
In defense of Tor routers - simas
http://arstechnica.com/security/2015/04/op-ed-in-defense-of-tor-routers
======
dikaiosune
I, for one, have completely resigned myself to the idea that my employer,
government and neighbors know all of the most shameful elements of my Internet
usage. I haven't yet seen an approach to the privacy problem that delivers
acceptably anonymous results for acceptably low effort, while simultaneously
leaving my connection speed and latency relatively intact.

My experience with Tor was limited and was several years ago, but it felt like
I'd returned to a 28k modem...except the entire Internet had begun to serve
content on the implicit assumption that I at least had a few megabits of pipe.
Do these routers actually offer a solid cornerstone of the kind of solution
I've been waiting for?

~~~
dewey
It's really not that slow any more, it's actually quite usable for regular
browsing and if you catch a slow route a reconnect usually fixes that.

------
gweinberg
I'm a babe in the woods, but I had no idea that I was broadcasting my list of
installed system fonts and browser plugins.

But it seems to me that this kind of fingerprinting would be pretty easy to
defeat if people knew it was happening and wanted to defeat it. Something like
Panopticlick could give advice on fonts and plugins to add to lose yourself in
the herd.

~~~
plausibility
That's the point of Chameleon[1]. I've got it installed, and the issue is a
lot of websites assume "oh, they don't have $plugin (e.g., Flash) installed",
and don't fall back to something reasonable. So there are edge cases where
you'd have to disable it. Otherwise, it's pretty effective.

[1] https://github.com/ghostwords/chameleon

------
smutticus
Both the original and this retort forget to consider that different users have
different needs. Security is never going to be a 'one size fits all' kind of
arrangement. Different users will find differing levels of utility in Tor
routers.

------
gorhill
> we’ve been vocal about the need for people to use privacy add-ons with their
> web browsers

This contradicts what I have read on the Tor Project site:

"Site-specific or filter-based addons such as AdBlock Plus, Request Policy,
Ghostery, Priv3, and Sharemenot are to be avoided."[1]

[1] https://www.torproject.org/projects/torbrowser/design/#philosophy

~~~
pstrateman
Filter-based addons leak at a minimum 1 bit of identifying information -- that
the addon is installed.

With something like RequestPolicy the specific policy in place likely uniquely
identifies the user.

Maintaining anonymity with a modern web browser is virtually impossible.

Maintaining pseudonymity substantially less so, but you're probably identified
as "user running tails version x"

~~~
MichaelGG
Why/how do browsers allow sites to query the list of installed addons? That
seems like it should very much be opt-in behaviour, that an addon would need
to explicitly inject functionality to be discovered.

~~~
noondip
It's not that the list of addons is known, but rather inferred from the number
and types of blocked elements.
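
An added illustration, not part of any comment in this thread: the "bits of identifying information" idea from the subthread above, computed as surprisal over a constructed browser population. The population counts, field names and function names are assumptions made up for the example.

```python
import math

# Constructed population of 100 browsers: (fonts, plugins, filter_addon_detected).
# The counts are made up for illustration; they are not measurements.
POPULATION = (
    [("default-fonts", "flash", False)] * 48
    + [("default-fonts", "flash", True)] * 12
    + [("default-fonts", "none", False)] * 24
    + [("default-fonts", "none", True)] * 8
    + [("extra-fonts", "flash", False)] * 6
    + [("extra-fonts", "none", True)] * 2
)
FIELDS = {"fonts": 0, "plugins": 1, "filter_addon": 2}


def anonymity_set(profile, observed, population=POPULATION):
    """Count browsers indistinguishable from `profile` on the observed fields."""
    idx = [FIELDS[name] for name in observed]
    return sum(all(other[i] == profile[i] for i in idx) for other in population)


def identifying_bits(profile, observed, population=POPULATION):
    """Surprisal in bits: -log2 of the share of browsers matching `profile`."""
    share = anonymity_set(profile, observed, population) / len(population)
    return -math.log2(share)


def report(profile):
    """Show how each extra observable shrinks the herd the user hides in."""
    observed, rows = [], []
    for name in FIELDS:
        observed.append(name)
        rows.append((tuple(observed),
                     anonymity_set(profile, observed),
                     round(identifying_bits(profile, observed), 2)))
    return rows


if __name__ == "__main__":
    # A browser with common fonts and plugins, plus a detectable filter addon.
    for fields, size, bits in report(("default-fonts", "flash", True)):
        print(f"{'+'.join(fields):30} set={size:3d} bits={bits}")
```

In this constructed data the same fonts and plugins put the browser in a set of 60, and the detectable addon alone cuts that to 12.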

------
tempestn
Perhaps I'm missing something, but isn't the primary argument against Tor
routers simply that it's a really bad idea to send _all_ your traffic through
Tor? You certainly don't want to be sending logins, banking data, etc.,
through some unknown exit node. I mean, presumably you can configure the
router to only use the network for some traffic, but then what do you gain
over using the Tor Browser bundle?

~~~
ikeboy
If banking isn't using https, get a new bank.

