[nobodyorother]

Does the onion service still serve the same advertisements their website and mobile app do?

If so, they're leaving their users-who-want-to-stay-relatively-anonymous open to attack via the advertisement vector. Members of that group would be considered high-value targets simply due to their anonymity desires.

I can't see the number of daily users being large enough that they'd lose significant profit by closing that attack vector. Hell, if there was a way to pay NYT enough to disable ads on all their services, I'd do it.

[system33-]

Tor Browser isolates cookies and other browser state into buckets based on URL bar domains.

[jerheinze]

... i.e. first party isolation, one can read more about it on the Tor Browser design document: https://www.torproject.org/projects/torbrowser/design/

[milofeynman]

How can I get first party isolation in regular chrome or firefox? That is exactly what I've been imagining/wanting since Firefox announced their new container prototype.

[jerheinze]

Thankfully Mozilla works with the Tor Project so that Tor Browser patches to Firefox get uplifted to mainline Firefox, you can read more about those efforts here: https://wiki.mozilla.org/Security/Tor_Uplift And the Tor Uplift tracker: https://torpat.ch/uplift

In this case the relevant preference is privacy.firstparty.isolate = true. Another worth pointing out pref is privacy.resistFingerprinting = true.

[milofeynman]

Thank you. I am excited for all the ways this is going to break the web for me, but this is exactly what I wanted. Maybe someday this will be on by default for everyone. Can you imagine?

[the8472]

In firefox: about:config -> privacy.firstparty.isolate = true

Note that containers provide similar functionality but in a less rigid manner. On the other hand first party isolation has the advantage that it also applies on navigation within a single tab while containers are fixed within a single tab. Currently neither is a superset of the other. If bug 1323873 [0] gets implemented then containers + some scripting by extensions could act as a superset of first party isolation.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1323873

[sova]

I am curious about this as well. Tor is anonymous insofar as individual entrances and exits cannot be monitored. The advertising and other tracking pixels that would riddle something like the NYT site makes me think this is how some uncareful kingpin will fall, checking the op-eds.

[VVayneTracker]

Can't the nodes be compromised? I've eschewed using it as USG is purported to have taken over entrance and exit nodes using a combination of threats and bribery.

[Ajedi32]

In order to fully compromise your privacy, the government would need to have control of _all nodes_ in your path, not just the entrance and exit nodes. (They _might_ be able to deanonymize some users by using traffic correlation using only entrance and exit nodes, but that is by no means a straightforward process.)

Tor also gives you a way to choose a specific exit node based on the country it is in, but I have no idea how reliable that is.

It is worth noting that with hidden services no exit nodes are required, since your traffic's final destination is running its own Tor-compatible node.

[sova]

as Ajedi32 states, even knowing entrances and exits, it is SUPRHARD to figure out all the associations, but it has been done in the past for high profile sites. It is also not possible for them to monitor every entrance and exit, and it is akin to watching the entrances to a mall where everyone is dressed exactly the same, trying to identify who shops where. With one-off data, really hard. With regular or periodic data, the mystery is a lot easier to unravel.

[ryacko]

I dunno, it is done in China to monitor everything. http://www.mirror.co.uk/news/world-news/china-installs-20-mi...

[reaperducer]

Why not try it and let us know instead of simply making guesses?

[nobodyorother]

I was asking because I'm currently nowhere near a system that I'd trust for this purpose. I'll be near one later and, if you're interested, I'll update the question with my findings.

[jstanley]

There exists a system that you wouldn't trust to provide a good-enough answer to the question "Does the onion service still serve the same advertisements their website and mobile app do?" ?

What do you think an untrustworthy system is doing that would make it give a not-good-enough answer?

[nobodyorother]

That's a clever question and the answer has a few parts, mostly due to the slipperiness of "trust" as a concept: I wasn't specific enough in my description of my own threat model (which makes sense, as my aim wasn't to explain the threat model but to cultivate answers from other folks). In short, I currently only have access to systems that are too costly to replace, if the site is under active attack. That's not to say that HN's comment section isn't also a risk, but it seems less of one.

I considered these actors before deciding to ask the question instead of immediately connecting directly: available computer systems, internet pipes, the NYT website, and the bevy of third party ad-services hosted through the website.

[asciimo]

Hey, Tom. I'll be right over with my laptop that I don't care about. You still on Green St.?

[nobodyorother]

Nope, I got promoted to Wall St., 5th floor! Just leave it unattended in the Blue Room, by the donuts, and I'll pick it up in a few.

[unethical_ban]

I'm reading this from a bank workstation. Let me install Tor and see how long I can test NYTimes readability before I'm escorted out the door.

[ceejayoz]

If you're using Tor surely you should be disabling third-party and non-onion assets and JavaScript?

[nobodyorother]

Not all entry points do the most paranoid thing, and not options are even available on all entry points.

The Tor Browser Bundle (desktop) has different defaults than Orfox (phone), and I think both will connect to non-onion URLs when connecting to an onion site. Same for JS, ad-block, etc.

[nobodyorother]

As of last weekend, NYT-over-onion serves ads like their other entry points do.

[swiley]

curl -H ""

There are zero good web browsers with socks5 support. (which is needed for tor)