- cross-posted to:
- cybersecurity
What are you going to use instead?
Tor is the best tool, you just need to know how to use it.
The TOR network itself is safe - at least assuming the TLAs don’t control at least half of the nodes, which is far from impossible. But let’s assume…
The weak point comes from the browser: that’s how the fuzz deanonymizes users. The only safe browser to use on TOR is the TOR browser, and that’s the problem: it disables so many unsafe functionalities that it’s essentially unusable on a lot of websites. So people use regular browsers over TOR, the browser leaks identifying data and that’s how they get caught.
My understanding is that Tor Browser works fine, there’s just some dumb website owners that block Tor traffic by IP address.
Do you think it’s better to use a VPN if you aren’t using TOR Browser?
All VPNs do is change who has your browsing data: your ISP or the VPN operator. You may or may not trust either of them not to keep records, in either case you have no way of verifying this.
ISPs definitely keep records. At least some VPNs claim that they don’t, and that their networks are set up in such a way that they can’t. Some organizations claim to validate the claims of the VPNs, but it’s unclear if they’re trustworthy.
So your choice is to use something that definitely keeps logs, or to use a company that at least says that they don’t/can’t.
The VPN company themselves may not keep logs. However, there might be a little black box somewhere in the data center…
Yes, and there’s also the fact that some VPNs such as Mullvad let you be anonymous so even if Mullvad were keeping logs, if you pay privately they have no way of knowing whose logs they are (unless the content itself of your internet history reveals your identity). Meanwhile your ISP definitely knows who you are, and absolutely will collaborate with the police if asked to.
I mean, you could set up your own VPN on a VPS and ensure it doesn’t keep logs. You could also get a VPS in a different legal jurisdiction from where you’re at.
If I understand correctly, stream isolation will route different connections through different circuits. If you’re doing two different things of a sensitive nature, open different browsers and applications, use random user-induced delays in your actions/responses and PGP-encrypt everything. And listen to what the TOR project says about the mitigations. I have some reading to do myself, I guess.
PGP? That’s for email and isn’t great
Whonix docs are very good to learn about this stuff.
Heh, Whonix docs for privacy have become the Arch Wiki for Linux.
This attack has been known for years now. And Tor is simply not able to defend against it without a complete redesign.
The potential for timing attacks has been known since the beginning of Tor. In other words, more than a decade. But that doesn’t mean you can’t defend against it. One way to defend against it is by having more nodes. Another way is to write clients that take into account the potential for timing attacks. Both of these were specifically mentioned in the article.
Based on what was in the article and what’s in the history books, I’m not sure how to interpret your comment in a constructive way. Is there anything more specific you meant, that isn’t contradicted by what’s in the article?
Yes, sorry, I worded it incorrectly. You can try to make it harder, but timing attacks are still possible.
Nope, just a summary that this is just old news. There is nothing new in the article.
Redesign being I2P
I2P has issues that can more easily lead to deanonymization attacks. It says so in the FAQ.
Nope, I2P is still vulnerable to timing attacks. https://en.m.wikipedia.org/wiki/Garlic_routing
You linked an article that doesn’t say anything to back up your claim. Why do you say I2P is vulnerable to timing attacks?
Garlic routing[1] is a variant of onion routing that encrypts multiple messages together to make it more difficult[2] for attackers to perform traffic analysis and to increase the speed of data transfer.[3]
First sentence. Check the linked article as the source.
Ok, technically still vulnerable in the sense that if you transfer a huge file in excess of other parts of the bundle, it might be identifiable by a bad actor, but that’s really misleading, since I2P has a lot of built-in logic that makes that scenario pretty unlikely.
Not only huge files. At the end of the article the author goes on about changing the load or manipulating the timing of the traffic.
For both, you need to be part of the network and (to some degree) the traffic you want to trace needs to go through a node you are controlling, if I understand it correctly. With increasing size it becomes more difficult.
I would also like to see proof for your claim.
Garlic routing[1] is a variant of onion routing that encrypts multiple messages together to make it more difficult[2] for attackers to perform traffic analysis and to increase the speed of data transfer.[3]
First sentence. Check the linked article as the source.
What else are you going to use?
I wish more people would try out I2P as a result. AFAIK, garlic routing makes this kind of attack impossible.
We use it, but it doesn’t have the same protections or reliability as Tor.
I’ve tried to use it, but have not managed to get it to work. Which is a bummer.
I should probably try again now that I have a new computer. My old computer was so old that a lot of stuff wasn’t working correctly.
Remember that you need to let the server run for a bit, so it can establish the routes.
I have a service constantly running on my server. When I want to browse, I tunnel the ports to my laptop.
Insane 2lown Posse?
AFAIK it only makes it harder, not impossible.
At least they can’t utilize the applied tactic to host their own node.