Comments on: How secure is the TOR network for everyday internet browsing?

By: George Notaras

George Notaras — Tue, 05 Apr 2011 09:24:59 +0000

Me trying to help with this is not good enough, because I am not the right person for this kind of job. I am not a network security expert, so I might miss lots of things about the security issues involved in using the TOR network. But, if you check the donations page on the TOR web site, you will realize that the project has enough resources to hire a professional.

By: Jim

Jim — Tue, 05 Apr 2011 04:15:59 +0000

George Notaras wrote: “Anyone would expect the TOR project to provide the TOR users with all the information they would ever need in order to stay secure while they use the TOR network.”

I think they are trying to do that. If you can help them do that better, the help would likely be appreciated. If you are so inclined, perhaps the tor-talk mailing list would be a good place to express your concerns and offer help.

By: George Notaras

George Notaras — Mon, 04 Apr 2011 21:59:23 +0000

Hi Jim. Thanks for your comment.

I, generally, agree with everything you have written. I’d only like to add the following.

Nowadays, step-by-step instructions about how to spy on other people on the same network exist everywhere on the net, including youtube. People don’t need to know much before they are able to sniff network traffic. They don’t even have to be smart to do it.

On the other hand, TOR, by design, puts a random person and a random ISP between the user and the internet service. Anyone would expect the TOR project to provide the TOR users with all the information they would ever need in order to stay secure while they use the TOR network.

By: Jim

Jim — Mon, 04 Apr 2011 12:34:17 +0000

What you state in this article is well known to the Tor Project. It is not uncommon to see such things and related matters discussed on the tor-talk mailing list. The Tor Project certainly cannot be held responsible for what 3rd parties say about the Tor Network. I don’t know about such things as what the FSF said being found “throughout the TOR project website”, but I do know that their download page specifically warns about the fact that Tor doesn’t/can’t encrypt the traffic between the exit node and the final destination and encourages use of https. They promote the HTTPS Everywhere extension for Firefox. They warn about ways that your IP address can leak and recommend using Tor Button. All of this is in the “full list of warnings” which is linked to from the banner near the top of the download pages that asks “do you want Tor to really work?”

In addition to hiding what you are doing and where you are going from your ISP, Tor is also useful for being anonymous to the website you are accessing. No anonymity is perfect and the Tor project knows this. Known attacks are sometimes discussed on tor-talk. But with the proper precautions the anonymity is relatively good. The Tor Project’s website provides links to some of the academic research that is being done on anonymity if you wish to learn more.

You are certainly correct that it would be good for Internet users to understand (in rought terms) what https is and when it is important to use it. (Some would say it is always important — hence the HTTPS Everywhere extension.) Likewise, Tor users would do well to read and understand what is in the warnings and advice the Tor project gives. But that does not detract from the usefulness of the Tor Network for certain purposes.

By: Eric Gorp

Eric Gorp — Mon, 04 Apr 2011 09:59:40 +0000

Another problem is : the user’s exit node is responsible for the traffic through is ISP, so if an anonymous user surf on pedo***** sites, it might be a problem for the user of the exit node in some country, such as France.

Tor is simply reporting responsibility of the net usage to another users, which is not quite good all all.

Regard.

By: Jean-Jacques

Jean-Jacques — Mon, 04 Apr 2011 09:55:27 +0000

**EDIT**: We usually do not allow posts that contain just links. This is an exception because of the high relevance of the linked articles.

http://www.theregister.co.uk/2007/09/10/misuse_of_tor_led_to_embassy_password_breach/

http://www.theregister.co.uk/2007/11/23/tor_abuse/

By: George Notaras

George Notaras — Mon, 04 Apr 2011 07:36:33 +0000

Hi Lefteris. Thanks for stopping by. An ssh server running at home is my favorite solution, but it requires that a computer is always on.

By: Lefteris Kosmas

Lefteris Kosmas — Sun, 03 Apr 2011 21:27:43 +0000

Well i believe that using Tor though it’s not as secure as ssh tunneling espeacialy logging using signed keys but compared to unencrypted browsing escecialy through hostile infrastructures (ie work, university, or even nation wide firewalls) i could proove it’s self as a viable alternative to unencrypted browsing.

On the other hand I also believe that having a an ssh server at home, or any other place you (and only you or people you trust) have access could proove very handy.

By: George Notaras

George Notaras — Sat, 02 Apr 2011 18:19:50 +0000

Hi Panagiotis. Thanks for your comment.

Indeed, the only problem is that. I used to have an ssh server at home accessible from the internet, so I could use it any time I liked and consume any amount of bandwidth I needed. But, admittedly, this is not always possible.

By: Panagiotis

Panagiotis — Sat, 02 Apr 2011 17:05:55 +0000

Interesting approach, especially for those who consider unknown proxies provide secure tunnels. +1 for ssh -D, the only negative is that you need access to a ssh server you know it’s secure.