• Eggyhead@kbin.social
    link
    fedilink
    arrow-up
    59
    ·
    edit-2
    1 year ago

    It’s really worth reading the article.

    Tor can be used for any internet browsing you usually do. The key difference with Tor is that the network hides your IP address and other system information for full anonymity.

    The company behind a VPN can still access your information, sell it or pass it along to law enforcement. With Tor, there’s no link between you and your traffic, according to Jed Crandall, an associate professor at Arizona State University.

    I don’t know if it’s even possible, but it would be cool if I could use the fediverse over TOR just for the sake of supporting TOR. Not sure if there would have to be specific .onion instances, if normal instances could just be mirrored with a .onion address, or if a .onion instance would even be able to federated in the first place. I just don’t know how it works.

    Other use cases may include keeping the identities of sensitive populations like undocumented immigrants anonymous, trying to unionize a workplace without the company shutting it down, victims of domestic violence looking for resources without their abuser finding out or, as Crandall said, wanting to make embarrassing Google searches without related targeted ads following you around forever.

    I’m certain an all-out legislative war would be waged against TOR if it were to become popularized for most of those reasons, under the more convenient guise of “criminals and children!”

    • davehtaylor@beehaw.org
      link
      fedilink
      arrow-up
      44
      ·
      1 year ago

      Tor can be used for any internet browsing you usually do. The key difference with Tor is that the network hides your IP address and other system information for full anonymity

      Also, this isn’t true. MANY sites and services block access from Tor, including major ones that people use everyday.

      • Freeman@lemmy.pub
        link
        fedilink
        arrow-up
        16
        ·
        1 year ago

        Also. Those running an exit node can and do sniff traffic.

        It’s bad practice to login to stuff that’s important (like banking) over tor. Or login to anything over for you have logged into over the clear.

        Also, nation states can track you using a variety of techniques from fingerprinting to straight up working together to associate connection streams. A large number of tor nodes are run by alphabet agencies. Hell the protocol was developed by the us navy.

        • diyrebel@lemmy.dbzer0.com
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          1 year ago

          Also. Those running an exit node can and do sniff traffic.

          Sure, but if you stop there with that statement you’re just FUD-scaring people from using the service that does more for their privacy than conventional direct clearnet usage. Every connection that matters uses TLS so the exit node honeypot only sees where the traffic is going, not what’s in the traffic and not where it comes from. IOW, the exit node knows much less than your ISP.

          It’s bad practice to login to stuff that’s important (like banking) over tor.

          It’s the other way around. You should insist on using Tor for banking. It’s a bad practice to let your ISP track where you do all your banking.

          Also, nation states can track you using a variety of techniques from fingerprinting to straight up working together to associate connection streams.

          And your thesis is what, that we should make snooping easier for them by not practicing sensible self-defense?

          A large number of tor nodes are run by alphabet agencies.

          Let them work for it - and let them give the Tor network more bandwidth in the process.

          • Freeman@lemmy.pub
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            1 year ago

            Every connection that matters uses TLS so the exit node honeypot only sees where the traffic is going, not what’s in the traffic and not where it comes from. IOW, the exit node knows much less than your ISP.

            That’s not a magic bullet for secuirty. There are so many ways to exploit connections. Look at what happened here on lemmy with vulns leading to takeovers of instances with xss of session cookies . Or what happened to Linus Sebastian and his YouTube channel, which has one of the largest, most security conscious companies backing it.

            The primary difference is your ISP is not generally actively hostile. They may want to sell metadata but they aren’t actively trying to exploit you. And all it takes is a bad auto fill page, or even a fake/spoofed one on an account without mfa or a service with xss vulns etc.

            And your thesis is what, that we should make snooping easier for them by not practicing sensible self-defense?

            To your own point. Everything is TLS now right? That argument swings both ways. If your ISP (or in some cases a nation state is your isp) is actively tracking you, then there are other alternatives that may be better. Mullvad would sooner be used for banking than tor. Tor is also not all that often used en masse. If my township only has a single tor user (me) that makes me less private. An ISP can easily see who is enterting tor unless you are using more obfuscation like bridges and obfsproxy. It’s the same reason why checking the do not track box in your browser is less privacy oriented. It adds entropy to your fingerprint there.

            But to answer my your question my thesis is tor is not necessarily a privacy panacea. The threat model an American or European has is much different than someone from Vietnam or turkey or China, which is also much different than someone from the Nordic countries.

            • diyrebel@lemmy.dbzer0.com
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              That’s not a magic bullet for secuirty.

              It wasn’t presented as such. Good security comes in layers (“security in depth”). TLS serves users well but it’s not the only tool in the box.

              There are so many ways to exploit connections. Look at what happened here on lemmy with vulns leading to takeovers of instances with xss of session cookies.

              Tor Browser includes noscript which blocks XSS.

              The primary difference is your ISP is not generally actively hostile. They may want to sell metadata but they aren’t actively trying to exploit you.

              Selling your metadata is exploiting you. And this exploit happens lawfully under a still-existing Trump policy, so you have zero legal protections. Contrast that with crooks stealing money from your bank account, where, if it’s a US account, you have regulation E legal protections.

              If your ISP (or in some cases a nation state is your isp) is actively tracking you, then there are other alternatives that may be better.

              Different tools for different threat models. If you are actually targeted by a nation state, Tor alone is insufficient but it’s still in play in conjunction with other tech. But from context, you were giving general advice to the general public telling them not to use Tor for banking, thus targeting is not in the threat model. But mass surveillance IS (i.e. that of your ISP).

              But to answer my your question my thesis is tor is not necessarily a privacy panacea.

              Tor is an indispensable tool to streetwise users. Of course it is a tool among other tools & techniques.

              The threat model an American or European has is much different than someone from Vietnam or turkey or China, which is also much different than someone from the Nordic countries.

              Those threat models all have a common denominator: mass surveillance. It is safe to assume mass surveillance is in everyone’s threat model as a baseline. Of course there are a variety of other threats in each individual threat model for which you couldn’t necessarily anticipate.

              • Freeman@lemmy.pub
                link
                fedilink
                arrow-up
                1
                ·
                1 year ago

                Good security comes in layers (“security in depth”). TLS serves users well but it’s not the only tool in the box.

                Im glad we agree. Because its the entire point. You are nitpicking where it suits you and thats not really honest conversation. Tor browser isnt the only way to access tor and if you are talking about making tor more accessible using things like phones is going to be needed. There are entire swaths of the world, billions of people, where phones are basically the only gateways to the inter.

                And on a device with something like CalyxOS (or built with the app structure like calyxOS android based apps) that opens up a LOT more applications to using tor, some of which arent going to be locked down or configured appropriately. Its riskier. You seem to implicitly agree as you only pointed to a single example of XSS and just ignored other examples I provided…Surely we dont need to iterate through every attack vector out there? Because the point isnt those minutia there.

                The point is, again, that Tor and specifically exit nodes are more hostile than normal ISP relays. They are actively malicious and often looking to exploit anything they can. Saying selling metatdata that is unencrypted is the same level of malicious as a nation state going after you (life and death) or having your identity or bank account stolen is clearly pretty naive. Even having your banking comprimised is a giant show stopper and theres no “well i have protections” flag to waive. You still have to deal with getting your funds back and paying for stuff to live in the interim. Its a very invasive process. Comparing that to an ISP selling your DNS queries (which im not even sure happens) is literally apples and orances

                Those threat models all have a common denominator: mass surveillance. It is safe to assume mass surveillance is in everyone’s threat model as a baseline.

                Thats a bad assumption. MOST people arent really concerned with it in the western world. Its why the apparatus exists. And thats not a Trump thing. its existed WAY before trump. Snowden showed that and it was Obama, not trump, that went after whistleblowers harder than any predecessor before them. Its why Snowden is still in exile to this day. Further trying to make this about “party” sides is a bad idea. Its something all parties, including most countries are not only a party to, but actively collaborating against. And there are some areas where straight access TOR is illegal and can get you in trouble. ANd the mass surveillance one country does (ie: US) is much different than another (ie China) so again its not just a giant brush to paint with there. Piping all data through Tor would make you look more suspicious in some of those latter countries and could increase your risk to fingerprinting or tracking, rather than selectively using it where and only when needed.

                • diyrebel@lemmy.dbzer0.com
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  edit-2
                  1 year ago

                  Im glad we agree. Because its the entire point. You are nitpicking where it suits you and thats not really honest conversation.Tor browser isnt the only way to access tor

                  TLS is useful very specifically in the case of banking via Tor Browser, which is the most likely configuration the normal general public would use given the advice to access their bank over Tor.

                  There are entire swaths of the world, billions of people, where phones are basically the only gateways to the inter.

                  I do not recommend using a smartphone for banking. You’re asking for a huge attack surface & it’s reckless. People will do it anyway but to suggest that people should avoid Tor for banking on the basis that you’re assuming they are using a phone is terrible advice based on a poor assumption. Use Tor Browser from a PC for banking. That is the best advice for normies.

                  The point is, again, that Tor and specifically exit nodes are more hostile than normal ISP relays.

                  And again, those hostile nodes get less info than ISPs. They have to work harder to reach the level of exposure that your ISP has both technical and legal privilege to exploit.

                  Saying selling metatdata that is unencrypted is the same level of malicious as a nation state going after you (life and death) or having your identity or bank account stolen is clearly pretty naive.

                  Wow did you ever get twisted. You forgot that I excluded targeting by nation states from the threat model as you should. If someone has that in their threat model, they will know some guy in a forum saying “don’t use Tor for banking” is not on the same page, not aligned with their scenario, and not advising them. You don’t have to worry about Snowden blindly taking advice from you.

                  It’s naive to assume your ISP is not collecting data on you and using it against you. It’s sensible to realize the risk of a honeypot tapping your bank account and getting away with it and regulation E protections failing is unlikely enough to be negligible.

                  You still have to deal with getting your funds back and paying for stuff to live in the interim.

                  If you’re in the US, you have ~2-3 bank accounts on avg, and 20 credit cards (US averages). Not to mention the unlikeliness of an account getting MitM compromised despite TLS in the 1st place. Cyber criminals choose the easier paths, just as 3 letter agencies do: they compromise the endpoint. Attacking the middle of a tunnel is very high effort & when it’s achieved they aren’t going to waste it on some avg joe’s small-time bank acct. At best you might have some low-tech attempts that result in no padlock on the user side. But I’ve never seen that in all my years of exclusively banking over Tor.

                  Thats a bad assumption.

                  Not in the slightest. Everyone is subject to mass surveillance & surveillance capitalism.

                  MOST people arent really concerned with it in the western world.

                  Most people don’t even have a threat model, or know what it is. But if you ask them how they would like it if their ISP told their debt collector where they bank so the debt collector can go do an unannounced legal money grab, you’ll quickly realize what would be in their threat model if they knew to build one. A lot of Corona Virus economic stimulus checks were grabbed faster than debtors even noticed the money arriving on their account.

                  And thats not a Trump thing. its existed WAY before trump. Snowden showed that and it was Obama, not trump, that went after whistleblowers harder than any predecessor before them.

                  You missed the source I gave. Obama banned the practice of ISPs selling customer data without their consent. Trump reversed that. That is wholly 100% on Trump. Biden did not overturn Trump, so if you want, you can put some of the fault on Biden.

                  W.r.t history, echelon predates Snowden’s revelations and it was exposed to many by Nicky Hagar in the 80s or 90s. But this all a red herring because in the case at hand (banking customers accessing their acct), it’s the particular ISP role of mass surveillance that’s relevant, which Trump enabled. Or course there is plenty of other mass surveillance going on with banking, but all that is orthogonal to whether they use Tor or not. The role of Tor merely mitigates the ISP from tracking where they bank, and prevents banks from tracking where you physically are, both of which are useful protections.

                  Further trying to make this about “party” sides is a bad idea. Its something all parties

                  You can’t “both sides” this when it’s verifiable that Obama banned the practice and Trump overturned it. While Obama’s hands are dirty on a lot of things (e.g. Patriot Act continuity), it’s specifically Trump who flipped the switch to ISP overcollection. Citation needed if you don’t accept this.

                  And there are some areas where straight access TOR is illegal and can get you in trouble.

                  The general public knows your general advice to use/not use Tor is technical advice not legal advice, and also not specific to their particular jurisdiction.

      • Devi@beehaw.org
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        Which ones? I use it quite a lot and never found a site that has blocked me.

        • davehtaylor@beehaw.org
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          Last I tried you couldn’t access social media, Google constantly forces you through captchas because it thinks you’re a bot, and anything on a CDN will either constantly force captchas or just doesn’t work. Financial institutions absolutely are all inaccessible.

          • First Majestic Comet@lemmy.blahaj.zone
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            I’ve also found that many ones that are blocked aren’t completely blocked, I can access them by using a new circuit (lots of these sites seem to really hate European Exit nodes but anything else has typically worked).

            • CanadaPlus@lemmy.sdf.org
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              Is that what it is? Every once in a while I have to Ctrl+Shift+L it to get into something, but I’ve never watched that closely. What did Europe do to these guys?

              • First Majestic Comet@lemmy.blahaj.zone
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                I think it might have something to do with the fact that much of Europe has privacy laws that protect their citizens and also makes it so people running nodes there don’t have to kiss up to US companies. Hence why they block those nodes or just give them a huge amount of challenges to solve in hopes to frustrate them. Same with how they put annoying privacy pop-ups on the website in European locations which re-appear every time you login or visit the site.

                • CanadaPlus@lemmy.sdf.org
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  ·
                  1 year ago

                  Same with how they put annoying privacy pop-ups on the website in European locations which re-appear every time you login or visit the site.

                  I mean, those are mandated, even if they’re implemented deliberately poorly.

        • TheOakTree@beehaw.org
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          I remember hearing that Yelp blocks Tor users, but I’m not sure if that is the case through proxies.

          Also iirc Cloudflare blocks all Tor exits.

          • abclop99@beehaw.org
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            I’ve used sites with cloudflare over Tor. They always seem to require pressing a check box, but usually work.

            • kath@kbin.social
              link
              fedilink
              arrow-up
              2
              ·
              1 year ago

              I’ve noticed that just as the most aggressive ad blocker blockers are news media websites, the most aggressive tor-exit-node blockers are retail sites such as lowes.com. My working hypothesis is that they view anonymous transactions (or perhaps even anonymous window shopping) as stealing. When it comes to actionable data for market research, data about actual finalized transactions where actual money changed hands is the holy grail. It’s the data that has skin in the game. As for window shopping online, you know the drill, you do that, you hear about it on Fecebook. Until recently I searched retail sites with the site: filter of a search engine (the one that works on Tor, of course), but until recently, most site searches were even more enshittified than most of the two search engines. Now search engines are out and Tor is out. Perhaps offline shopping is in. BTW, just for shits and giggles, try carrying a clipboard next time you visit a brick and mortar retail establishment and see what happens, or better yet, whip out your cell phone and start photographing not merchandise but shelf tags. Information is power, my friends.

              • shagie@programming.dev
                link
                fedilink
                arrow-up
                3
                ·
                1 year ago

                the most aggressive tor-exit-node blockers are retail sites such as lowes.com.

                Lowes doesn’t care about anonymous window shopping - they care about the transactions. Transactions coming from a tor exit node are more likely to be fraudulent than those from a regular shopper not trying to mask their origin.

                The cost of implementing a tor exit node blocker is much less than the costs associated with fraudulent orders (and the corresponding increase in chargebacks from those fraudulent orders and the impact that has on the usage fees from the credit card processing companies).

        • tnimkh@rammy.site
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          They’re right. I dont have specific examples but a lot of wikis and some general news sites blocked me when i used it.

          • Devi@beehaw.org
            link
            fedilink
            arrow-up
            4
            ·
            1 year ago

            I mean… I asked for examples and you gave ‘there are examples but I don’t know any’, which is not really supporting the point here.

    • z3bra@lemmy.sdf.org
      link
      fedilink
      arrow-up
      28
      ·
      1 year ago

      You don’t need to access a .onion instance to use Tor. You can simply perform your day-to-day web usage through Tor directly.

      On your phone, you can even use Tor natively with most of your apps.

    • CanadaPlus@lemmy.sdf.org
      link
      fedilink
      arrow-up
      10
      ·
      edit-2
      1 year ago

      I’ve literally always browsed Lemmy over Tor. I even made this account over it, which surprised me when it worked.

      • pemmykins@beehaw.org
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        How do the big CDNs handle Tor traffic? Do you find you get blocked, or is it just a matter of more captchas/challenges?

        • CanadaPlus@lemmy.sdf.org
          link
          fedilink
          arrow-up
          4
          ·
          edit-2
          1 year ago

          CloudFlare puts up a captcha occasionally, everything else just leaves me alone.

          At this point using someone else’s browser with no adblock feels more difficult to navigate.

    • cultsuperstar@lemmy.mlB
      link
      fedilink
      arrow-up
      5
      ·
      edit-2
      1 year ago

      I’m certain an all-out legislative war would be waged against TOR if it were to become popularized for most of those reasons, under the more convenient guise of “criminals and children!”

      I guess we’ll have to see what happens after that right wing Twitter account posted CSAM, Twitter suspended the account, then Elon said they removed the posts and reinstated the account 🤷🏽‍♂️

      • Eggyhead@kbin.social
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        What effect would using Tor browser to access a non onion site have over using a different, privacy-focused browser? Honest question. I assumed Tor browser was no different than other browsers in that aspect.

        • ctr1@fl0w.cc
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          1 year ago

          The difference is that your ISP doesn’t know where your packets are headed, and the destination doesn’t know where your packets came from. The ISP sees you connect to the entrance node and the destination sees you connect from the exit node, and it’s very difficult for anyone to trace the connection back to you (unless they own both the entrance and exit and use traffic coorelation or some other exploit/fingerprint). Regardless, both parties are generally able to tell that you are using TOR if they reference lists of known entrance/exit nodes. Also the anti-fingerprinting measures taken by TB are a bit more strict than other privacy-focused browsers

          • Eggyhead@kbin.social
            link
            fedilink
            arrow-up
            5
            ·
            1 year ago

            Thank you for the detailed answer. I’m surprised more people aren’t talking about using tor browser, considering how privacy-minded the community tends to be.

            • astral_avocado@programming.dev
              link
              fedilink
              arrow-up
              2
              ·
              edit-2
              1 year ago

              It is confusing, Tor is an excellent privacy tool if used properly (don’t log in to stuff), but I guess it’s still a technical hurdle to most. Probably also from a lack of marketing.

              I think in countries where the government is decidedly more authoritarian it’s more known. On my relay right now I see a ton of russian and a smaller amount of German connections.

            • ctr1@fl0w.cc
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              No problem! And yeah, it’s good to see people talking about it over here. I think it’s the best tool for online privacy OOTB (depending on your threat model), and it gets better the more people use it.

    • Mummelpuffin@beehaw.org
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      I mean, I’ve used it. It works. But I don’t get why you would bother most of the time. It’s slow as hell and while I’m generally fairly concerned about my privacy there is a point where I can’t be bothered.

    • r00ty@kbin.life
      link
      fedilink
      arrow-up
      5
      ·
      1 year ago

      Well any instance owner could also get an onion link and host the instance over tor.

      Of course the instance itself can’t really hide. Since it needs to federate with others that are not onions. But your accesses would all show as from localhost.

    • diyrebel@lemmy.dbzer0.com
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      1 year ago

      I don’t know if it’s even possible, but it would be cool if I could use the fediverse over TOR just for the sake of supporting TOR.

      Here are two #Mastodon onion nodes:

      • iejideks5zu2v3zuthaxu5zz6m5o2j7vmbd24wh6dnuiyl7c6rfkcryd.onion
      • 7jaxqg6lfcdtosooxhv5drpettiwnt6ytdywfgefppk2ol4dzlddblyd.onion
  • zephyrvs@lemmy.ml
    link
    fedilink
    arrow-up
    40
    ·
    1 year ago

    I always have Tor installed and I often use it instead of incognito browser sessions when researching stuff. It’s sometimes slow and Cloudflare made it a lot more annoying to use than ~5-10 years ago, but I’m glad it exists.

    I’m sure it’s still more useful to US interests though, or it wouldn’t be funded anymore.

    • kent_eh@lemmy.ca
      link
      fedilink
      English
      arrow-up
      13
      ·
      1 year ago

      Any time I’ve tried to use Tor in the past I gave up because it was frustratingly slow.

      • astral_avocado@programming.dev
        link
        fedilink
        arrow-up
        16
        ·
        1 year ago

        Those onion layers don’t add up to nothing… also I’ve heard it’s under constant attack. Plus not enough people running relays and exit nodes.

            • davehtaylor@beehaw.org
              link
              fedilink
              arrow-up
              4
              ·
              1 year ago

              And I absolutely believe it. If anyone can run an exit node, then there’s absolutely no way the NSA isn’t running one and sniffing all the traffic

              • ErgodicTangle@feddit.de
                link
                fedilink
                arrow-up
                2
                ·
                edit-2
                1 year ago

                If they don’t control most of the nodes in-between they can control all the exit nodes they want. If you connect though 3 Tor nodes, as soon as one of them is not controlled by them they likely can’t identify you.

                That’s not to say that they don’t control most of the nodes, and your traffic likely goes through NSA nodes exclusively

              • jarfil@beehaw.org
                link
                fedilink
                arrow-up
                1
                ·
                1 year ago

                The CIA, not the NSA. Tor is a great way for agents deployed abroad to phone home with plausible deniability: “I’m sorry Mr. Chinese Officer, I got homesick and really wanted to watch some BBW porn…”

      • ErgodicTangle@feddit.de
        link
        fedilink
        arrow-up
        29
        ·
        1 year ago

        I am not sure what he’s hinting at. Just using Tor doesn’t bear any legal risks. Hosting an exit node is different, as depending on the country you might get into serious trouble if certain traffic goes through it.

        • TWeaK@lemm.ee
          link
          fedilink
          English
          arrow-up
          11
          ·
          1 year ago

          Yes exactly, and I think there have been stories recently where the exit node host has been held liable for content that’s gone through it.Which is complete bullshit, but the unfortunate reality is that the legal system doesn’t need to understand technology to regulate it.

          • jarfil@beehaw.org
            link
            fedilink
            English
            arrow-up
            4
            ·
            edit-2
            1 year ago

            It’s not bullshit. If A has proof your system launched an attack, or sent CSAM, to another system, but your only defense is “I let anyone use my system in that way”, then at the very least you’re an accomplice.

            • TWeaK@lemm.ee
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              It is bullshit, because it puts the onus of policing everything on any service provider. If a TOR exit node provider is responsible for all traffic through their node, then an ISP is responsible for all traffic through them to their users - yet it is not reasonable for ISP’s to do this. Nor should it be acceptable by law and even less so if the purpose is for law enforcement to bypass the warrant system by having private parties do the investigation for them.

              • jarfil@beehaw.org
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                Well, the law enforcement ship has sailed a long time ago, it’s more of a flotilla by now. Data communication service providers (including ISPs) have some customer identification and data retention requirements in exchange for immunity from the data itself, but otherwise —reasonabke or not— there are more and more traffic policing laws that get introduced for ISPs to abide. By starting a Tor Exit node, you become a service provider, and the same laws start to apply.

                It’s no joke that we live in a surveillance state, just that some go “full surveillance” like China, while others go “slightly less in-your-face surveillance” like the US/EU.

        • J Lou@mastodon.social
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          1 year ago

          Would it be possible to allow exit nodes to blacklist specific kinds of traffic and somehow privately verify that the traffic is not one of the blacklisted kinds (zero knowledge proof perhaps sorry not a CS person)?

          • jarfil@beehaw.org
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            1 year ago

            An exit node can put in place any filters, blacklists, mitm, exploit injection, logging, and anything else it wants… on unencrypted traffic. Using HTTPS through an exit node, limits all of that to the destination of the traffic, there is no way to get a ZK proof of all the kinds of possible traffic and contents that can exist.

            • J Lou@mastodon.social
              link
              fedilink
              arrow-up
              2
              ·
              edit-2
              1 year ago

              What I meant was blacklisting certain destinations. It obviously wouldn’t prevent all malicious traffic

      • ɔiƚoxɘup@beehaw.org
        link
        fedilink
        arrow-up
        6
        ·
        1 year ago

        To give you an idea, last time I used Tor, I suddenly started to get a bunch of connection attempts from the FBI. Was I doing anything illegal? Nope. Was TOR a legal liability? You betcha.

        • xvlc@feddit.de
          link
          fedilink
          English
          arrow-up
          29
          ·
          1 year ago

          Connection attempts from the FBI? Could you specify that a bit further?

          • ɔiƚoxɘup@beehaw.org
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            I was using peerblock and one of the blocklists contained known governmental IP addresses. Those blocked connections began quickly filling the logs.

            Spooked the crap outta me. It’s been a few years since I did that, so I could have that detail wrong. I know it was for sure one of the three letter acronyms, DOD, FBI, CIA, but they were definitely incoming.

            • xvlc@feddit.de
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              That does not sound plausible to me. Typically, your own computer would be behind a router that is either doing NAT or has a firewall (probably the former). Any incoming traffic would be directed to the router without any chance of reaching your computer. Whatever you saw was either outgoing traffic or incoming traffic in response to connections initiated by your own computer.

              • ɔiƚoxɘup@beehaw.org
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                Consider this, the Tor software was accepting connections from government IPs.

                Regardless of whether it was active intrusion or a significant portion of the Tor network, (at that time) had a number of governmental IP ranges in it, It’s enough to dissuade my use, at least without more significant OpSec.

                I do understand your point though.

        • Eggyhead@kbin.social
          link
          fedilink
          arrow-up
          15
          ·
          edit-2
          1 year ago

          I suddenly started to get a bunch of connection attempts from the FBI.

          How can I observe connection attempts like this?

          • ɔiƚoxɘup@beehaw.org
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            I use peerblock and had some good blocklists set up. The hardest part should be finding peerblock or a more modern fork, the blocklists are mostly public. Helps keep from connecting to known bad actors.

  • lloram239@feddit.de
    link
    fedilink
    arrow-up
    25
    ·
    1 year ago

    It would help if Tor would be more useful for regular use. The few times I used it, it was for VPN-style geolocation circumvention. Tor supports it by changing ExitNodes, but the setting is hidden deep down in a config file and required a restart. Not exactly a great user experience for a setting that you might wanna flip pretty frequently.

    • Sam@lemmy.ca
      link
      fedilink
      arrow-up
      18
      ·
      edit-2
      1 year ago

      The reason is privacy, everybody has a reason to use it.

      • WorseDoughnut@kbin.social
        link
        fedilink
        arrow-up
        35
        arrow-down
        1
        ·
        1 year ago

        In theory yes, but practically speaking trying to access a lot of the modern web over TOR would be at best painfully slow and at worst almost impossible thanks to DDoS protection providers like cloudflare.

        • davehtaylor@beehaw.org
          link
          fedilink
          arrow-up
          21
          ·
          1 year ago

          This right here. A very large part of the web is inaccessible from TOR. Last I tried you couldn’t access social media, Google constantly forces you through captchas because it thinks you’re a bot, and anything on a CDN will either forces captchas or just doesn’t work. Financial institutions absolutely are all inaccessible.

          Privacy is important, but most of the places you want to go with TOR to stay private won’t let you in because malicious actors want to use it for the same reasons.

      • NaoPb@beehaw.org
        link
        fedilink
        arrow-up
        6
        ·
        1 year ago

        While I agree with you, I’m wondering what the benefit is of watching youtube and posting/reading lemmy/mastodon through a tor network. Because those are the main things I do. While I do understand that in some countries and also in public wifi networks the chances of traffic being intercepted and man in the middle attacks are higher, I do not expect that to happen to my fibre connection in my western country.

        • _MusicJunkie@beehaw.org
          link
          fedilink
          arrow-up
          8
          ·
          1 year ago

          Unless you browse Geocities sites from 1998, intercepting and MITMing is simply not an issue. Everything built nowadays uses https, which fully protects you against those.

          • First Majestic Comet@lemmy.blahaj.zone
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Yeah people when they discuss Neworking and VPNs I’ve noticed are either illiterate to the existence of https or are deliberately not mentioning it for the purpose of misleading people in some way (in the case of VPN sponsorships it’s to get people to buy them).

      • NaoPb@beehaw.org
        link
        fedilink
        English
        arrow-up
        6
        ·
        edit-2
        1 year ago

        I’d rather not waste my time reading an article about a program I’m not currently using to find out if I should use it our not. I’d rather see a post that has bulletpoints with pre’s and cons. My time is limited enough as it is.

        [edit] I realise that my comment will probably come across as unfriendly so I will add some explaining to it.

        I am currently in a western country using a fibre landline and I trust my internet provider to not intercept my data or use things like a man in the middle attack. Am I right for assuming that and if so, would tor prevent that? Will tor slow down my internet? I mostly watch youtube videos and read/post on lemmy/mastodon. I am not against using tor at all, but my energy and time are limited so I don’t feel like reading a whole article just for an app I do not feel the need to use. I am currently very happy with my firefox browser and all the add-ons I use. And with all the modifications I have put into it to make it work just the way I like. Would I loose all that by switching to tor? I am prepared to change to tor but I am not in the camp of “protect privacy at all costs, even if it greatly inconveniences me”. Especially if the risks of not using tor seem quite low in my situation.

        • zeus ⁧ ⁧ ∽↯∼@lemm.ee
          link
          fedilink
          English
          arrow-up
          7
          ·
          1 year ago

          okay. perhaps instead of wasting your time writing an entire paragraph, you should read the article and you’ll find out that that entire paragraph was irrelevant

          it’s actually not an article about the pros and cons of tor. it could not be summed up in bullet points about the pros and cons of tor

          i’ll admit to being a little facetious before, but i implore you to read articles before commenting on them

          • NaoPb@beehaw.org
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            Thing is… if I have to do that for every time someone linkdrops an article, I’ll have no time left in my day.

            And it seems I was right that I have no real reason to use tor.

            • zeus ⁧ ⁧ ∽↯∼@lemm.ee
              link
              fedilink
              English
              arrow-up
              4
              ·
              edit-2
              1 year ago

              Thing is… if I have to do that for every time someone linkdrops an article, I’ll have no time left in my day.

              if you spent less time writing comments about articles you haven’t read, you might have more time. do you do this in other walks of life? wander into restaurants you’ve never eaten at and announce “i don’t think there’s really any reason to order the fish”?

              And it seems I was right that I have no real reason to use tor.

              okay, i’ll sum the article up for you. the more people that use tor, the more it protects vulnerable people. journalists writing exposés about corrupt governments, refugees trying to flee, etc. the more normal people using tor, the more they get lost in the crowd. it’s nothing to do with whether you have any reason to use tor, that’s irrelevant. by using it, you’re helping those in vulnerable positions. happy? now go write something inciteful

                • zeus ⁧ ⁧ ∽↯∼@lemm.ee
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  1 year ago

                  Are you really surprised I’m replying to you when you keep replying?

                  well yes, actually. i have time to sit down over breakfast, read a few articles, maybe reply to a few comments

                  you clearly live such a busy lifestyle you haven’t time to read an article before making an asinine comment

                  And yes, you are merely confirming my point. There is no use for me personally. I would only have to use it and endure slower internet so that others benefit. Still doesn’t change the fact that for me personally there is no advantage. You can argue all you want but that’s what it comes down to for most people.

                  well that’s a pretty fuckin stupid viewpoint in my opinion. “i’m not going to help protect the careers and possibly lives of people in authoritarian countries, because i’d have to install a programme and possibly even launch it a couple of times per month”. running folding@home did me no advantage, i still did it.

                  And if you keep replying I’ll keep replying. No need to be surprised about that.

                  don’t worry, i won’t be. i was being flippant because i thought you an idiot, but it turns out you’re willfully ignorant.

  • sznio@beehaw.org
    link
    fedilink
    arrow-up
    25
    arrow-down
    1
    ·
    1 year ago

    I heard of a guy who went to prison because he bought something from Allegro (Polish Amazon) over TOR. Someone used the same exit node for hacking, so they pinned it on him.

      • sznio@beehaw.org
        link
        fedilink
        arrow-up
        7
        ·
        1 year ago

        Poland.

        He could’ve easily got it solved but he didn’t have money and the public defender just told him confessing was the best option.

        It might be a legend, it’s just a thing that supposedly happened to someone in a community I participate in.

      • ErgodicTangle@feddit.de
        link
        fedilink
        arrow-up
        14
        ·
        edit-2
        1 year ago

        “Czesc, I am Mister Anonymous. I would like to buy this Book. Please send it to Jan Pawel at this address, dziekuje.”

      • lloram239@feddit.de
        link
        fedilink
        arrow-up
        6
        ·
        1 year ago

        It provides anonymity in much the same sense as going into the bank while wearing a skimask does. Every form of anonymity service always puts you in close range to be grabbed by the authorities, as while your traffic might be anonymized, the fact that you are running the service is not.

    • First Majestic Comet@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      In my experience it’s a bit slower but not by much, I usually only access text based websites over Tor though with minimal images, streaming over YouTube can be horribly slow but it’s generally worked okay for me.

    • emberwit@feddit.de
      link
      fedilink
      English
      arrow-up
      16
      ·
      edit-2
      1 year ago

      It’s a web browser. Slower than others and some pages won’t work but other than that, it does just that.

      • Mummelpuffin@beehaw.org
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        …I mean, it’s more like the web browser makes it easy to use the Tor network. The network is the slow part. Your requests are getting ping-ponged all over the world intentionally taking the long way around.

    • ctr1@fl0w.cc
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      It’s great for anything low bandwidth that isn’t tied to your identity, and helps for peace of mind, despite its issues. You do run into captcha or DDOS protection issues occasionally, but the new tor circuit for this site button sometimes works. Also it uses letterboxing to prevent resolution-based fingerprinting, which isn’t very pretty, but leaving it at its default size (or locking the size using the WM) works well and is good for privacy.

      • interolivary@beehaw.org
        link
        fedilink
        arrow-up
        9
        ·
        1 year ago

        On the other hand, there’s no way to track you. Useful for looking up medical info in a way that search engines and such can’t relate back to you. Often I’ll keep browsing in it once I’ve opened it because it’s just basically Firefox.

        This is only true if you have the most “paranoid” security level selected, and at that point anything that relies on Javascript (or any of the other features that get blocked) will break. Enabling Javascript or the other blocked Web features will make it fairly trivial to track you especially the more you browse, so at that point you might as well just be using a regular VPN.

        Tor itself isn’t the problem in this equation, it’s the browser, and they tend to leak information like a sieve

          • interolivary@beehaw.org
            link
            fedilink
            arrow-up
            5
            ·
            1 year ago

            Sure, it all depends on how paranoid you are, my point was more that saying someone is untrackable if they use Tor has a lot of caveats.

            For the average pleb it’s probably fine, if all they’re doing is just trying to dodge regular trackers and not the authorities

    • Audalin@beehaw.org
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      It’s great when you want to connect two devices behind NAT without relying on any specific third-party server or service. I ssh to my laptop from my phone with it when away from it.

      It’s also useful to circumvent censorship, though it depends on the country. Also, websites employing wide-range IP blocks, in my experience, more often than not still allow Tor.

        • Audalin@beehaw.org
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          You run a Tor Hidden Service with sshd on one device. Knowing the .onion address, the correct port and having the corresponding private key on the other device (all of that not really subject to change), you can run the Tor daemon on it (for Android, you can use Termux) and connect with ssh, using torify nc %h %p as ProxyCommand.

  • A2PKXG@feddit.de
    link
    fedilink
    arrow-up
    11
    ·
    1 year ago

    Someone correct me if I’m wrong.

    Operating nodes is expensive, offers no reward, and comes with a serious legal risk.

    This won’t stop the NSA from operating a few. I assume that a significant portion of Tor nodes is run by intelligence agencies. If they control all nodes used for a connection(i believe three are used), they can probably piece together what connections a user is having.

    • EmperorHenry@lemm.ee
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      It is expensive. And yeah, it might get you into trouble in some places.

      And yes, the glowies use it, but journalists and whistleblowers use it too.

  • Lexam@lemmy.ca
    link
    fedilink
    English
    arrow-up
    9
    ·
    1 year ago

    But that’s part of its appeal. How else do I know I’m one of the cool kids?

    • Chadus_Maximus@lemm.ee
      link
      fedilink
      arrow-up
      3
      ·
      edit-2
      1 year ago

      People treat this as a suggestion. It’s actually a warning. A warning of what will happen if we overuse TOR.

  • A2PKXG@feddit.de
    link
    fedilink
    arrow-up
    9
    ·
    1 year ago

    I’m under the impression that my use will only make it slower for people who really need it.

  • wxboss@lemmy.sdf.org
    link
    fedilink
    arrow-up
    6
    ·
    edit-2
    1 year ago

    On the desktop, I use Whonix which does utilize the Tor Network. That being said, I rarely use the Tor browser outside of it.

  • fearout@kbin.social
    link
    fedilink
    arrow-up
    5
    ·
    1 year ago

    Are there any good iOS Tor browsers? All that I’ve seen are either shit or require some insane subscription.

    • Haakon@lemmy.sdfeu.org
      link
      fedilink
      arrow-up
      16
      ·
      1 year ago

      Due to Apple’s policies, there are no good ones. The least bad one is called Onion Browser and is recommended by the Tor Project.

      • jcg@halubilo.social
        link
        fedilink
        arrow-up
        5
        ·
        1 year ago

        Interesting, is this due to all browsers being required to use Safari or something? I always figured since there are VPNs on iPhone that TOR would be no problem.

        • jarfil@beehaw.org
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          You can use any browser you want with Tor, the issue is that browsers are the main source of tracking and de-anonymization, so by being forced to use Safari there is only so much that Tor can do to keep you anonymous.

      • fearout@kbin.social
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Both are broken as far as I know. First one hasn’t updated for years, and recent reviews for the second one claim it crashes on startup.