RandomlyGeneratedUsername OP wrote
Reply to comment by quandyalaterreux in Is Tor Browser Safe and Completely Anonymous to Use? by RandomlyGeneratedUsername
I think it's pretty balanced. Tor is one of the best privacy tools, no doubt, but we also should be on guard and consider alternative projects like I2P, Lokinet, etc.
smartypants wrote
OP did not talk about TOR, he talked about the often backdoor exploited TOR BROWSER
TOR BROWSER is not Tor!
Tor browser is often proven to have exploits and backdoors. Read my posts from today.
RandomlyGeneratedUsername OP wrote
Well, there are three points: the Tor network, the Tor Browser and the Tor Project. Tor Browser is a patched Firefox with all its potential vulnerabilities, yep.
quandyalaterreux wrote
There is a big difference between outlining Tor's weaknesses and giving consideration to other alternative projects one the one hand, and making classic FUD points (such as the ones on funding, or OMG Roger Dingledine did a talk with law enforcement).
RandomlyGeneratedUsername OP wrote (edited )
Funding can influence a project pretty significantly. Even mastodons like Linus Torvalds had to obey politics. Tor Project has been subjected by the diversity politics pretty quickly. You would expect more independence from rebellious cryptopunks.
quandyalaterreux wrote
Funding can influence a project pretty significantly.
Not when done in a completely transparent manner in which the funding's objectives are clearly stated (e.g. https://gitlab.torproject.org/legacy/trac/-/wikis/org/sponsors/Sponsor58 ).
spc50 wrote
I encourage people to hold these projects accountable.
Auditing is a normal thing in the real world. Transparency is necessary to some level.
Tor will never be clean trustworthy project. Government directly invested in it. There are shortcomings in design and not enough nodes to mix things up by default, thus prior endpoint hacker data collection.
It's just a piece of a solution. Wear your web condom with a VPN, then Tor...
quandyalaterreux wrote
Wear your web condom with a VPN, then Tor...
Please see https://matt.traudt.xyz/posts/vpn-tor-not-mRikAa4h/
spc50 wrote
Thanks for the share.
I am reading and trying to get my head around what is posed there.
This--> "...If you connect to a VPN over Tor, this traffic separation goes away completely..."
People go connecting to their VPN via Tor? That's not ahh bright.
Normally: Computer ---> REMOTE VPN ---> TOR
No single tunnel there like claimed. Sure VPN is, but it's a drop in replacement in essence for your local gateway. Normal pedestrian leakage of IP and you get the VPN IP instead of your actual IP. More advanced leaking, well, nothing is saving you.
Then there is this ---> there's the matter of trust to consider again. Alice must be sure her VPN provider is worthy of the trust she will be placing in it. She must have paid her VPN provider in a way that can't be traced back to her. She must be sure that the VPN provider doesn't keep traffic or connection logs. She has to trust herself to never mess up and connect to her VPN without Tor. And for this VPN to be of any benefit at all, she must convince herself that her adversary can't somehow work with the VPN provider, compromise the VPN provider, or work with/compromise ISPs and ASes near the VPN provider.
This is why you need real provider for VPN that is exercising maximum transparency and who answers the tough questions. A compatible philosophy they live by is most important. But have to implement thing, not just lip service.
Same argument made for trust thy VPN provider NOT --- can be 100% extended to your ISP and its upstreams. This is why crypto matters and everything should be encapsulated in something, ideally multiple wrappers.
Peel back a layer of this and there is another layer - if your protection is working effectively.
For VPN to work in this mix you need provider that doesn't want to intimately knows its customers.
- Zero knowledge of customers.
- Anonymous payments (prepaid cards, cash, privacy coins, barter).
- No name or info required to maintain account. No logs on the servers.
- Forced DNS that is scoured clean of fluff and abuse 3rd party noise.
- Something better than a warrant canary - how about full posting of all abuse@provider inbound emails automatically?
That's a decent start.
You will see that around here soon as a thing. Cause the VPN industry is a marketing scam most of it. Gets exploited and they toss more into ad buys and placement spots. Fake privacy niche is a real tragedy.
Viewing a single comment thread. View all comments