Some other problems:
* Possibly Sybil attacks get worse or harder to detect, because attackers can convincingly simulate being a bunch of regular users with a browser
* Possibly mitigating malicious nodes gets harder, because people can create lots of super-ephemeral nodes that fail to forward traffic, but there's no way to notice this in time to protect other users
* Users could be very angry about relaying exit traffic without expecting it, especially if they got in legal trouble as a result (when EFF ran a campaign to encourage people to run Tor nodes, we discouraged people from running exit nodes in their homes)
I personally do not think that Mozilla is doing enough to protect its users and is partially to blame for where we are.
They seem to be piling more and more features on that users don't want.
That's one thing I really like about Brave. There's an option for a private Tor session.
Using the Tor network is one part of internet anonymity, serving to conceal where you are. But using the Tor network does no good if the application helpfully adds
to every HTTP request, and browsers tend to do a lot of things like that which we have to play whack-a-mole with.
What we implement in Brave is somewhere between (a) naively just setting a SOCKS proxy, like you can do in vanilla Firefox or Chromium, and (b) mimicking everything about the Tor Browser and following the Tor Browser Design Document to the letter (https://2019.www.torproject.org/projects/torbrowser/design/).
So, while you are right that there's more to Tor and that we're not the Tor Browser (and that's why we are careful to say 'private windows with Tor' and not 'Tor windows', per agreement with the Tor Project about branding), there's also more to what Brave does than just setting a SOCKS proxy like in Firefox or Chromium and leaving it at that.
It has a great UX already and with VPN0 announced a month or so back, Brave is really pushing the envelope and does seem to have the right mindset.
Also, thanks a lot for responding.
Considering they don't even have a built-in PGP implementation in Firefox, which would make so much sense, I honestly can't imagine what you described. Tor is a relatively complex technology that requires knowledgeable use on the user's part. (I.e. you're not supposed to resize windows, the browsers can't do certain things, it gets chewed up by Cloudflare and so on.)
Here's a similar experience I had: for a while I would open any news link shared on Hacker News in Incognito mode, but at this point it gets blocked so often there's not much point.
This is quite wrong
Anything wrong with that idea?
Many clearnet sites would be extra-confused by seeing requests that are partially Tor and partially non-Tor (with subresources being requested from different locations). But the behavior isn't necessarily invalid in any way, so maybe sites should get used to it. :-)
I think the performance hit would be pretty considerable if you think about the optimization that some sites, browsers, and CDNs have been doing. If you imagine users who choose browsers (or sites) based on perceived speed, they might not react that well to deliberately slowing down connections for privacy.
(I think your idea is interesting.)
Other software doesn't normally take these precautions, and so you would often end up leaking a ton of identifying information when applications that didn't expect it were proxied by Tor.
You save bandwidth and contribute to normalization.
+ Very secure if done properly
+ Fully controllable/customizable
- Takes a considerable amount of time and energy to create & keep updated
- Unique combinations of addons exacerbate fingerprinting concerns
2.) Encourage anyone who cares about privacy to use Tor, with the aim of normalizing (de-terrorist-izing?) Tor traffic (think HTTP->HTTPS transition, HTTPS traffic was suspicious 15 years ago)
+ Most maintainable/viable long term solution
+ Standard configuration cripples some fingerprinting
+ Easy for anyone to set up and keep updated
- Concern regarding US intelligence controlling a large number of exit nodes and/or currently having the capability to de-anonymize Tor users
- Hard to get people to switch browsers
- Very hard to get people to switch to a slower browser
- Will take a while
Here is the relevant section from the Times article on the IRS agent that figured it out:
Mr. Alford’s preferred tool was Google. He used the advanced search option to look for material posted within specific date ranges. That brought him, during the last weekend of May 2013, to a chat room posting made just before Silk Road had gone online, in early 2011, by someone with the screen name “altoid.”
“Has anyone seen Silk Road yet?” altoid asked. “It’s kind of like an anonymous Amazon.com.”
The early date of the posting suggested that altoid might have inside knowledge about Silk Road.
During the first weekend of June 2013, Mr. Alford went through everything altoid had written, the online equivalent of sifting through trash cans near the scene of a crime. Mr. Alford eventually turned up a message that altoid had apparently deleted — but that had been preserved in the response of another user.
In that post, altoid asked for some programming help and gave his email address: email@example.com.
All that really remains is that one or more governments have secretly broken essentially all crypto. Which is possible, I guess, but unrelated to their developing the Internet. There's a non-zero chance there are shenanigans going on with some root cert servers for SSL encryption, which require trust for their related identity-assurance schemes to work properly, but again, that's not related to government development of the Internet.
I don't think this means there are back doors. I did find it amusing Jacob Appelbaum hung around in Berlin pretending to be in exile because of American repression while being paid a $100,000 salary by the State Department, funneled indirectly through the military-industrial complex.
Source: https://pando.com/2014/07/16/tor-spooks/ (I think Pando's core facts are correct but some of their conclusions are overblown)
Edit: mixed up CIA and State Dept
The Internet is operated by Internet service providers, not DARPA. The U.S. government role in directly operating the Internet ended in 1995 with the shutdown of NSFNet. The ISPs buy hardware from private companies that implement the public Internet protocols.
That doesn't mean that there aren't backdoors of various kinds in Internet infrastructure, but whatever backdoors exist aren't likely to exist by virtue of DARPA's role in funding the original research.
If you don't want to be banned, you're welcome to email firstname.lastname@example.org and give us reason to believe that you won't do that in the future. That means: (1) not using HN primarily for promotion, but participating sincerely in the community; (2) not using multiple accounts to promote your site; (3) not systematically deleting promotional articles after you've posted them; (4) being up-front about your association with your site instead of obscuring it.
It's entirely P2P, so no 3rd party hosting of your files, no trusting someone's crypto/update schemes, or having to set up your own servers (although you still can easily add it to a VPS if you want offsite). There's also a nice mobile app:
You can also securely share directories with another person who uses Syncthing; I've found autosync directories are easier than using something like AirDrop for sharing photos with family.
Has a 5GB free tier, higher tiers cheaper than Dropbox.
Based in Canada if that matters.
Or Syncthing as others have pointed out.
I'm still thinking which is best. They're slightly different use cases. But generally, I'd only really trust it if there's open source, otherwise there's lock-in.
pCloud's software is solid. I battle-tested a number of other cloud services before selecting them. Their implementation is excellent - with virtually every other provider I found missing features or easily discovered bugs when putting them through the wringer in terms of testing.
DDG uses Bing under the hood. StartPage proxies requests to Google. I've just personally found the latter to give better consistent results, particularly with my searches for technical/programming issues.