
Thoughts on Tor appliances - mbrubeck
https://frederik-braun.com/thoughts-on-tor-appliances.html
======
csandreasen
Routing all of your traffic through Tor indiscriminately is a really, really
bad idea - and not solely for the reason described in the article. When you
use Tor, you're accepting the risk that the exit node could be sniffing and/or
manipulating your traffic as a tradeoff in order to hide your IP address from
the remote server and anyone in between. For that reason, if you really need
to use Tor then you need to be aware of every connection you make - everything
should be over SSL with pinned or otherwise verified certificates.

I'd recommend against even enabling Tor globally for a single machine, unless
that was a dedicated box that's only used for anonymous browsing. You don't
want to get tripped up by that browser window you accidentally left minimized
with some Javascript periodically reloading content, or perhaps some auto-
update program running in the background that you didn't realize was leaking
some unique identifier.

Routing all of your network's traffic through Tor is just begging for bad
things to happen, never mind the fact that it essentially negates any anonymity
that Tor afforded you to begin with. If you absolutely must use Tor for
something, the safest way to do so is to connect to Tor, make whatever
connections you need to make (and _only_ those connections), then immediately
get off.

~~~
thirsteh
Indeed: Client fingerprinting--when you're doing nothing unusual as well as
when you're doing something "secret"--is just as deadly with Tor enabled,
even if your true IP address isn't visible.

------
joezydeco
Just an FYI on Anonabox, it might not be what people thought it was:

https://www.reddit.com/r/privacy/comments/2j9caq/anonabox_tor_router_box_is_false_representation/

~~~
JTon
Wow. That was awesome. Highly recommended read. Reddit OP goes into an
impressive amount of detail showing it's nothing but a scam. I hope those who
donated via kickstarter get their money back.

~~~
opendais
It's not technically a scam, in the legal sense of the word. So, unless they
cancel they won't get their money back.

~~~
ObviousScience
It may be in violation of the Kickstarter ToS, though.

Also, it's likely fraud, in the legal sense of the word, because they're
materially misrepresenting the product in order to get consumers to pay for
something they otherwise might not.

------
deepblueocean
I actually think the WIRED piece [1] to which OP refers does a good job of
addressing this point. In particular, the WIRED article mentions PORTAL, a
competing device called the SafePlug (which we did some research on to show
that it does this job rather poorly), and something I'd never previously heard
of called OnionPi.

Also, the article states very clearly: "If you use the same browser for
your anonymous and normal Internet activities, for instance, websites can use
“browser fingerprinting” techniques like cookies to identify you.", which is
basically the point of this post.

The WIRED piece even goes further, offering the same solution as is offered in
this piece: "[an expert] suggests that even when routing traffic over Tor with
Anonabox, users should use the Tor Browser, a hardened browser that avoids
those fingerprinting techniques."

So while I understand the gripe that a transparent Torifying proxy doesn't
necessarily do what you think it should, I would also praise WIRED for doing a
pretty good job of handling these difficult and subtle issues in their article
about the Anonabox.

[1] http://www.wired.com/2014/10/tiny-box-can-anonymize-everything-online

------
rdl
We've thought about this with PORTAL/Masquerade (should be available on Amazon
Prime shipping by December for $25, with free downloads for a few COTS $20-30
routers -- sorry, was very busy with CloudFlare stuff for the past 4.5 months,
and Grugq was working on an awesome phone project which launched at HITB KUL
which I dearly want to buy one of).

It's not strictly "run Tor for everything", it's more like "inexpensive,
fairly intelligent firewall for $0-25." I'll post more info later; finishing
up a talk for Black Hat EU in 4h43m.

Not a fan of anonabox, personally -- I think it's scammy to sell hardware from
a Chinese OEM on kickstarter, and to run ~unmodified OpenWRT + Tor on it, but
more seriously, it's a problem because it doesn't provide meaningful security
OR anonymity to users.

Someone's going to buy one of these, take it to Syria, expect it to provide
what a reasonable person would expect it provides, and end up, if lucky, in
jail -- more likely, dead.

(We're pricing everything at cost, plus maybe $1-2 for fuzz factor; I'll
donate anything left over to Tor Project, OpenWRT devs, or some other
reasonable open source project we use.)

~~~
noyesno
Can you share a bit more details on the PORTAL/Masquerade?

~~~
rdl
www.portalmasq.com

Presentations at HOPE, DefCon, HITB, and next ToorCon

------
taksintik
Tor is so useless for regular browsing. Nearly every site flags your IP as a
source of spam, making the user experience poor at best. I can see how Tor is
useful in some instances but for 90% of web activities it's more trouble than
it's worth.

------
troyinjapan
Does getting Anonabox help me stop paying for a VPN? For example, I use
PrivateInternetAccess now.

~~~
JacobAldridge
That depends on what you use a VPN for. Tor will overlap, kind of, with some
use cases (more anonymised exit points) but the two are not interchangeable. I
believe from previous HN discussions (and am happy to be corrected by those
more knowledgeable than I) that using both is probably your best bet for
covering all use cases.

------
general_failure
Wow, 500k for a project which wanted only 7500!

Clearly shows there is need for such a product.

~~~
joezydeco
We'd all be better off giving 500K to the OpenWRT developers at this point.

------
sbierwagen
Repeating a comment I made 3 days ago:
(https://news.ycombinator.com/item?id=8449909)

      Note that Tor is still being actively funded by US law enforcement 
      (http://pando.com/2014/07/16/tor-spooks/) and that Tor's security 
      has been repeatedly broken by US law enforcement in order to take 
      down sites illegal under US law.
      (http://www.wired.com/2014/09/fbi-silk-road-hacking-question/)
      
      It is debatable if Tor provides any more security than just using 
      someone else's open wifi point. Great for evading bans on online 
      forums, worthless against the DEA.

~~~
tatterdemalion
This comment is really off base (and so is the pando story it's based on).

First, TOR is being funded by the DoD, which is not a US law enforcement
agency. The US government conflates the military and police enough for
everyone without its critics doing so as well.

Second, yes, TOR is funded by the DoD because having a network that enables US
agents to anonymize themselves from entities other than the US government is
in the interest of the US government. And yes, the US government is also
trying to deanonymize TOR traffic because TOR users being knowable by the US
government is /also/ in the interest of the US government.

None of this is surprising or strange or fishy at all. And none of it is
evidence that the TOR developers have made any compromises on anonymity. The
US government may be able to deanonymize TOR traffic; that's bad, but I have
every confidence that the TOR developers are trying to do something about it.

~~~
pinkyand
> I have every confidence that the TOR developers are trying to do something
> about it.

The basic architecture of TOR is limited theoretically with regards to some
types of attacks it can handle. TOR developers probably cannot do anything
about that.

And in some sense, supporting TOR is taking funding and attention from better
anonymity technologies, that might be able to do the job, with enough
development. That's another reason why the US government is investing in TOR.

~~~
privong
> The basic architecture of TOR is limited theoretically with regards to some
> types of attacks it can handle.

Would you mind providing some links on this topic? This is the first I have
heard of this particular assertion and I would be interested to read more.

~~~
ObviousScience
The original Tor proposal has a pretty good summary of the threats they do and
don't deal with, and other sections cover the project goals and how they
address these threats.

> A global passive adversary is the most commonly assumed threat when
> analyzing theoretical anonymity designs. But like all practical low-latency
> systems, Tor does not protect against such a strong adversary. Instead, we
> assume an adversary who can observe some fraction of network traffic; who
> can generate, modify, delete, or delay traffic; who can operate onion
> routers of his own; and who can compromise some fraction of the onion
> routers.

> In low-latency anonymity systems that use layered encryption, the
> adversary's typical goal is to observe both the initiator and the responder.
> By observing both ends, passive attackers can confirm a suspicion that Alice
> is talking to Bob if the timing and volume patterns of the traffic on the
> connection are distinct enough; active attackers can induce timing
> signatures on the traffic to force distinct patterns. Rather than focusing
> on these traffic confirmation attacks, we aim to prevent traffic analysis
> attacks, where the adversary uses traffic patterns to learn which points in
> the network he should attack.

> Our adversary might try to link an initiator Alice with her communication
> partners, or try to build a profile of Alice's behavior. He might mount
> passive attacks by observing the network edges and correlating traffic
> entering and leaving the network — by relationships in packet timing,
> volume, or externally visible user-selected options. The adversary can also
> mount active attacks by compromising routers or keys; by replaying traffic;
> by selectively denying service to trustworthy routers to move users to
> compromised routers, or denying service to users to see if traffic elsewhere
> in the network stops; or by introducing patterns into traffic that can later
> be detected. The adversary might subvert the directory servers to give users
> differing views of network state. Additionally, he can try to decrease the
> network's reliability by attacking nodes or by performing antisocial
> activities from reliable nodes and trying to get them taken down — making
> the network unreliable flushes users to other less anonymous systems, where
> they may be easier to attack. We summarize in Section 7 how well the Tor
> design defends against each of these attacks.

From the Tor proposal:
https://svn.torproject.org/svn/projects/design-paper/tor-design.html#subsec:threat-model

