Tor Browser 8.5 (blog.torproject.org)
If nobody uses TOR, then TOR users immediately become suspicious and nothing prevents the real world investigation from uncovering them.
Additionally, Tor isn't something that every Internet user should be using. I say this because when they get 10 ReCaptchas in a row, then try to log into their bank and have their credit card automatically frozen, then wonder why Google search isn't working, then give up and just use Facebook all day anyway, they will definitely not be appreciating the 'anonymity' that we gave them.
Regarding decision making, Mozilla integrating Tor into Firefox does not mean that the Tor Project has to give up its autonomy.
The reason to have a regular browser is that you want those features, and the low latency of a direct connection.
I'd happily use Tor, but the last time I used it (which was ~5 years ago), it was terribly slow for regular browsing (not streaming, or anything considered bandwidth heavy).
* It permanently tracks the lagging ESR Firefox.
* It puts its users on Tor, which "anonymizes" them but also flags their traffic as interesting.
* It collapses all those users down to a single set of browser releases, making it cost-effective to target exploits to.
Use Firefox if you really like Firefox, but use the most recent version you can possibly get. Mozilla's is not the best-hardened browser.
Use Tor if you really believe in Tor. But use it explicitly, not as part of a browser bundle. Your choice of browser has a significant impact on your operational security; don't let a bunch of volunteers at Tor make that decision for you.
I am on Win10 and it will not allow me to install it in Program Files. If I install it in Desktop, it will keep flagging tor.exe as a virus.
After marking 4 times that the Windows Virus and Threat Protection should restore the exe, I was able to start the browser.
Then the Windows antivirus went full dystopian mode, and flagged it again. Now it is asking me to reboot the computer to delete tor.exe from the device.
The speed is much better nowadays. Unless you're unlucky and your circuit has a slow node in it (which the protocol tries to avoid, if I remember correctly), you should have a decent web browsing experience. Sure, it will be slower than your "normal" connection, but usually not by that much.
Although, if you plan on downloading large files via Tor, you will hit a bandwidth cap fairly quickly. You can look in detail here: https://metrics.torproject.org/torperf.html
Available bandwidth has quadrupled since 2014: https://metrics.torproject.org/bandwidth-flags.html?start=20...
I typically stay away from Tor when it comes to online banking or finance in general (logging into Amazon with Tor can raise some red flags for example).
In terms of speed, I have noticed personally that Tor has gotten a lot faster. Sometimes you get a slow circuit and have to spawn a new identity / rebuild a new circuit to get a faster one, sort of like 'circuit roulette'.
The rest of my surfing is for fairly innocuous subject matter and using Tor for it would be overkill. Again, Tor would be handy for privately researching general health issues, sexual health issues, mental health issues, etc
Tor is also handy for recon[0] in general too. For me privacy is how you present yourself to the world, and doing recon[0] in a certain community, or (anonymously) 'lurking' in a community is useful before you re-register an account and start posting as the 'real you'.
But maybe you mean if someone is using it as the main browsing tool for privacy reasons? This I doubt, since it's indeed slow. I also don't think that Tor is meant to be used as your main browser really.
Tor is also IPv4 so it is a convenient way to get an IPv4 web view inside an IPv6-enabled network, without having to deal with browser plugins or adjust the interface on the machine.
I hope you're conflating two issues here.
You surely aren't recommending users who "believe in Tor" install Tor directly and attempt to manually proxy their favorite browser traffic over it?
Not to say I disagree with your points against using TBB.
Of course, this does compromise anonymity a bit in some respects, since there are probably few people who run chromium on Tor and because it's not as resistant to fingerprinting as the regular Tor browser. That's acceptable to me, as I only use that browser on Tor, and use another browser for things that could potentially leak my real identity.
Debian ships Mozilla's ESR releases by default. I'm sure many shops that prefer stability over latest features also deploy ESR. Judging by how often it gets updated it seems to me Mozilla is pretty diligent at backporting fixes.
My wholly-not-representative-for-the-wider-web statistics say approx. 22% of Firefox UAs are ESR release.
Can anyone advise their opinion on which one would be best to run in a VM? I'm prepared to accept the security compromise of running in a VM, but I do want the ability to store passwords in the browser and save small files in the VM.
Edit: Just signed up for this account over Tor for shits and giggles. Literally my first post and it's dead immediately.
I get that Tor has spammers but I did have to do the captcha to create an account so this seems heavy-handed. Seems like there's no way to legitimately post to HN over Tor.
For those that don't know, the Brave browser has Tor tabs, which route through Tor. It also has the standard private tabs. Tor support currently exists only on the desktop Brave browser.
Here is the announcement: https://brave.com/tor-tabs-beta
Brave has been supporting Tor, and running Tor relays to improve the network.
Brave is newer at the game. They have had Tor tabs less than a year. They can do fingerprinting protection and no-script, but it's still a full-featured web browser, with a lot of risks. The fingerprinting protection isn't as good as the Tor Browser, and unless they changed something, JavaScript wasn't disabled by default in Tor tabs.
The Tor Browser has been around for a while and is meant to be a secure web browser from top to bottom. It has had a lot of development looking to find and fix possible leaks and to ensure security. That is its primary focus, and it is pretty good at it.
If you want to use Tor casually, maybe access an onion site, or just get a big boost in your level of privacy, the Tor tabs in Brave are a nice option. They are really easy to use and give great privacy. It is good for casual Tor use.
If you want (or need) serious privacy, the Tor Browser is a better choice. That is its purpose. It is developed to be hardened for protecting the user and it will provide better protection.
https://brave.com/tor-tabs-beta
To OP - check out the issues, there's a reason it's still in beta: https://github.com/search?utf8=&q=is%3Aopen+is%3Aissue+org%3...
Literally anything is better than Brave, well, maybe not IE.
(There's also the fact that Tor Browser routes everything over Tor, but apparently Brave can do this too now?)
Do bad people do bad things using Tor? Yes. Do political dissidents in oppressive regimes use Tor? Yes.
However the vast majority of people are just ordinary citizens using Tor to access the internet -- the cross-section of Tor users is the same as the cross-section of ordinary internet users.
How do you know? It shouldn't be possible to collect this sort of data.
I transparently use the darknet continuously every day. Multiple home servers owned by me and my colleagues make up a VPN we share with friends and family.
Amongst the trusted recursive resolvers we use there's the DoT v3 onion from Cloudflare. A proxy redirects our traffic for Facebook and DuckDuckGo over the respective onions, same for Debian updates. A next generation firewall inspects our traffic and use Tor for some websites that are censored or geoblocked.
Tor became such a pleasant (and fast, unlike it used to be) experience that it can be used for general anon surfing.
This could then include stored data, VPNs or other company/govt/organisational data that is not accessible via normal web traffic.
Once you get past the controversy TOR hidden services are more like the 1990s web than what you describe.
Deep web: stuff not indexed by search engines. Private forums, non-public social media accounts, Telegram rooms, Discord servers etc. are technically "deep web".
Dark web: a subset of deep web that requires specific software or configuration to access. Slightly more precise, but still includes every possible use case for IPFS, Dat, ".onion" etc. Note that this is nowhere close to what people usually mean when they use the term "dark web". They're referring to the subset of a subset of deep web that's used for criminal activities.
The problem is that there is one (academic) definition of "deep web", but many incompatible definitions of "dark web", invented by the media basically for whatever they want it to be.
I would probably use my StrongSwan IPSEC VPN setup to home now that I have one.
Tor Browser (despite its many faults) has lots of patches that are applied in order to stop these sorts of leaks. If it takes the people who develop Tor to continually patch Firefox in order to make it actually anonymous, I would argue you have a worse chance of making it work properly.
Especially given that Chromium does make startup queries to Google-owned servers. (Not sure about runtime.) Probably for perfectly reasonable usability and/or security reasons.
But I agree that Chromium manually proxied through Tor probably looks vastly superior to TBB when you do a benefit analysis. :)
Edit: added smiley to make what I'm saying slightly more obvious.
On top of that Brave has seemingly no interest in asking for consent for this practice, while also going as far as to use people's names and photos to solicit donations to them, without those people even being aware that Brave is accepting money for them[2].
Now I believe the ad-replacement feature is opt-in, but I'm not willing to install Brave and go through the opt-in flow to determine if it goes through the proper steps in explaining that the Brave Ad money may never reach its intended recipient.
[0] https://cryptobriefing.com/what-is-basic-attention-token-int... "Brave integrated BAT into its browser to block ads at the site level, and instead serve them through the browser itself."
[1] https://basicattentiontoken.org/
[2] https://twitter.com/tomscott/status/1076160882873380870
Roger Dingledine mentions this in quite a few of his talks, I'm fairly sure it's an accurate statement.
[1]: https://www.facebook.com/notes/facebook-over-tor/1-million-p...
The way it works is that the client and server pick a "rendezvous node" (the server generates 6 HSDir entries, each with 3 random nodes every day, and the client picks a random HSDir entry and a random one of those nodes to use). Then, they communicate through the rendezvous node which doesn't know who the client or server are (because both are connected through Tor circuits and neither reveals the .onion URL that was looked up in the HSDir).
The way the statistics work is that some Tor relays opt-in to sharing statistics about how many HSDir lookups happened through them, and then those figures are extrapolated to figure out how many .onion service accesses happen. The relay doesn't know which service is being looked up, and the rendezvous node doesn't know which service is being talked to.
It looks like Whonix is what you are looking for, from Wikipedia:
> Unlike Tails, Whonix is not "amnesic"; both the Gateway and the Workstation retain their past state across reboots
Not because I do anything illegal (I don't even take acid), but in this dystopian world where every action on the internet is recorded, the last thing I want is to end up on lists purely because of my curiosity.
If I would do anything I could get into trouble for (which I won't), I would definitely research more about how to use Tor safely.
I'm not saying that you shouldn't use Tor, just that as far as I understand, the whole request, including path and method, is encrypted over TLS/SSL after your browser establishes a TCP connection to the server.
Edit: apparently the URL is not visible, but the domain (more like IP, which can be easily resolved to domain).
Same thing still applies, perhaps not with reddit subreddits, but with specific domains/websites.
DNS traffic is funneled through a different Tor circuit than the web traffic. You'd need to apply the bad DNS to all users, which would almost certainly result in your exit node being dropped from the network.
I'm also not sure how this would be handled with HSTS preload lists -- HSTS preload applies to all subdomains so you'd need to come up with a completely different domain (and protections against homograph attacks mean that avenue is restricted). It'd probably be simpler to just set up an actual website with LetsEncrypt than to bother with stripping the TLS in this manner.
With HTTPS using TLS 1.2 or earlier the site sends its certificate in plaintext too, so even if you just remember the IP address, it will tell anybody snooping "Hi, this is reddit.com".
In TLS 1.3 the site's certificate is encrypted. However the SNI, which is used to make virtual hosting work, is not encrypted. So your ISP can see where you said you were going, but not whether they proved they were the real deal.
DPRIVE such as DNS over HTTPS cures the first thing: you use an encrypted transport to do DNS queries against somebody trustworthy who won't rat you out.
eSNI (encrypted SNI) is intended to one day cure the other problem.
Even with both these, seeing that you visited a very popular system like Facebook or Reddit is always going to be easy. So Tor remains important.