by onlydeadheroes 2323 days ago
I consider Tor to be completely compromised. Consider this:

1) Political entryism by ideologues. These people stand against merit, and these are the same people who every few weeks post a lead-balloon of a thread against it in this very forum and others.

2) Recent purge of non-aligned team members on trumped-up bullshit that only offends the now-dominant political ideas

3) Large, long redesign with obvious flaws

4) Unwillingness to address the reported flaws

We are not talking about ICQ here, we are talking about Tor. If the Tor team is not concerned about this, then what are they concerned about? What else are they even doing? Why is it that in this age of total surveillance, when even Torvalds had to face the wall while they purged his team, nobody in power is bothered by Tor? Ain't that the fucking shit?

1 comments

I share your concerns.

But I haven't given up on it entirely.

I mean, what else do we have? VPNs, sure. And maybe I2P. But it'd be very sad if Tor were totally compromised.

Upon reflection, I gotta say more.

I do share the concerns about Tor's security, and about the Tor Project's focus. However, I don't believe that it's useful to argue about the culture war soap opera. As an attentive outsider, it strikes me as largely based on hearsay and innuendo. But still, that's a valid concern, to the extent that it interferes with developing and securing Tor.

What bothers me most about the Tor Project is how it seems to focus on ~OK anonymity and security for most users, and seems to ignore vulnerabilities that impact users who are most at risk.

While Tor browser is very well hardened, relative to Firefox, there's absolutely no protection against malware (or anything else, for that matter) reaching the Internet directly, and so bypassing Tor. And that's precisely what hosed thousands of users who were infected with the FBI's malware, which phoned home, and got them busted.

I don't deny that many of them were accessing child porn. But when we're looking at Tor's security, that's arguably irrelevant. I mean, we know about this because criminal matters in the US are public. However, we have no clue how many users in authoritarian regimes have been pwned by similar malware, over what we'd call human rights issues.

And it's not hard to fix, really. All you need is firewall rules that allow only the Tor process to access the Internet. That's doable with Windows Firewall. But I've never seen anything about that on the Tor Project site.

In Linux, it's harder, because there's no way (that I know) to control network access by process. Only by user. And here's another screwup. In Debian, plain vanilla Tor runs as user debian-tor. So it's easy to allow output only by that user. But Tor browser runs the tor process as the login user, so that approach doesn't work. You can use iptables rules that allow output only to requisite relays, but that's brittle to guard failure.

Anyway, enough already.
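The per-user restriction described in the comment above for Debian, where the system tor daemon runs as debian-tor, sketched as an added example that is not part of the original thread. The function name `tor_only_ruleset` is hypothetical, and the ruleset only helps when tor runs under its own account, not when Tor Browser starts tor as the login user.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset that lets only one local
# account (the one the tor daemon runs as) open outbound connections.
# Everything else can still reach tor's SOCKS port over loopback, but any
# process that tries to go out directly hits the OUTPUT DROP policy.

# tor_only_ruleset USER -> prints the ruleset; returns 1 on a bad name.
tor_only_ruleset() {
    user=$1
    # Accept only a plain account name, so the argument cannot smuggle
    # extra match or target options into the generated rule.
    case $user in
        ''|-*|*[!A-Za-z0-9_-]*)
            echo "invalid user name" >&2
            return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner $user -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for Debian's system tor account. To apply it (as root):
#   tor_only_ruleset debian-tor | iptables-restore
#   tor_only_ruleset debian-tor | ip6tables-restore   # IPv6 needs its own copy
tor_only_ruleset debian-tor
```

The owner match identifies the account, not the binary, so anything else running as that account is allowed out as well.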

> there's absolutely no protection against malware (or anything else, for that matter) reaching the Internet directly, and so bypassing Tor.

This is where something like Whonix[1] is helpful. You’re right that torproject.org doesn’t mention this issue much at all with regard to Tor Browser usage. On the other hand, the warnings are fairly obvious in the TorifyHOWTO[2] section.

[1] https://www.whonix.org/

[2] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWT...

Yes, I should have mentioned Whonix. It's the only sane way to use Tor.

And about the TorifyHOWTO, the dumbed-down website redesign has made that stuff even harder to find than it was before.

>While Tor browser is very well hardened, relative to Firefox

Some say it is one of the most attacked browsers ...

>However, we have no clue how many users in authoritarian regimes have been pwned by similar malware, over what we'd call human rights issues.

Maybe not as much as you believe. The OP is talking more about traffic correlation. The FBI's attack came from the browser; this can also aid in correlation attacks but was irrelevant in the FBI's case. In authoritarian regimes you can just attack from the network side and log each IP which tries to connect to a Tor node. Then you visit those people personally. Or like in so many authoritarian regimes you just block Tor completely. Neither a firewall nor Tails nor Whonix will protect you against traffic correlation attacks.

You can use unregistered obfuscating bridges when the Tor protocol is banned. Not sure how effective that is though, since I've never needed to use them.
I'm not sure about their security either, see my other post below.

> And it's not hard to fix, really. All you need is firewall rules that allow only the Tor process to access the Internet. That's doable with Windows Firewall. But I've never seen anything about that on the Tor Project site.

Generally malware on the local system is nearly always game over. There's little you can do about it without wiping the system. But other than that I suppose the Tor project could give more visibility and advocacy for both Whonix and Tails, as they provide better system-wide protection than the Tor Browser can do. As you say, neither of those well-known projects is mentioned anywhere easily locatable on their site.

I agree that malware means game over. But firewall rules at least protect against wimpy malware.

And yes, I really don't know why they haven't embraced Whonix.

What's funny is that Tails has more visibility, and it's actually less effective against malware. Because there's no isolation between userland and the Tor client.

> In Linux, it's harder, because there's no way (that I know) to control network access by process.

What about https://github.com/gustavo-iniguez-goya/opensnitch ?

There's also Freenet (or is that not secure anymore?)

Freenet is pure P2P, and there's no option for Internet access. Also, it doesn't do onion routing like Tor or I2P do. It employs a sophisticated encryption and forwarding strategy, to obfuscate senders and recipients from innocent intermediaries. So arguably, any peer can plausibly claim that they're just an intermediary, handling end-to-end encrypted content.

However, given logging data from malicious peers, adversaries can discover peers that handle illegal content. Then they can attempt to distinguish senders and recipients from innocent intermediaries, through statistical traffic analysis. And then they can arrest and prosecute them. And defendants must then counter claims about attribution.

The default is Darknet mode, where nodes only peer with people who they know and trust. But given how people are, it's hard to prevent infiltration.

Also, with a Darknet, there's no access to the rest of Freenet. The recommended option is having one node in a Darknet also run in Opennet mode. So then they're the only one at risk. But that funnels all Darknet traffic with the rest of Freenet through them.

Anyway, Freenet is interesting. But I do not recommend using it, except on a thoroughly anonymous VPS, managed and accessed through nested VPN chains and Tor.

We have our skills, and the ability to implement anything that we can imagine (with the necessary detail). They can't take that away.

There are not that many people capable of a secure design & implementation. But that is just the tip of the iceberg; any network promising anonymity requires a large number of nodes (and high traffic), and that number must stay significantly larger than the number of malicious nodes that try to deanonymize the network.

Adoption remains a huge challenge (and not really one you solve with technology or skill). It doesn't help that design decisions that improve security can degrade the user experience, leading to lower adoption and lower security. Sigh.

Well put!

I left it as "network effect". Probably too opaque.

It's like there was a window in the early 00s, when stuff like Tor, Freenet and I2P could recruit enough nodes to be viable. Remailer networks were just too damn hard to use. I mean, they were based on PGP plus mix networks.

But now, people expect stuff to be easy.

Sure.

However, I2P is the only alternative that's been implemented at any scale, to my knowledge.

Papers have been published, yes. But I'm not aware of any other anonymity networks that have even gone public.

Why that is, I'm not sure. Maybe it's just network effect.