by fractalcat 4004 days ago
I didn't realize this was ever in question - of course you can't trust Tor exit nodes not to snoop on your traffic. You can't trust your ISP or friendly local intelligence agency not to snoop on your traffic either; this is why end-to-end authentication and encryption is a useful thing. (Not meant as a criticism of Chloe's research, it's certainly valuable data).

Sometimes I wish there was a very basic how-it-works presentation (maybe a kickstarter?) of the internet.

The less magical the internet seems, the easier it'll be for the public to get behind issues of internet security and privacy at the policy level.

Exactly, I'd actually argue that Tor exit nodes are, on average, more likely to be untrustworthy than a standard ISP connection, as the incentives are there for people to run them to capture exactly the kind of traffic people want to remain secret, and Tor exit node + root CA certificate is a great model for government-level attackers to hoover up data which is likely to be sensitive.

To analyze if ISPs are more likely to be malicious than Tor exit nodes, you need to list all the number of attacks and determine which is more likely.

An ISP employee knows who either side of a connection is and can pick and choose targets in a very selective way. As gatekeepers they can also be influenced by outsiders to target specific users and attack them. They are however likely to get caught if they do noticeable attacks, and they risk their job if it's unsanctioned and risk the company's reputation if it is sanctioned.

A Tor operator cannot see who is doing the connection, but they are slightly less likely to get caught if they do try to attack users. They are also only going to lose the node's IP address reputation if they are caught attacking users.

Third are the backbone networks, which unlike the ISP level have great incentives for government-level attackers to collect whole nations'/continents' amounts of data. The risk that they are found out is almost zero, and if they are they can still deny it.

All in all, I would summarize in such a way that ISPs have the greater risk of active attacks by both criminal actors and government-level actors, backbone networks for passive attacks by government-level actors, and Tor nodes for passive attacks by criminal actors. In order to protect against all three you've got to use end-to-end encryption as the primary security technique, and adding Tor then helps against metadata attacks.

Heck, my cellular provider was tracking the HTTP connections of their customers by default to sell profiles to marketing companies. (You could opt out, but I believe the fine print was something along the lines of 'we won't sell your information anymore but we will still collect it for later'). Other Internet providers have offered a cheaper plan to opt in to traffic snooping for marketing profile building/selling. Tor exit nodes and my residential ISPs are on a similar level of distrust for me.

I've since started using 'whole premises VPN' (all traffic is routed through an encrypted tunnel to a VPS) - I have more confidence in my VPS provider than I do in my residential ISPs. At least the VPS company probably won't use my connection data for marketing profiles.

Yes, this seems to be a case of users not understanding how Tor works and malicious exit node owners taking advantage.

Indeed. But this also is a problem with how Tor is being advertised, and presented in the media, imho.

A false sense of security is worse than no security at all.

To be fair, at least the Tor Project itself makes a rather serious effort to be upfront with its own limitations, etc.

For example, when you use the (recommended) Tor Browser Bundle, the start page contains a window containing the following heads-up:

"Tor is NOT all you need to browse anonymously! You may need to change some of your browsing habits to ensure your identity stays safe."

As well as a link to https://www.torproject.org/download/download.html.en#warning.

That same warning is also present on the main download page: https://www.torproject.org/download/download-easy.html.en

Tor also has extensive documentation about the threat model they protect against, and the limitations of that model.

If there were one thing I could change about security discussions, it's that you can't talk about security in the abstract -- only security relative to some threat or foe.

I think a lot of the conversation would change if we could get people to start talking about security that way.