For users wanting to prevent their ISP from sniffing around, Tor works as intended. Against advertisers it also works decently as a self-cleaning browser that constantly changes its IP address.
For developers and sysadmins that want to get an outside look at their own services or investigate third-party websites (like fraudulent lookalikes), it works pretty effectively with some caveats.
It also works mostly fine against national and ISP firewalls that are intended to censor citizens and lead people away from places which the state has declared unsuited for its population.
Against police forces it seems to mostly work as a free tool that gets used by criminals as something better than nothing, but with some larger caveats, and the police have cases from time to time where they have identified criminals (from either good investigations or parallel constructions, depending on who you ask). The Tor browser has also not been immune to malware.
Against national-level intelligence agencies, "citizen scores", and whistleblowers employed within such agencies, the protection granted by Tor may be very far from 100%. It is not recommended by anyone to depend on Tor against that threat model.
> It is not recommended by anyone to depend on Tor against that threat model.
That depends as much on the use case as the threat. Traffic analysis attacks require traffic. Short-burst communication via Tor (chat/email/bot control commands, etc.) is not traced as easily as large file downloads or random web browsing. Attacks on the client (malware) are also very hardware-dependent. A target using the same Tor client on the same hardware regularly is a softer target than someone connecting randomly via a variety of devices.
The NSA (or FSB/FBI/CIA et al.) are not SHIELD. They operate in the real world with real-world physics/math. If they did have reliable and simple backdoors into Tor, we would have heard about them by now.
How do you figure we would have heard about it? I mean, the only reason we know they can break RSA 50% of the time was because of Snowden, and that was like 10 years ago or so.
I mean, these people are really good at keeping things secret. I remember reading books written in the late '80s that still said the first use of computers was calculating artillery tables, not codebreaking.
> I mean, the only reason we know they can break RSA 50% of the time was because of Snowden, and that was like 10 years ago or so.
Edward Snowden's revelations were about seven years ago, and did not include anything about the NSA breaking RSA encryption or signatures 50% of the time or any other amount. Who knows where you got that from, but not from Edward Snowden.
> I remember reading books written in the late '80s that still said the first use of computers was calculating artillery tables, not codebreaking.
That would be because it was true. The purpose of the Difference Engine and of early mechanical calculating machines that were actually built at the time was construction of tables.
Colossus (which was used for breaking Lorenz) is an early electronic computer, but certainly not the first such computer, and it isn't a stored-program computer (to change what Colossus does it's necessary to physically disassemble it), so it's not actually part of the lineage of stored-program computers we use today.
The Ultra Secret was published in 1974 - after that point the fact that Colossus existed and everything else about war work at Bletchley was not a secret. So Ultra was kept secret for just over thirty years.
> Against national-level intelligence agency, "citizen scores", and whistleblowers employed within such agencies, the protection granted by tor may be very far from 100%. It is not recommended by anyone to depend on tor against that threat model.
Are there any alternatives then, that do work against this threat model? It seems like a lot of the real need for such a tool is for journalists and activists who do need protection against national-level threat actors.
I think you misunderstand. For such adversaries, Tor is good enough for what it does, but not sufficient. You probably want something like TAILS as part of a whole package of serious real-world OpSec.
> It also works mostly fine against national and ISP firewalls that are intended to censor citizens and lead people away from places which the state has declared unsuited for its population.
Can't most countries just block all Tor traffic? Russia does this as far as I know. If you're the kind of state that would have a national firewall, why would you let your citizens use Tor at all?
Sort of. There are transports that make Tor traffic look identical to generic HTTPS traffic etc. So you can filter based on endpoints, but that's hard to do for unlisted bridges and the like. In terms of exits, most countries prefer not to block them.
It seems that a lot of such blocking is done with a lower kind of effort by those who are tasked to implement it. An example is the UK porn and piracy filters, but also a bunch of east state countries with the "whoops, you entered a bad place" firewalls.
I would speculate that the purpose of those is not to be perfect blocks but rather methods to mold and redirect citizens towards what the state wants.
I think it remains the best in class for private browsing. They have to make difficult trade-offs that achieve acceptable levels of performance while not leaking metadata like a sieve. They do also have a good track record of handling security vulnerabilities.
For the average user, the greatest threat is actually everything outside the Tor browser. For example, downloading certain files using Tor, then opening it in another application that leaks your address to other parties (e.g. certain video players). The chance of this happening might be a lot higher on a Windows system. Another big mistake is funneling unsanitized traffic through a Tor SOCKS proxy, because many applications leak their addresses.
It's also worth mentioning that Tor still allows plain HTTP between the exit node and the destination website, so an ordinary user may not realize that they might be sending plaintext data.
For people who may be targeted by governments, those scenarios are vastly more complicated and depend on how much of a prize you are. Tor's strength lies in numbers and in the uncooperative nature of relations between certain countries. There will certainly be more traffic-analysis-based attacks.
There are some ways to mitigate some of the threats that you mention. Using Qubes or Whonix could prevent network access to other programs. The unencrypted requests can be blocked by turning on the EASE option in the HTTPS-Everywhere preferences. Tor doesn't have any way to protect against global adversaries performing timing analysis or attacks though.
It is, though. Add HTTPS Everywhere to the toolbar using Customize, and you will get the option to enable "Encrypt All Sites Eligible". Working as of Tor Browser 10.0 (ESR 78.3).
Version: 2020.8.13
Rulesets version for EFF (Full): 2020.9.14
Rulesets version for SecureDropTorOnion: 2020.7.30
It depends on how you use Tor. For browsing you will essentially remain anonymous forever unless you do something that can connect you between sessions, like logging into some user account. This excludes side-channel attacks and an adversary which controls a large number of nodes, or is able to listen to a lot of the global network traffic.
It's different for people who operate hidden services. They are always online, and it is easy to tie one session to another, because the session will always be tied to the service they are running. This means that over time, you will be able to identify the service even with control over a small subset of services. You can read more about the different ways this can be done here: https://www.hackerfactor.com/blog/index.php?/archives/896-To...
A huge caveat regarding the comment that said general browsing is ok:
Browsing with JavaScript disabled (not just for some sites via the use of NoScript, etc.) is considered generally safe if browsing hidden services (ignoring traffic correlation attacks, an adversary knocking nodes offline to increase the chances that your Tor circuit will use a guard and a relay node that they own, and other tricks).
Browsing the clear web, however, is a rather different matter. Because exit nodes are a mixture of honeypots, servers run by kind-hearted volunteers, servers run by three-letter agencies and corporately sponsored servers, "exit traffic" to the web should be considered at a 'roll the dice' level of probability.
Consider the example of person XYZ who is under an active investigation, or where there is a need for parallel construction. At (timestamp), person XYZ activated a new Tor connection. This sort of info can be gotten from logs obtained from either your ISP or from any data centre or any point in the connection that exited your building and connected to the guard node. Ok, so what, right? Agreed. However, when correlated with person XYZ also logging in to (or Googling 'bad stuff keyword', visiting a site while using a DNS server that logs queries, logging in to social media, sending an email, connecting to IRC, etc., etc.) at (timestamp), then the 'so what' rapidly risks becoming rather more than a face-palm level of problem.
Let's take a look at a real-life example of someone who emailed a fake bomb threat to a US university: https://nakedsecurity.sophos.com/2013/12/20/use-of-tor-point... Spoiler alert: the fact that it made the news sort of tells you already that it didn't end well for him.
Bear in mind that as soon as you turn off JavaScript, you begin to stand out from the crowd (the Tor FAQ has a whole section on browser fingerprinting).
It seems to me that most de-anonymizing attacks used human operating errors, physical attacks like snatching a laptop with an open Tor browser window from a user, or side-channel attacks based on malware like FinFisher.
Running it from Tails seems pretty secure...but, in the end, who does that consistently?
Also, it just doesn't seem very likely that the US DoD would fund a network which defeats their own surveillance efforts.
Being "anonymous" online is more a question of being anonymous from whose perspective. Fooling a sysadmin is easy. Fooling an ISP is hard. Fooling an NSA contractor is probably near impossible. I think you can achieve reasonable plausible deniability with enough inconvenience, though. Get rid of your smartphone, compartmentalize your activity, never enable JS, use public Wi-Fi, spoof your MAC, make a tinfoil hat, etc.