I use Tor and I don’t care

2021/09/14

Tags: opinions privacy security open source 100daystooffload

A double post for tonight! Who would have known! But, sadly I am not writing in a generally happy mood.

Setting up Tor for this site has been a nightmare recently. I was banned off of a VPS provider because I installed the tor package to install from an apt repo using an onion domain. I got the VPS for cheap, but it’s still a massive shame I had to lose money.

Too many service providers like budget ones and even some serious providers discriminate against Tor use. Many providers that fully support the use of Tor either only do on dedicated servers, or are too expensive. Dedicated servers on their own usually cost a lot too! Even when the Tor wiki provides a list of ISPs who block certain types of Tor usage, there is still the russian roulette of seeing if they allow Onion Services. A lot of them also require ID verification which I don’t own at the moment either.

When it comes to websites, their providers or even the webmasters themselves say the ‘fuck you’ to Tor usage. I have bad history with Cloudflare when using Tor, or even a VPN. I will always refuse to use websites that make my browsing experience difficult. I use Tor and I don’t care.

It’s my Browser

I main Tor Browser as my main web browser. It may seem like a strange choice, but most of my online activity comes from websites that are in small size and me using Tor as my home browser is sufficient. Regardless of the treatment Tor gets, I will not use anything else. I am willing to sacrifice some convenience for privacy and security and even if it’s usage is suspicious I am willing to take that risk.

Browsers with a focus of privacy are pretty popular these days. Firefox has recieved a slight resurgence and most importantly Brave is a new web browser with privacy at it’s focus, however I am not in a position to make an analysis on how effective these privacy features are. That’s where my troubles come in from using browsers like this. The time you take to get used to the inconveniences of the best option is quicker than the time it takes to perfect the other browsers. Swimming through the dark underbelly of pseudo-privacy shitbrowsers is not how I want to spend my night.

In terms of professional analysis, Tor Browser is the de facto top web browser for privacy and security combined.

“But isn’t there an exploit?" - Tor is a major target for attacks and exploits, especially to Advanced Persistent Threats and government agencies. Most publicised (or leaked) attacks usually have fixes. Attacks with no true solution such as exit node attacks which government agencies try and adopt are with limited reach. See this excerpt from a 2013 leaked NSA document…

‘We will never be able to de-anonymize all Tor users all the time.’

‘With manual analysis we can de-anonymize a very small fraction of Tor users, however no success de-anonymizing a user in response to a TOPI request or on demand.’

  • NSA - ‘Tor Stinks’ (Leaked sometime in 2013 to the press).

Why current attacks are insufficient even though they are possible (and why I don’t care about them)

The most popular attack suggested by governments is one involving a malicious exit node. This attack is also done by individuals and groups to obtain information for profit. How this attack works is that the exit node volunteering to be part of the Tor network will use a network sniffer and sometimes attempt a man-in-the-middle attack. This is to take information of Tor users and sometimes modify data recieved from websites (a common example is Bitcoin addresses being replaced with their own to take funds from users).

This attack, while possible is inefficient for several reasons and is not so dangerous because:

FBI claims anonymity: Prove it.

The FBI claimed they could deanonymize Tor users in 2014, and did as such with an attack on Silk Road (source) and in 2015 for a CP website which their ‘hack’ method was told to be disclosed. They dismissed the case of the user to prevent disclosure of this hack. (source). I think these ‘attacks’ are bullshit.

Why do I think so? Many FBI cases where they publish crap like this, they mention a vulnerability that is most likely the caused vector for attack. Silk Road’s owner was identified because Ross Ulbricht had shit OPSEC, and an open source intelligence search on Silk Road, identified him as an individual of interest. Playpen had awful site design, where the IP address of the home server was identified and the server was seized. This allowed them to have full control of the server(s) the site was running on, and they changed the site to drop malware into the PCs of it’s users. The exact exploit is unknown, however these are all not vulnerabilities of Tor. They are vulnerabilities of shitty site design, and bad opsec.

They also never reveal their methods, like the Silk Road attack supposedly being done by a ‘$3000’ box that can deanonymize the users. Who wants to bet it’s just the hosting costs of a powerful server to host nodes in? Because after they wanted to reveal the exploit, the talk at Black Hat got suspiciously ‘cancelled’.

Where is the real proof? No speculations?

I will use Tor and I don’t care what the views or hypotheses are until I see proof.

Until next time.

>> Home