Using Tor daily

18 replies [Last post]
Aristophanes
Offline
Joined: 10/05/2017

Is using the Tor network (via Tor Browser) for all online activities a good idea?

Tor Browser’s settings would be the default ones, so, for example, the security setting would be set to “Standard”.
The user would follow these important warnings: https://www.torproject.org/download/download.html.en#warning
All online activities may include, among many other things, browsing YouTube videos or banking.

fbit

I am a member!

Offline
Joined: 07/07/2013

Not a good idea. Tor provides anonymity. If you log into a website that personally identifies you while you are using Tor, you have potentially lost that anonymity.

A good place to start would be to read the documentation: https://www.torproject.org/docs/documentation.html.en

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

>Not a good idea. Tor provides anonymity. If you log into a website that personally identifies you while you are using Tor, you have potentially lost that anonymity.

Just refresh it when you are done with the page ur logged into.. (new identity). Using Tor for everything is indeed a great idea and everybody should. Just consider the following: is it a good idea to slow down the network coz 'muh cats on the youtube must privacy'..?

Use Tor for everything is good :)

fbit

I am a member!

Offline
Joined: 07/07/2013

This is bad advice.

Tor is only useful (if it works properly) to provide you a pseudonymous browsing session (i.e. giving you an IP address that is not related to you and untraceable to you, except against a global adversary).

Why would you use it for e-banking, as the OP suggested? Not only is this not a pseudonymous activity (for regular people at least), it is indeed an activity where you may want the bank to log the correct IP. If you have a breach in your e-banking account and you complain to the bank and all of your successful logins come from random exit node IP addresses, they may in fact have a reasonable excuse to doubt your claim. Further, you are adding an extra few layers of routing between you and the bank. Why would you want to do that? Most importantly, you do not know who runs exit nodes. In my opinion you should assume they are all run by nefarious characters. You should not run your e-banking through random exit nodes.

The question to ask is why you're using Tor browser. What is your threat model?

From the sounds of it, SuperTramp just wants every single connection to be from an IP that is not his (presumably home) address, which I assume is not even a fixed IP. Because?

If you use Tor, your communications are much more likely to be scrutinized, by diverse parties (and more importantly, whose identity is unknown to you). If you reveal your real identity on Tor, you may end up on a list somewhere. Your real identity may be scrutinized. Etc.

Finally, relying on the "new identity" button to separate all of your online activities is bad opsec. You will make a mistake. If you really want to do something online that has a high likelihood not to be traced back to you, keep your behaviors and your personas completely separate. In fact, for anything more than looking up something you're embarrassed about, you would be smart to run off a live Tails session instead.

P.S. Definitely don't use Tor to download torrents, as is explained in the documentation (RT_M?). Use Tor for everything is not good, and may even affect other users adversely as is the case with torrents.

onpon4
Offline
Joined: 05/30/2012

> Most importantly, you do not know who runs exit nodes. In my opinion you should assume they are all run by nefarious characters. You should not run your e-banking through random exit nodes

I just want to point out that this doesn't really matter if you're using good encryption (which you should be doing anyway for online banking).

fbit

I am a member!

Offline
Joined: 07/07/2013

While that's probably correct, that's also a big if^1. What's the need? Why would anyone want to use Tor to do their e-banking? And why would anybody advise them that they should do so? Saying that if you're using good encryption it doesn't matter is like putting sewer water through your water filter because the filter is just that good, when you have the choice of a clean water source. You should always try to stack things in your favor.

^1 I see no point going into details. You no doubt followed Snowden's revelations. Also, the encryption algorithm could be good but the SSL certificate could be compromised (i.e. some idiot could have e-mailed 23,000 private keys or something super unlikely like that).

onpon4
Offline
Joined: 05/30/2012

It would be very unlikely for you to happen to end up with a final node run by a person who happens to have a way to decrypt your communication. Besides, Tor is not the only way to intercept your traffic, or even a particularly reliable way. It would be much easier for them to perform some other MITM attack.

I still don't see any point in using Tor for banking, but you are incorrectly suggesting that using Tor carries with it a significantly increased risk of MITM attacks. This simply isn't true.

fbit

I am a member!

Offline
Joined: 07/07/2013

>but you are incorrectly suggesting that using Tor carries with it a significantly increased risk of MITM attacks. This simply isn't true.

It is very likely the case that traffic passing through Tor is more scrutinized than regular traffic through your ISP (at least in most "democratic" countries) and that an adversary may dedicate more resources to it.

Y'all go ahead and do your banking (or other sensitive, real identity revealing tasks) through Tor if it rocks your boat.

Aristophanes
Offline
Joined: 10/05/2017

"Most importantly, you do not know who runs exit nodes. In my opinion you should assume they are all run by nefarious characters."

"If you use Tor, your communications are much more likely to be scrutinized, by diverse parties (and more importantly, whose identity is unknown to you). If you reveal your real identity on Tor, you may end up on a list somewhere. Your real identity may be scrutinized. Etc."

Correct me if I'm wrong, but it seems that you're not particularly keen on Tor, generally. That said, I acknowledge your comments in regard to not using Tor for online banking, as they sound sensible.

Do you use Tor?

Also, by "downloading torrents", do you mean configuring a BitTorrent application to use the Tor network, or visiting a torrent website via Tor in order to download a torrent file or open a magnet link?

fbit

I am a member!

Offline
Joined: 07/07/2013

I'm fine with Tor for its use case. If your goal is to achieve pseudonymity online and you follow good practices as explained in their documentation, it seems to be a good program.

I am skeptical of all programs, but particularly those that a person may directly trust their freedom or life on. I would not recommend you trust your freedom or life on Tor (or any software), unless you have absolutely no alternative.

Additionally, Tor is mostly funded by the US security state, whether or not you have a problem with that. You can read what Yasha Levine has to say about it. He has also disclosed some private communications between Tor and the security state, obtained through FOIA requests, which you may find interesting.

That said, Tor is likely as good a way as we have to be pseudonymous online. In a previous post I recommended Tails over Tor browser, which is an amnesic live GNU/Linux distro that uses Tor (Warning: AFAIK the kernel contains proprietary blobs and firmware. There's a free software alternative called Heads, but I do not know who makes that and cannot say whether it seems trustworthy. You'd have to do your own research).

If you want to be pseudonymous online, technology is only the starting point. It is how you put it into practice (in the long-run) that will determine your success. Spoiler: most people end up screwing up at least once, and once may be all it takes.

By "downloading torrents" I mean the actual files, as is the case with other large files such as videos, which slow down the Tor network for everyone else.

strypey
Offline
Joined: 05/14/2015

fbit:
> "Additionally, Tor is mostly funded by the US security state, whether or not you have a problem with that."

The US security state is also heavily involved in the development of the Linux kernel. The obvious explanation is that they use these tools themselves. It's important to remember that intelligence organizations need secure OS and anonymization software much more so than any of us do. Anything they did to compromise these tools would also compromise their own opsec. It's right to be sceptical, and share any solid information available pertaining to the security status of these tools, but paranoia based on who is involved in what, isn't really helpful.

> "There's a free software alternative called Heads, but I do not know who makes that and cannot say whether it seems trustworthy"

Heads is developed by Dyne and RastaSoft, developers of the Dyne:Bolic GNU/Linux, which is one of the distros on the FSF endorsed list. I think it's fair to say they're at least as trustworthy as RiseUp Labs, who develop Tails. Since the work on Heads consists mainly of deblobbing the Linux kernel Tails, what's probably more important is how competent you consider RiseUp Labs to be at ensuring their distro is secure.

Finally, AFAIK the only thing keeping Tails off the FSF endorsed distro list is that they don't use a deblobbed kernel, so that Tails can run properly on the widest possible range of hardware. If your hardware doesn't need blobs, they won't be loaded, and AFAIK running Tails on your system doesn't depend on any non-free software. If anyone knows different, I would be keen to learn what you know about this.

BTW Tor has been discussed on these forums a number of times, including:
https://trisquel.info/en/forum/tor-really-bad
https://trisquel.info/en/forum/shopping-tor-browser-double-stupidity

Plus there are threads on Tor in the Spanish language version of the forum.

onpon4
Offline
Joined: 05/30/2012

I wouldn't recommend using Tor to watch videos, because ways to do that either require JavaScript or may compromise your anonymity anyway and it slows down the network. For videos and large downloads, it's better to use a VPN.

And using Tor for activities that are by their very nature not anonymous is not helpful (e.g. banking).

But if you are anonymous on a forum, for example, using Tor is definitely a worthwhile thing to do.

Aristophanes
Offline
Joined: 10/05/2017

How may one browse YouTube anonymously (if at all)?

Also, with regard to being on a forum anonymously, does that work if one's logged in to that forum (using a pseudonym), or would it only apply if one is merely a visitor?

onpon4
Offline
Joined: 05/30/2012

> How may one browse YouTube anonymously (if at all)?

Like I said, use a VPN. Think Penguin sells a special router that can help you with that.

> Also, with regard to being on a forum anonymously, does that work if one's logged in to that forum (using a pseudonym), or would it only apply if one is merely a visitor?

If your pseudonym has never been connected to your name or IP address, that pseudonym is anonymous.

traxter
Offline
Joined: 03/23/2018

The fact that some distros' repositories (e.g. Debian and Devuan) are available as onion services/Tor hidden services has not been discussed in this thread yet, but may be relevant.

In fact, users can replace the default addresses in the sources.list file with onion services/hidden services addresses so apt will get all its stuff anonymously over the Tor network.

Anyone having experience with this? Is it really such a good idea? There seem to be a few concerns, such as apt could leak metadata of the packages that could be used to identify users. Also, it is not clear how many users actually get their packages that way. If only few people do so, it could be a problem as well.

One advantage definitely is that these addresses are https, default Debian/Devuan repositories are just http.

Aristophanes
Offline
Joined: 10/05/2017

Is the best way to install TorBrowser in Trisquel 8 to follow these instructions: https://www.torproject.org/projects/torbrowser.html.en#linux ?

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

Yes, but read this entire page before you start using it.

https://www.whonix.org/wiki/DoNot

As you'll see, even when you are not anonymous using Tor has the advantage of location privacy, but it is important to avoid mixing different levels of anonymity using the same identity. In order to avoid this, you need to understand which activities are deanonymizing. The page lists some common mistakes to avoid.

As for your usage of the Tor network affecting other users, proper use of Tor is generally good for the network. The more Tor users there are, the harder it is to identify them. (Consider the extreme example of there only being one user of Tor. They'd be very unique and therefore easily identifiable.) Moreover, if people only take steps to protect their privacy when they have something to hide, it makes the act of doing so suspicious. Helping to normalize protecting your privacy even when you have nothing to hide provides cover for those who do have something to hide, and if you ever do have something to hide you will not have to suddenly change your behavior and draw attention to the change in your circumstances.

However, improper usage of Tor is bad for the network. Don't slow it down for others unnecessarily by watching videos or downloading large files when anonymity is not absolutely vital. A VPN is better for such activities. If you don't already have a VPN and need information on choosing one, this site is a good resource.

https://thatoneprivacysite.net/vpn-comparison-chart/

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

don't know about best but you download the tar, verify, extract and run.

https://www.torproject.org/docs/verifying-signatures.html.en
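
The "verify" step in the post above, as an added example that is not part of the original post or of Tor Project code: it refuses to extract unless gpg reports a valid signature whose primary key fingerprint matches a pinned value. The function names, the keyring argument, the fingerprint placeholder and the sample status lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pin the signer's key instead of accepting any "Good signature".

# Placeholder: the primary key fingerprint published by the project (40 hex digits).
EXPECTED_FPR="REPLACE_WITH_PUBLISHED_PRIMARY_KEY_FINGERPRINT"

# Constructed sample of `gpg --status-fd` output (made-up key IDs and fingerprints).
SAMPLE_PRIMARY_FPR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 2018-01-01 1514764800 0 4 0 1 10 00 $SAMPLE_PRIMARY_FPR"

# Reads gpg status lines on stdin. Succeeds only if a VALIDSIG line ends with the
# expected primary key fingerprint and no bad, errored, expired-key or
# revoked-key signature status appears anywhere in the output.
signature_is_pinned() {
    expected=$1
    pinned=1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*) return 1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                # The last VALIDSIG field is the primary key fingerprint.
                if [ "${line##* }" = "$expected" ]; then pinned=0; fi ;;
        esac
    done
    return "$pinned"
}

# Verifies a detached signature against a dedicated keyring, then extracts.
# Usage: verify_and_extract <tarball> <tarball.asc> <keyring file>
verify_and_extract() {
    tarball=$1
    sig=$2
    keyring=$3
    gpg --no-default-keyring --keyring "$keyring" --status-fd 1 \
        --verify "$sig" "$tarball" 2>/dev/null \
      | signature_is_pinned "$EXPECTED_FPR" || {
        echo "signature check failed: not extracting $tarball" >&2
        return 1
    }
    tar -xf "$tarball"
}
```

Treating an expired signing key as a failure is a strict choice made in this example; the keyring passed in should contain only the key obtained as described on the page linked above.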

strypey
Offline
Joined: 05/14/2015

So, it's fine to use Tor for regular browsing, because this helps make it harder to identify any given Tor user, even if most of that browsing involved logging into websites and thus breaking anonymity? But I must turn Tor off before watching videos, torrenting, or downloading large files? Is that the consensus? Or am I misunderstanding?