|
[[TOC]]
|
|
|
|
|
|
|
|
== Understanding and Using Tor - An Introduction for the Lay(wo)man ==
|
|
|
|
|
|
|
|
|
|
## Understanding and Using Tor - An Introduction for the Lay(wo)man
|
|
|
|
|
|
=== How does Tor make me anonymous? ===
|
|
|
|
|
|
### How does Tor make me anonymous?
|
|
Tor makes you anonymous by routing your traffic through a series of computers before it arrives at its destination. These computers are part of the tor network and pass your request among themselves in such
|
|
Tor makes you anonymous by routing your traffic through a series of computers before it arrives at its destination. These computers are part of the tor network and pass your request among themselves in such
|
|
a way that the computer at the end of the series doesn't know anything about the computer at the start of the series. This means that the website you are sending traffic to doesn't know who you are. This 'series of computers' is known as a 'circuit' through the tor network. Think of it as a cable running from your computer to the website you are viewing. The website can see the cable emerging from the tor network but can't see where it entered the tor network.
|
|
a way that the computer at the end of the series doesn't know anything about the computer at the start of the series. This means that the website you are sending traffic to doesn't know who you are. This 'series of computers' is known as a 'circuit' through the tor network. Think of it as a cable running from your computer to the website you are viewing. The website can see the cable emerging from the tor network but can't see where it entered the tor network.
|
|
|
|
|
|
=== So who chooses the computers on the circuit? ===
|
|
### So who chooses the computers on the circuit?
|
|
The computers on the circuit are chosen randomly by the tor application sitting on your computer.
|
|
The computers on the circuit are chosen randomly by the tor application sitting on your computer.
|
|
|
|
|
|
=== How long should the circuit be, how many computers should be on it? ===
|
|
### How long should the circuit be, how many computers should be on it?
|
|
The circuit usually consists of 3 computers on the Tor network: the entry guard, the relay node, and the exit node.
|
|
The circuit usually consists of 3 computers on the Tor network: the entry guard, the relay node, and the exit node.
|
|
|
|
|
|
=== Does each computer on the circuit know who you are? ===
|
|
### Does each computer on the circuit know who you are?
|
|
No. Only the entry guard knows who you are. You only connect directly (over the
|
|
No. Only the entry guard knows who you are. You only connect directly (over the
|
|
'real' internet) to the entry guard.
|
|
'real' internet) to the entry guard.
|
|
|
|
|
|
=== So how does my Tor client build the circuit by only talking to the entry guard? ===
|
|
### So how does my Tor client build the circuit by only talking to the entry guard?
|
|
To begin with, your Tor client creates a connection with the entry guard and
|
|
To begin with, your Tor client creates a connection with the entry guard and
|
|
tells it that it wants to create a circuit. It then tells the entry guard who
|
|
tells it that it wants to create a circuit. It then tells the entry guard who
|
|
the next computer in the circuit should be, i.e. who should be the relay node.
|
|
the next computer in the circuit should be, i.e. who should be the relay node.
|
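Review bot: The `[[TOC]]` macro on the first line stays in wiki-macro form while every heading below it moves from `== … ==` to `##`. Confirm the target Markdown renderer expands `[[TOC]]`; if it does not, swap it for that renderer's table-of-contents tag in this same change so the page does not show the literal text.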
... | @@ -26,7 +26,7 @@ whatever you send it. When your Tor client starts sending |
... | @@ -26,7 +26,7 @@ whatever you send it. When your Tor client starts sending |
|
stuff to the relay node, it looks like junk to the entry guard. The entry guard
|
|
stuff to the relay node, it looks like junk to the entry guard. The entry guard
|
|
can't read it and it doesn't need to, it just needs to pass it on.
|
|
can't read it and it doesn't need to, it just needs to pass it on.
|
|
|
|
|
|
=== So the entry guard is just passing stuff blindly on to the relay node? ===
|
|
### So the entry guard is just passing stuff blindly on to the relay node?
|
|
Yes. From the entry guard's point of view it's just big blobs of ones and zeroes with
|
|
Yes. From the entry guard's point of view it's just big blobs of ones and zeroes with
|
|
an instruction 'pass on to relay node' on the front of each one.
|
|
an instruction 'pass on to relay node' on the front of each one.
|
|
At this point, the blobs your Tor client is sending to the relay node are in fact an instruction to
|
|
At this point, the blobs your Tor client is sending to the relay node are in fact an instruction to
|
... | @@ -38,7 +38,7 @@ case, the stuff your Tor client is sending to the exit node is the stuff you |
... | @@ -38,7 +38,7 @@ case, the stuff your Tor client is sending to the exit node is the stuff you |
|
want to send to the website you're connecting to. Voila - you're communicating
|
|
want to send to the website you're connecting to. Voila - you're communicating
|
|
anonymously with the website.
|
|
anonymously with the website.
|
|
|
|
|
|
=== I'm still digesting that. Have you got a patronizing analogy? ===
|
|
### I'm still digesting that. Have you got a patronizing analogy?
|
|
Of course. Think of a parcel with three layers of wrapping. The entry guard unwraps
|
|
Of course. Think of a parcel with three layers of wrapping. The entry guard unwraps
|
|
the first layer and finds that the layer underneath has the relay node's address on it,
|
|
the first layer and finds that the layer underneath has the relay node's address on it,
|
|
so it passes it on to the relay node. The relay node unwraps its layer and finds that
|
|
so it passes it on to the relay node. The relay node unwraps its layer and finds that
|
... | @@ -47,14 +47,14 @@ on to the exit node. The exit node unwraps its layer and finds the goodies insid |
... | @@ -47,14 +47,14 @@ on to the exit node. The exit node unwraps its layer and finds the goodies insid |
|
name of the website you want to connect to and the message you want to transmit to it. This
|
|
name of the website you want to connect to and the message you want to transmit to it. This
|
|
layering is why it's called 'onion routing'.
|
|
layering is why it's called 'onion routing'.
|
|
|
|
|
|
=== So what's stopping the entry guard from unwrapping all of the layers himself? Why can't the entry guard read what you're sending to the relay node or the exit node? ===
|
|
### So what's stopping the entry guard from unwrapping all of the layers himself? Why can't the entry guard read what you're sending to the relay node or the exit node?
|
|
Because each layer can only be unwrapped by the node whose name is on the wrapping. This is
|
|
Because each layer can only be unwrapped by the node whose name is on the wrapping. This is
|
|
enforced by encrypting the wrapper in such a way that only the addressee can decrypt it.
|
|
enforced by encrypting the wrapper in such a way that only the addressee can decrypt it.
|
|
The same is true all along the circuit: the relay node can't read what you're
|
|
The same is true all along the circuit: the relay node can't read what you're
|
|
sending to the exit node because it can only be decrypted with a key that the
|
|
sending to the exit node because it can only be decrypted with a key that the
|
|
exit node alone knows, the same goes for the entry guard and the relay node.
|
|
exit node alone knows, the same goes for the entry guard and the relay node.
|
|
|
|
|
|
=== How does that work? ===
|
|
### How does that work?
|
|
The key used to set up the encryption with each node is a public key owned and
|
|
The key used to set up the encryption with each node is a public key owned and
|
|
generated by that node. This public key, which is distributed to all and sundry,
|
|
generated by that node. This public key, which is distributed to all and sundry,
|
|
has a counterpart called a private key which the node keeps for itself.If you
|
|
has a counterpart called a private key which the node keeps for itself.If you
|
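Review bot: The context line `has a counterpart called a private key which the node keeps for itself.If you` at the end of this hunk is missing the space after the full stop. It is worth fixing in the same pass so it reads `itself. If you`.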
... | @@ -64,29 +64,29 @@ circuit that only one of the nodes on the circuit can decrypt. This encryption |
... | @@ -64,29 +64,29 @@ circuit that only one of the nodes on the circuit can decrypt. This encryption |
|
is sometimes referred to as RSA encryption, assymetrical encryption or
|
|
is sometimes referred to as RSA encryption, assymetrical encryption or
|
|
public/private key encryption.
|
|
public/private key encryption.
|
|
|
|
|
|
=== OK let's go back to who knows who on the circuit. The relay node knows who the entry guard is, right? ===
|
|
### OK let's go back to who knows who on the circuit. The relay node knows who the entry guard is, right?
|
|
Yes.
|
|
Yes.
|
|
|
|
|
|
=== And the exit node knows who the relay node is, right? ===
|
|
### And the exit node knows who the relay node is, right?
|
|
Yes.
|
|
Yes.
|
|
|
|
|
|
=== So does the entry guard know who the exit node is (and vice versa)? ===
|
|
### So does the entry guard know who the exit node is (and vice versa)?
|
|
No. Because it couldn't read the instruction you sent to the relay node telling
|
|
No. Because it couldn't read the instruction you sent to the relay node telling
|
|
it who the exit node should be. The exit node and the entry node on a circuit
|
|
it who the exit node should be. The exit node and the entry node on a circuit
|
|
cannot tell who is on the other end of the circuit. The computer at one end of
|
|
cannot tell who is on the other end of the circuit. The computer at one end of
|
|
the cable does not know who, what or where the computer at the other end of the
|
|
the cable does not know who, what or where the computer at the other end of the
|
|
cable is.
|
|
cable is.
|
|
|
|
|
|
=== Right. So who knows who I am, the person at the start of the cable, the Tor client? ===
|
|
### Right. So who knows who I am, the person at the start of the cable, the Tor client?
|
|
Only the entry guard. The relay node only knows that it is talking to another
|
|
Only the entry guard. The relay node only knows that it is talking to another
|
|
server, possibly an entry guard. It doesn't know who is talking to the entry
|
|
server, possibly an entry guard. It doesn't know who is talking to the entry
|
|
guard on the other side.
|
|
guard on the other side.
|
|
|
|
|
|
=== How can that be? Couldn't the entry guard just tell the relay node who the tor client is? ===
|
|
### How can that be? Couldn't the entry guard just tell the relay node who the tor client is?
|
|
If they are both specially-modified malicious tor nodes collaborating with each
|
|
If they are both specially-modified malicious tor nodes collaborating with each
|
|
other, yes.
|
|
other, yes.
|
|
|
|
|
|
=== So what's to prevent them? ===
|
|
### So what's to prevent them?
|
|
What makes this hard to do is: (i) they would have to agree and know a way of
|
|
What makes this hard to do is: (i) they would have to agree and know a way of
|
|
exchanging this information without breaking their ability to interact with
|
|
exchanging this information without breaking their ability to interact with
|
|
other 'normal' Tor servers, (ii) since the Tor client is randomly choosing the
|
|
other 'normal' Tor servers, (ii) since the Tor client is randomly choosing the
|
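Review bot: `assymetrical` in the first line of this hunk is misspelled and should read `asymmetric`. The same sentence lists "RSA encryption" as another name for public/private key encryption, but RSA is one public-key algorithm rather than a synonym for the whole class, so consider rewording to "public-key (asymmetric) encryption, of which RSA is one example".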
... | @@ -94,7 +94,7 @@ members of the circuit there would have to be enough collaborating nodes out |
... | @@ -94,7 +94,7 @@ members of the circuit there would have to be enough collaborating nodes out |
|
there so that they would stand a reasonable chance of two malicious nodes
|
|
there so that they would stand a reasonable chance of two malicious nodes
|
|
getting selected enough times to be effective.
|
|
getting selected enough times to be effective.
|
|
|
|
|
|
=== Doesn't seem beyond the bounds of possibility. ===
|
|
### Doesn't seem beyond the bounds of possibility.
|
|
It's not and it would be a problem if the circuit contained just two nodes both
|
|
It's not and it would be a problem if the circuit contained just two nodes both
|
|
of which were collaborating with each other, since both would know who the tor
|
|
of which were collaborating with each other, since both would know who the tor
|
|
client is and the second node would know where the traffic is going. This is why
|
|
client is and the second node would know where the traffic is going. This is why
|
... | @@ -104,24 +104,24 @@ network. Three-hop circuits help guard against this attack because even if the |
... | @@ -104,24 +104,24 @@ network. Three-hop circuits help guard against this attack because even if the |
|
entry node and the relay node know who the tor client is they still don't know
|
|
entry node and the relay node know who the tor client is they still don't know
|
|
where the traffic is going, unless they also own the exit node.
|
|
where the traffic is going, unless they also own the exit node.
|
|
|
|
|
|
=== So what it boils down to is: if the same person owns all the nodes on your circuit you're screwed? ===
|
|
### So what it boils down to is: if the same person owns all the nodes on your circuit you're screwed?
|
|
Yes. And if they owned all the nodes on your circuit they wouldn't even need a
|
|
Yes. And if they owned all the nodes on your circuit they wouldn't even need a
|
|
specially-modified version of Tor to figure out who you are.
|
|
specially-modified version of Tor to figure out who you are.
|
|
|
|
|
|
=== Oh, how come? ===
|
|
### Oh, how come?
|
|
|
|
|
|
{{{
|
|
```
|
|
client:a <---> tornode1:9001
|
|
client:a <---> tornode1:9001
|
|
tornode1:b <---> tornode2:9001
|
|
tornode1:b <---> tornode2:9001
|
|
tornode2:c <---> tornode3:9001
|
|
tornode2:c <---> tornode3:9001
|
|
tornode3:d <---> host:e
|
|
tornode3:d <---> host:e
|
|
}}}
|
|
```
|
|
|
|
|
|
where a, b, c, and d are randomly chosen TCP ports and e is the TCP
|
|
where a, b, c, and d are randomly chosen TCP ports and e is the TCP
|
|
port used by host for contacting a service (such as 443 for HTTPS).
|
|
port used by host for contacting a service (such as 443 for HTTPS).
|
|
If all of the Tor nodes were paying attention, then
|
|
If all of the Tor nodes were paying attention, then
|
|
|
|
|
|
{{{
|
|
```
|
|
tornode1 knows that its connections involving client:a and tornode1:b are
|
|
tornode1 knows that its connections involving client:a and tornode1:b are
|
|
part of the same circuit
|
|
part of the same circuit
|
|
|
|
|
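Review bot: The second `{{{` block in this hunk, starting `tornode1 knows that its connections involving client:a and tornode1:b are`, is prose rather than a diagram, and converting it to a fenced block keeps it preformatted with its hard line breaks. Render these statements as a bullet list instead, and keep the fence only for the `client:a <---> tornode1:9001` connection diagram above it. The heading `### Oh, how come?` is also followed directly by the diagram with no sentence introducing it.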
... | @@ -130,7 +130,7 @@ part of the same circuit |
... | @@ -130,7 +130,7 @@ part of the same circuit |
|
|
|
|
|
tornode3 knows that its connections involving tornode2:c and host:e are
|
|
tornode3 knows that its connections involving tornode2:c and host:e are
|
|
part of the same circuit
|
|
part of the same circuit
|
|
}}}
|
|
```
|
|
|
|
|
|
Knowing all of these facts, these nodes could deduce that client:a and
|
|
Knowing all of these facts, these nodes could deduce that client:a and
|
|
host:e are actually communicating with one another. This is not a
|
|
host:e are actually communicating with one another. This is not a
|
... | @@ -143,61 +143,61 @@ timing information. They just need TCP port pairs and accurate times |
... | @@ -143,61 +143,61 @@ timing information. They just need TCP port pairs and accurate times |
|
when TCP connections were established.
|
|
when TCP connections were established.
|
|
|
|
|
|
|
|
|
|
=== OK, I'm a bit worried now. Reassure me. What reduces the chances of my tor client choosing a circuit that contains computers all owned by the same person or organisation? ===
|
|
### OK, I'm a bit worried now. Reassure me. What reduces the chances of my tor client choosing a circuit that contains computers all owned by the same person or organisation?
|
|
Tor does a number of things to help prevent this sort of thing taking place and
|
|
Tor does a number of things to help prevent this sort of thing taking place and
|
|
reduce the impact when it does:
|
|
reduce the impact when it does:
|
|
{{{
|
|
```
|
|
i. New circuits are created at frequent intervals.
|
|
i. New circuits are created at frequent intervals.
|
|
ii. Computers within the same IP ranges are avoided on the same circuit
|
|
ii. Computers within the same IP ranges are avoided on the same circuit
|
|
}}}
|
|
```
|
|
The risk you're worried about actually has a catchy name: a 'Sybil Attack'. Wikipedia defines it as
|
|
The risk you're worried about actually has a catchy name: a 'Sybil Attack'. Wikipedia defines it as
|
|
"one in which an attacker subverts the reputation system of a peer-to-peer network
|
|
"one in which an attacker subverts the reputation system of a peer-to-peer network
|
|
by creating a large number of pseudonymous entities, using them to gain a disproportionately large influence."
|
|
by creating a large number of pseudonymous entities, using them to gain a disproportionately large influence."
|
|
|
|
|
|
=== OK so once you've set up a circuit (you can spare me the 'cable' metaphor from now on) you start sending your traffic along it? ===
|
|
### OK so once you've set up a circuit (you can spare me the 'cable' metaphor from now on) you start sending your traffic along it?
|
|
Correct.
|
|
Correct.
|
|
|
|
|
|
=== And what's to prevent all the computers on the circuit from reading your traffic and figuring out what website you're browsing? ===
|
|
### And what's to prevent all the computers on the circuit from reading your traffic and figuring out what website you're browsing?
|
|
The same thing as before. Your Tor client sends your traffic along the circuit
|
|
The same thing as before. Your Tor client sends your traffic along the circuit
|
|
encrypted with a key that only the exit node knows. To the entry guard and relay
|
|
encrypted with a key that only the exit node knows. To the entry guard and relay
|
|
node it's just indecipherable junk, and that includes the ultimate destination
|
|
node it's just indecipherable junk, and that includes the ultimate destination
|
|
of the traffic, e.g. http://www.google.com.
|
|
of the traffic, e.g. http://www.google.com.
|
|
|
|
|
|
=== But the exit node *can* read my traffic? ===
|
|
### But the exit node *can* read my traffic?
|
|
If you are browsing a site like http://www.google.com, yes.
|
|
If you are browsing a site like http://www.google.com, yes.
|
|
|
|
|
|
=== That doesn't seem very secure. ===
|
|
### That doesn't seem very secure.
|
|
It's not. If you can be identified by your traffic alone, then your exit node
|
|
It's not. If you can be identified by your traffic alone, then your exit node
|
|
can identify you. Remember that the exit node is the point at which your traffic
|
|
can identify you. Remember that the exit node is the point at which your traffic
|
|
enters the 'real' internet. From the website's point of view, it's as though
|
|
enters the 'real' internet. From the website's point of view, it's as though
|
|
someone at the exit node's computer is browsing them.
|
|
someone at the exit node's computer is browsing them.
|
|
|
|
|
|
=== So I can't browse securely with Tor? ===
|
|
### So I can't browse securely with Tor?
|
|
Of course you can. If you are browsing https://www.google.com rather than
|
|
Of course you can. If you are browsing https://www.google.com rather than
|
|
http://www.google.com, then the only thing the exit node will know is that it is
|
|
http://www.google.com, then the only thing the exit node will know is that it is
|
|
sending your traffic to https://www.google.com, it won't be able to read the
|
|
sending your traffic to https://www.google.com, it won't be able to read the
|
|
content of your traffic at all.
|
|
content of your traffic at all.
|
|
|
|
|
|
=== So the exit node will always know where my traffic is going? ===
|
|
### So the exit node will always know where my traffic is going?
|
|
Yes, always.
|
|
Yes, always.
|
|
|
|
|
|
=== But it won't know that it's my traffic? ===
|
|
### But it won't know that it's my traffic?
|
|
Exactly.
|
|
Exactly.
|
|
|
|
|
|
=== So if my traffic contains information that could identify me, I should always use a https:// website rather than a http:// one? ===
|
|
### So if my traffic contains information that could identify me, I should always use a https:// website rather than a http:// one?
|
|
Precisely. The https:// prefix on a website's name makes your browser connect to
|
|
Precisely. The https:// prefix on a website's name makes your browser connect to
|
|
the website using SSL (Secure Sockets Layer). This is a form of encryption that
|
|
the website using SSL (Secure Sockets Layer). This is a form of encryption that
|
|
ensures only the sender and receiver know the content of the traffic being
|
|
ensures only the sender and receiver know the content of the traffic being
|
|
passed between them.
|
|
passed between them.
|
|
|
|
|
|
=== Is this only available for websites? ===
|
|
### Is this only available for websites?
|
|
No. It is also available for sending and receiving mail (pop3s and stmps),
|
|
No. It is also available for sending and receiving mail (pop3s and stmps),
|
|
telnet sessions (ssh) and so on.
|
|
telnet sessions (ssh) and so on.
|
|
|
|
|
|
=== So as long as I use one of these secure protocols, I'm fine? ===
|
|
### So as long as I use one of these secure protocols, I'm fine?
|
|
"Well, up to a point Lord Copper..."
|
|
"Well, up to a point Lord Copper..."
|
|
|
|
|
|
=== Oh? ===
|
|
### Oh?
|
|
If you connect to a 'secure' website using the https:// prefix, you may receive
|
|
If you connect to a 'secure' website using the https:// prefix, you may receive
|
|
a pop-up warning. The actual content of the warning will vary depending on the
|
|
a pop-up warning. The actual content of the warning will vary depending on the
|
|
browser. It is generally something along the lines of 'The certificate used by
|
|
browser. It is generally something along the lines of 'The certificate used by
|
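Review bot: The items `i. New circuits are created at frequent intervals.` and `ii. Computers within the same IP ranges are avoided on the same circuit` are list entries, yet the `{{{` to fence conversion leaves them inside a code block. A Markdown ordered list would fit better here. Further down the hunk, `stmps` in `(pop3s and stmps)` should be `smtps`.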
... | @@ -206,7 +206,7 @@ different reasons, but the most important to be aware of, especially when using |
... | @@ -206,7 +206,7 @@ different reasons, but the most important to be aware of, especially when using |
|
Tor, is that someone between you and the website could be intercepting your
|
|
Tor, is that someone between you and the website could be intercepting your
|
|
secure traffic in such a way that they can actually read it.
|
|
secure traffic in such a way that they can actually read it.
|
|
|
|
|
|
=== Why 'especially when using Tor'? ===
|
|
### Why 'especially when using Tor'?
|
|
Do you remember we said that exit nodes are the only ones who can read your
|
|
Do you remember we said that exit nodes are the only ones who can read your
|
|
traffic? If you are browsing https://google.com it will only be able to read
|
|
traffic? If you are browsing https://google.com it will only be able to read
|
|
junk. Under normal circumstances. But when you first connect to
|
|
junk. Under normal circumstances. But when you first connect to
|
... | @@ -221,70 +221,70 @@ https://google.com. The exit node will accept the traffic you send to |
... | @@ -221,70 +221,70 @@ https://google.com. The exit node will accept the traffic you send to |
|
google.com, read it, and then pass it on to the real google.com. This is known
|
|
google.com, read it, and then pass it on to the real google.com. This is known
|
|
as a 'Man in the Middle' attack (MITM for short).
|
|
as a 'Man in the Middle' attack (MITM for short).
|
|
|
|
|
|
=== But couldn't this happen on the 'normal' internet? ===
|
|
### But couldn't this happen on the 'normal' internet?
|
|
Yes it could, and does. Anyone with a computer along the route between your
|
|
Yes it could, and does. Anyone with a computer along the route between your
|
|
computer and the website you are connecting to could do this.
|
|
computer and the website you are connecting to could do this.
|
|
|
|
|
|
=== Is it easy to do on the 'normal' internet? ===
|
|
### Is it easy to do on the 'normal' internet?
|
|
On the 'normal' internet, not that easy. It would generally have to be an
|
|
On the 'normal' internet, not that easy. It would generally have to be an
|
|
insider at your ISP or any other ISP or service provider along the route your
|
|
insider at your ISP or any other ISP or service provider along the route your
|
|
traffic takes. Or someone who has gained illegal access to an ISP's resources.
|
|
traffic takes. Or someone who has gained illegal access to an ISP's resources.
|
|
|
|
|
|
=== Is it easy to do on Tor? ===
|
|
### Is it easy to do on Tor?
|
|
It as easy as setting up a Tor exit node and running a packet sniffer on your
|
|
It as easy as setting up a Tor exit node and running a packet sniffer on your
|
|
local network connection.
|
|
local network connection.
|
|
|
|
|
|
=== So it happens? ===
|
|
### So it happens?
|
|
Yes. http://www.derangedsecurity.com/time-to-reveal%e2%80%a6/
|
|
Yes. http://www.derangedsecurity.com/time-to-reveal%e2%80%a6/
|
|
|
|
|
|
=== So do I have to be more careful about the security of my traffic than normal when using tor? ===
|
|
### So do I have to be more careful about the security of my traffic than normal when using tor?
|
|
No, you should always be more careful about the security of your traffic.
|
|
No, you should always be more careful about the security of your traffic.
|
|
|
|
|
|
=== But once I'm careful with my traffic while using Tor, I will always be completely anonymous, right? ===
|
|
### But once I'm careful with my traffic while using Tor, I will always be completely anonymous, right?
|
|
It depends who you want to be anonymous from. Tor may not protect you from a snooper who has worldwide
|
|
It depends who you want to be anonymous from. Tor may not protect you from a snooper who has worldwide
|
|
reach. For example, an organisation that could somehow watch the traffic of every node on the Tor network.
|
|
reach. For example, an organisation that could somehow watch the traffic of every node on the Tor network.
|
|
|
|
|
|
=== Why's that? ===
|
|
### Why's that?
|
|
If someone can watch the traffic of every Tor server out there, they can time traffic as it enters and leaves
|
|
If someone can watch the traffic of every Tor server out there, they can time traffic as it enters and leaves
|
|
all of the servers and start figuring out where a particular piece of traffic entered and left the tor network (without breaking any encryption).
|
|
all of the servers and start figuring out where a particular piece of traffic entered and left the tor network (without breaking any encryption).
|
|
This means they have figured out where a particular circuit starts and ends in the tor network. So by extension
|
|
This means they have figured out where a particular circuit starts and ends in the tor network. So by extension
|
|
they know who was using the circuit and where the traffic on the circuit went.
|
|
they know who was using the circuit and where the traffic on the circuit went.
|
|
|
|
|
|
=== And can anyone actually do that? ===
|
|
### And can anyone actually do that?
|
|
It's possible that one or more security institutions in the "Five Eyes" surveillance states (United States, UK, Canada, New Zealand, and Australia) can get quite close to doing it. It's hard to tell the extent of their capabilities, but some of the surveillance revelations in 2013 indicated that while they are actively working to attack Tor they are not able to deanonymize users en masse. However, Tor's design does not claim to be able to prevent a sufficiently-capable global adversary from deanonymizing users so you should not assume it is able to (especially if you might be individually targeted).
|
|
It's possible that one or more security institutions in the "Five Eyes" surveillance states (United States, UK, Canada, New Zealand, and Australia) can get quite close to doing it. It's hard to tell the extent of their capabilities, but some of the surveillance revelations in 2013 indicated that while they are actively working to attack Tor they are not able to deanonymize users en masse. However, Tor's design does not claim to be able to prevent a sufficiently-capable global adversary from deanonymizing users so you should not assume it is able to (especially if you might be individually targeted).
|
|
|
|
|
|
=== So if I can't be sure of my anonymity from the likes of the NSA and GCHQ, who can I be sure of anonymity from? ===
|
|
### So if I can't be sure of my anonymity from the likes of the NSA and GCHQ, who can I be sure of anonymity from?
|
|
Anyone who does not have access to your computer. Though 'access to your computer' has a broader definition
|
|
Anyone who does not have access to your computer. Though 'access to your computer' has a broader definition
|
|
than you might think.
|
|
than you might think.
|
|
|
|
|
|
=== You mean someone who has hacked in to my computer? ===
|
|
### You mean someone who has hacked in to my computer?
|
|
Hackers, yes. But you might be surprised to learn that even websites can find subtle ways of accessing your
|
|
Hackers, yes. But you might be surprised to learn that even websites can find subtle ways of accessing your
|
|
computer, even in a minimal way, that can allow them to find out who you are.
|
|
computer, even in a minimal way, that can allow them to find out who you are.
|
|
|
|
|
|
=== Like figuring out what Operating System I'm using? ===
|
|
### Like figuring out what Operating System I'm using?
|
|
Yes, though that's pretty harmless. Websites can use Javascript to retrieve the name of the web browser,
|
|
Yes, though that's pretty harmless. Websites can use Javascript to retrieve the name of the web browser,
|
|
operating system, and even the CPU you are using on your computer.
|
|
operating system, and even the CPU you are using on your computer.
|
|
|
|
|
|
=== That doesn't sound like a big deal. ===
|
|
### That doesn't sound like a big deal.
|
|
It's not. But javascript can also be used by websites to launch java applets and flash plugins in your browser. This is
|
|
It's not. But javascript can also be used by websites to launch java applets and flash plugins in your browser. This is
|
|
pretty close to running a stand-alone program on your computer and can achieve such mischief as figuring out your
|
|
pretty close to running a stand-alone program on your computer and can achieve such mischief as figuring out your
|
|
real IP address and sending it back to the website.
|
|
real IP address and sending it back to the website.
|
|
|
|
|
|
=== Now that sounds like a big deal. What should I do? ===
|
|
### Now that sounds like a big deal. What should I do?
|
|
The scorched-earth approach is to disable the following in your browser:
|
|
The scorched-earth approach is to disable the following in your browser:
|
|
|
|
|
|
{{{
|
|
```
|
|
1. Cookies
|
|
1. Cookies
|
|
2. Javascript
|
|
2. Javascript
|
|
3. Java
|
|
3. Java
|
|
4. All plugins
|
|
4. All plugins
|
|
}}}
|
|
```
|
|
|
|
|
|
=== Cookies? What are they again? ===
|
|
### Cookies? What are they again?
|
|
They are small files on your computer that some websites create to keep track of your visits. If you visit a site
|
|
They are small files on your computer that some websites create to keep track of your visits. If you visit a site
|
|
non-anonymously, then re-visit it anonymously with the same cookie you are not very, um, anonymous.
|
|
non-anonymously, then re-visit it anonymously with the same cookie you are not very, um, anonymous.
|
|
|
|
|
|
=== I'm not sure I know how to disable all this stuff every time I want to browse anonymously. ===
|
|
### I'm not sure I know how to disable all this stuff every time I want to browse anonymously.
|
|
Fortunately TorBrowser, a modified version of FireFox, can do all this for you automatically. You can download it
|
|
Fortunately TorBrowser, a modified version of FireFox, can do all this for you automatically. You can download it
|
|
from the Tor website. It does not disable all JavaScript by default, however. To do that you must select "Forbid scripts globally" from the menu under the "S" button on its toolbar.
|
|
from the Tor website. It does not disable all JavaScript by default, however. To do that you must select "Forbid scripts globally" from the menu under the "S" button on its toolbar.
|
|
|
|
|
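Review bot: `It as easy as setting up a Tor exit node` under "Is it easy to do on Tor?" is missing its verb and should read `It is as easy as`. The `1. Cookies` to `4. All plugins` block near the end is a numbered list that the conversion leaves inside a code fence; plain Markdown list syntax would render it properly. The bare link `http://www.derangedsecurity.com/time-to-reveal%e2%80%a6/` would also read better as a titled Markdown link.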