[giga_chad]

TOR has been an invaluable tool for me for its ability to circumvent state censorship in an undetectable way.

At some point in my career I was involved in some journalistic reporting in Saudi Arabia; had I used a regular VPN, it could have been easily detected, and in best case defeated, worst case put me in serious legal trouble, which in Saudi Arabia can easily end in corporal punishment and/or death. TOR allowed me to circumvent all that and keep reporting on government official and police force corruption in a safe way, in a country that frankly could use a lot more of this type of journalism.

Thank you, TOR project!

[wolverine876]

I don't know the parent or their situation, but if you need similar security I would be very cautious about taking the parent literally. Sorry if I sound like a jerk; it sounds like the parent has taken great risks for the public good, but I don't want people to be hurt:

I'm almost certain that Tor use is easily detected; that is what I've always (100%) read from security experts and it makes sense to me: Traffic patterns, packet fingerprints (encryption implementations, size, etc.), and of course all the traffic is going to and from a Tor node, a list of which is available to every Tor user.

The attacker may not be able to read the contents or metadata, but they will know you are using Tor. Tor users are a very small population; it's a red flag.

The same is true for websites, etc. that you visit: They can easily see that your traffic is coming from a Tor exit node. Also, exit nodes are of course as vulnerable to attack as any other server, and they provide access to the ip addresses you connect with and, when https isn't used or properly implemented, to the contents of the communication.

Tor is not a panacea. Also, don't conflate Tor with Tor Browser, which I've read is possibly the worst security choice among browsers - a huge target without the resources to secure itself.

[walrus01]

The parent poster who thinks they're saved from Saudi arabian domestic intelligence agencies by using tor is probably overly confident about how much tor is doing for them. The saudis absolutely have lots of money to pay for good quality DPI boxes from China. Using tor by itself stands out.

Since it doesn't look like saudi arabia is blocking traffic to/from major cloud hosting providers (obviously, they'd break most of the internet), this person could simply run a remote desktop session as something like VNC-over-https-by-TLS1.3 (apache guacamole or similar, lots of things).

Or use any of a number of US-based companies that will sell you a cloud-hosted remote desktop system you can use via an HTML5 client inside chrome, firefox, edge or safari, again, over TLS1.3

If the saudis are breaking TLS1.3 in an up to date browser in a client workstation that doesn't have some kind of APT/rootkit on it (also a high risk), we have other problems.

And then keep the saudi workstation as basically a thin client only.

It would look indistinguishable from any ordinary company persistent TLS session used between a workstation PC and some business application hosted in the "cloud".

All of the above doesn't help much if subject to rubber hose cryptanalysis.

[heavyset_go]

> If the saudis are breaking TLS1.3 in an up to date browser in a client workstation that doesn't have some kind of APT/rootkit on it (also a high risk), we have other problems.

They wouldn't need to break TLS 1.3 if they have access to root certificates, they could use them to perform MitM attacks.

[Ginden]

> They wouldn't need to break TLS 1.3 if they have access to root certificates, they could use them to perform MitM attacks.

It's trivially easy and almost undetectable for any nation-state to perform targeted MitM against HTTPS. It wouldn't be legally possible in most of jurisdictions, but Saudi Arabia isn't exactly "rule of law" country.

Uzbekistan tried, because they wanted zero-risk mass surveillance.

[walrus01]

For a while Uzbekistan was trying to get retail computer stores to install a root CA on all computers sold, for convenient mitm purposes.

[heavyset_go]

I wouldn't be surprised if the Saudis have access to the root signing certificates themselves. They wouldn't have to put new certificates in computers' trust stores, as computers would ship from manufacturers already trusting certificates that were signed with those root signing certificates.

[throwaway243]

Aren't obfs4 Tor bridges undetectable as of now?

[schoen]

As marshray said below, Tor doesn't generally try to hide the fact that you're using Tor, only what you're doing with it. This is complicated by the very active research on obfuscating methods for accessing Tor, but those methods are mostly trying to prevent automated large-scale detection in real time, in order to evade blocking by national firewalls. They aren't necessarily trying to prevent more manual or after-the-fact forensics that might confirm that a particular person was using Tor.

To be clear, the threat models of the obfuscating transports can vary, so what I've described is just a trend in emphasis, not necessarily a suggestion that nobody ever cares about obfuscation-in-retrospect. But the history of that work is around censorship circumvention, which is often a slightly different goal (with slightly different priorities) than confidentiality.

For example, I've heard people who work on obfuscation talk about how it would be good if something required an expensive calculation in order to distinguish from other traffic types. They care about this because a national firewall may not have sufficient capacity to do this in real time.

Depending a lot on your threat model, Tor might still be a benefit even if people do know you are using it, supposing that they don't know for what.

[chii]

> people do know you are using it, supposing that they don't know for what.

And then they can use the rubber hose method to find out. Knowing that you have traffic you want to hide is almost as good as knowing the traffic

[schoen]

That depends hugely on the environment and context. This is clearly true in some settings and clearly untrue in others.

[pfundstein]

I'm not sure if you're aware but Tor has a specific mode for OP's situation, where it disguises traffic by using standard TLS on standard ports which looks no different to any other HTTPS traffic for example, among other things.

[marshray]

> which looks no different to any other HTTPS traffic

Last I heard Tor split all data up into 512 byte chunks. So the statistical distribution of packet sizes could still give you away.

In general, Tor does not hide the fact that you are using Tor.

[Gigachad]

I think the end solution is not to have TOR replicate normal randomish usage, but to have normal usage from everything go through a tor like process so that everyone looks the same.

[dotancohen]

That would require active participation of major entities who distribute HTTP clients, such as Mozilla, Apple, or the Chromium team. I cannot imagine them participating.

[wolverine876]

What mode is that?

Also, the traffic still goes to a Tor node.

Finally, the Tor Project works very hard, but they are outgunned. Security is significantly a matter of resources. Tor's small team has a hard time competing with well-funded state security actors (who can also buy exploits).

[ivann]

Obfsproxy.

You can also use bridges, which are unlisted Tor nodes.

https://support.torproject.org/censorship/censorship-7/

[smoldesu]

FWIW, Tor is maintained by the US Navy as a means of secure communication. If it's outgunned, it becomes a national security risk.

[schoen]

I think this is an exaggeration. The Tor technology was originally invented by researchers with the U.S. Naval Research Laboratory, who suggested that the system might be useful to Navy personnel among others. While Paul Syverson, one of those researchers, has remained involved with Tor since inventing it, no one from the Navy has ever publicly stated how or to what extent Tor is used by the military operationally.

Military researchers invent a lot of cool stuff, much of which theoretically could be useful to the military in some way, but you shouldn't take the military research pedigree as proof that something is necessarily useful for a particular application or threat model today, any more than being invented by people from a famous university means that a technology is good or is the best choice for some application.

A better case for the kind of considerations you mention might be found in infosec guidance that government agencies offer to other government agencies and contractors. For example, NSA has recommended that government agencies use AES to protect sensitive data, which doesn't mean that they think it's perfect (or would necessarily tell us if they knew of problems with it), but presumably puts some kind of cap on how bad it can be. I'm not aware of any government infosec authority that has publicly recommended that people inside the government use Tor.

[toomanybeersies]

The US Navy uses SIPRNet [1] for secure communication.

[1] https://en.wikipedia.org/wiki/SIPRNet

[schoen]

Very different concept from Tor -- this is about passing sensitive information between dedicated government facilities, not about hiding some of the details of your activity on the public Internet.

The argument for Tor's benefit for military personnel (which may or may not have panned out in practice) was all about protecting some of their activity on networks controlled or at least monitored by their adversaries. That's almost the opposite of SIPRNet.

[jchw]

Tor on it’s own is definitely not a panacea. However, interested parties should look into Qubes OS. If detection is a huge concern, there is always the potential you could bridge your sensitive traffic in a less obvious manner. I believe you can configure this with a Qubes Whonix setup by selecting the “Tor is dangerous or censored in my area” option. It’s pretty powerful. I haven’t personally tried this as I don’t actually use Qubes except to play around with its neat VM setup.

[herbst]

FYI in ops security model they likely used bridges, which are not on a public list as the other nodes.

That said, I am no specialist however, I am pretty sure pattern matching does not really work reliably.

The most common attack to de-anonymize tor users in the recent years is getting control of their server and than match incoming traffic with outgoing traffic from their country and basically catch them logged in. However as you can tell this needs international cooperation and a bit of work.

[pfundstein]

Tor has long been billed as a tool for journalists to fly under the radar and avoid persecution, but it's great to hear these case studies from the horse's mouth. Thanks to you and other journalists who risk life and limb to report on and within these abusive regimes.

[kingcharles]

Is a VPN illegal in Saudi Arabia? My girlfriend is Qatari and everyone there uses VPNs to access Pornhub etc. She says that while the state censors the Internet it does not criminalize the use of VPNs. It's a confusing issue.

(I also undertstand that even if something isn't technically illegal it can bring the heat of LEOs upon you)

[shp0ngle]

Tor is much more easily detected than VPN.

Or. Well. It is same easily detected, but you can reasonably say you have VPN "just to watch US netflix" or something like that.

You cannot say that about Tor.

[bouncycastle]

How is that possible? The fact that you are using Tor is detectable by ISPs just like it is detectable that you are using VPNs. Also, it's sometimes possible to de-anonymize your Tor traffic, and state-level actors would be capable to do so if they wanted.

https://www.thesecmaster.com/4-types-of-attacks-on-the-tor-n...

[cosentiyes]

TOR bridges aren't publicly listed and support various obfuscation methods: https://tb-manual.torproject.org/bridges/

[bouncycastle]

Look at the language of that page. All the statements are without certainty, eg it's not "an adversary cannot identify them" but "an adversary cannot identify them easily."

[cosentiyes]

Yes, the tor project is very transparent that anonymity is not guaranteed. Bridges and obfuscation tools are simply one possible answer to the "how is [connecting to tor without ISP detection] possible?" question.

The linked article tries to imply that Ross Ulbricht's arrest was somehow the result of deanonymized tor traffic, but in reality many (most?) large DNM [1,2] and malware/hacking arrests seem to be the result of poor opsec [3].

[1] https://www.ivpn.net/privacy-guides/online-privacy-through-o...

[2] https://en.wikipedia.org/wiki/AlphaBay#Seizure_and_shutdown

[3] https://krebsonsecurity.com/category/breadcrumbs/

[bouncycastle]

Obfuscation is a cat-and-mouse game and with enough resources, it's always possible to detect. While Tor is OK for privacy from your ISP or the big-tech firms, certainly not for what the OP described. I think recommending Tor as the definite solution for these types of people is irresponsible.

[bawolff]

If you ever see security software that promises absolutes, you should view it like an investment opportunity that allegedly only goes up and can't possibly go down (i.e. you're about to lose all your money)

[IceWreck]

I think its the opposite. Regular VPN protocols, if obfuscated properly can blend in with https traffic.

Tor is almost always detectable. You can see someone is using Tor, but not what theyre doing with it.

[pphysch]

> At some point in my career I was involved in some journalistic reporting in Saudi Arabia

Was it a career in the IC?

[ssalka]

Thank you for your efforts, giga_chad