
We Can Choose an Internet Without Surveillance - Sami_Lehtinen
https://blog.torproject.org/we-can-choose-internet-without-surveillance
======
zionic
Can you imagine if Mozilla went with the nuclear option and replaced "private"
tabs with Tor tabs? Going further, what if every Tor tab (by default, letting
you opt out) acted as a node on the network and donated some minuscule
bandwidth? I can see some tech heads being against such a thing, but your
average user would have no idea 0.5Mb/sec (or some % of a speed tested value)
is being used while their private tab is open and the number of users/nodes
would _skyrocket_. Imagine every Tor tab potentially being an exit node!

~~~
aloknnikhil
> Can you imagine if Mozilla went with the nuclear option and replaced
> "private" tabs with Tor tabs?

That's one thing I really like about Brave. There's an option for a private
Tor session.

~~~
ignoramous
Sending traffic over Tor and using the Tor browser are different things: The
former is just a proxy, the latter an anonymity tool. Is Brave doing the
former or the latter?

~~~
bcrypt
I run security at Brave and here's the answer from Taylor, our lead Tor dev:

Using the Tor network is one part of internet anonymity, serving to conceal
where you are. But using the Tor network does no good if the application
helpfully adds X-My-Actual-IP-Address: 123.45.67.8 to every HTTP request, and
browsers tend to do a lot of things like that which we have to play
whack-a-mole with. What we implement in Brave is somewhere between (a) naively just
setting a SOCKS proxy, like you can do in vanilla Firefox or Chromium, and (b)
mimicking everything about the Tor Browser and following the Tor Browser
Design Document to the letter
([https://2019.www.torproject.org/projects/torbrowser/design/](https://2019.www.torproject.org/projects/torbrowser/design/)).
So, while you are right that there's more to Tor and that we're not the Tor
Browser (and that's why we are careful to say 'private windows with Tor' and
not 'Tor windows', per agreement with the Tor Project about branding), there's
also more to what Brave does than just setting a SOCKS proxy like in Firefox
or Chromium and leaving it at that.
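
Added example (not part of the thread and not Brave's code): a check in the spirit of the comment above, scanning a captured outgoing HTTP request for any header that carries one of the machine's own addresses. The function names, the sample request and the IPv6 address are constructed for illustration; X-My-Actual-IP-Address is the comment's own hypothetical header.

```python
import ipaddress
import re

# Runs of characters that can form an IPv4/IPv6 literal, optionally with :port.
_CANDIDATE = re.compile(rb"[0-9A-Fa-f:.]+")

# Constructed sample: a request as it would be seen on the far side of the proxy.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"X-My-Actual-IP-Address: 123.45.67.8\r\n"
    b"Forwarded: for=\"[2001:db8::17]:4711\"\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)
# Constructed: the addresses the client machine really has (IPv6 written in full
# on purpose, to show that comparison is done on parsed values, not on strings).
OWN_ADDRESSES = ["123.45.67.8", "2001:0db8:0000:0000:0000:0000:0000:0017"]


def _parse_ip(token):
    """Return an ip_address for token, tolerating a trailing :port, else None."""
    text = token.decode("ascii").strip(".")
    for candidate in (text, text.rsplit(":", 1)[0]):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None


def find_address_leaks(raw_request, own_addresses):
    """List (header name, address) pairs where a header reveals an own address."""
    own = {ipaddress.ip_address(a) for a in own_addresses}
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    leaks = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        for token in _CANDIDATE.findall(value):
            ip = _parse_ip(token)
            if ip is not None and ip in own:
                leaks.append((name.decode("ascii").strip(), str(ip)))
    return leaks


if __name__ == "__main__":
    for header, addr in find_address_leaks(SAMPLE_REQUEST, OWN_ADDRESSES):
        print(f"leak: {header} carries {addr}")
```

A header check like this only covers one leak channel; it says nothing about the fingerprinting and state-isolation issues the Tor Browser design document addresses.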

~~~
ignoramous
It is great to hear that Brave is indeed doing more than just proxy.

It has a great UX already and with VPN0 announced a month or so back, Brave is
really pushing the envelope and does seem to have the right mindset.

Also, thanks a lot for responding.

------
svara
What if there was a browser extension that randomly selected, say, about 1% of
requests to be routed through tor? Everybody using it would help make Tor
safer, while being just minimally annoyed by the latency and the CAPTCHAs.
Plus it might incentivize hosts to be less annoying to Tor users, if they saw
a bigger fraction of legitimate traffic. I think I'd chip in and use it...

Anything wrong with that idea?

~~~
schoen
It would be lacking the isolation and anti-tracking stuff that Tor Browser
does, so the level of anonymity that users would get would be much worse. But
it seems like in your proposal the users aren't _expecting_ to get anonymity,
so they wouldn't necessarily object when they don't get it.

Many clearnet sites would be extra-confused by seeing requests that are
partially Tor and partially non-Tor (with subresources being requested from
different locations). But the behavior isn't necessarily invalid in any way,
so maybe sites should get used to it. :-)

I think the performance hit would be pretty considerable if you think about
the optimization that some sites, browsers, and CDNs have been doing. If you
imagine users who choose browsers (or sites) based on perceived speed, they
might not react that well to deliberately slowing down connections for
privacy.

(I think your idea is interesting.)

------
sp332
The Tor browser helps with websites, but with a "privacy router" you can make
sure connections from apps and the OS are routed as well. E.g.
[https://www.kickstarter.com/projects/glinet/mudi-4g-lte-priv...](https://www.kickstarter.com/projects/glinet/mudi-4g-lte-privacy-router-for-road-warriors)

~~~
schoen
I was excited about this concept a few years ago and talked it over with the
Tor developers. Their concern is that the Tor Browser has an elaborate ongoing
effort to prevent tracking by removing unique identifiers and isolating
session state. A regular browser used through Tor would be extremely trackable
because it wouldn't hide or isolate any of these things, and indeed you could
associate Tor activity with non-Tor activity easily.

Other software doesn't normally take these precautions, and so you would often
end up leaking a ton of identifying information when applications that didn't
expect it were proxied by Tor.

~~~
scohesc
So it would be pretty much similar to all these dime a dozen VPN companies
shilling "Ultimate anonymity! Safe from hackers! Screw the fed!" but it's just
in a physical form.

Interesting!

------
clvx
The problem with Tor adoption is being able to act as an exit node without
getting a subpoena, and that depends on the laws of each region.

------
1996
You want to help? Add a native .onion address to websites you work on.

You save bandwidth and contribute to normalization.

~~~
Forbo
To add to this, with v3 onion services you can designate your site as a
single-hop rendezvous if your service doesn't need to be truly "hidden". This
helps reduce latency significantly.

------
oneepic
There don't seem to be any good choices here. Use normal Web browsers and you
will get tracked/have your privacy invaded. Use Tor and you will look/get
monitored like a terrorist. What do we do next?

~~~
Liquix
1.) Download (IceCat) or roll your own (FF+addons) security-focused browser

+ Very secure if done properly

+ Fully controllable/customizable

- Takes a considerable amount of time and energy to create & keep updated

- Unique combinations of addons exacerbate fingerprinting concerns

2.) Encourage anyone who cares about privacy to use Tor, with the aim of
normalizing (de-terrorist-izing?) Tor traffic (think HTTP->HTTPS transition,
HTTPS traffic was suspicious 15 years ago)

+ Most maintainable/viable long term solution

+ Standard configuration cripples some fingerprinting

+ Easy for anyone to set up and keep updated

- Concern regarding US intelligence controlling a large number of exit nodes
and/or currently having the capability to de-anonymize Tor users

- Hard to get people to switch browsers

- Very hard to get people to switch to a slower browser

- Will take a while

------
MadWombat
Didn't FBI track down and catch Dread Pirate Roberts despite all the Tor
network/browser anonymity? Did he do something stupid to break his anonymity
or did FBI break Tor in some way?

~~~
eindiran
Ross Ulbricht made some mistakes by reusing account names etc that he had made
on the clearnet[0, 1]. But at the time there were (tinfoil-hat-wearing) folks
that thought that this was actually parallel construction and Tor was
backdoored.

Here is the relevant section from the Times article on the IRS agent that
figured it out:

"""

Mr. Alford’s preferred tool was Google. He used the advanced search option to
look for material posted within specific date ranges. That brought him, during
the last weekend of May 2013, to a chat room posting made just before Silk
Road had gone online, in early 2011, by someone with the screen name “altoid.”

“Has anyone seen Silk Road yet?” altoid asked. “It’s kind of like an anonymous
Amazon.com.”

The early date of the posting suggested that altoid might have inside
knowledge about Silk Road.

During the first weekend of June 2013, Mr. Alford went through everything
altoid had written, the online equivalent of sifting through trash cans near
the scene of a crime. Mr. Alford eventually turned up a message that altoid
had apparently deleted — but that had been preserved in the response of
another user.

In that post, altoid asked for some programming help and gave his email
address: rossulbricht@gmail.com.

"""

[0]
[https://en.wikipedia.org/wiki/Ross_Ulbricht#Silk_Road,_arres...](https://en.wikipedia.org/wiki/Ross_Ulbricht#Silk_Road,_arrest_and_trial)

[1]
[https://en.wikipedia.org/wiki/Silk_Road_(marketplace)#Arrest...](https://en.wikipedia.org/wiki/Silk_Road_(marketplace)#Arrest_and_trial_of_Ross_Ulbricht)

[2]
[https://www.nytimes.com/2015/12/27/business/dealbook/the-uns...](https://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html)

~~~
einpoklum
The Silk Road guy was using _GMail_ ? Heh. Interesting.

~~~
ngcc_hk
And not move from time to time? Maybe you always get caught.

------
olivermarks
If DARPA created the internet, aren't there all sorts of backdoors and
systems we don't know about built in? I've never really understood - if you
can - those fundamentals.

~~~
gambler
You should read up on the history of the internet. ARPA was funding
researchers who ended up creating what we call the internet today. This
doesn't mean it was "ordered" by Pentagon or something of that sort. Most of
the ideas came from individuals acting on their own accord.

~~~
olivermarks
Very aware of the history of the IETF public internet, and the US Military
Network (MILNET) for Unclassified traffic, Defense Secure Network One (DSNET 1)
for Secret traffic, Defense Secure Network Two (DSNET 2) for Top Secret traffic,
and Defense Secure Network Three (DSNET 3) for Top Secret/Sensitive Compartmented
Information (TS/SCI).

~~~
schoen
What sort of backdoors does that history make you suspect?

~~~
olivermarks
Something at a progenitor level that no one is aware of but which is called by
certain actions

~~~
schoen
Implemented in hardware? Software? Protocol flaws? By ISPs? By other
infrastructure operators?

