Is Tor really any help at all? And other privacy/anonymity/freedom/security thoughts and questions

GrevenGull
Joined: 12/18/2017

When the default setting in Tor Browser is to have JavaScript execution enabled, how is that any privacy/security improvement? And what is really the point with encryption like GPG?

I can't seem to wrap my head around all these subjects and concepts of freedom/privacy/security etc.

Freedom I get, freedom is easy. Can anybody read and change the code of the program? Now that's cool, I understand that.

But privacy/security/anonymity here it gets blurry for me, because I can't really see how you can achieve any of those things today.

zigote
Joined: 03/04/2019

> I can't really see how you can achieve any of those things today.

Not only today. It is the human thought that is the problem, not the technology. Technology is simply the tool that thought develops to enhance its selfish demands.

> When the default setting in Tor Browser is to have JavaScript execution enabled, how is that any privacy/security improvement?

Security - no.

Privacy - could be an improvement because most people have JS enabled (which can be detected by a website). Having it disabled can contribute to a fingerprint (along with other factors). Of course JS itself opens the door to much more fingerprinting. In the end it depends on the website what it will detect and correlate. That's why I say "could be". Generally you are safer without JS.

> And what is really the point with encryption like GPG?

End-to-end encryption.

> Is Tor really any help at all?

It hides your real IP address.

The 4 FOSS freedoms do not guarantee you any of the above.

Libreshop
Joined: 10/27/2018

Tor Browser is a tool to "anonymously" browse the web. They also mention on their website that using only Tor isn't enough for anonymity; you also need to change the way you use the browser.
Why they are not setting the "Safest" option as their default, I don't know, but I assume (guessing) it is because not every Tor user knows how to change those settings, so they are keeping it simple for those who need JS to run, or maybe they have statistics that most users are using the JS-enabled setting, so they made it their default setting.

GPG encrypts your message with the public key of the person you are talking to, so you only send the encrypted message and the receiver can decrypt it with his private key. So if there are network sniffers or man-in-the-middle attacks, they can't see the message you've sent.

Another use is signatures.
E.g. you are sending a plain message, but you add a signature, which you encrypt with your own private key, and you send your message (of course everybody can see your public key), so they will use it to decrypt your signature. This way, you can prove the message is from you and not from someone who pretends to be you.

The private key stays on your computer; no one knows it, even your email provider (self-hosted or an email service provider) doesn't know it.
The public key is known to everyone; you can upload it to a keyserver, or put it on your website, or attach it to every email you send, so your contacts can use it to communicate with you.

Today, if you want to be anonymous on the internet, you need to change the way you use the internet.
- Use Tor, but don't log in to websites, as this will authenticate you (and the website will know you are using Tor).
- If you need to log in, create a dummy account and use that one instead.
- When communicating with others, check if they use PGP, and try to communicate using that.
- Don't send anyone your private info.
- If you need to buy something, have it delivered to a post office instead of your home address, preferably one that will ask for a secure code instead of an ID card.
- Or have it delivered to a friend who doesn't mind your stuff being delivered to him.
- Try to use a burner phone if you really need to enable your account with a phone number. In the EU it is not possible to "just buy a SIM card", you need to authenticate, so ask a friend who doesn't mind you using his phone for that, but do it with someone you trust, who will not use his phone number to hijack your account.
- Use different VPN services (of course, this can be costly, so be careful when doing this...).
- If it's possible, change your MAC address every time you connect to the internet.
- Only share your email address with someone you trust, and ask them to use PGP to communicate.

Privacy:
- Try using a password manager, and generate all your passwords for every service you use (so password guessing based on your social profile will be eliminated).
- Use pseudonyms, not your real name, and don't post much about yourself. Try to cover it up with unreal names, ...

Security:
- Keep your system up to date with security fixes.
- Check PGP signature and SHA256/SHA512/MD1 sums of everything you download.
- Check the SSL of the websites (this is optional; most websites can use Let's Encrypt, which will only confirm that the communication is encrypted, but doesn't confirm the identity of the website).
- Do not ignore browser or anti-virus warnings.
- Don't copy commands from the internet (or mostly StackOverflow), because it is the best possible answer...
- Disable third-party cookies and scripts.

Those are just tips, you do with them whatever you want.

zigote
Joined: 03/04/2019

> - If it's possible, change your MAC address every time you connect to the internet

https://networkengineering.stackexchange.com/questions/29063/can-my-mac-address-be-identified-by-a-web-site

Libreshop
Joined: 10/27/2018

Nice to know, thanks for teaching me something new today :)

chaosmonk

Joined: 07/07/2017

> Why they are not setting the "Safest" option as their default, I don't know, but I assume (guessing) it is because not every Tor user knows how to change those settings, so they are keeping it simple for those who need JS to run, or maybe they have statistics that most users are using the JS-enabled setting, so they made it their default setting.

I recall reading that the reasoning is that if "safest" were the default then new users might not understand why some sites are broken, whereas if they set security level to "safest" manually they are more likely to understand that the security settings are the cause of sites breaking. I'm not sure I agree with this reasoning, but that's what I've read.

GrevenGull
Joined: 12/18/2017

> GPG encrypts your message with the public key of the person you are talking to, so you only send the encrypted message and the receiver can decrypt it with his private key. So if there are network sniffers or man-in-the-middle attacks, they can't see the message you've sent.

I wouldn't trust this if I was seriously in need of anonymity. Because you need to trust the GPG program and email program and the computer you are using etc etc. So many pitfalls. Same with the signature.

If you want to be anonymous on the internet, none of these programs and Tors makes any difference. If you want to be anonymous on the internet you need to build your own PC from scratch so you know every inch of hardware and software on it yourself, and then you need to connect it to some random internet somewhere, and when you are on the internet don't communicate at all.

I just.. maybe I'm being pessimistic here.. But I just.. these encryption things and VPN things just.. feels pointless to me. Please do convince me otherwise

Libreshop
Joined: 10/27/2018

GPG is not a tool to use for anonymity. I mean, for sending a message to someone (email, as you have mentioned), it's basically a tool to encrypt the message and protect it from others reading it.
When I send you a mail, my email address and your email address are known, so someone sniffing the network will also see this info; what he can't see is the content of the message (you can also encrypt the subject of the mail).

An email client or computer is just an interface to make it easier for you to do the GPG encryption. Of course you need to trust the tools you are using to perform the operation for you, or you can try to calculate in your head (without using a computer) to encrypt your message GPG-style, then send it with the local postal service or deliver it yourself :)

VPN is also not the tool to be anonymous, but it is advertised like that.

VPN (used for anonymity) is good if you don't want others to sniff your internet behavior when you are on public wifi. You can set up your own VPN server at home, so when you are in a coffee shop, you can connect to your home VPN, so if there is someone sniffing the wifi of the coffee shop, he can again see your IP and the IP of your home VPN, but that's about it; that connection is an encrypted tube, and all your browsing is done in this tube, so sniffers can't see what's inside the "tube".

Tor is using (if I'm not wrong) 3 different VPN connections each time you connect to the internet (of course this impacts your browsing speed). It is also compiled with custom settings and addons (Tor Browser); it is free(dom) and open-source software, so many people (with skill) can audit its code, so when there is something raising flags, it can be reported publicly, so you can base your trust on that (or not), it's up to you.

To be a little bit secure, you need to use some tools, based on your trust level in those things.

To be anonymous, the "little bit" security is not enough, and you need to change the way you use things.

I hope it is now clear.

gd_scania
Joined: 09/13/2017

That's why I block all the password saving, webcams, microphones, location and so on unwanted permissions which are about to leak against you. I also keep nothing (will always be removed after exit, even never save them) but just opposed-party cookies and site prefs to keep my web browsing UX private, but also without any conveniences.

zigote
Joined: 03/04/2019

Remember though that blocking various things which are not blocked by default may increase your fingerprint as it makes your browser different and from that more unique.

Libreshop
Joined: 10/27/2018

One thing you can do is use or create an addon (or, if it's possible with the browser you're using, change some settings) to set your browser config to something generally used.
I mean, you are using "Abrowser vX.X German on Trisquel Mini", but your browser sends info like "Chrome vY.Y en_US on Windows 10 Home".

zigote
Joined: 03/04/2019

Changing user-agent string is a thing which you can do without addons. However it is just a small piece of the fingerprint. A fingerprint can include many more things - cookies (or the fact they are blocked), encryption protocols supported by the browser, HTTP request headers (perhaps even the order in which they are sent), etc. So it is not that simple.
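
Added example, not part of the thread: a small measurement of the point made in the post above, that a changed user-agent string is only one component of a fingerprint. The population, attribute names and values are all constructed for illustration.

```python
import math

# Attributes a site could combine into a fingerprint (names are illustrative).
FIELDS = ("user_agent", "header_order", "cookies", "tls_ciphers")

def browser(*values):
    return dict(zip(FIELDS, values))

# Constructed population of 100 visitors: two common configurations and one
# visitor running an uncommon browser with cookies blocked.
VISITOR = browser("Abrowser/Trisquel", "host,ua,accept,lang,enc", "blocked", "suite-B")
POPULATION = (
    [browser("Chrome/Windows 10", "host,ua,accept,enc,lang", "enabled", "suite-A")] * 90
    + [browser("Firefox/Windows 10", "host,ua,accept,lang,enc", "enabled", "suite-B")] * 9
    + [VISITOR]
)

def anonymity_set(candidate, population, fields=FIELDS):
    """How many visitors look identical to `candidate` on the given fields."""
    key = tuple(candidate[f] for f in fields)
    return sum(1 for other in population if tuple(other[f] for f in fields) == key)

def surprisal_bits(candidate, population, field):
    """Identifying information (in bits) carried by one attribute value."""
    share = anonymity_set(candidate, population, (field,)) / len(population)
    return -math.log2(share)

def spoof_user_agent(candidate, population, fake="Chrome/Windows 10"):
    """Return the candidate with only its user-agent changed, plus the updated crowd."""
    spoofed = dict(candidate, user_agent=fake)
    crowd = [spoofed if p is candidate else p for p in population]
    return spoofed, crowd

def report():
    spoofed, crowd = spoof_user_agent(VISITOR, POPULATION)
    return {
        "before_spoofing": anonymity_set(VISITOR, POPULATION),
        "after_ua_only": anonymity_set(spoofed, crowd, ("user_agent",)),
        "after_all_fields": anonymity_set(spoofed, crowd),
        "bits": {f: round(surprisal_bits(spoofed, crowd, f), 2) for f in FIELDS},
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(name, value)
```

Judged by user-agent alone the spoofed visitor blends in with 91 others, but the full attribute tuple still matches nobody else, and the blocked-cookies setting alone carries more identifying bits than the user-agent did.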

traxter
Joined: 03/23/2018

>> But privacy/security/anonymity here it gets blurry for me, because I can't really see how you can achieve any of those things today

Anonymity in its actual definition is probably an illusion anyway, at least when we're talking about the internet.

Software like Tor (if used correctly) makes it very hard to identify or track a person - in many (or most) cases so hard that people who want to do this will likely come to the conclusion that it's not worth the work and the time.

GrevenGull
Joined: 12/18/2017

> Software like Tor (if used correctly) makes it very hard to identify or track a person

Could you explain to me why and how Tor does this? It seems to me there are too many points of failure, for starters the computer you are using. That you have bought somewhere with your bank account.

GNUser
Joined: 07/17/2013

Well, most replies already explain everything but I thought I could add my 2 cents.

Privacy is not about being super-anonymous-level-cracker. It's about how much of your personal information you wish to disclose and to whom you wish to disclose it to in the first place. An example:

A smartphone, running the default pre-installed ROM, with Facebook app and Chrome as default browser, plus Youtube official app, and using a Gmail account as default email option. All these apps will have enough permissions to access all data in your device (pictures, messages, emails, microphone, etc) and because they are proprietary (closed-source) you can't trust the apps not to do so. Now let's see another alternative:

A smartphone, running LineageOS, with SlimSocial app for accessing Facebook, Privacy Browser installed as default browser, with Invidious as the default choice for accessing YouTube videos, and using a ProtonMail email account. Now, as you can see, there is no Tor involved yet, but by using Free Software apps you are already making it harder for companies to access your data (SlimSocial has no need for the permissions that the official Facebook app uses) and Invidious and ProtonMail are run by people who actually try to respect and protect their users. Notice the difference? NO Tor, and yet you are more private than before. Now, of course, if you add Orbot to the mix and use it on top of SlimSocial and Privacy Browser, you are already getting some information about your location hidden (even if using the same old accounts you had, ProtonMail and Facebook cannot know where you are anymore). It's another baby step that helps to go a long way!

Privacy is all about being as private as you want to be. Me personally, I am careful about my privacy online, to the point of using anonymous accounts only. But I recognize it's hard to do it this way, so for most people I suggest a baby step a day. After some time you will hardly be surprised with the visit of some low level criminal who has all your information and is blackmailing you with it. A law enforcement agency? They still have the power to target you if they so choose. But if they choose to target YOU specifically, maybe you actually did something worthy of being investigated? Not all investigations run by FBI, NSA, etc. are evil in nature. I am glad that criminals who hurt people (pedophiles, assassins, drug lords, etc.) are caught even when using Tor (they usually screw up their OpSec and not because of Tor, but still). But I am also glad that Tor gives me security when using an open public wifi so other people cannot sniff my data.

So, yeah... use Tor, and if you can, run a relay. Use GPG or maybe ProtonMail (which takes care of that for you in a way). Maybe try BitMessage. Or even I2P, who knows? Be private when you wish to be private. Don't simply blame Google for taking the data that you put out yourself in the first place... Do your part ;)

zigote
Joined: 03/04/2019

> Don't simply blame Google for taking the data that you put out yourself in the first place... Do your part ;)

You cannot "do your part" unless you are isolated from society.

When you give your phone number to someone, that someone puts it on his iPhone/Android with your name next to it. So you may own the best possible super privacy respecting FOSS phone but your data is still in big tech's clouds, the phone calls with you can still be monitored etc. And although you don't give consent to personal data processing to Apple/Google, your personal data is still going to be processed by them (as well as by all the companies which have software on your friend's phone).

So privacy is not just about "I am private because my devices are clean" but about common (perhaps even global) social change. Unfortunately nothing like it is going to happen any time soon.

Masaru Suzuqi -under review-
Joined: 06/06/2018

> Unfortunately nothing like it is going to happen any time soon.

So what are you waiting for?

GNUser
Joined: 07/17/2013

I would have to partially disagree with you. You CAN do your part and SHOULD do your part.
In the above example, both phones have calls and messages being monitored, yes. But if you have the official Facebook app installed it has access (permissions) to all the photos on your device. In the second example, SlimSocial doesn't have it. So, Facebook will only get the photos that you choose to upload there. That's a major difference! If you upload a photo to Facebook (or any other website) you most likely want that photo to be public, and shared. BUT if you have a photo on your phone that you want to keep private, it's your responsibility to keep it safe. Yes, big tech corporations abuse their power, but that has been the way it is for a long time. Right now we have tools to be more in control than before, we should use them.

You are right that a global change is needed, but that only happens when everyone starts taking baby steps. Remember, if the FBI chooses to investigate you, they have ways to monitor your computer usage (moot point if you use Tor or not, they simply hide a camera pointing at your computer screen for example). But there is no way they can harvest everyone's information by simply monitoring their internet connections. Anonymity (or privacy) loves company.

All in all, the simple fact that smartphones come with proprietary apps pre-installed is the biggest issue, because those are so easily replaced with other FOSS apps, and that would go such a long way! Firmware and drivers aside, apps give control of your data to any company out there.

The OP might be interested in reading these two blog posts from Tor Project Developer, Mike Perry:

https://blog.torproject.org/mission-impossible-hardening-android-security-and-privacy

https://blog.torproject.org/mission-improbable-hardening-android-security-and-privacy

Read all of this, read the comments because a lot of people asked questions that might be answered in a way that helps you (it helped me!!) and remember that you don't need to be SUPER_LEVEL_SECURITY_CRACKER_ANONYMOUS!!!!! You just need to have your private stuff private from the public in general.

GrevenGull
Joined: 12/18/2017

These tips are all dandy, but I still don't really understand the Tor, GPG, Protonmail thing. I mean... With Tor you are sending your internet activity through several VPNs. So instead of giving your information to your ISP and the website you are visiting, you are giving your information to VPNs.. What's the point really? Why do you trust these VPNs? I don't get it.

And Protonmail, same thing.. Their website is not accessible without JS. Now Disroot, them I understand, they give you a lot of things, you can sign up without JS etc.

Also GPG, I just don't understand the whole encryption thing.

Magic Banana

Joined: 07/24/2010

You need to understand the basics of encryption if you want to understand GPG or Tor. And you need to understand some math to understand a specific cypher (e.g., some number theory for RSA).

Yes, using Tor is basically using three VPNs, in layers. One only knows who you are, and neither what you are sending nor to whom. Another one knows nothing (a security against real de-anonymizing attacks). The last one knows who you are contacting, and, if the protocol is not encrypted (e.g., HTTP instead of HTTPS) what you are sending. Owning some Tor nodes is not enough to de-anonymize.
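
Added example, not part of the thread: a toy model of the three layers described in the post above, recording what each relay can observe about one plaintext HTTP request. The relay names, keys and the SHA-256 XOR keystream are constructed stand-ins and are not Tor's actual cell format or cryptography.

```python
import hashlib
import json

def xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (its own inverse)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

# Constructed circuit: the client shares one key with each relay.
PATH = ["guard", "middle", "exit"]
KEYS = {name: hashlib.sha256(b"constructed-key-" + name.encode()).digest() for name in PATH}

def build_onion(request: bytes, destination: str) -> bytes:
    """Client side: wrap for the exit first, then the middle, then the guard."""
    next_hops = PATH[1:] + [destination]      # where each relay must forward to
    cell = request
    for relay, nxt in reversed(list(zip(PATH, next_hops))):
        layer = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = xor_layer(KEYS[relay], layer)
    return cell

def route(cell: bytes, client: str):
    """Each relay peels one layer; record what it learns while doing so."""
    views, sender = {}, client
    for relay in PATH:
        layer = json.loads(xor_layer(KEYS[relay], cell))
        cell = bytes.fromhex(layer["data"])
        views[relay] = {
            "from": sender,                       # who handed it the cell
            "to": layer["next"],                  # the only address it is given
            "reads_request": cell.startswith(b"GET "),
        }
        sender = relay
    return views, cell

def demo():
    # Plain HTTP on purpose: the case where the exit can read the content.
    request = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"
    return route(build_onion(request, "example.org"), client="alice")

if __name__ == "__main__":
    views, delivered = demo()
    for relay, seen in views.items():
        print(relay, seen)
```

No single relay's view contains both the client and the destination, and only the exit reads the request because it was sent as plain HTTP.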

GNUser
Joined: 07/17/2013

https://2019.www.torproject.org/about/overview.html.en

I believe this page might help newcomers to better understand how Tor works.

MagicBanana is right, you need to have a basic understanding of how encryption works, to understand why Tor and GPG and other such tools are important.

Read my comments above, you will also realize how being private is a simple matter in many ways.

GrevenGull
Joined: 12/18/2017

Also checksums like sha and MD5 and stuff like that, how does that make anything safer?

GNUser
Joined: 07/17/2013

Those are mostly for making sure that your download went the right way and there are no errors in the file. GPG assures you that your downloaded file came from the original sender in the first place.
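
Added example, not part of the thread: the checksum-versus-signature distinction from the post above, together with the sign-with-private-key, verify-with-public-key flow described earlier in the thread. It uses textbook RSA over a SHA-256 digest with a deliberately tiny constructed key; this is not GPG's real format, and the file contents are constructed samples.

```python
import hashlib

# Toy RSA key from two known Mersenne primes (constructed; far too small for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                                  # public modulus, published with E
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, never leaves the publisher

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    """Publisher side: needs the private exponent D."""
    return pow(digest_int(data), D, N)

def verify(data: bytes, signature: int) -> bool:
    """Downloader side: needs only the public values E and N."""
    return pow(signature, E, N) == digest_int(data)

def check_download(file_bytes: bytes, listed_sum: str, signature: int) -> dict:
    return {
        "checksum_ok": sha256_hex(file_bytes) == listed_sum,
        "signature_ok": verify(file_bytes, signature),
    }

RELEASE = b"installer-1.0 contents (constructed sample)\n"
RELEASE_SIG = sign(RELEASE)                # made once by the publisher

def scenarios() -> dict:
    # 1. A byte damaged in transit: the listed checksum no longer matches.
    corrupted = RELEASE[:-1] + b"\x00"
    # 2. The file is replaced on the download server and the checksum listed next
    #    to it is regenerated: the checksum matches, the signature does not.
    replaced = b"installer-1.0 with unwanted changes (constructed sample)\n"
    return {
        "intact": check_download(RELEASE, sha256_hex(RELEASE), RELEASE_SIG),
        "corrupted_in_transit": check_download(corrupted, sha256_hex(RELEASE), RELEASE_SIG),
        "replaced_on_mirror": check_download(replaced, sha256_hex(replaced), RELEASE_SIG),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The signature check is only as good as the way the public key was obtained: it has to come from somewhere other than the server the file was downloaded from.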

Libreshop
Joined: 10/27/2018

I was using Abrowser(Trisquel) and IceWeasel(Parabola) as my default.
But I switched to Tor and set the safest option, and only enable(or Trust) websites I want, and all the others are disabled by default.

zigote
Joined: 03/04/2019

Tor != Tor Browser

Tor has no "safest option", Tor Browser does.

Libreshop
Joined: 10/27/2018

Sorry for that.
Indeed, I mean Tor Browser.