Comments

You must log in or register to comment.

quandyalaterreux said ()

This article is full of FUD. (e.g. whaaa Tor gets funds from DARPA! US gov is behind Tor!)

3

RandomlyGeneratedUsername OP said ()

I think it's pretty balanced. Tor is one of the best privacy tools, no doubt, but we also should be on guard and consider alternative projects like I2P, Lokinet, etc.

2

quandyalaterreux said ()

There is a big difference between outlining Tor's weaknesses and giving consideration to other alternative projects one the one hand, and making classic FUD points (such as the ones on funding, or OMG Roger Dingledine did a talk with law enforcement).

2

spc50 said ()

I encourage people to hold these projects accountable.

Auditing is a normal thing in the real world. Transparency is necessary to some level.

Tor will never be clean trustworthy project. Government directly invested in it. There are shortcomings in design and not enough nodes to mix things up by default, thus prior endpoint hacker data collection.

It's just a piece of a solution. Wear your web condom with a VPN, then Tor...

2

quandyalaterreux said ()

Wear your web condom with a VPN, then Tor...

Please see https://matt.traudt.xyz/posts/vpn-tor-not-mRikAa4h/

1

spc50 said ()

Thanks for the share.

I am reading and trying to get my head around what is posed there.

This--> "...If you connect to a VPN over Tor, this traffic separation goes away completely..."

People go connecting to their VPN via Tor? That's not ahh bright.

Normally: Computer ---> REMOTE VPN ---> TOR

No single tunnel there like claimed. Sure VPN is, but it's a drop in replacement in essence for your local gateway. Normal pedestrian leakage of IP and you get the VPN IP instead of your actual IP. More advanced leaking, well, nothing is saving you.

Then there is this ---> there's the matter of trust to consider again. Alice must be sure her VPN provider is worthy of the trust she will be placing in it. She must have paid her VPN provider in a way that can't be traced back to her. She must be sure that the VPN provider doesn't keep traffic or connection logs. She has to trust herself to never mess up and connect to her VPN without Tor. And for this VPN to be of any benefit at all, she must convince herself that her adversary can't somehow work with the VPN provider, compromise the VPN provider, or work with/compromise ISPs and ASes near the VPN provider.

This is why you need real provider for VPN that is exercising maximum transparency and who answers the tough questions. A compatible philosophy they live by is most important. But have to implement thing, not just lip service.

Same argument made for trust thy VPN provider NOT --- can be 100% extended to your ISP and its upstreams. This is why crypto matters and everything should be encapsulated in something, ideally multiple wrappers.

Peel back a layer of this and there is another layer - if your protection is working effectively.

For VPN to work in this mix you need provider that doesn't want to intimately knows its customers.

  • Zero knowledge of customers.
  • Anonymous payments (prepaid cards, cash, privacy coins, barter).
  • No name or info required to maintain account. No logs on the servers.
  • Forced DNS that is scoured clean of fluff and abuse 3rd party noise.
  • Something better than a warrant canary - how about full posting of all abuse@provider inbound emails automatically?

That's a decent start.

You will see that around here soon as a thing. Cause the VPN industry is a marketing scam most of it. Gets exploited and they toss more into ad buys and placement spots. Fake privacy niche is a real tragedy.

2

RandomlyGeneratedUsername OP said () (edited )

Funding can influence a project pretty significantly. Even mastodons like Linus Torvalds had to obey politics. Tor Project has been subjected by the diversity politics pretty quickly. You would expect more independence from rebellious cryptopunks.

2

smartypants said ()

OP did not talk about TOR, he talked about the often backdoor exploited TOR BROWSER

TOR BROWSER is not Tor!

Tor browser is often proven to have exploits and backdoors. Read my posts from today.

2

RandomlyGeneratedUsername OP said ()

Well, there are three points: the Tor network, the Tor Browser and the Tor Project. Tor Browser is a patched Firefox with all its potential vulnerabilities, yep.

1

div1337 said () (edited )

I think the recent arrest news should tell us that Tor is not completely anonymous.

Here's how to be 99.99% anonymous:

  • Buy 2nd hand laptop
  • Park outside a library with free Internet
  • Use something like Tail OS to further hide your identity
3

spc50 said () (edited )

It's more secure than Brave :) Just look at how Brave has been leaking addresses to regular DNS for how long? (who can feed me a URL with their old releases so I can test?)

Seriously you should be running Tor browser with javascript off. JS is a nuisance and privacy sewer and by design. Javascript creator should be charged with crimes against humanity.

Oh isn't that fellow the lad behind Brave?

2

smartypants said () (edited )

NO!!! Tor browser dangerous to trust!

OVER three times Tor browser caught leaking hundreds of thousands of peoples IP addresses to FEDS, though the https traffic contents secure up to the endpoint.

TOR BROWSER in TAILS routinely has code inserted to subvert it, or borrows javascript code that has exploits in it known to FBI and NSA as proven in many federal court prosecution transcripts.

TOR BROWSER INSECURE FROM HOME, even if all javascript disabled (proven below)

HTTPS is secure, but sadly, once connected to https://ramble.pw or any https site, backdoor exploits added to tor browser , by NSA/CIA, in the form of "ACCIDENTAL CODE SUBMISSIONS" to tor browser used in TAILS, leaks your IP to the target. This means...

... that using one or even a chain of VPNS can have the ENDPOINT (https://ramble.pw or ISP of https://ramble.pw) exploit your TAILS tor browser via javascript (typically), or WebRTC (in the past) to LEARN YOUR ACTUAL TRUE IP ADDRESS!!!

This means that the HTTPS encrpyted traffic is still secure, end to end, but your IP address can still be logged using VPNS, by the endpoint.

Thse ways and means show up in federal court cases when FBI is forced to reveal tactics under a Judges order in court trials.

They for years tor browser in TAILS had hidden backdoors proven if you read the release notes of TAILS TAILS too? Yup, Even the famous https://tails.boum.org/

...had WebRTC enabled by accident (or by mossad on purpose) in past versions of TAILS, and if you read ALL THE CHANGE NOTES OF ALL VERSIONS you will learn I am telling the truth on the one little note they fessed up.

https://medium.com/@blackVPN/critical-windows-exploit-webrtc-can-expose-your-real-location-ip-address-even-when-using-a-vpn-4555d2fd280d

https://www.exploit-db.com/exploits/44403/

https://blog.ipvanish.com/webrtc-security-hole-leaks-real-ip-addresses/

https://thehackernews.com/2015/02/webrtc-leaks-vpn-ip-address.html

https://www.reddit.com/r/VPN/comments/2tva1o/websites_can_now_use_webrtc_to_determine_your/

That is NOT the only weakness in Tor browser, there were other non-WebRTC leaks!!!! Javascript (required for every free speech social site) and (required for Cloudflare) had exploits in summer 2019 that leaked endpoint IP addresses, and even allowed kernel level OS alteration on Mac OS using TAILS!!!!!! Many years of tails exploits prior too.

NO large web browser should EVER be trusted not to divulge IP addresses over VPN

Anyone trusting using TAILS along with its graphical browser, is a patsy. The rest are in prison already if they were criminals.

Only use text messaging , not a graphical web browser, when using TAILS, or tor services and VPNs! No fancy web browsers!

Even better, use a "one time visit" concealing gait and face, to a coffee shop.

Remember TOR/TAILS often runs unstoppable javascript using exploits by FBI, such as the infamous recent noscript vulnerability!...

https://www.netsparker.com/blog/web-security/noscript-vulnerability-tor-browser/

javascript code can cause lots of problems for your anonymity, and even root your machine , as in summer of 2019.

HTML5 fingerprints and indestructible cookies also thwart SOME VPN users too :

https://33bits.wordpress.com/2010/02/18/cookies-supercookies-and-ubercookies-stealing-the-identity-of-web-visitors/

25% of sites fingerprint you using javascript (CloudFlare and others, require javascript to connect)

2020.08 : A quarter of the Alexa Top 10K websites are using browser fingerprinting scripts! https://www.zdnet.com/article/a-quarter-of-the-alexa-top-10k-websites-are-using-browser-fingerprinting-scripts/

In 2021, hundreds of research papers on novel fingerprinting techniques of browsers exist, and even I designed some using html5 graphics, not yet widely known by other researchers and not yet stopped in Google Chrome.

TAILS? use HiddenVM too

If you must try t connect to a https web site anonymously, use a hidden privacy VM OS and a set of privacy tools, at a public wifi :

https://github.com/aforensics/HiddenVM

https://news.ycombinator.com/item?id=22492343

There are many reasons why you may want to use HiddenVM.

whonix OS! inside HiddenVM, for TAILS on a USB, for coffeeshops or libraries: ...

I SUGGEST if you do not need OSX or Windows, to install Whonix secure Tor anonymization and TAILS inside your HiddenVM !!!
https://www.whonix.org/

TL/DR : Tor browser is not safe from home. NO CONNECTIONS MADE FROM YOUR HOME ARE SAFE FROM FBI/NSA if using a BROWSER, vs text chat. Hopping does nothing to protect HTTPS more than it already provides

1