Hacker News new | past | comments | ask | show | jobs | submit login
Tor Browser 9.5 (torproject.org)
275 points by ASVVVAD 34 days ago | hide | past | favorite | 101 comments

I downloaded the Tor Browser a decade ago, maybe even longer, in an effort to be privacy conscious. I used it here and there but I never made the switch to using Tor by default. Some time later I remember reading the US government was tracking people, or had a list of everyone, who had simply downloaded Tor. I also vaguely remember reading about how using Tor could potentially expose you to legal risks because of the way the information hops between user computers. I don't really know much about networking or the nitty gritty of how Tor works so I uninstalled it.

I don't know if any of that was true and even if it was I'm sure a lot has changed with how Tor handles privacy and directs traffic. Are there any good resources for average Joe internet users to read about how the browser works so I can better understand the risks/rewards?

I mean there are a lot of resources but they are at a very high level. I don't think much has changed.

The basic idea is that with Tor, you make HTTPS connections to the "tor relay", a network of volunteers who route your traffic around the world to make it hard to track. You can use Tor in two ways: you can join the relay network and route traffic for others, or you can just use the browser and make queries. If you do decide to join the relay network you have an additional decision about whether you will be an "exit node", one that does the final request to the destination website and thus appears to be the initiator of the request. This is an option because it can be difficult on home internet setups: if someone uses your exit node to post a lot of stupid crap to Reddit and Reddit tries to IP-ban them, then you are suddenly IP-banned from Reddit at home, because you ran the exit node.

If you are just a user then the only thing you need to know is that there is a price for your privacy, which is that routing your traffic all the way around the world takes a little more time than sending it straight to you, and this has two effects -- a latency jump which exists basically no matter how big the network gets, and a slowdown in your bandwidth which depends on how big the network is relative to the number of people trying to browse with it.

> if someone uses your exit node to post a lot of stupid crap to Reddit ...

I think there’s a lot more to worry about than reddit shitposts eg straight up criminal activity apparently coming from your router, and in way you’d have difficulty proving was tor and not you or your family.

How is malicious interference by exit nodes prevented for plaint-text HTTP requests?

A subset of relay operators & other volunteers monitor the network for bad actors and report them to Tor Project who will then direct directory authority operators to blacklist those relays.

One of those volunteers is nusenu: https://medium.com/@nusenu/the-growing-problem-of-malicious-...

It can't be prevented on a technological level. However there are attempts to detect bad nodes and ban them. Since the exit node doesn't know "who" is accessing the website it can't just temper with your content. So it would be detected asymptomatically.

I would have to say "it's not".. anything non-encrypted you risk being manipulated by a node of the TOR network. I bet there are people who act as relays just to try to sniff out any good non-HTTPS traffic.. although, I suppose generally anyone using TOR is mostly aware of this so there's probably not that much to gain.

Complete side note.. but this just reminds me of back when I was in college in the late 90s, and our entire apartment buildings traffic was a hub (not a switch).. so I had a packet sniffer running for fun on linux and could see everything from everyones internet since every single packet was rounting to every machine on the network, and lots of stuff had no encryption... nuts to think how open stuff was back in the day.

Pretty sure some switches (to this day) can be tricked into doing similar. eg send them a few specially crafted packets, and they fall back into broadcasting ~everything like a hub for some period of time.

Not from the point of view of "legal intercept" stuff, more like "switch gets confused and doesn't know how to route, so broadcasts as a workaround".

I highly recommend Computerphile's explanation of Onion Routing: https://www.youtube.com/watch?v=QRYzre4bf7I

After that, check out the video explaining how hidden services work.

If you want to see a simple implementation of an onion router, I built one in TypeScript: https://github.com/seisvelas/onion-router-ts

(be warned, I also did that as an exercise to learn more TypeScript. So it's not good TS. But improvements and issues are more than welcome from any TS gurus out there!)

Computerphile is truly a gift to us all

It’s such an unfortunate name to use though!

It fits with the other channels by Brady Harren, though he no longer produces the videos for computerphile.

Why is that?

I assume that GEBBL is either only familiar with the -phile suffix in the context of 'pedophile', or is implying that that could be the case for others.

I think your repo is private, I get a 404

Indeed it was! I just made it public, thanks for saying something :)

If you're thinking about risks, it's important not to conflate 3 scenarios: (1) running a Tor exit node (potentially very risky), (2) running a Tor relay node, and (3) just using the Tor browser as a user (should probably be fine for most users - depends on what you use it for of course, and Tor by itself is of course not sufficient to solve all privacy issues - you can still be deanonymized if you're not careful).

Do you have any more information on how one could be deanonymized using Tor? I am aware of the browser fingerprinting and Tor themselves has a decent article about it but are there other methods that malicious parties could use?


To use an obvious example, if you log into an account you've previously logged into directly from your home computer.

More broadly, any privacy tech can be undone by poor 'operational security'. For example Ross Ulbricht - 'Dread Pirate Roberts' of Silk road - posted on StackOverflow under his own name to ask "How can I connect to a Tor hidden service using curl in php?" [1]

[1] https://arstechnica.com/information-technology/2013/10/silk-...

Well a big one would be putting personally identifiable information on websites inside or outside the tor network.

You could use Brave browser, it includes a Tor client which is accessed through the "new private window with Tor" menu item. I assume downloads of Brave might not be tracked by the US government, but then again, everything is tracked, it's just a matter of what behavior is likely to be flagged by an agency's algorithms.

It's true. Same applies with Tails. If your employer is one of the few with intelligence community shadow relationships,they will likely be alerted as well.

You will also be targeted for browser exploitation without a warrant. Tails in an isolated environment is probably the best way of using Tor.

The Tor Browser is scrutinized heavily. I know that is kind of a fallacious argument, but they have a routine presence at DefCon and they are really committed to protecting people around the world. At DefCon last year, the Tor project talked about the biggest security concern as countries who monitor the entry points to the network, and the challenges with getting those IPs distributed confidentially and keeping them hidden. (If you don't already know, Tor does require an entry IP address list before the anonymization occurs: countries can arrest people who visit these URLs, so this is the big challenge right now.)

Someone who knows more can probably elaborate, but after hearing them present year after year, and how much global advocacy they engage in, and their transparency, I find it unlikely they have NSA spooks embedded.

I use it when I need to read something objectionable through a VPN. (Still not perfect, because I run a VPN on EC2 and the exit zone is in the US...)

Not trying to be flame-baity here, but with Trump's ranting about making ANTIFA a terror org, and with the recent legislation that allows warrant-less IP tracking, I am legitimately concerned I might end up on a watch list because I visit a website this admin finds objectionable.

> If you don't already know, Tor does require an entry IP address list before the anonymization occurs: countries can arrest people who visit these URLs, so this is the big challenge right now.

Sorry, can you explain what this means? Would my home IP address be the "entry IP address" you're referring to?

No, it's the IP of the first relay.

Tor works pretty much like this:

You -> Relay 1 -> Relay 2 -> Relay 3 -> The website

Each arrow is an encrypted connection. The content of the exchange on a single arrow is the address of the next hop and the query of the next hop. Thanks to this:

- Relay 1 only knows you're going through Relay 2

- Relay 2 doesn't know who's asking (you) but knows it passed through Relay 1 and is going through Relay 3

- Relay 3 doesn't know who's asking (you) and where you entered, but knows it's going to the website

The nodes in the middle know everything that goes through them, but don't have the big picture.

The entry IP address is the IP address of Relay 1. Your computer must know an address to connect to, and that address is distributed in listings by the Tor Project. Since this listing is public, it also makes it easier for censors to censor, or at least detect who's interested in connecting through Tor

Do you know if GDPR prevents EU countries from obtaining IP logs for Amazon zones located there? I was hoping I could spin up an EC2 VPN in Europe and feel more secure that my IP logs can't be obtained by the US gov't. I use RunBox for email in Norway, which has the strictest privacy laws, but there is no AWS zone there. Any thoughts? Thanks.

The US CLOUD Act was designed specifically to enable US gov agencies to access that information:


So, don't use EC2 or stuff hosted by other US companies for things to you want to keep private from the US gov.

Also note the US gov shares intelligence with other countries, as mentioned by a sibling post.

Maybe through the UKUSA agreement or similar. https://en.m.wikipedia.org/wiki/UKUSA_Agreement

> Do you know if GDPR prevents EU countries from obtaining IP logs for Amazon zones located there?

GDPR has specific exemptions for law enforcement and national security. Governments are allowed to get the data by claiming it's for national security. Some EU countries may have better protections than others.

To give better advice I guess people would want to know what your risk model is. Who do you think is after your data? What do you want to protect?

> risk model is

Mostly curiosity: what is the highest degree I can obscure my web use and meta data with off-the-shelf technologies?

> For the first time, Tor Browser users on desktop will be able to opt-in for using onion sites automatically whenever the website makes them available.

Good. This is, in my opinion, one of the bigger pain points of the whole Tor experience.

I don't personally think the problem is with understanding how onion addresses work (I've explained them to my mother and she understands the concept pretty easily), it's just the user-experience that has always been kind of a pain - even for people that use Tor often and understand it well.

I don't use the Tor browser for a number of reasons, so I can only hope other browsers follow suit.

At a certain philosophical / high level, I don't like the idea of the 'human-memorable names' .onion feature.

It's politicising software. Open-source software should never have an official, hard-coded opinion about any of the content findable through it.

I've seen the Firefox org increasing do similar things when reading their email newsletter. It even stopped me donating to Firefox.

A core idea of Tor is to not censor. When you give special access to some sites, it feels like the opposite of net neutrality. That is on the censorship spectrum.

I guess it's not too bad if they never block any content at the protocol or software level, but at some point, giving certain content privileged features at the software/protocol level is a two-edged sword. It means you're forced to deny supporting other content.

Indeed, once Tor starts having an official opinion about online content at the browser level, who's to stop people starting to pressure Tor to block certain content, since they're basically starting to be in that realm now? It can be a slippery slope.

I'd prefer at the very least it be toned down to a third party add-on. It's great to make onion sites easier to access, of course. But it should be in a way that doesn't involve political or legal barriers for content creators.


BTW, I highly encourage anyone with a linux box at home just sitting there 24/7 to start an obfs4 bridge relay. It's not that hard, and low on resources. #tor-relays IRC extremely helpful in getting you set up.

I've been running one for about a year and it's provided tens/hundreds of GBs of Tor Internet to people hopefully in Asia, South America, and the Middle East - protesters who really, really need some help in anonymization or gaining access to blocked content.

I use Tor Browser for most of my day to day browsing to foil all the non-governmental corporate botnet spying. Of course I’m under no illusions that it secures you against the government. But I don’t do anything naughty so I’m not worried.

Why do you think it fails as basic security against the government? Honestly curious. And what would you suggest instead. To my knowledge many dissidents and activists around the world are specifically using TOR because it supposedly does indeed provide protection against government tracking.

> Why do you think it fails as basic security against the government?

Tor connections against normal sites use 3 hops while they use 6 hops against onion sites. Controlling or potentially even analysing the traffic from 2 of the hops is enough to know where the user connects to (it might be 4 hops for the onion case but I am not sure). I am pretty sure that NSA has enough resources for their own nodes. I2P has a better architecture in general but it still does not solve the issue. I am looking into evaluating lokinet at the moment.

In general tor does not have a great track record. For example they took ages to upgrade from an 80-bit sha-1 truncated address scheme with dh1024 and aes128 into something more modern.

Okay, definitely a bit less practical, but what about using TOR with TAILS on a laptop that's dedicated to nothing else (laptops for TAILS use generally shouldn't run over top of a Windows or regular OS installation). Furthermore, using said machines or TOR alone from an IP address that isn't one's own identifiable address.

That aside, what do you concretely propose as alternatives to TOR for the seriously privacy-conscious (and those, such as activists and dissidents, who need anonymity in a life-or-death way.

> but what about using TOR with TAILS on a laptop that's dedicated to nothing else

This does not really help regarding what I mentioned.

> using said machines or TOR alone from an IP address that isn't one's own identifiable address

Slightly better I guess but in most cases you can still be identified.

> what do you concretely propose as alternatives to TOR for the seriously privacy-conscious

Honestly, no idea. I would keep using tor for the time being but we really need an alternative.

You could've just said that you have a hunch.

Are you kidding? What part of "Tor connections against normal sites use 3 hops while they use 6 hops against onion sites. Controlling or potentially even analysing the traffic from 2 of the hops is enough to know where the user connects to (it might be 4 hops for the onion case but I am not sure). I am pretty sure that NSA has enough resources for their own nodes" seems like a hunch?

Do you have something that you disagree with? If so just say it.

Rumors abound that the NSA runs a bunch of Tor exit nodes

Even if this was true, it should not change anyone’s behavior; a malicious exit node should be assumed when using Tor.

I.e. either always use HTTPS sites, or .onion sites. No HTTP unencrypted sites.

It would be unreasonable to assume that they aren't. It's a cheap, easy, and low-risk way to soak up lots of interesting traffic.

It’s literally funded and made by the NSA.

Dissidents and activists have been busted using Tor and there’s always a friendly government damage control agent ready to pop up (any forum, any time of day) to remind people that Tor couldn’t possibly be backdoored or owned, it was always some other type of thing they used in parallel construction.

Over-shilling is what clued next in. You don’t get this kind of response without a massive panopticon dispatching reputation managers. Why the heck would the NSA write NSA proof software? LOL.

EDIT: this is in reply to mapgrep and his crew:

Did I say I won't use Tor Browser? Is it really necessary to put words into my mouth to make your point? I've noticed this a lot with people who are very very lightning fast, almost unbelievably fast, to defend Tor on any forum or platform on the Internet. The speed at which it occurs, and the typical over-the-top, rude, and unnecessary attempts to make people seem to say things they 100% have not.

You should apologize. Obviously the NSA has broken Tor, they made it. Forget about current funding, where'd it originate?

And why does the Tor Project publish a list of exit nodes?

The fact that the US government, largely through Open Technology Fund, originally an arm off the State Department (via Radio Free Asia!), has arguably done more to fund core internet privacy technologies than the private sector is an indictment of the private sector, not of the U.S. government.

We should absolutely be aware of funding sources, skeptical of code written by other people, etc, but if you were to actually enforce in your life a position that you won’t use any security or privacy technology with funding ties to the USG you will quickly find yourself in quite an untenable position.

AES which is the encryption standard for asymmetric crypto and used everywhere (including by the gubment) was designed by the NSA. So what's your point?

> is the encryption standard

Some others (such as chacha20) are pretty popular too. This is the only cipher used by wireguard and one of the ciphers used by ssh and tls.

> was designed by the NSA

No it was not. It was designed by two Belgian cryptographers (the same ones that did SHA3).

> for asymmetric crypto


No offence but you seem quite clueless.

Fair enough, but my point against the tinfoil hattery still stands; Just because the gubment was involved with it's inception doesn't mean it has backdoors.

Why do you trust literally any secure comms code?

This seems very risky.

* Exit nodes might be run by malicious actors and unless you enforce always https they might snoop credentials.

* If you login to platforms like google/facebook/twitter/stock overflow it might still be possible to track you.

If you're worried that your employer is spying on you then tor can't help because they already have administrative access on your computer. I personally have a rule to never log into personal accounts from corporate devices.


well, if you open non-HTTPS links you're trusting the exit node operator not not fuck with your data and to not snoop on it. So... don't do anything important without HTTPS. Same as always. As for the corporate spying... totally agree, worst case you didn't gain nor lose

Right, this is important to understand. The use of Tor isn't just about subverting government information gathering. But it's just as important in the fight against corporate collection, maybe even more so.

I'm (personally) less concerned about government spying on me than I am about corporations. That's not to justify government overreach, but I don't like the prospects of corporations like google, facebook, twitter holding as much (or more) of my information as the government does.

Sometimes I can't log into HN with Tor. Do you have that problem?

Yes, I do, and they also shadowban Tor accounts here, which is depressing.

Really? I don't think that's true: I use Tor (well, not right now, d'oh!) and people respond to my posts.

Yes, really. It’s not that hard to check, just log off, create a new account through Tor and try to comment.

"Onion Location" and "Onion Names" are very welcomed improvements.

Not having memorable names makes it tough for people that use a non-persistent OS for Tor. I'm all for creating more accessible URLs.

On the topic of using Tor with a non-persistent OS, what I'd really like to see on that front is a federated encrypted bookmarking sync service integrated into the browser. Would be really neat if you could "sign-in" to the browser using a human-memorizable identifier to restore bookmarks and other settings.

Obviously that opens up additional attack surface for de-anonymization attacks, but I think it could be done reasonably securely given sufficient effort. (Hashing and key-stretching the login credentials, fetching bookmarks over a separate Tor circuit, storing the encrypted payload in a distributed database rather than a centralized server, etc.)

Done right, a system like that could potentially even lead to an open standard for synchronizing bookmarks, passwords, and other settings across different browsers.

Firefox Sync meets all the criteria you've described, except I don't think it has automatic Tor integration.

Firefox Sync is federated? I only ever saw an option to sync using my Firefox account. (Which is a non-starter for Tor; since my Firefox account is tied to my email address.)

I also didn't realize it was an open standard. Are there any other implementations besides the one in Firefox? I couldn't find any information on that.

I'm amazing how well youtube works when using tor. I would have assumed it would vomit captchas like the rest of Google but it doesn't.

Youtube works for you using Tor?

It's never worked for me. Just shows a page with the Noscript "this is being blocked" logo.

Maybe you turned off Noscript?

I wasn't aware of that. I don't use it a lot but I assumed the same thing and that something like https://www.invidio.us/ would be necessary to make it usable Great to know thanks!

Or just use youtube-dl (mpv for streaming).

Gives me a "You are not authorized to access this page." response :/

Edit: nvm it is working now.

Worked first time for me.

Automatic detection of onion versions of sites sounds great.

Edit: refreshed once, still worked. Refreshed again, "You are not authorized to access this page. " Refreshed a third time, worked again.

Seems to be completely random behavior. Try refreshing 2-3 times.

Hopefully they are better at making safe browsers than managing weblogs.

same for me: Gives me a "You are not authorized to access this page." response :/

but you might start to get downvoted on HN when this gets fixed

It is working now.

That will make discovery of hidden services much easier, this is great!

Indeed, this will help avoid scams too!

The Onion site autodiscovery has never worked for me when using Cloudflare's Onion routing. My sites (e.g. https://www.pastery.net/) include an alt-svc header, yet the browser never prompts me to switch to it. It does work for ProPublica, but not for my sites for which I have CF's Onion Routing enabled.

Has anyone else had this problem (or had this work)?

according to the blog post, alt-svc enables invisible onion services, which have been supported "for years". this new release enables "Onion Location", which is apparently presented in the address bar.

Oh hmm, I thought those were the same. I did think this has been supported for years, though I've never seen any indication that my browser is actually using the Onion service.

Anyone know what the HTML is for adding my onion address to my page for people visiting from the normal web entrance? I looked through the changelog for the bit about this auto-detection but didn't see it. Is it some sort of link tag thing in the <head> like,

<link rel="alternate" title="my site but on tor" href="superkuhbitj6tul.onion" />

It's HTTP headers not HTML as far as I could tell.

The article didn't say the exact name of the header but it mentions support.torproject.org uses it so looking into its headers:

    $ curl -I https://support.torproject.org/
    Onion-Location: http://4bflp2c4tnynnbes.onion/index.html

Thanks! That was easy to implement.

brave browser has a "tor private window". such a great idea, since most people dont realize a private window is only private to their own browser. anyone know how updates to tor affect brave? it seems crucial it is kept to to date

updates to the tor library gets updated in brave most likely (if they care about its security) updates to the Tor Browser shouldn't affect it mostly unless they like a feature and they want to add it.

Has anyone had any luck or done any experiments using OnionCat with Multicast? I've heard people can get 200MB/s+ doing this but potentially sacrificing some anonymity.

I'm confused about how the human-readable domain names work. Are they just hard-coding certain addresses in the browser itself?

I believe they are being done with rule sets for HTTPS Everywhere which is shipped with Tor Browser Bundle.


Anyone know how exactly this onion site naming scheme works? Will all those drug markets soon have funkt accessible domains?

The human readable urls are a nice touch. It's nice to see tor becoming more user-friendly in the most recent releases.

Indeed! This release promise more focus on usability and that's really great. human readable URLS and .onion headers can help newcomers get out to find their way and evade scams

For what it's worth, Tor has been my default browser for the past 5 years to 'surf' the net and the experience is incomparable from 3 years ago to today, so much improvement specially on news sites with the 'Toggle reader view' or Reddit, Twitter, etc.

Give it a go if your experience wasn't great a few years back.

Why should I use this rather than Brave with Tor option enabled? I'm not being rhetorical.

Tor Browser tries to make your browser fingerprint look the same as all other Tor Browser users, while Brave does have some patches to try to handle that it's still very far from what Tor Browser offers.

I understand the concept of Tor but since the government is actively watching, it doesn't really fit the usecase if I understand correctly.

From a privacy point of view, couldn't you use multiple VPNs?

> From a privacy point of view, couldn't you use multiple VPNs?

I don't see what could be gained from nesting VPNs because you're identifying yourself to the innermost VPN. Tor is designed so that exit nodes don't know who you are.

Say you did 5 vpns, you'd need all 5 companies to respond correct?

I imagine you could pick a few Anti US government VPNs and at least 1 wouldn't cooperate.

No, just the last one (the one which outputs your traffic).

Assuming it's a commercial VPN it has your billing data and doesn't matter that you connected to it via another VPN.

> I understand the concept of Tor but since the government is actively watching, it doesn't really fit the usecase if I understand correctly.

You can hide the fact that you're using Tor by using bridges with or without pluggable transports.

> From a privacy point of view, couldn't you use multiple VPNs?

No amount of chained VPNs will offer you browser fingerprinting resistance or privacy by design.

wait! the most privacy centric iOS doesn't support Tor?! but Android does! I wonder is privacy is just Apple's PR but far from truth. The speech to text translation also they need to route via their servers. The contractors listen to recordings of Siri. Its time to unmask Apple's true face.

Who cares if youre supporting Tor when the whole android platform is a mobile data collection trap. They own you on the device level.

Yeah you can root the 'droid and ditch the Goog Play Store, but you can jailbreak iOS.

Jailbreaking is harder than rooting though and apple constantly fixes the holes so maintanence cost.

Few android manufacturers even have instructions to change your rom or root the phone. Lot of them support it while apple doesn't. Android is also open source so you can push your own changes at os level and reflash it . You can't do the same for iOS. You also have control over the hardware more than you do on iOS - way easily. Overclocking isn't possible on iphones.

I am not denying Android doesn't collect data. I am just saying Apple does it too and them being hypocrite in this argument about privacy. You still missed the point on why Tor is not supported on iOS?!

My main takeaway is that Tor is introducing a new domain names suffix: .tor.onion

For information, there was a similar initiative by Namecoin with .bit.onion: https://www.namecoin.org/docs/tor-resolution/ncprop279/stemn...

Can I please do those horrible recaptchas on TOR browser already?

Didn’t they just lay off a bunch of people?

Your comment sounds accusatory; perhaps I read it incorrectly. Yes they had to let about a third of the team go. The project continues.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact