
How Tor Works - LForLambda
http://www.alexkyte.me/2016/09/how-tor-works.html
======
0xmohit
Another 3 part series:

[http://jordan-wright.com/blog/2015/02/28/how-tor-works-
part-...](http://jordan-wright.com/blog/2015/02/28/how-tor-works-part-one/)

[http://jordan-wright.com/blog/2015/05/09/how-tor-works-
part-...](http://jordan-wright.com/blog/2015/05/09/how-tor-works-part-two-
relays-vs-bridges/)

[http://jordan-wright.com/blog/2015/05/14/how-tor-works-
part-...](http://jordan-wright.com/blog/2015/05/14/how-tor-works-part-three-
the-consensus/)

~~~
jwcrux
Hey there! I'm the author of this series - happy to answer any questions.

Edit: I've also had some posts about Tor that did not fall exactly under this
series format but should be helpful: [http://jordan-
wright.com/blog/tags/tor/](http://jordan-wright.com/blog/tags/tor/)

------
joaobatalha
Cool blogpost. People that enjoyed this might also like to take a look at "The
Architecture of Open Source Applications"
[http://aosabook.org/en/index.html](http://aosabook.org/en/index.html).

Also, a few months back I annotated the original Tor whitepaper here
[http://fermatslibrary.com/s/tor-the-second-generation-
onion-...](http://fermatslibrary.com/s/tor-the-second-generation-onion-router)

~~~
vthallam
The annotations on the paper look informative, thanks for sharing!

------
known
Remember that Tor anonymizes the origin of your traffic, and it encrypts
everything inside the Tor network, but it can't encrypt your traffic between
the Tor network and its final destination. If you are communicating sensitive
information, you should use as much care as you would on the normal scary
Internet — use HTTPS or other end-to-end encryption and authentication.

[https://www.torproject.org/projects/torbrowser.html.en](https://www.torproject.org/projects/torbrowser.html.en)

------
mirimir
It would also be useful to point out limitations and vulnerabilities. Tor
browser has no protection against malware that hits the Internet directly,
bypassing Tor circuits. But Tor Project does not prominently warn users about
that on its website. While Tor Project does acknowledge Tor's vulnerability to
global adversaries, there's also no prominent warning about that. If you run
Tor in a terminal, you see "This is experimental software. Do not rely on it
for strong anonymity." But how many users will ever see that warning?

~~~
nbraud
That's FUD and untrue.

The first thing you see in Tor Browser is a tab explaining that you got
properly connected to Tor, but that Tor in itself is not a complete solution
to online privacy and suggests you follow a link to an informative document
written by the Tor Project.

------
kefka
I've also written up a comprehensive IoT infrastructure using Tor, Node-Red,
MQTT, and sensor/actuator nodes as you choose.

It's all documented here: [https://hackaday.io/project/12985-multisite-
homeofficehacker...](https://hackaday.io/project/12985-multisite-
homeofficehackerspace-automation)

------
deltaprotocol
When I see articles about security related topics I immediately expect them to
be served over HTTPS and get frustrated when they are not.

It makes me think if HN should perhaps make a stand and either display some
sort of lock icon next to secure links or make it harder for insecure links to
show in the front page. Where is the right place to discuss this?

~~~
kbart
Why do you need https for text only page? Sure, somebody could do deep packet
inspection, but they would not find anything they couldn't find going to the
domain (that won't be hidden by https anyway) directly.

EDIT: previously incorrectly stated 'url' instead of 'domain'.

~~~
deltaprotocol
I don't know what is on a page until I visit it, so to make a stand myself in
favor of a less insecure internet, I use HTTPS Everywhere in strict mode,
which blocks HTTP. I have found that mostly I can live with it, and wish for
the community (HN audience is a good part of it) to keep pushing (through a
bit of pressure perhaps) towards an HTTPS only internet.

~~~
beardog
The problem with this is that it makes it very difficult to do network/isp
level caching, this is especially problematic in areas where internet
connectivity is slow, expensive, and limited.

~~~
hueving
It would be nice if https had a signature only mode so ISPs could cache but
not meddle with the contents.

