A double post for tonight! Who would have known! But, sadly I am not writing in a generally happy mood.
Setting up Tor for this site has been a nightmare recently. I was banned from a VPS provider because I installed the tor package to install from an apt repo using an onion domain. I got the VPS for cheap, but it’s still a massive shame I had to lose money.
Too many service providers, budget ones and even some serious providers, discriminate against Tor use. Many providers that fully support the use of Tor either only do so on dedicated servers, or are too expensive. Dedicated servers on their own usually cost a lot too! Even though the Tor wiki provides a list of ISPs who block certain types of Tor usage, there is still the Russian roulette of seeing if they allow Onion Services. A lot of them also require ID verification, which I don’t have at the moment either.
When it comes to websites, their providers or even the webmasters themselves say ‘fuck you’ to Tor usage. I have a bad history with Cloudflare when using Tor, or even a VPN. I will always refuse to use websites that make my browsing experience difficult. I use Tor and I don’t care.
It’s my Browser
Tor Browser is my main web browser. It may seem like a strange choice, but most of my online activity is on small websites, and using Tor as my home browser is sufficient for that. Regardless of the treatment Tor gets, I will not use anything else. I am willing to sacrifice some convenience for privacy and security, and even if its usage looks suspicious I am willing to take that risk.
Browsers with a focus on privacy are pretty popular these days. Firefox has received a slight resurgence and, most importantly, Brave is a new web browser with privacy as its focus; however, I am not in a position to analyse how effective these privacy features are. That’s where my troubles with browsers like this come from. Getting used to the inconveniences of the best option takes less time than perfecting the other browsers. Swimming through the dark underbelly of pseudo-privacy shitbrowsers is not how I want to spend my night.
In terms of professional analysis, Tor Browser is the de facto top web browser for privacy and security combined.
- Tor is strict. Every Tor Browser fingerprint is designed to be the same, every time, every place, every PC. As long as you update your browser, you will look the same as every other user.
- Tor is not just a fork. Tor Browser may use Firefox as its base, but its impact cannot be questioned. Features of Tor Browser have even gone upstream into Firefox itself. Mozilla pays close attention to Tor.
- The Tor network is a big part of the Tor Browser, and it can also be make or break for users. For now the Tor Browser is also usable without the Tor network (however I still advise using a VPN anyway, and I use the Tor network).
- Tor Browser has been around for a long time, and a hand-configured Firefox is difficult to maintain due to the constant changes in the browser. Librefox had this problem. LibreWolf is pretty good, but platform support and speed of updates have their limits. Tor does not try to be Firefox 2.
“But isn’t there an exploit?” - Tor is a major target for attacks and exploits, especially for Advanced Persistent Threats and government agencies. Most publicised (or leaked) attacks usually have fixes. Attacks with no true fix, such as the exit node attacks that government agencies try to adopt, have limited reach. See this excerpt from a 2013 leaked NSA document…
‘We will never be able to de-anonymize all Tor users all the time.’
‘With manual analysis we can de-anonymize a very small fraction of Tor users, however no success de-anonymizing a user in response to a TOPI request or on demand.’
- NSA - ‘Tor Stinks’ (Leaked sometime in 2013 to the press).
Why current attacks are insufficient even though they are possible (and why I don’t care about them)
The most popular attack suggested by governments is one involving a malicious exit node. This attack is also done by individuals and groups to obtain information for profit. It works like this: the attacker volunteers an exit node to the Tor network, runs a network sniffer on it, and sometimes attempts a man-in-the-middle attack. The aim is to harvest information on Tor users and sometimes to modify data received from websites (a common example is Bitcoin addresses being replaced with the attacker’s own to take funds from users).
This attack, while possible, is inefficient and not so dangerous, for several reasons:
- To be useful, the MITM would have to force a downgrade of HTTPS connections to HTTP. Blocking all HTTP traffic would make this attack completely worthless.
- Even if the attack did not downgrade to HTTP and instead swapped the certificates, the browser detects this automatically.
- Attacks that try to identify users from the exit node alone only have the domains they visit to work with. One reason for this is that exit nodes are responsible for DNS resolution and DNS requests aren’t encrypted. A user visiting a common website would be extremely difficult to trace, and for onion services, impossible.
- Governments also suggest an attack like this, but combined with signals intelligence to retrieve information on users before they connect to Tor. This can mostly be mitigated by using a VPN service beforehand, or using a bridge like Snowflake.
- In all 4 cases, an onion service is not affected by these issues unless the website itself is malicious. This is because onion services go through the same onion routing as users.
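The HTTPS-only rule from the bullets above, written out as a small policy checker: plaintext HTTP to a clearnet host is refused (or upgraded), a redirect hop that drops from https to http is treated as a downgrade attempt, and .onion hosts are exempt because that traffic never leaves the Tor network’s own encryption. This is an added illustration, not code from this post or from Tor Browser; the hostnames in it are constructed.

```python
"""Policy checker for the HTTPS-only defence against a malicious exit node.

Added illustration, not code from the post or from Tor Browser. Hostnames
used in the comments and tests are constructed. The .onion exemption models
the post's point that onion-service traffic stays inside Tor's own encryption.
"""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https", "http"}


def is_onion(host: str) -> bool:
    """Onion service hostnames end in .onion; they never exit to the clearnet."""
    return host.lower().endswith(".onion")


def classify(url: str) -> str:
    """Return 'allow', 'upgrade' or 'block' for a single URL under the policy."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "")
    if scheme not in ALLOWED_SCHEMES or not host:
        return "block"
    if scheme == "https" or is_onion(host):
        return "allow"
    # Plaintext HTTP to a clearnet host: the exit node could read or rewrite it.
    return "upgrade"


def upgrade(url: str) -> str:
    """Rewrite http:// to https:// so the exit node never sees the plaintext."""
    if url.lower().startswith("http://"):
        return "https://" + url[len("http://"):]
    return url


def check_redirect_chain(chain: list[str]) -> tuple[bool, str]:
    """Walk a redirect chain (e.g. https://shop.example/ -> http://shop.example/pay).

    A hop that falls back to plaintext clearnet HTTP after an https hop is exactly
    what an exit-node MITM would try to force, so the whole chain is refused.
    """
    if not chain:
        return False, "empty chain"
    seen_https = False
    for hop in chain:
        verdict = classify(hop)
        if verdict == "block":
            return False, f"blocked hop: {hop}"
        if verdict == "upgrade" and seen_https:
            return False, f"downgrade to plaintext at: {hop}"
        if hop.lower().startswith("https://"):
            seen_https = True
    return True, "ok"
```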
FBI claims anonymity: Prove it.
The FBI claimed they could deanonymize Tor users in 2014, and did so with an attack on Silk Road (source), and again in 2015 for a CP website, where they were ordered to disclose their ‘hack’ method. They dismissed the case against the user to prevent disclosure of this hack (source). I think these ‘attacks’ are bullshit.
Why do I think so? In many FBI cases where they publish crap like this, they mention a vulnerability that was most likely the actual attack vector. Silk Road’s owner was identified because Ross Ulbricht had shit OPSEC, and an open source intelligence search on Silk Road identified him as an individual of interest. Playpen had awful site design: the IP address of the home server was identified and the server was seized. This gave them full control of the server(s) the site was running on, and they changed the site to drop malware onto the PCs of its users. The exact exploit is unknown, but none of these are vulnerabilities in Tor. They are vulnerabilities of shitty site design and bad opsec.
They also never reveal their methods, like the Silk Road attack supposedly being done by a ‘$3000’ box that can deanonymize the users. Who wants to bet it’s just the hosting costs of a powerful server to host nodes on? Because after they wanted to reveal the exploit, the Black Hat talk got suspiciously ‘cancelled’.
Where is the real proof? No speculations?
I will use Tor and I don’t care what the views or hypotheses are until I see proof.
Until next time.