[CONTENT-CHANGE] Remove/Edit recommendations of Tor #19
Comments
|
This is all very true The thing I've found hardest about maintaining this list is documenting all trade-offs, and addressing users of different levels in a single list- what is good for an advanced user probably isn't appropriate for someone just getting started, and visa-versa. I don't mean to give anyone a false sense of security- with Tor being a good example. It's sometimes hard to get across the point that just using the software won't make someone instantly anonymous and secure. Sometimes it could actually degrade security if not used correctly. And that each item has trade-offs: bugs, undiscovered vulnerabilities, questionable origins etc I've now added a note about this, here. And for Tor specifically I made a small update: 7218abd to address the issue. Thanks for raising this 🙌 |
|
But for the other software on the list, it probably doesn't go far enough - there could be a whole list of issues and warnings related to almost every item in the list, and although I've documented the most serious of those (like PGP, VPN etc in the #word-of-warning sections), there is a lot missing. I'm not sure if it would be viable right now to include all the drawbacks of all the software, since most issues either overlap, or are being discovered and fixed all the time. I would hope that people have a threat model, or at least do bit of research, before heavily relying on anything |
|
Yes, I see what you mean about the trade-offs. You took the time to write this so you can decide what the policy is. In my view it would be more helpful to structure it as:
|
|
Yeah- that makes sense, and was what I was trying to do with the middle column here, do you think it isn't clear enough? So you think if I ranked it as |
|
I wish there was a bit more flexibility with Markdown, I would add Tags to each item with Level, License, Language and IsMaintained. That would make things so much clearer to the reader. Am thinking of ditching this and creating a website instead, so that I can highlight important info in a much clearer way. |
This is exactly what I was thinking when editing the list. Personally I'd go with the Hugo open-source framework to build a very lightweight static website. Plus, it's really easy to deploy the site on Github pages with Hugo.
Only using |
|
late to the party, but i have a couple comments here...
i would passionately argue that point - most people DO have hostile ISP's that spy, inject data into the stream and/or are more than happy to comply with requests by law enforcement i agree that Tor is likely not a great choice for most people (i wrote about that here if interested), but i personally think one should absolutely be using either a VPN and/or Tor and protecting themselves against ISP threats which are very real
this is mitigated with a VPN so far as i'm aware
how so?
a real problem indeed - on the VPN side, any decent VPN will offer DNS as well - with Tor, i'm not sure there are any normal DNS lookups, are there?
i would posit that the only browser one should use with the Tor network is the one built by Tor which is a Firefox fork that is pretty well hardened and, though i'm not positive, i would certainly expect that any security bugs found are probably patched immediately |
|
Hey @atomGit I think your blog post is more balanced than this checklist was in March. I go a bit further in seeing more risks, and fewer benefits, in VPNs, for most users. I think https://gist.github.com/joepie91/5a9909939e6ce7d09e29 is a pretty good argument against them. For the sake of simplicity let's talk about users in first world mostly-free countries, which seems to be the primary audience of this English language FAQ. The situation is so different in China or North Korea, where the government does very aggressive filtering on both the network and endpoint. First of all, we have to set a baseline that users are running everything important over TLS from a modern implementation, and preferably secure DNS, otherwise none of these approaches have much safety.
I have seen some stories about ISPs manipulating http or DNS, but I am not aware of data showing this is happening to most people. The highest-profile pattern I know of is turning DNS NXDOMAIN into a redirect to an ad "Redirecting DNS for Ads and Profit", Weaver, but this is pretty trivially avoided by using DNS-over-HTTPS which security-sensitive users will want to do anyhow. I'm not aware of any ISPs successfully injecting into, or blocking, HTTPS traffic, on a wide scale. ISPs will comply with requests from law enforcement. Whether they are "more than happy" is hard to tell - some assert they will comply only as much as is required, and push back on over-broad requests. VPN providers will also need to comply with law enforcement requests and they cannot opt out. Possibly you can arbitrage or raise the bar by using a VPN headquartered in a different, or more privacy-respecting, country. Users also need to make a personal assessment whether law enforcement action is in their top risks, and if it is, whether network traffic is a likely vector. There are some for whom this is true but the majority of people are not the subject of an investigation, and are much more likely to suffer from untargeted cybercrime. I think it's very difficult for end users to ascertain with confidence whether X VPN provider is more or less likely to protect their privacy than Y ISP. Some ISPs have behaved badly and some VPNs have behaved badly. ISPs primarily sell network connectivity, which is what I want to buy. Although they may be tempted to extract marginal profit by playing tricks, they also have large capital bases, are local companies subject to regulation, and have reputations to worry about. VPNs are capital-light, often in niche jurisdictions, and much of their pitch is snake oil.
The majority of hits there are about copyright infringement notices due to torrenting. For the specific case of users that want to torrent pirated content, a VPN might be an improvement. (Although it also gives an obvious place to attack.)
Yep, that's a reasonable use for it. I would primarily trust in my application TLS implementation. If I wanted additional protection I would run my own VPN, or use noe from a very credible company.
The similarity is that you can:
Seems like a toss up to me.
In theory all DNS can be sent over the VPN too. In practice it may be easy for lookups to leak if the user has turned the VPN off, or before the VPN is established. If the user strictly only ever uses the VPN and the computer is configured never to send un-encapsulated traffic, maybe it's OK. What happens when you encounter a captive portal or need to debug network problems? If I was serious about this, then perhaps I'd have a separate Linux router strictly enforcing the VPN policy and dropping all other traffic, and a separate client connected only to that router and only used for whatever is the VPN's purpose. I wonder how many people will get that right. It seems to demand a lot of opsec from the user and leakage is highly unlikely to be noticed by the user but noticed by a serious attacker. This sort of slip up contributed to the incarceration of Ross Ulbricht. For any prophylactic measure that requires a careful user you have to think about the theoretical protection versus the actual protection when used by a typical user with all the normal distractions in life and human falibility.
Yeah, actually, this does not seem to be a problem. It seems like the Tor Browser releases are nearly simultaneous with Firefox ESR releases. Good for them. So to sum up:
|
|
Just to stay on topic with the actual checklist:
|
|
i think we'd agree that digital trust is a pipe dream, so whether it's a vpn, tor, etc., nothing can be trusted that said...
swap 'vpn' for 'tor' in that article and at least several of the arguments are still applicable, also the article isn't entirely against vpn's...
a vpn is going to provide far better transparency (ease of use) for users than tor
comcast caught injecting at DuckDuckGo
assuming the vpn doesn't log, there is massive difference between the 2 - sure they can cooperate, but there should be little or nothing to share whereas any and all isp's are legally required to log a great deal of network data also a vpn is bound by its privacy policy which, for any decent vpn, is gonna be a hell of a lot stronger than any mainstream isp granted, a vpn is a roll of the dice, but so is everything else and unless the privacy issues are overwhelmingly one-sided, i think a vpn makes sense for the majority given the average threat model (i.e. not an investigative journalist, whistleblower, etc.) |
|
With Tor, malicious exit nodes are very limited in the damage they can do when the user is visiting any HTTPS site. A couple of years ago, this was a big problem, as it was easily possible to do this - as Dan Egerstad did, when he setup a malicious exit node, and successfully sniffed mail server credentials, allowing him to intercept 1000's of private emails between foreign embassy officials. If a user is only browsing, and not entering any information- or only enters pre-encrypted data, then malicious exit nodes become much less of an issue. And of course this issue disappears while using .onion sites, because they don't require you to leave the Tor network. But I agree that the risk of bad exit nodes, especially when visiting improperly secured websites should still be mentioned, I will add a note about this in the checklist |
We do. It's all a question of tradeoffs and managing the risks, and it inherently depends on the user's threat model and capabilities.
I agree.
Neither am I. I just think for many users, in many situations, they are not a good use of time or money. (Specifically: person in an at least mostly-free country, not doing any crimes, on a reputable ISP.)
probably agree
None of these seem to be about injection into HTTPS. Although there is a good report by Citizen Lab about those countries forcing downgrades to HTTP and then injecting crypto mining malware. I think this is probably too overt to happen in the west because ISPs, unlike Tor nodes, can be held accountable.
I think the real heart of the matter here is that you can use an offshore VPN, whereas you must use a local ISP. It brings a different set of tradeoffs: they may not be easily reachable by your local law enforcement, but they are also not subject to your home country's privacy regulator. You're basically taking their word that they don't and can't log anything. |
I personally would still worry about a malicious network even if I think all my traffic is HTTPS:
I acknowledge there are scenarios where it's a good tradeoff, I just don't think they apply to most users most of the time. The alternative case is that the server sees their IP, and the ISP sees their traffic patterns and remote IPs (but not even domain names any more).
I'm not sure there's a reliable distinction of passively read-only access on the web today. If the attacker can break the stream, they can inject new javascript, collect credentials, etc. |
"Advanced" is not clear at all to me, especially for cases like mine where I am advanced user without need for extreme security. I would definitely not route all my traffic through Tor - sadly, many things would break making this tradeoff not viable to me. And as far as my time is worth allocating there are more effective tasks to handle leaking data. Maybe
|
- fix typos - change "optimal security" to "increased security", in many cases it would not be optimal given how many things will break on Tor - link issues discussing tradeoffs In general I would make it more clear that it is not always worth doing. Maybe "Advanced" should be "Advanced, has serious tradeoffs" with word tradeoffs linking separate page documenting issues mentioned in Lissy93#19?
|
Thanks for linking to the issue in #64, @matkoniecz. The new text still has
which, personally, I don't think is a robust general recommendation.
Right, I think good security recommendations ought to think about complexity as well. Adding more things takes up the user's time, makes the system more complex and harder to understand, and increases the risk that one of the components itself becomes vulnerable.
Maybe rather than categorizing them as "more security" or whatever the FAQ could talk about user archetypes in a partial order something like this:
|
|
@Lissy93 said...
then why do they exist, especially since most traffic is SSL'd now? could be exploration, or... the security of Tor assumes encryption is secure and i have very little faith in that assumption if it's the ISP or the corporation that is the enemy, encryption may be/is fine, but if it's the intelligence apparatus, there's no way of knowing and given that they have access to computing power orders of magnitude in excess of anything in the public sector, it seems to me it is only logical to assume that encryption is useless in that regard - matter of fact, those are the exact words ("encryption is useless") told to me buy a guy i sold a PC to who claimed to have once worked for the U.S. gov (or as a contractor) and who had a crypto clearance - we talked about some sensitive subjects and i suggested we continue using encrypted mail when he fired back with those words furthermore, Tor funding by DoD is a huge turn-off DoD funding of Tor • MuckRock - look at the time span of these requests Yasha Levine | Privacy Spooks: Tor was (and is) funded by the US government US government increases funding for Tor, giving $1.8m in 2013 | Encryption | The Guardian lastly, an entire Tor network can apparently be run on a single machine by a bad actor (your ISP) using something like the Shadow Network Simulator in the end nothing can be trusted, not Tor nor a VPN, so take the above for what it's worth and don't stop speaking out due to fear of being surveilled |
Looking at this one year later, and with fresh eyes- I think I was wrong when I said this. I will update the Tor section accordingly. |
|
On a side note, and just my own thoughts... And for .onion sites, there's still very few of them that are actually useful. Not many sites have a .onion version, and those which do are frequently still making requests to clearnet CDNs. Many of the links found in the hidden wikis are not trustworthy, it's too easy to land on a fake mirror. There's also a ton of degenerate content often, but I guess that one is to be expected. |
|
Hi, I thought this may be useful as extra insight into Tor for those making an educated decision, having been around a while myself back in the 1990s when Tor first surfaced as a tool, and like any tool, understanding how it works means you don't end up losing a finger... Anyway, it is worth noting that yeah, DoD Fund of Tor links articles really only give a small part of the picture, it is worth having a look at the 'Archived' version of the original 'Onion Router' site if you've never seen it before, many will not have... You can find it at 'https://www.onion-router.net/', the 'History' and 'Sponsors' pages are good for clearing up everything, much better than gloss the Tor Project have on their site tbh. Like the Internet itself (so many people forget that) DARPA alongside the ONR (Office of Naval Research) started the project, the first 3 generations (by first 3, I mean gen 0, 1 and 2) of Tor were developed by the ONR, NRL (US Naval Research Labs) and DARPA. It is only relatively recently changes in Tor have moved away from what the those groups built in the early 2000s after it was given in essence to the public domain in the 2004. If memory serves, part of the initial requirement for this btw, came from US Naval Intelligence prior to the end of the cold war for it to be used by Spooks to stay hidden from the Soviets, it always makes me smile when I think about it now with so much of the 'hidden crap on Tor' these days is now run by the Russians.... |
and others
Justification
Tor has complex security tradeoffs, and isn't a good recommendation for everyone.
On the up side, it hides your traffic from your wifi operator or ISP. On the downside, traffic eventually exits through an exit node who is completely unknown and unaccountable to you, and this exit node can both inspect and modify the traffic.
So as a baseline, Tor is a good choice for people who would rather roll the dice in trusting anyone in the world than trust their local network. That might be the case for criminals, political dissidents or people suffering domestic abuse, but it doesn't seem like the right tradeoff for the majority of users, who have a not-actively-hostile commercial ISP.
You say, and I would agree, that you should be careful in connecting to public wifi, because it may conduct active or passive attacks. But very similar problems apply to using Tor, with perhaps less obvious benefit.
As well as the performance impact, one should also consider:
The text was updated successfully, but these errors were encountered: