumed that was a bad practice.

Sorry if this isn't the place to ask.

mYself
Joined: 01/18/2012

> Can I get Abrowser to talk to Tor?

Yes, you can! Just follow the procedure described here to install Tor, then install a Firefox plugin called QuickProxy by clicking on this link, and set up Abrowser using the attached screenshot.

abrowser-proxy.png

lembas
Joined: 05/13/2010

Note that the plugins might compromise tor.

https://www.torproject.org/download/download.html.en#Warning

bardock
Joined: 09/22/2013

I think it's better to use Tor Browser Bundle because it is fully supported and tested by thousands of people. Other configurations, as said, may leak info dangerous for your anonymity.

As a use case, I think you can use TBB for all usual surfing activity, except for those that can reveal your identity (logging in to your bank account, various social networks, personal blog etc etc.).

Here you can find some suggestions https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO about torifying applications.

Another good combination could be using some applications with proxychains + privoxy but I don't know how secure it is. I use it for some terminal applications.

GNUser
Joined: 07/17/2013

I think that if you want to use Tor and be "sure" that you are somewhat protected, you should begin by doing a little research on what Tor is and how it works.
These videos might help you:

https://www.youtube.com/watch?v=-hZZNFQm1Vs
https://www.youtube.com/watch?v=001VMHpsYlw
https://www.youtube.com/watch?v=3GanD_lCqLA
https://www.youtube.com/watch?v=864FxA3jmHk
https://www.youtube.com/watch?v=CJNxbpbHA-I

After you watch those, you will conclude that Tor is the safest way to do your everyday browsing, but you should stick to the Tor Browser Bundle and even so not mess too much with the configurations, because "anonymity loves company". So you want to look like everyone else, and not like someone sticking out in the crowd.
You don't really need to have Tor being used for updates anyway, for example, and the same goes for using Bank accounts and Facebook (unless you are on the run and don't want to get caught, lol, in that case Tor will hide your physical location).
Anyway, watch those I mentioned, and you will be able to work it all out by yourself.

EDIT: As for smartphones, using Orbot to transparently torify all traffic is a BAD idea. First, using Tor in a smartphone device will achieve little anonymity (smartphones were designed as spying tools, so there are too many things that can be done to "bypass" Tor or any other application and know what you do with your phone). Second, because most of the time your smartphone connects to servers where it identifies itself and so using Tor is nonsense (and in this case GPS will prevent you from hiding your physical location).
So, as far as smartphones go: use ONLY Orbot with Orweb, and even so DON'T use it for high profile activity, where the loss of anonymity would compromise your safety! The best way to use Tor right now is: on a computer, without vPro and TXT and other such technologies, in a free software only distro (Trisquel and Debian for example) with security measures in place (firewall, rootkit checks every day, etc) and using only Tor Browser Bundle (and Torbirdy if you need email with GPG). This is the SAFEST way to do it right now.

quantumgravity
Joined: 04/22/2013

A short question: if I activate the totem plugin in tor browser bundle this should be ok, shouldn't it?
I mean how should a free-software video plugin compromise me?
Or am I missing something?
I'm not very familiar with tor.
I would like to use tor browser bundle with greasemonkey and viewtube.

GNUser
Joined: 07/17/2013

In short, don't.
Look, when you use a plugin or addon, that piece of software might not obey the proxy settings, or it might gather some identifying information on your computer that might de-anonymize you. It doesn't matter that "it's free software", free software respects the user, but most software (free or not) was not made to be "anonymous" or "work over Tor". So, yes, free software will hardly betray you by having backdoors and anti-features. However, the way that the software itself works, might not work well with a software like Tor.
For example, a video plugin might be configured to send a report in case of an error, which might contain the website that you visited. It is not a case of "the developer trying to control the user", it might just be an attempt at making the software better. However, in security and privacy matters... you can't afford any mistake. The first identifying bit of information that leaves your computer ruins everything else that you have protected so well.

You can, however, try to audit the software yourself. Get in contact with Tor project and ask what tests you should run to see if those addons would hurt Tor's anonymity. You can run a few tests, report back the results and have the software get better adjusted to your needs. But one can't say "using addons on Tor is fine as long as they are free software".

If I remember correctly, there was the same debate on TAILS. I don't know how it is right now, but back in the day, the idea that people had was that "Totem will probably respect proxy settings and if it doesn't it will just fail the connection, but it is not 100% secure because it was never audited". Try checking with them, maybe they have something better to offer now =)

quantumgravity
Joined: 04/22/2013

Okay this makes sense. I think it would be great to have some tor-friendly free-software video player.
Thanks for the explanation!

GNUser
Joined: 07/17/2013

Well, in fact we do... HTML5 is a player that can load any video, Tor Browser supports it very well. The problem is the video format/codec. Most websites use mp4 and flv. Firefox (and Tor Browser of course) don't have those patented codecs. They can only play webm and ogg. That's why MediaGoblin works well with Tor Browser. As does youtube (they converted everything to webm).
In any case, you don't need to do anything special to get a video playing in Tor Browser. If you have a server, you can just put the videos there, and whenever you click the video, if it's webm or ogg, it will play instantaneously. You can see tor project media for example:
https://media.torproject.org/video/
It would work just as well if it was a tor hidden service. Basically one could have "youtube hidden service" as long as we had a server that could host the files and if people would respect the service (no illegal stuff so it wouldn't get taken down, no porn or at least have it in a separate page so it would be "kid friendly" and such).
I honestly don't know why people that make hidden services would use any format other than webm and ogg.
You don't even need JS to use html5. You can click NoScript, make "block all" and when html5 player comes up, you just right click instead of left click.
I would love to contribute to a "youtube hidden service" kinda thing. We could have documentaries and presentations on free software, privacy and anonymity matters, activists around the world could expose the wrong things happening, it would be helpful to whistleblowers... Oh well.

In the meantime, you can use archive.org
Most of their stuff is playable inside Tor Browser (and if it complains about JS or flash, just go to the download file and click like I told above). Tor Browser also can read PDF inside without download and without JS.

quantumgravity
Joined: 04/22/2013

So you have JS still disabled though tor browser has it enabled by default?
I don't really know what's the right thing to do here.

At the moment I really do a lot of reading on tor and start to use tor browser for my every day browsing, but I'm still a bit skeptical about it (like about any new technology I'm using).
Somehow I'm a bit afraid that I may get accused for something someone else did due to a technical phenomenon, since tor is certainly used by a lot of criminals.
But with the information I found at the moment this seems to be impossible to me.
I made sure that I'm not running a server by enabling "client only" mode in torrc and hope things will work out this way. Unfortunately I can't even contribute to the tor project by running a "not-exit" relay because my isp (it's basically the university) forbids running any kind of server.

About archive.org... it sure is a great platform, no doubt about that, but it could be a bit easier to browse. I'm having a hard time finding good stuff though it's certainly there.
Mediagoblin sounds very promising, but we both know that they are in an early level and have some problems. I don't understand why they don't implement a search feature. With this, we could start using it like youtube.

Unfortunately, not every video on youtube is playable with html5 or more specific: with html5 and the webm format.
Maybe things will change in the future.

Besides this, I'm really surprised how fast the browsing with tor is. They improved in this point.

And I'm ready to make some sacrifices since I'm really pissed off about everyone knowing what I'm doing online.
It's none of their business.

GNUser
Joined: 07/17/2013

I didn't say that I have JS disabled ;)
What I said was I tried html5 player without JS and it works ;)
To your question, there is no "perfect answer". Should JS be disabled or enabled by default?
Tor Browser Bundle is a tool that millions of people use, and most of them need for it to be as simple as "download, open, run". Most people wouldn't use Tor if they had JS disabled by default because many people don't even know what JS is. So, instead of disabling JS entirely, the Tor Team made some modifications to the browser so that it is safer even running JS.
Now, of course, given what we know about JS and the attacks recently used against Tor (hidden services, network, browsers, etc) we should use it disabled. Being users who are at "power user level" we can manage to have temporary JS allowed in a certain site we need and set everything back to normal after that. It is safer and I sometimes use JS disabled. But I don't think it would be the right choice for Tor Browser Bundle default.
Your fears are a little bit unwise. If I am correct you are from France, and France has a large community of Tor users. You will hardly have problems with using Tor. Running a relay is something different and I can't really give you advice on that.
You can use startpage to search MediaGoblin. Like this
SEARCHITEM site:SITETOSEARCH
an example is "rms site:gobblin.se"
Yes, it should be already implemented in MediaGoblin, given that they can even use startpage for it :P
Tor is faster, yes, a lot faster than it was 10 years ago. However, it is not mainly because Tor has improved. Of course, they did improve the way circuits are handled and the encryption has been strengthened as well, but speed is better now because we have communities like torservers.net who have been keeping high speed exit relays running 24/7. 10 years ago we didn't have any of that so, it is really a matter of "having enough high speed relays from trusted sources" so that the network is fast to handle the use we give it.

Remember: fight to live, don't live to fight ;) If you start making too many sacrifices, one day you will not be using a computer anymore because "it might not be safe". See Fernando's last post and my reply there to get what I mean. We should improve the tools we have to be safe and we should use them wisely, but we should not stop living our lives because of the NSA or someone else.

Magic Banana

Joined: 07/24/2010

A website can easily know if the browser has JavaScript disabled. Even if the Tor Bundle browser is used. Since almost nobody disables JavaScript, that helps "de-anonymize" you, i.e. works against the very objective of Tor.

akifo

Joined: 12/23/2011

I guess that the "torify" command is a good solution for turning all important traffic to Tor. For example you can change your ~/.bashrc and add some aliases such as "alias pidgin='torify pidgin'" et cetera for all your network applications )

But if you want to torify everything, the best way is to use privoxy with tor and set it as global proxy for your system.
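An added example, not part of the thread: a check for the concern raised earlier that a plugin or application "might not obey the proxy settings", applied to programs started through torify or a local proxy. It reads `ss -tunp` output and reports every socket of a named program whose peer is not a local proxy port; the port list (9050 for the system tor, 9150 for Tor Browser's tor, 8118 for privoxy) and the sample capture are assumptions constructed for illustration, not measurements of any real program.

```python
import re

# Assumed local proxy endpoints: 9050 = system tor SocksPort,
# 9150 = Tor Browser's bundled tor, 8118 = privoxy default listen port.
LOCAL_PROXIES = {("127.0.0.1", 9050), ("127.0.0.1", 9150), ("127.0.0.1", 8118)}
OWNER_RE = re.compile(r'\("([^"]+)",pid=\d+')  # names inside users:(("name",pid=..))

def split_addr(addr):
    """Split 'host:port' (or '[v6]:port'); port is None for '*' (unconnected)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None

def find_leaks(ss_output, program, proxies=LOCAL_PROXIES):
    """Return (proto, peer_host, peer_port) for each socket owned by `program`
    whose peer is not one of the local proxy endpoints."""
    leaks = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] not in ("tcp", "udp"):
            continue  # header line, or a row without process information
        proto, peer, owner = fields[0], fields[5], " ".join(fields[6:])
        if program not in OWNER_RE.findall(owner):
            continue
        host, port = split_addr(peer)
        if port is None or (host, port) in proxies:
            continue  # unconnected socket, or traffic handed to the proxy
        leaks.append((proto, host, port))
    return leaks

# Constructed sample in the layout printed by `ss -tunp` (run as root to see
# other users' processes). Addresses are documentation/private ranges.
SAMPLE = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp ESTAB 0 0 127.0.0.1:40112 127.0.0.1:9050 users:(("pidgin",pid=2211,fd=14))
tcp ESTAB 0 0 192.168.1.20:52844 203.0.113.7:443 users:(("totem",pid=2290,fd=21))
udp ESTAB 0 0 192.168.1.20:51820 192.168.1.1:53 users:(("totem",pid=2290,fd=9))
tcp ESTAB 0 0 127.0.0.1:40200 127.0.0.1:9050 users:(("totem",pid=2290,fd=23))
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("totem",pid=2290,fd=11))
"""

if __name__ == "__main__":
    for name in ("pidgin", "totem"):
        print(name, find_leaks(SAMPLE, name) or "only proxy connections seen")
```

A UDP row to port 53 is a DNS lookup made outside the proxy, which reveals the visited host name even when the page content itself travels through Tor.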

Magic Banana

Joined: 07/24/2010

I would say it is a "bad practice" to route your P2P file download through Tor. That heavy load slows down the service to everybody else (including activists who really need Tor).

quantumgravity
Joined: 04/22/2013

Activists can't be protected in a network which is only used by activists and few other people.
Anonymity loves company.
And besides this everyone deserves the right to privacy.

So the goal for tor should be to provide anonymous browsing for everyone all the time.

Magic Banana

Joined: 07/24/2010

I agree with everything you say. I am not talking about browsing. I am talking about P2P file sharing. As far as I understand it is a significant load for the current Tor network. Sure that helps hiding whatever activists want to do... but they end up doing it so much slower that some may abandon Tor for this very reason.

GNUser
Joined: 07/17/2013

Let's keep in mind that using Tor for bittorrent for example is just plainly stupid, as it will provide little if any anonymity.
I agree with everything else that has been said, Tor needs to be a tool used for everyday browsing, so that the "sensitive browsing" done by activists and such becomes "hidden" and "obfuscated" in the middle of it. However, that requires the Tor network to grow (running relays and funding projects like torservers.net). Also, it is important to notice the work that needs to be done in the Tor software itself (the work done to improve scalability really paid off lol otherwise we would be crushed by the botnet thing), because the better the Tor network is handled by the software the less chances are that an attack might bring it down. Good thing they are doing their work on it ;) just check their latest blog update.

quantumgravity
Joined: 04/22/2013

I think also the developers of free software tools like totem/vlc or a pdf viewer could help the tor project very much with little effort by just implementing an "offline option" which makes sure that the program will not connect to the internet and harm privacy (and I'm really surprised that they haven't done this by now).
With a greasemonkey and a totem plugin I could easily do almost all of my browsing through tor without even recognizing a huge difference to my normal browser (really, I'm surprised myself but it's the truth).

I hope many normal people will start using tor; the increasing number of users will cause more and more noise in the statistical method of the spying agencies.
Maybe I'm a bit too optimistic but I see some kind of hope for the internet this way.