30 votes

Tor’s shadowy reputation will only end if we all use it

38 comments

  1. [2]
    knocklessmonster
    Link
    It will only go away if we can run exit nodes without being accused of being accessories to illegal activity. This would require laws to allow for dumb network pipes that can't control what goes...

    It will only go away if we can run exit nodes without being accused of being accessories to illegal activity. This would require laws to allow for dumb network pipes that can't control what goes through them.

    I don't see life-changing risks being worth it, however small they are, for most people who would simply benefit from a VPN and a means to scramble their online fingerprint.

    32 votes
    1. Reapy
      Link Parent
      Someone I know lost their job because they ran a tor exit node from their previous residence, which was used for cp, which resulted in his door being kicked down and him brought in to jail. Job...

      Someone I know lost their job because they ran a tor exit node from their previous residence, which was used for cp, which resulted in his door being kicked down and him brought in to jail. Job wanted nothing to do with it, even though it eventually got cleared up once the higher level people saw it was tor traffic. I'm not sure if /when he got his equipment back either. Not to mention the local cops all thinking he's a pedophile and treating him as such the whole time.

      As much is I believe in freedom/privacy and all that I guess I'm personally not willing risk that kind of attention.

      22 votes
  2. Kitahara_Kazusa
    Link
    There's too many downsides for this to ever happen, IMO. First is the lag, they address this in the article by saying it's minimal, but that was not my experience when I used it. It was noticably...

    There's too many downsides for this to ever happen, IMO.

    First is the lag, they address this in the article by saying it's minimal, but that was not my experience when I used it. It was noticably slower loading basic pages and I can't even imagine trying to watch anything live on it, or using it to download big files.

    Second is the fact that because it's so often used for bots, many websites will block the endpoints entirely or litter them with Captchas. And I mean an absolute ton of Captchas.

    Plus, the benefits mentioned in the article aren't real. If you're a spouse being abused and want to look for help secretly, TOR would be a very odd choice. In most cases Incognito Mode in chrome would be enough for this use case. In the unlikely event the abuser checks your ISP's logs, he'd also see the TOR usage so TOR doesn't help you there either. The best case would be to use a smartphone on data in incognito mode, that would be even harder for anyone to check, and maybe even impossible without a government warrant, I've never tried to access my phone's data logs.

    Or if you're a worker trying to secretly unionize, unless the business is planning to either hack every single messaging company used by employees, or get the government to get a warrant somehow, then again TOR is useless. If I make a private Twitter account then no business is capable of seeing what's on there, I don't need TOR.

    Especially compared to a VPN there's no real reason to use TOR except if you're doing something incredibly illegal (to the point that you're worried the government will get a search warrant and compel the VPN company to keep an eye on you specifically) or are just highly paranoid. A VPN provides enough security with much reduced downsides (still the occasional blocked website, Captcha, and slower speed, but not half as bad as Tor) for 99% of people who are concerned about privacy.

    22 votes
  3. [9]
    Carighan
    Link
    But why would I want to use tor? I don't have a self defense turret on my car either, for most normal applications tor is massive overkill for no gain

    But why would I want to use tor? I don't have a self defense turret on my car either, for most normal applications tor is massive overkill for no gain

    15 votes
    1. [8]
      zenen
      Link Parent
      just because we live in a place with adequate freedom of speech laws doesn't mean that we don't want to support others who don't. First they came for the Hong Kong activists...

      just because we live in a place with adequate freedom of speech laws doesn't mean that we don't want to support others who don't.

      First they came for the Hong Kong activists...

      6 votes
      1. [6]
        Kitahara_Kazusa
        Link Parent
        Does a random person in America or Europe deciding to use Tor actually do anything to support people in Hong Kong or the rest of China who may be using it?

        Does a random person in America or Europe deciding to use Tor actually do anything to support people in Hong Kong or the rest of China who may be using it?

        3 votes
        1. [5]
          zenen
          Link Parent
          Yes. If you're running a tor node (doesn't even have to be an exit node), then you're acting as part of the network and helping to secure it. Tor paths bounce all over the world, which is part of...

          Yes. If you're running a tor node (doesn't even have to be an exit node), then you're acting as part of the network and helping to secure it. Tor paths bounce all over the world, which is part of the reason it's slooow sometimes.

          9 votes
          1. [4]
            stu2b50
            Link Parent
            If you’re a Chinese dissident you absolutely should not rely on Tor, the CCP is one of the entities that absolutely has the capability to abuse the litany of security holes in Tor to track you.

            If you’re a Chinese dissident you absolutely should not rely on Tor, the CCP is one of the entities that absolutely has the capability to abuse the litany of security holes in Tor to track you.

            3 votes
            1. [3]
              zenen
              Link Parent
              Can you please explain to me some of the "litany of security holes" in Tor? Doing some basic research leads me to understand that the community has already tackled this.

              Can you please explain to me some of the "litany of security holes" in Tor? Doing some basic research leads me to understand that the community has already tackled this.

              9 votes
              1. [2]
                stu2b50
                Link Parent
                Traffic analysis, timing attacks, and metadata leakage.

                Traffic analysis, timing attacks, and metadata leakage.

                3 votes
                1. zenen
                  Link Parent
                  What about if you're using it to browse onion sites and avoiding exit nodes entirely?

                  What about if you're using it to browse onion sites and avoiding exit nodes entirely?

                  4 votes
      2. Carighan
        Link Parent
        That however makes for an actual use case for it. My point is exactly that I currently don't have one, and it's pretty normal to rarely if ever have.

        That however makes for an actual use case for it. My point is exactly that I currently don't have one, and it's pretty normal to rarely if ever have.

  4. [2]
    EgoEimi
    (edited )
    Link
    I recently read a story by a guy who stopped running a Tor exit node because people were using it for child porn and state hacking. How absolutely horrible. I think it's true that Tor's shadowy...

    I recently read a story by a guy who stopped running a Tor exit node because people were using it for child porn and state hacking. How absolutely horrible.

    I think it's true that Tor's shadowy reputation will end (edited because I oopsied and Engrished) once everyone uses it. But that's the end state: my god, I would not want to be an early sacrificial lamb.

    10 votes
    1. Glissy
      Link Parent
      It does seem like running a TOR exit node is pretty much a guarantee you're going to have contact with the law, sometimes that can mean getting raided too since it will be used for illegality. A...

      It does seem like running a TOR exit node is pretty much a guarantee you're going to have contact with the law, sometimes that can mean getting raided too since it will be used for illegality.

      A lot of people have also noticed that TOR seems faster than ever, it's almost as if there's a lot of high speed exit nodes these days and it makes you question who exactly wants to devote server time to something that will get them on the radar of police? a lot of people are coming to the conclusion that more often than not the people prepared to do this are authorities themselves who are interested in sampling the traffic at that exit node looking for identifying information.

      TOR works but... it's always going to be a risk for all involved.

      7 votes
  5. [23]
    Earthboom
    Link
    From my understanding, TOR is slow and easily trackable. It's not as secure or hidden as it was when it started out. Tor is also blocked on various consumer grade routing equipment. Tor also opens...

    From my understanding, TOR is slow and easily trackable. It's not as secure or hidden as it was when it started out. Tor is also blocked on various consumer grade routing equipment. Tor also opens you up to nasty parts of the internet ripe with scams that are actively monitored by the alphabet boys.

    If the tor technology were to be used in the home like VPNs now it would need to be updated, reconfigured to not allow access to terrible parts of the internet, and performant. Requiring users to keep the network up is also a no go but as soon as it goes into hands of corporations it defeats the purpose and it just becomes another internet that's ridden with ads and telemetry.

    Even VPNs are under fire, same as ad blockers. The age of the internet being ours, the user, of privacy and rights, is over. Tor is something from the old world that's dead on arrival.

    The more interesting question is how do we continue the cycle by leaving the controlled world into a new frontier. Where is the new frontier we can squat in for a bit before it gets controlled too.

    9 votes
    1. [15]
      kacey
      Link Parent
      Sorry, could you elaborate on Tor being easily trackable? I’ve heard a couple people mention that off-handedly now, and I wasn’t able to dig up any info on it. Totally agreed that it’s slow,...

      Sorry, could you elaborate on Tor being easily trackable? I’ve heard a couple people mention that off-handedly now, and I wasn’t able to dig up any info on it. Totally agreed that it’s slow, though, and has problems with abuse — state level actors could pretty easily DOS the whole public network if they wanted to!

      4 votes
      1. [8]
        Earthboom
        Link Parent
        Before you enter a TOR node, you are leaking DNS information through ipv6 or ipv4 or your web browser is ratting you out. This information includes your WAN IP, your browser and operating system,...
        • Exemplary

        Before you enter a TOR node, you are leaking DNS information through ipv6 or ipv4 or your web browser is ratting you out. This information includes your WAN IP, your browser and operating system, date and time, and ISP. When you enter the TOR network, you're activities are hidden and encrypted...until you exit. When you exit, to interact with a website that isn't a .onion site, your public IP comes back into play.

        If the entry node or exit node is tapped by an ISP or government agency, there's no way for you to know this unless you know all anonymous node operators, or unless you're anonymous going into the tor network.

        So if you're ISP, browser and operating system are ratting you out every step of the way, it really doesn't matter if you go through a maze to get to the shady site on the other side, they'll know. Unless the site is an onion site. Then they only know you entered the tor network and are in it but they don't know what you're doing in there...unless you're visiting a honeypot onion site of which there are many. You don't know how deep the government has gone I there and what's tapped and what's not.

        True secrecy and anonymity is hard to pull off these days.

        Ideally, you'd want to tunnel into an empty vm at your house, have the vm go through a VPN you set up or trust heavily, and then enter tor after that.

        But for why. What are you a journalist in north Korea?

        You'll get 2kbps.

        The average user will never do this, never will need to do this, and will never want to do this and if a corporation is selling you this, it's tapped and in bed with government.

        16 votes
        1. zenen
          Link Parent
          If you're a journalist in North Korea, hopefully you're using Tails and communicating with a site that is being hosted in your country of origin.

          If you're a journalist in North Korea, hopefully you're using Tails and communicating with a site that is being hosted in your country of origin.

          6 votes
        2. [2]
          kacey
          Link Parent
          I didn’t think the Tor Browser would leak info via DNS lookups, since it should be able to push traffic onto DNS-over-HTTPS to resolve that way? But yeah, assuming that tapping an exit node means...

          I didn’t think the Tor Browser would leak info via DNS lookups, since it should be able to push traffic onto DNS-over-HTTPS to resolve that way?

          But yeah, assuming that tapping an exit node means executing a timing attack, agreed that that’s a concern :) also — for context, since this comment seems phrased like an argument against using Tor? — I’m just curious how the attacks worked technically, since it’s been years since I read a white paper on onion routing. Thank you for the ELI5 however, I’m sure it’ll be a nice summary for other folks stumbling over this thread.

          3 votes
          1. Earthboom
            Link Parent
            It's not about tor leaking information, tor works fine, it's about you leaking information before you get to tor and after you leave tor. But, for further reading, here's a DNS Cache issue where...

            It's not about tor leaking information, tor works fine, it's about you leaking information before you get to tor and after you leave tor.

            But, for further reading, here's a DNS Cache issue where attackers can probe DNS information while inside tor. https://www.usenix.org/system/files/sec23summer_458-dahlberg-prepub.pdf

            Here's a man in the middle attack using an infected exit node (tapped entry and exit nodes) https://www.cs.utexas.edu/~ecprice/papers/tor.pdf

            And of course, from TOR itself on what it can't defend against: https://support.torproject.org/about/attacks-on-onion-routing/

            Which is, leaking before hand, leaking after, entry and exit nodes, and compromised onion sites.

            5 votes
        3. [4]
          unkz
          Link Parent
          I’m not really sure all of (or any of this) is true, generally speaking. Most people are using a hardened tor browser that doesn’t leak any of this information. And how does your public IP come...

          Before you enter a TOR node, you are leaking DNS information through ipv6 or ipv4 or your web browser is ratting you out. This information includes your WAN IP, your browser and operating system, date and time, and ISP. When you enter the TOR network, you're activities are hidden and encrypted...until you exit. When you exit, to interact with a website that isn't a .onion site, your public IP comes back into play.

          I’m not really sure all of (or any of this) is true, generally speaking. Most people are using a hardened tor browser that doesn’t leak any of this information.

          And how does your public IP come into play when you exit the tor network? That’s like, the specific thing that tor protects.

          3 votes
          1. [3]
            Earthboom
            Link Parent
            Ipv6 DNS leaks are very difficult to stop without outright turning off ipv6. Users report DNS leaks with the tor browser if your exit node supports ipv6. If you're leaking DNS info, your Wan goes...

            Ipv6 DNS leaks are very difficult to stop without outright turning off ipv6. Users report DNS leaks with the tor browser if your exit node supports ipv6.

            If you're leaking DNS info, your Wan goes with it. You're encrypted inside the tor network but not before or after.

            The tor browser is only good as the machine you're on. It's not full proof.

            1. [2]
              Kitahara_Kazusa
              Link Parent
              Even then my $4/month VPN always stops IPV6 leaks whenever I check my IP address while using it, if you're doing something illegal enough that you're worried about the feds actually going after...

              Even then my $4/month VPN always stops IPV6 leaks whenever I check my IP address while using it, if you're doing something illegal enough that you're worried about the feds actually going after you specifically surely you can afford that? Just use the VPN before entering Tor and now how can Tor leak your information that it isn't even receiving

              1 vote
              1. Earthboom
                Link Parent
                The entire point off criticizing TOR is to illustrate there's flaws that need circumventing. For you or I that's easy and obvious. For the average user the product is not going to do what they...

                The entire point off criticizing TOR is to illustrate there's flaws that need circumventing. For you or I that's easy and obvious. For the average user the product is not going to do what they think it will do. Worse still if there's a kid in the home that heard about hiring hitmen on the dark webz.

                Having a VPN from a trustworthy host is good enough in almost all cases. Almost. That's not a full proof plan either.

                Being a criminal is a full time job and it's not a matter of "getting away with it" it's getting away with it and never letting your guard down afterwards. In the tech world you never want to shit where you eat, a criminal in cyber space has to be extra paranoid to actually get away with it.

                Even buying the 4 dollar VPN doesn't guarantee safety. If the host keeps logs, if you have telemetry in your browser, if you are using the same browser you use on your personal time, if your OS is phoning home with identifying information, it's not difficult to track the individual.

                Giving prying eyes due cause to track you, that's what you're referring to. But now you're asking for the computer user to have common sense and that's in short supply too.

      2. an_angry_tiger
        Link Parent
        If you run a Tor exit node, you can, last time I checked, snoop in the traffic going through the exit node. If someone had access to a lot of servers, like say, the NSA or FBI, they could run a...

        If you run a Tor exit node, you can, last time I checked, snoop in the traffic going through the exit node. If someone had access to a lot of servers, like say, the NSA or FBI, they could run a lot of exit nodes and snoop on a lot of traffic.

        If you aren't careful about which exit nodes you connect to, and ensure you have all of the security and privacy settings that could prevent this enabled, then you may be sending all your traffic off to whoever is running the exit node anyway.

        The second link below seems to imply this is harder to do with more recent Tor versions, but also says most Tor users aren't using the recent versions.

        https://www.vice.com/en/article/4x3qnj/how-the-nsa-or-anyone-else-can-crack-tors-anonymity

        https://www.techtimes.com/articles/262645/20210709/tor-encryption-can-allegedly-be-accessed-by-the-nsa-says-security-expert.htm

        https://deeponion.org/community/threads/nsa-owns-90-of-all-tor-nodes.5929/

        4 votes
      3. [5]
        stu2b50
        Link Parent
        It’s vulnerable to timing attacks.

        It’s vulnerable to timing attacks.

        3 votes
        1. kacey
          Link Parent
          Aah, thanks! Looks like there’s a list of speculative vulnerabilities here which covers it all in detail.

          Aah, thanks! Looks like there’s a list of speculative vulnerabilities here which covers it all in detail.

          3 votes
        2. [4]
          Comment deleted by author
          Link Parent
          1. [3]
            freddy
            Link Parent
            Only well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. This doesn't...

            Only well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis. This doesn't discount the possibility of exposing yourself by mistake, such as if you share too much information about your real identity.

            1 vote
            1. tinyzimmer
              Link Parent
              So government agencies. Who run exit nodes as a means to deanonymize people.

              Only well-funded adversaries with the capability to passively watch most network traffic over the globe have a chance of deanonymizing Tor users by means of advanced traffic analysis.

              So government agencies. Who run exit nodes as a means to deanonymize people.

              2 votes
            2. stu2b50
              Link Parent
              The issue exactly is Tor for? For what threat model is https, dns-over-https, and a vpn not sufficient, but Tor is sufficient?

              The issue exactly is Tor for? For what threat model is https, dns-over-https, and a vpn not sufficient, but Tor is sufficient?

              1 vote
    2. vord
      Link Parent
      Both the speed and timing attacks are problems that are mitigated by an abundance of exit nodes and relays. If every home in the USA was an exit node, and every PC was a relay during operation,...

      Both the speed and timing attacks are problems that are mitigated by an abundance of exit nodes and relays.

      If every home in the USA was an exit node, and every PC was a relay during operation, Tor would be both lightning fast and more resiliant to timing attacks.

      2 votes
    3. [6]
      Kitahara_Kazusa
      Link Parent
      By design Tor can't not allow access to the terrible parts of the internet. If you are actually anonymous, then nobody can stop you from sharing illegal materials. And the whole point of Tor is to...

      By design Tor can't not allow access to the terrible parts of the internet. If you are actually anonymous, then nobody can stop you from sharing illegal materials. And the whole point of Tor is to be very anonymous. It's not perfect, but it's the closest thing, which is why so many people use it for illegal activities.

      1. [5]
        Earthboom
        Link Parent
        Once you have the tor browser, unless something changed in recent years, it's a hop skip and a jump to the "dark web". If average people got to the silk road, that's one of many dark web sites....

        Once you have the tor browser, unless something changed in recent years, it's a hop skip and a jump to the "dark web". If average people got to the silk road, that's one of many dark web sites.

        Being actually anonymous is difficult to pull off. Tor's goal is anonymity but it depends on mass adoption to pull that off and the dark web being a mainstream meme, with the silk road being a honey pot, with you not knowing what's government monitored anymore, there is no security or anonymity. For tor to continue it needs to be reconfigured and it needs to evolve.

        1 vote
        1. [4]
          Kitahara_Kazusa
          Link Parent
          There's certainly less anonymity, but saying there's none at all is an extreme exaggeration. There's still only a handful of people who have been arrested while using Tor and most of them slipped...

          There's certainly less anonymity, but saying there's none at all is an extreme exaggeration. There's still only a handful of people who have been arrested while using Tor and most of them slipped up and made a mistake while using it, rather than caught by the feds exploiting an error in Tor itself.

          1. [3]
            Earthboom
            Link Parent
            To me anonymity is either or. If you're not fully anonymous, you can be tracked, the only variable is how much time will it take to track you. If tor fails the average person because of issues...

            To me anonymity is either or. If you're not fully anonymous, you can be tracked, the only variable is how much time will it take to track you.

            If tor fails the average person because of issues before and after and with compromised sites inside the network and if the average person isn't anonymous to government agencies, then you're not anonymous. To me there's no such thing as partly anonymous.

            And on the modern internet, there's rarely true anonymity.

            Arrests off of tor network activity aren't an indicator on how anonymous the average person is that uses it. There's many reasons for the arrests and lack of arrests. If mass arrests occurred, no one would use the tor network, government agencies can't nab anybody. They need that network to stay "safe" with people thinking they're private so they can keep snooping and fishing for the people they want to catch.

            If the operators of silk road goofed up and got caught, the average person can be caught even easier.

            1. [2]
              Kitahara_Kazusa
              Link Parent
              By that logic nobody has ever been anonymous in the history of the internet. If enough people with enough time and money want to catch you, they'll always find a way given enough time, if only...

              By that logic nobody has ever been anonymous in the history of the internet. If enough people with enough time and money want to catch you, they'll always find a way given enough time, if only because sooner or later you're bound to slip up. Even if you only met people in person you wouldn't be fully anonymous because of the possibility that the person you're meeting is actually a spy.

              In the normal sense of the word you're still anonymous even when there's the potential for the government or another actor to identify you, as long as they haven't actually done it yet. TOR helps you to be anonymous but it isn't foolproof and that should have been obvious to begin with.

              1 vote
              1. Earthboom
                Link Parent
                It's not obvious though. Not with the way it's marketed. The average person doesn't have the required level of understanding to know tor won't guarantee you privacy. Anonymity is the wrong word...

                It's not obvious though. Not with the way it's marketed. The average person doesn't have the required level of understanding to know tor won't guarantee you privacy.

                Anonymity is the wrong word anyway. Hardened is a better word. How hardened is your privacy? That allows for a gradience. Tor helps, VPN helps, DNS over https helps.

                It all helps and it all makes it harder for the observer to get you. Nothing is full proof.

                And you're right, by my definition no one is truly anonymous. It's true. Some people are really private, others less so.

                In the end, the benefits tor brings don't outweigh the risks in my opinion. Everything tor does a VPN can do minus the onion sites. VPNs have their cons too and if the host keeps logs then it does nothing for you either way.

                2 votes
  6. stu2b50
    Link
    Tor is overkill. It comes with serious compromises even if everything goes right, as there's just no way not to have significant bandwidth and latency impacts when your traffic routes through...

    Tor is overkill. It comes with serious compromises even if everything goes right, as there's just no way not to have significant bandwidth and latency impacts when your traffic routes through multiple, random nodes.

    Sometimes it's good to be tracked. Captchas are an example - the reality is that the internet is full of bad actors, and that filtering these is a necessary step. If you use Tor, you better like doing captchas and being ip blocked. No one is doing anything wrong here, it just is what it is.

    If you're under serious investigation, Tor is also insufficient. It's easy to track Tor users via timing attacks. If you want to avoid timing attacks, you'll need to move into the next "phase", that is, garlic routing. But that's just a miserable UX.

    4 votes