
Things You Should Know About Tor - cooperq
https://eff.org/deeplinks/2014/07/7-things-you-should-know-about-tor
======
cottonseed
I had been meaning to run a Tor relay for a while. The EFF Tor Challenge [0]
motivated me to get it done. It was incredibly easy. If you have a VPS with
unused bandwidth, please consider taking a few minutes to set up a Tor relay.

[0] [https://www.eff.org/torchallenge/](https://www.eff.org/torchallenge/)

~~~
iamtew
Keep in mind though when setting this up to take a close look at your exit
policy settings, to ensure you only route the traffic you want and where you
want it.

I spun up a relay at home to play around with, but just skimmed over the exit
policy settings and ended up running an exit node. Not a big deal really, as it
was only advertised for about 14 hours before I noticed and disabled it. It
was only after a few weeks when my girlfriend was complaining she kept getting
messages from websites refusing to show her content on the basis that she was
connecting over the Tor network (which she wasn't) that I realised my home IP
was blacklisted, and it took a while for me to get a new lease and IP.

I'm not telling people to not run exit nodes, but people shouldn't just go and
spin up a Tor relay with default settings, because it will by default run as
an exit node, and depending on the hosting provider, this may or may not be an
issue.

~~~
untrothy
My distro's tor setup (arch in this case) should default to not being an exit
node, relevant default lines in the torrc:

    ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
    ExitPolicy accept *:119 # accept nntp as well as default exit policy
    ExitPolicy reject *:* # no exits allowed

Installing via `pacman -S tor` and enabling via `systemctl enable tor.service`
doesn't start an exit node / relay but a simple client.

Are you using Linux, Windows or OS X?
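Since the thread's practical advice is "read your ExitPolicy before you start the relay", here is an added example (not code from the thread or from the Tor project) that evaluates the ExitPolicy lines of a torrc the way Tor does, first match wins, and reports which ports a public destination could be reached on. It handles the IPv4 syntax `accept|reject ADDR[/MASK][:PORT|LOW-HIGH|*]`, approximates the `private` keyword with the RFC 1918 ranges plus loopback, and falls back to the default exit policy listed in the tor(1) manual when the configured policy has no catch-all rule. The probe address 203.0.113.10 is a constructed TEST-NET-3 address, and `SAMPLE_TORRC` mirrors the three lines quoted above.

```python
"""Check what a torrc's ExitPolicy lines actually allow before starting a relay."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Default exit policy as documented in the tor(1) manual; Tor appends it when
# the configured policy does not end in a catch-all rule.
DEFAULT_EXIT_POLICY = (
    "reject *:25, reject *:119, reject *:135-139, reject *:445, reject *:563, "
    "reject *:1214, reject *:4661-4666, reject *:6346-6429, reject *:6699, "
    "reject *:6881-6999, accept *:*"
)
# Approximation of Tor's 'private' keyword (assumption: RFC 1918 plus loopback).
PRIVATE_NETWORKS = ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
PROBE_ADDR = "203.0.113.10"  # constructed public address (RFC 5737 TEST-NET-3)


@dataclass(frozen=True)
class Rule:
    accept: bool
    network: Optional[ipaddress.IPv4Network]  # None matches any address ('*')
    low: int
    high: int

    def matches(self, addr: ipaddress.IPv4Address, port: int) -> bool:
        in_net = self.network is None or addr in self.network
        return in_net and self.low <= port <= self.high


_ENTRY = re.compile(r"^(accept|reject)\s+([^:\s]+)(?::(\S+))?$")


def parse_policy(text: str) -> List[Rule]:
    """Parse comma-separated ExitPolicy entries such as 'accept *:80,reject *:*'."""
    rules: List[Rule] = []
    text = text.split("#", 1)[0]  # drop a trailing torrc comment before splitting
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            continue
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError(f"cannot parse ExitPolicy entry: {entry!r}")
        verb, host, ports = m.groups()
        if ports in (None, "*"):
            low, high = 1, 65535
        elif "-" in ports:
            low, high = (int(p) for p in ports.split("-", 1))
        else:
            low = high = int(ports)
        accept = verb == "accept"
        if host == "*":
            rules.append(Rule(accept, None, low, high))
        elif host == "private":
            rules.extend(Rule(accept, ipaddress.IPv4Network(n), low, high)
                         for n in PRIVATE_NETWORKS)
        else:
            rules.append(Rule(accept, ipaddress.IPv4Network(host, strict=False), low, high))
    return rules


DEFAULT_RULES = parse_policy(DEFAULT_EXIT_POLICY)


def policy_from_torrc(torrc: str) -> List[Rule]:
    """Collect every uncommented ExitPolicy line, in file order (Tor appends them)."""
    rules: List[Rule] = []
    for line in torrc.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] == "ExitPolicy":
            rules.extend(parse_policy(parts[1]))
    return rules


def decide(rules: List[Rule], addr: str, port: int) -> bool:
    """First matching rule wins; with no match Tor consults its default policy."""
    ip = ipaddress.IPv4Address(addr)
    for rule in list(rules) + DEFAULT_RULES:
        if rule.matches(ip, port):
            return rule.accept
    return False  # not reached: the default policy ends in 'accept *:*'


def exit_ports(rules: List[Rule], addr: str = PROBE_ADDR) -> List[int]:
    """Ports the relay would exit to for a public destination; empty means non-exit."""
    return [port for port in range(1, 65536) if decide(rules, addr, port)]


def is_exit(rules: List[Rule]) -> bool:
    return bool(exit_ports(rules))


# Constructed torrc mirroring the three lines quoted above: the first line's
# 'reject *:*' is a catch-all, so the two lines after it are never reached.
SAMPLE_TORRC = """\
ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
ExitPolicy accept *:119 # accept nntp as well as default exit policy
ExitPolicy reject *:* # no exits allowed
"""

if __name__ == "__main__":
    rules = policy_from_torrc(SAMPLE_TORRC)
    print("exit ports:", exit_ports(rules))                     # 6660..6667 only
    print("relay with no ExitPolicy is an exit:", is_exit([]))  # True: default policy
```

Run against the sample, the relay is still an exit for ports 6660-6667, because the `reject *:*` on the first line is reached before the NNTP accept and the final reject; with no ExitPolicy at all, the default policy makes the relay an exit for almost every port, which is the situation iamtew ran into.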

------
hendersoon
I have a very strong suspicion that Tor is completely compromised, and that's
actually how they caught Ross Ulbricht (Silk Road). All the stuff about his
previous posting, etc, is tenuous and circumstantial-- it seems totally
feasible that it is parallel construction.

The "Tor Sucks" document is from 2012. It talks about the GCHQ running Tor
nodes. What could have happened in the years since?

[https://metrics.torproject.org/network.html](https://metrics.torproject.org/network.html)

What many people don't realize is that Tor has only ~5000 exit nodes and ~3000
relays. If you control 50% of the nodes, Tor is essentially compromised. Half
is ~4000 servers.

Seems like a lot for an individual person, right? Just a rough estimate, at
$40/month for a cheap linode VPS, 4000 nodes would cost $160k/month.

But that's _nothing_ for a nation-state. $160k/month isn't even a rounding
error. And that's all it costs to _completely_ compromise Tor.

These nation states don't want anyone to know they compromised Tor, so they
won't waste it on little fish. They'll save it for real terrorists and major
criminal actors like Ulbricht. But if they compromised Tor, they're certainly
recording _all_ that activity somewhere. It's sitting in archived storage
ready to be mined if necessary.

~~~
Homunculiheaded
My suspicion is essentially the opposite: Tor is secure, but the two high
profile arrests (Freedom Hosting and Silk Road) were given priority to make
the general public a.) feel that the entire function of Tor is illegal and
often repulsive activity b.) that Tor is not safe.

The latter part of that theory, that law enforcement agencies intentionally
stepped up the resources for both the FH and SR cases in order to
intentionally create disgust and distrust of Tor, is of course merely
conjecture. Basically I find it an amazing coincidence that the two most
notorious parts of the Tor hidden service world were busted very quickly
after a huge amount of positive public attention was brought to Tor right
after the Snowden leaks. Additionally if you actually look at the details of
the FH exploit the FBI unleashed it is fairly useless, but very terrifying
when you read just the headline. Legally there seems no useful reason to use
such an easy to discover exploit that would have delivered no particularly
interesting information. However from the standpoint of creating public fear
it worked marvelously. If you talk to even technical people that don't
understand security and Tor well they often assume that the feds "hacked Tor".
Which, in my opinion, is exactly what state actors want people to think.

As for the former part of the claim, that Tor is secure, look at the Snowden
leaks about the methods that the NSA was thinking about for attacking Tor.
Egotistical Giraffe, the attack used on FH, as mentioned was not a
particularly useful exploit, and attacks user behavior not the network. Other
similar leaks also suggest that neither the NSA nor any other state agency,
has the ability to completely compromise Tor.

Finally, if you are a state agency and you have completely compromised Tor, you
would actually want the general public to think it _is_ safe. It is an amazing
advantage to have your adversary think they are on a secure line when they
absolutely are not. On the other hand if you haven't (and probably can't)
compromised Tor you want the majority of people to think you have so that they
disregard one of their best tools for defense.

Now of course there is plenty of evidence that federal agencies can perform
targeted timing attacks against specific individuals. Tor does not and really
cannot guard against this, and this has always been the case and fairly well
known. If a state agency is targeting you specifically, I don't think there is
anything you can do. However, given the information that is available to us, I
do think it's reasonable to assume that Tor is secure from general, large
scale, untargeted surveillance.

~~~
hendersoon
You don't address my specific point; namely that it is not only possible but
relatively inexpensive for any nation-state to compromise users' anonymity on
Tor en masse not by cracking its cryptography but by running >50% of the nodes
themselves.

~~~
maerF0x0
a bit of a pedantic note: If you want to control 50% of the servers by adding
servers, you actually have to double the total server count... ie, 8k servers
now, if you want to control 50% you have to add 8k of your own servers for 16k
total servers ...

~~~
hendersoon
Indeed, but my proposition is that they already did that, some time ago. It's
just such a small amount of money that it seems unlikely that they _didn't_ do
this.

------
Scoundreller
Things I've used Tor for:

- Accessing BBC Liveplayer as if I'm in England (using lots of normally
discouraged add-ons and defined exit-nodes)

- Bypassing paywalls (possibly still criminal?)

- Bypassing censorship (which is what it really is) on organizational wifi
networks (in Canadian hospitals). The funniest block was to ginger.io, a big
data smartphone data analysis play (but blocked by an over-aggressive filter
for obvious reasons).

Does anyone else have some unexpected/interesting use cases?

~~~
tedks
I use Tor hidden services to punch through NATs (mostly for SSH); it's also
useful in that only you can access the service (since only you know its
address), so a hidden service + random port is a cheap "port knocking"
implementation.

I've also used Tor to debug firewalls. It's a good way of saying "put me in a
random spot on the Internet."

Outside of that, I use Tor for whatever I can: downloading RSS feeds, instant
messaging, downloading email, mostly. There's no reason not to have Tor on
these things because they're all either batched or tolerant of bad latency,
and it destroys a little bit of my personal information that would otherwise
leak.

~~~
zaroth
The onion addresses of hidden services are not themselves secret. The onion
address is in fact well known, published in the directory. It's only your
server's IP that a hidden service is hiding.

So please, don't treat knowledge of the onion address itself as a secret! You
still have to authenticate to your service in some way.

~~~
chobo
Are you saying there is a complete directory of onion addresses?

~~~
wfn
There isn't a definitive/exhaustive directory, but see this post:
[http://donncha.is/2013/05/trawling-tor-hidden-services/](http://donncha.is/2013/05/trawling-tor-hidden-services/)

tl;dr it's possible, and you don't have to rely on crawling the web searching
for .onion addresses. You can instead become an HS directory authority, and
pick your place in the DHT. Eventually you'd be able to get every address that
goes into the DHT.

------
csandreasen
I'm probably going to take some flak for this, but I don't trust Tor. When
you access Tor, you're masking your origin IP to the remote address by
trusting one of a couple hundred volunteer exit nodes who raised their hands
and said "Trust me! You can route all of your internet traffic through me and
I promise I won't monitor or inject anything..."

I think most Tor users don't have an adequate understanding of the threat
model. It doesn't help that the Tor Project has at times upsold the anonymity
provided to a ludicrous extent[1] (to be fair, they do address the risk in
their FAQ[2]). Is it more likely that Comcast will MITM me, or some
random exit node? I might expect Comcast to maybe inject an ad into an HTTP
connection or do some DNS redirect to shoot me an advertisement, but I don't
worry about them stealing my credit card or injecting a buffer overflow or
something. In fact, they have a profit incentive to not do so. I don't have
that guarantee with a random exit node. It might be a generous privacy
advocate, or it might be someone who has more nefarious profit incentive in
mind[3]. If you're only connecting through Tor just to avoid the NSA, then you
have to assume that both a) the NSA is targeting you to begin with, and b)
that exit node you're going through isn't controlled by the NSA (or
GCHQ/FSB/PLA/etc).

sslstrip[4] undermines the prospect of protecting yourself by connecting
solely over SSL through Tor. Even then, in my experience more than half of the
sites I visit don't support SSL to begin with. The HTTPS Everywhere plugin
that EFF provides and is included in the Tor Browser Bundle is implemented
backwards - it connects over SSL only when the site matches a whitelist[5] (I
use KB SSL Enforcer on Chrome myself).

Sorry if this came off as a rant - I just see too many articles like this that
prop up Tor as a silver bullet without discussing the risks and establishing
an adequate threat model that allows the user to make an informed decision
regarding the risks/benefits of using Tor.

[1] [http://betaboston.com/news/2014/05/07/as-domestic-abuse-goes-digital-shelters-turn-to-counter-surveillance-with-tor/](http://betaboston.com/news/2014/05/07/as-domestic-abuse-goes-digital-shelters-turn-to-counter-surveillance-with-tor/)

[2] [https://www.torproject.org/docs/faq.html.en#AttacksOnOnionRouting](https://www.torproject.org/docs/faq.html.en#AttacksOnOnionRouting)

[3] [http://threatpost.com/small-number-of-malicious-tor-exit-relays-snooping-on-traffic](http://threatpost.com/small-number-of-malicious-tor-exit-relays-snooping-on-traffic)

[4] [https://www.youtube.com/watch?v=ibF36Yyeehw](https://www.youtube.com/watch?v=ibF36Yyeehw)

[5] [https://www.eff.org/https-everywhere/faq](https://www.eff.org/https-everywhere/faq)

~~~
belorn
Let's address your concern by talking about security and probability for each
of those issues.

Credit card thieves in Comcast vs in TOR. Given the number of employees who
have remote access to customers' routers (ie support), sysadmins that have remote
server access, and personnel who have physical access to switching equipment,
what's the risk that _one_ of those people has a criminal record? This will
always be non-zero, and one can never actually test it.

In TOR, this risk _can_ be tested[1]. Exit nodes can be probed by sending
unique credit card numbers or other profitable personal information, and then
observing what the node owner does. If they act on the information,
the node then gets blocked. You cannot do this with Comcast since your
identity is known to the personnel of Comcast.

The NSA threat, as talked about, is reduced by using TOR. Doing statistical
analysis is in theory possible but in practice very hard. Out of all the
Snowden leaks, not a single one presents this as ongoing work happening. Non-Tor
traffic analysis is however presented as business-as-usual and should be
assumed to happen at every point in the network.

Last, the HTTPS Everywhere you mention is a direct answer to the SSLstrip for
the most commonly used websites. Claiming it is implemented backwards because
it uses a blacklist is a bit unfair, since blacklists and whitelists each have
their own tradeoff in security. HTTPS Everywhere has no false positives and
protects against the common threat, but will be vulnerable against uncommon
ones. If they had gone with an HTTPS-only approach, it would have caused an
extreme amount of false-positives, and users would have turned it off. This
trade-off (security vs false positives) is commonly the distinction between
user products and server products.

KB SSL Enforcer does not protect against sslstrip and MITM[2] for new
installations. If the Tor Browser Bundle included KB SSL Enforcer, it would
worsen the security of the Bundle compared to HTTPS Everywhere, and would be
counter to the design. Rather than leaving no records of the sites you go to,
KB SSL Enforcer has to record and permanently store it.

[1] [http://www.slideshare.net/FreeLeaks/exposing-malicious-tor-exit-relays](http://www.slideshare.net/FreeLeaks/exposing-malicious-tor-exit-relays)

[2] [https://code.google.com/p/kbsslenforcer/wiki/FAQ](https://code.google.com/p/kbsslenforcer/wiki/FAQ)
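The probing technique belorn describes (and csandreasen says works just as well against an ISP) is a honeytoken scheme: each exit gets its own unique decoy credential, and any later reuse of that credential identifies the exit it was sent through. This added example, not code from the thread or from the FreeLeaks slides it cites, shows the defender's side of that: deriving a per-exit username/password pair with HMAC from a secret the prober keeps, so no lookup table has to be stored, and then attributing login attempts in the bait site's log back to a relay fingerprint. The relay fingerprints, secret, bait-site log format and log lines are all constructed, and the bait site is assumed to be one the prober controls.

```python
"""Per-exit canary credentials and attribution of their later reuse."""
import hashlib
import hmac
import re
from typing import Dict, Iterable, List, Tuple


def canary_username(secret: bytes, exit_fingerprint: str) -> str:
    """Deterministic username for one exit; only the prober can regenerate it."""
    mac = hmac.new(secret, b"canary-user:" + exit_fingerprint.encode(), hashlib.sha256)
    return "u" + mac.hexdigest()[:12]


def canary_password(secret: bytes, exit_fingerprint: str) -> str:
    """Password for the same exit, under a separate label so it is not derivable
    from the username by anyone who sees only the username."""
    mac = hmac.new(secret, b"canary-pass:" + exit_fingerprint.encode(), hashlib.sha256)
    return mac.hexdigest()[:20]


def canary_table(secret: bytes, fingerprints: Iterable[str]) -> Dict[str, str]:
    """Map each canary username back to the exit fingerprint it was issued for."""
    return {canary_username(secret, fp): fp for fp in fingerprints}


# Constructed bait-site auth log format: '... login user=<name> result=<ok|fail> ...'
LOGIN_RE = re.compile(r"login user=(\S+) result=(\w+)")


def attribute_logins(secret: bytes, fingerprints: Iterable[str],
                     log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (exit_fingerprint, log_line) for every login attempt that reused a canary.

    The prober itself never logs in with these credentials after the probe, so
    any attempt at all means the credential was read in transit at that exit;
    result=ok additionally means the password was captured, not just the name.
    """
    table = canary_table(secret, fingerprints)
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if m and m.group(1) in table:
            hits.append((table[m.group(1)], line))
    return hits


# Constructed data: the prober's secret, two made-up 40-hex relay fingerprints,
# and three log lines from the bait site (one of them reusing a canary).
SECRET = b"prober-secret-rotate-per-campaign"
FINGERPRINTS = [
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98",
]
SAMPLE_LOG = [
    "2014-07-10T12:00:01Z login user=alice result=ok src=198.51.100.7",
    "2014-07-10T12:04:17Z login user=" + canary_username(SECRET, FINGERPRINTS[1])
    + " result=ok src=198.51.100.42",
    "2014-07-10T12:05:00Z login user=u000000000000 result=fail src=198.51.100.9",
]


def main() -> None:
    for fp, line in attribute_logins(SECRET, FINGERPRINTS, SAMPLE_LOG):
        print(f"credential issued through exit {fp[:8]}... was reused: {line}")


if __name__ == "__main__":
    main()
```

The point of deriving rather than storing the credentials is operational: the prober can send thousands of distinct pairs, one per exit, and still attribute a sighting months later from nothing but the secret and the current relay list. The same function works unchanged if the probe is run through an ISP instead of an exit, which is the symmetry csandreasen points out.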

~~~
csandreasen
You can test Comcast in the same way that you can test a Tor exit node - the
technique is exactly the same. The threat of a rogue network admin is similar
to that of a rogue waitress stealing credit card info - significant criminal
liability if caught. To top that, people in a position to carry out such an
attack are generally easily identifiable by their employers if there is a
criminal investigation. The same can't be said for the administrator of a Tor
node in a foreign country.

The NSA threat relies on the assumption that they are targeting you
specifically; the risk with a rogue exit node is that you are exposing
yourself to an adversary that doesn't care who their victim is - i.e. most
criminals. My issue with Tor advocacy is that it's attempting to mitigate the
risk of a perceived adversary by exposing users to a much more realistic
threat. My spouse and I have both had our credit cards stolen before, but I've
never had any reason to believe that I've been targeted by the NSA.

There is a definite tradeoff with regards to the whitelist/blacklist model,
but ultimately both solutions are really just patching over inherent flaws in
the SSL trust model. I wasn't clear in my earlier post - my issue is not necessarily
with the HTTPS Everywhere model, but rather the perception that it gives the
user pervasive end-to-end encryption and solves the issue of rogue exit nodes.

~~~
belorn
If you test Comcast in the same fashion, the rogue employee can see that you
are sending several thousand unique credit card numbers to some website and
are thus behaving in a very strange and obvious manner. They can see plainly
if the request comes from the investigating branch of the police.

With a Tor exit node, the operator can't identify who is sending them the
traffic. They can't distinguish the investigating police from a victim.

You can disagree and think that rogue Comcast employees are more easily
identified than Tor operators. This is a trust question, and everyone is free
to pick who they trust and who they don't. The argument given in favor of
Comcast just doesn't sway me, and it would likely require a research paper with
test data in order to actually prove which has the higher risk associated with it.

The NSA does not target people specifically. That was proven by the revelations
from Snowden, and has been quite obvious for quite a long time. The NSA doesn't
care who their victim is when they are collecting the information. It is
cheaper and more effective to target everyone, and then data mine the result
after everything is in their hands.

------
lsh123
"It is also important to remember that if you log into services like Google
and Facebook over Tor, you will be sacrificing your anonymity to those
services."

It is important to note that both Google and FB can track you on 3rd party
websites through things like "Like" button. Consider disabling 3rd party
cookies completely or using plugins like Ghostery.

~~~
thejdude
I've been browsing the internet for 15 years with 3rd-party cookies disabled.

I never had ANY problems with any website - no idea if there would have been
more functionality with 3rd-party cookies enabled. But then again, how can
functionality depend on THIRD parties?

Also activated the setting for my girlfriend years ago, no complaints so far.

This feature should really be the default for any browser and any user. Too
bad Android Chrome doesn't have such a setting. Too bad for Google I'll use
something else instead.

~~~
rsynnott
Safari has always shipped blocking third party cookies by default; just about
everything works with it. I remember there used to be some nasty trickery to
make iframe-resident Facebook games work, but that was about it.

------
runn1ng
I actually tried to get Tor relay working.

It ate all my monthly bandwidth limit within an _hour_. By simple analysis I
found out it's mostly BitTorrent traffic, but I didn't dig very deep so I
might be wrong.

I would love to run a Tor relay, but I just do not have unlimited bandwidth to
do that.

~~~
maest
It would seem there is more demand than supply when it comes to Tor relays. If
there were a safe, anonymous way to pay for using Tor relays (Torcoin?), then
there would be a lot more incentives to have people run relays. That means the
speed will be bumped up and at one point there will be an equilibrium between
supply and demand. The system might also provide preferential treatment to
users who are willing to pay more.

Discuss.

------
frozenport
In addition to not being a criminal you might be a government agent working in
a hostile country.

~~~
Istof
also, you might _not_ be a government agent working in a hostile country (in
addition to not being a criminal)

------
nanoscopic
It is possible to de-anonymise any Tor user if they have JS enabled and you
have passive listeners at their ISP. See
[http://webcache.googleusercontent.com/search?q=cache:kVKMeKx...](http://webcache.googleusercontent.com/search?q=cache:kVKMeKxd2UEJ:www.regimedeath.com/+&cd=1&hl=en&ct=clnk&gl=us)

The described attack on Tor may not be well known, but at the very least I
told the FBI how to do it myself, so they certainly know about it.

~~~
maerF0x0
IIRC Tails helps you by encouraging you to turn off the JS to avoid the
exploit.

------
pmorici
"4. No One in the US Has Been Prosecuted For Running a Tor Relay"

That's a bit of a misleading statement. I'll agree that there haven't been any
people prosecuted because they ran a TOR relay directly but there has been at
least one case where they prosecuted or at least harassed a guy on child
pornography charges because he was running a TOR exit node and saw the
activity coming from his IP. Perhaps that wasn't in the US but still.

~~~
hackerboos
Note it says 'in the US' because they have been prosecuted successfully in
Austria.

[https://rdns.im/court-official-statement-part-1](https://rdns.im/court-official-statement-part-1)

------
higherpurpose
I agree Tor isn't as slow as many think. It's just slightly slower. My biggest
problem with Tor, though, is having to enable Javascript even for common
tasks, like logging in to Reddit, which hopefully they aren't doing on
purpose, considering Reddit is known as a site where you can use pseudonyms
as much as you want.

~~~
SquareWheel
Have you tried [https://ssl.reddit.com/login](https://ssl.reddit.com/login)?

------
zargon
One usually sees a list like this presented as debunking myths. The myths are
given bold headings that state the opposite of what the author wants to say.
This format is so much clearer because they state the position they are taking
instead of the opposite of their position.

------
mschuster91
Tails is _not_ fool-proof when it comes to determining the IP address of a Tor
user. A live CD would not have helped any FreedomHosting victim.

The only way to do secure TOR is to use a distinct machine (NOT a VM!) as a
gateway.

~~~
dublinben
>A live CD would not have helped any FreedomHosting victim.

Yes it would have. That attack relied on both a Windows-specific
vulnerability, and accessing the internet without Tor. Neither would have
happened to a user of Tails.

------
zoobear
Last I checked google was able to discern my real ip even while behind tor...
I used tor for scraping google but now that no longer works

------
woniesong
Would there be consequences in using Tor on HN?

~~~
throwaway2048
Established accounts are allowed to use Tor on HN. If you make an account over
tor, its posts will be killed for two weeks, then it will be a normal account.

------
cowbell
How did the feds locate freedom hosting?

How did the feds take down silk road?

The "tor stinks" slide was over a year old when these events occurred. A lot
can change in a year.

~~~
stephen_g
Didn't the feds take down Silk Road because the owner paid a cop posing as a
hitman to kill someone?

Also, there is a problem where hidden services can be enumerated by scanning
IPs. With IPv4, it is practical for a well connected entity to scan the entire
internet and search for hidden services, making it possible to match to IPs.
This is only an issue for people running hidden services, not Tor users.

~~~
quasque
Hidden services can't be located in that manner unless the owner has badly
misconfigured the service so it's reachable by IP address. A typical
configuration would have the service listening on 127.0.0.1 or a private (RFC
1918) network address only, and have Tor connect to that.

------
rsync
Tor is _currently_ funded by the US government.

Any list of things you should know about tor should include that.

~~~
jonnybgood
I guess we should also include that with every Linux kernel release
too. The US government has funded a lot of publicly available security
technology that you may not even be aware of, even through the NSA (SELinux).

It is a _good thing_ the US government supports these things.

------
sirdogealot
>They have been able to compromise certain Tor users in specific situations.
Historically this has been done by finding an exploit for the Tor Browser
Bundle or by exploiting a user that has misconfigured Tor.

I'm not touching TOR until I figure out how they managed to capture Ross
Ulbricht.

I highly doubt that he had his TOR misconfigured.

~~~
cLeEOGPw
He exposed his email address containing his name as a contact email for
silkroad business, so he pretty much gave himself in. With that kind of
"attention to details", I wouldn't be surprised if he even had misconfigured
TOR.

~~~
hendersoon
Not exactly. He exposed his email address as a contact for bitcoin related
development, then used the same username some time later as one of the first
people to _discuss_ silk road. It's a tenuous connection at best, but this
seemingly minor opsec lapse gave the investigators a hint to follow.

------
paletoy
This isn't accurate. It doesn't mention that the U.S. government can in very
high likelihood de-anonymize users, sometimes even without cooperation from
foreign governments, and sometimes even ISPs can do that.

~~~
stephen_g
A passive observer that is as big as NSA/GCHQ etc. can correlate traffic to
de-anonymise some traffic, some very small amount of the time. It is extremely
unlikely that a single ISP would _ever_ have enough information to do that
though.

~~~
tedks
Even the NSA has to deal with the base rate fallacy. You can't just magically
"correlate" traffic.

~~~
RachelF
It is hard, perhaps, but a good attack for the NSA would be to run many of the
exit nodes.

The intelligence gathered this way would be very valuable, as the traffic on
the TOR network has a much higher intelligence value. This is because it is
used by those trying to hide something, something which the NSA may like to
know.

~~~
majke
Have you considered contributing to organizations that make sure no single
entity controls too many exits:

[https://lists.torproject.org/pipermail/tor-relays/2013-September/002824.html](https://lists.torproject.org/pipermail/tor-relays/2013-September/002824.html)

[https://www.torservers.net/](https://www.torservers.net/)

~~~
e12e
If I wanted to support the NSA, I'm sure I'd do volunteer work for those
organizations -- and if I ran an intelligence agency, I'm sure I'd recruit
assets off university campuses across the globe. Just saying.

