this post was submitted on 29 Jul 2023
361 points (100.0% liked)

Technology

37758 readers
649 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] Eggyhead@kbin.social 58 points 1 year ago* (last edited 1 year ago) (8 children)

It's really worth reading the article.

Tor can be used for any internet browsing you usually do. The key difference with Tor is that the network hides your IP address and other system information for full anonymity.

The company behind a VPN can still access your information, sell it or pass it along to law enforcement. With Tor, there’s no link between you and your traffic, according to Jed Crandall, an associate professor at Arizona State University.

I don't know if it's even possible, but it would be cool if I could use the fediverse over TOR just for the sake of supporting TOR. Not sure if there would have to be specific .onion instances, if normal instances could just be mirrored with a .onion address, or if a .onion instance would even be able to federated in the first place. I just don't know how it works.

Other use cases may include keeping the identities of sensitive populations like undocumented immigrants anonymous, trying to unionize a workplace without the company shutting it down, victims of domestic violence looking for resources without their abuser finding out or, as Crandall said, wanting to make embarrassing Google searches without related targeted ads following you around forever.

I'm certain an all-out legislative war would be waged against TOR if it were to become popularized for most of those reasons, under the more convenient guise of "criminals and children!"

[–] davehtaylor@beehaw.org 44 points 1 year ago (2 children)

Tor can be used for any internet browsing you usually do. The key difference with Tor is that the network hides your IP address and other system information for full anonymity

Also, this isn't true. MANY sites and services block access from Tor, including major ones that people use everyday.

[–] freeman@lemmy.pub 16 points 1 year ago (1 children)

Also. Those running an exit node can and do sniff traffic.

It’s bad practice to login to stuff that’s important (like banking) over tor. Or login to anything over for you have logged into over the clear.

Also, nation states can track you using a variety of techniques from fingerprinting to straight up working together to associate connection streams. A large number of tor nodes are run by alphabet agencies. Hell the protocol was developed by the us navy.

[–] diyrebel@lemmy.dbzer0.com 1 points 1 year ago* (last edited 1 year ago) (1 children)

Also. Those running an exit node can and do sniff traffic.

Sure, but if you stop there with that statement you’re just FUD-scaring people from using the service that does more for their privacy than conventional direct clearnet usage. Every connection that matters uses TLS so the exit node honeypot only sees where the traffic is going, not what’s in the traffic and not where it comes from. IOW, the exit node knows much less than your ISP.

It’s bad practice to login to stuff that’s important (like banking) over tor.

It’s the other way around. You should insist on using Tor for banking. It’s a bad practice to let your ISP track where you do all your banking.

Also, nation states can track you using a variety of techniques from fingerprinting to straight up working together to associate connection streams.

And your thesis is what, that we should make snooping easier for them by not practicing sensible self-defense?

A large number of tor nodes are run by alphabet agencies.

Let them work for it - and let them give the Tor network more bandwidth in the process.

[–] freeman@lemmy.pub 1 points 1 year ago* (last edited 1 year ago) (1 children)

Every connection that matters uses TLS so the exit node honeypot only sees where the traffic is going, not what’s in the traffic and not where it comes from. IOW, the exit node knows much less than your ISP.

That’s not a magic bullet for secuirty. There are so many ways to exploit connections. Look at what happened here on lemmy with vulns leading to takeovers of instances with xss of session cookies . Or what happened to Linus Sebastian and his YouTube channel, which has one of the largest, most security conscious companies backing it.

The primary difference is your ISP is not generally actively hostile. They may want to sell metadata but they aren’t actively trying to exploit you. And all it takes is a bad auto fill page, or even a fake/spoofed one on an account without mfa or a service with xss vulns etc.

And your thesis is what, that we should make snooping easier for them by not practicing sensible self-defense?

To your own point. Everything is TLS now right? That argument swings both ways. If your ISP (or in some cases a nation state is your isp) is actively tracking you, then there are other alternatives that may be better. Mullvad would sooner be used for banking than tor. Tor is also not all that often used en masse. If my township only has a single tor user (me) that makes me less private. An ISP can easily see who is enterting tor unless you are using more obfuscation like bridges and obfsproxy. It’s the same reason why checking the do not track box in your browser is less privacy oriented. It adds entropy to your fingerprint there.

But to answer my your question my thesis is tor is not necessarily a privacy panacea. The threat model an American or European has is much different than someone from Vietnam or turkey or China, which is also much different than someone from the Nordic countries.

[–] diyrebel@lemmy.dbzer0.com 1 points 1 year ago (1 children)

That’s not a magic bullet for secuirty.

It wasn’t presented as such. Good security comes in layers (“security in depth”). TLS serves users well but it’s not the only tool in the box.

There are so many ways to exploit connections. Look at what happened here on lemmy with vulns leading to takeovers of instances with xss of session cookies.

Tor Browser includes noscript which blocks XSS.

The primary difference is your ISP is not generally actively hostile. They may want to sell metadata but they aren’t actively trying to exploit you.

Selling your metadata is exploiting you. And this exploit happens lawfully under a still-existing Trump policy, so you have zero legal protections. Contrast that with crooks stealing money from your bank account, where, if it’s a US account, you have regulation E legal protections.

If your ISP (or in some cases a nation state is your isp) is actively tracking you, then there are other alternatives that may be better.

Different tools for different threat models. If you are actually targeted by a nation state, Tor alone is insufficient but it’s still in play in conjunction with other tech. But from context, you were giving general advice to the general public telling them not to use Tor for banking, thus targeting is not in the threat model. But mass surveillance IS (i.e. that of your ISP).

But to answer my your question my thesis is tor is not necessarily a privacy panacea.

Tor is an indispensable tool to streetwise users. Of course it is a tool among other tools & techniques.

The threat model an American or European has is much different than someone from Vietnam or turkey or China, which is also much different than someone from the Nordic countries.

Those threat models all have a common denominator: mass surveillance. It is safe to assume mass surveillance is in everyone’s threat model as a baseline. Of course there are a variety of other threats in each individual threat model for which you couldn’t necessarily anticipate.

[–] freeman@lemmy.pub 1 points 1 year ago (1 children)

Good security comes in layers (“security in depth”). TLS serves users well but it’s not the only tool in the box.

Im glad we agree. Because its the entire point. You are nitpicking where it suits you and thats not really honest conversation. Tor browser isnt the only way to access tor and if you are talking about making tor more accessible using things like phones is going to be needed. There are entire swaths of the world, billions of people, where phones are basically the only gateways to the inter.

And on a device with something like CalyxOS (or built with the app structure like calyxOS android based apps) that opens up a LOT more applications to using tor, some of which arent going to be locked down or configured appropriately. Its riskier. You seem to implicitly agree as you only pointed to a single example of XSS and just ignored other examples I provided..Surely we dont need to iterate through every attack vector out there? Because the point isnt those minutia there.

The point is, again, that Tor and specifically exit nodes are more hostile than normal ISP relays. They are actively malicious and often looking to exploit anything they can. Saying selling metatdata that is unencrypted is the same level of malicious as a nation state going after you (life and death) or having your identity or bank account stolen is clearly pretty naive. Even having your banking comprimised is a giant show stopper and theres no "well i have protections" flag to waive. You still have to deal with getting your funds back and paying for stuff to live in the interim. Its a very invasive process. Comparing that to an ISP selling your DNS queries (which im not even sure happens) is literally apples and orances

Those threat models all have a common denominator: mass surveillance. It is safe to assume mass surveillance is in everyone’s threat model as a baseline.

Thats a bad assumption. MOST people arent really concerned with it in the western world. Its why the apparatus exists. And thats not a Trump thing. its existed WAY before trump. Snowden showed that and it was Obama, not trump, that went after whistleblowers harder than any predecessor before them. Its why Snowden is still in exile to this day. Further trying to make this about "party" sides is a bad idea. Its something all parties, including most countries are not only a party to, but actively collaborating against. And there are some areas where straight access TOR is illegal and can get you in trouble. ANd the mass surveillance one country does (ie: US) is much different than another (ie China) so again its not just a giant brush to paint with there. Piping all data through Tor would make you look more suspicious in some of those latter countries and could increase your risk to fingerprinting or tracking, rather than selectively using it where and only when needed.

[–] diyrebel@lemmy.dbzer0.com 1 points 1 year ago* (last edited 1 year ago) (1 children)

Im glad we agree. Because its the entire point. You are nitpicking where it suits you and thats not really honest conversation.Tor browser isnt the only way to access tor

TLS is useful very specifically in the case of banking via Tor Browser, which is the most likely configuration the normal general public would use given the advice to access their bank over Tor.

There are entire swaths of the world, billions of people, where phones are basically the only gateways to the inter.

I do not recommend using a smartphone for banking. You’re asking for a huge attack surface & it’s reckless. People will do it anyway but to suggest that people should avoid Tor for banking on the basis that you’re assuming they are using a phone is terrible advice based on a poor assumption. Use Tor Browser from a PC for banking. That is the best advice for normies.

The point is, again, that Tor and specifically exit nodes are more hostile than normal ISP relays.

And again, those hostile nodes get less info than ISPs. They have to work harder to reach the level of exposure that your ISP has both technical and legal privilege to exploit.

Saying selling metatdata that is unencrypted is the same level of malicious as a nation state going after you (life and death) or having your identity or bank account stolen is clearly pretty naive.

Wow did you ever get twisted. You forgot that I excluded targeting by nation states from the threat model as you should. If someone has that in their threat model, they will know some guy in a forum saying “don’t use Tor for banking” is not on the same page, not aligned with their scenario, and not advising them. You don’t have to worry about Snowden blindly taking advice from you.

It’s naive to assume your ISP is not collecting data on you and using it against you. It’s sensible to realize the risk of a honeypot tapping your bank account and getting away with it and regulation E protections failing is unlikely enough to be negligible.

You still have to deal with getting your funds back and paying for stuff to live in the interim.

If you’re in the US, you have ~2-3 bank accounts on avg, and 20 credit cards (US averages). Not to mention the unlikeliness of an account getting MitM compromised despite TLS in the 1st place. Cyber criminals choose the easier paths, just as 3 letter agencies do: they compromise the endpoint. Attacking the middle of a tunnel is very high effort & when it’s achieved they aren’t going to waste it on some avg joe’s small-time bank acct. At best you might have some low-tech attempts that result in no padlock on the user side. But I’ve never seen that in all my years of exclusively banking over Tor.

Thats a bad assumption.

Not in the slightest. Everyone is subject to mass surveillance & surveillance capitalism.

MOST people arent really concerned with it in the western world.

Most people don’t even have a threat model, or know what it is. But if you ask them how they would like it if their ISP told their debt collector where they bank so the debt collector can go do an unannounced legal money grab, you’ll quickly realize what would be in their threat model if they knew to build one. A lot of Corona Virus economic stimulus checks were grabbed faster than debtors even noticed the money arriving on their account.

And thats not a Trump thing. its existed WAY before trump. Snowden showed that and it was Obama, not trump, that went after whistleblowers harder than any predecessor before them.

You missed the source I gave. Obama banned the practice of ISPs selling customer data without their consent. Trump reversed that. That is wholly 100% on Trump. Biden did not overturn Trump, so if you want, you can put some of the fault on Biden.

W.r.t history, echelon predates Snowden’s revelations and it was exposed to many by Nicky Hagar in the 80s or 90s. But this all a red herring because in the case at hand (banking customers accessing their acct), it’s the particular ISP role of mass surveillance that’s relevant, which Trump enabled. Or course there is plenty of other mass surveillance going on with banking, but all that is orthogonal to whether they use Tor or not. The role of Tor merely mitigates the ISP from tracking where they bank, and prevents banks from tracking where you physically are, both of which are useful protections.

Further trying to make this about “party” sides is a bad idea. Its something all parties

You can’t “both sides” this when it’s verifiable that Obama banned the practice and Trump overturned it. While Obama’s hands are dirty on a lot of things (e.g. Patriot Act continuity), it’s specifically Trump who flipped the switch to ISP overcollection. Citation needed if you don’t accept this.

And there are some areas where straight access TOR is illegal and can get you in trouble.

The general public knows your general advice to use/not use Tor is technical advice not legal advice, and also not specific to their particular jurisdiction.

[–] freeman@lemmy.pub 2 points 1 year ago

Im gonna be honest. I stopped reading here.

There are entire swaths of the world, billions of people, where phones are basically the only gateways to the inter.

I do not recommend using a smartphone for banking. You’re asking for a huge attack surface & it’s reckless. People will do it anyway but to suggest that people should avoid Tor for banking on the basis that you’re assuming they are using a phone is terrible advice based on a poor assumption. Use Tor Browser from a PC for banking. That is the best advice for normies.

again, the article is about "normies" using tor to get it to lose its stigma.. The only way it gets de-stigmatized is for "normies" to use it. The way "normies" access things is vastly different. There are risks to that. And its not just banking. Getting your email account hacked because you used it on a malicious exit node for one reason or another is just as bad, if not worse. Tor exit nodes are wholesale more malicious than your ISP.

I dont know why you are getting hyper fixated on specific use cases that were used as broad examples. Banking isnt the point its the general use of TOR and the risk it brings. Forest for the trees my guy.

Have a good one. We're done here.

[–] Devi@beehaw.org 3 points 1 year ago (5 children)

Which ones? I use it quite a lot and never found a site that has blocked me.

[–] CanadaPlus@lemmy.sdf.org 3 points 1 year ago (1 children)

There are a few, but there's always an alternative.

[–] FirstMajesticComet@lemmy.blahaj.zone 1 points 1 year ago (1 children)

I've also found that many ones that are blocked aren't completely blocked, I can access them by using a new circuit (lots of these sites seem to really hate European Exit nodes but anything else has typically worked).

[–] CanadaPlus@lemmy.sdf.org 2 points 1 year ago (1 children)

Is that what it is? Every once in a while I have to Ctrl+Shift+L it to get into something, but I've never watched that closely. What did Europe do to these guys?

[–] FirstMajesticComet@lemmy.blahaj.zone 1 points 1 year ago (1 children)

I think it might have something to do with the fact that much of Europe has privacy laws that protect their citizens and also makes it so people running nodes there don't have to kiss up to US companies. Hence why they block those nodes or just give them a huge amount of challenges to solve in hopes to frustrate them. Same with how they put annoying privacy pop-ups on the website in European locations which re-appear every time you login or visit the site.

[–] CanadaPlus@lemmy.sdf.org 3 points 1 year ago (2 children)

Same with how they put annoying privacy pop-ups on the website in European locations which re-appear every time you login or visit the site.

I mean, those are mandated, even if they're implemented deliberately poorly.

I know they require them, it's is the way that they're implemented that I'm referring to. Like they made it deliberately frustrating. Some of them one a few websites even pop up twice or even three times and you have to click them multiple times to get them to go down.

[–] davehtaylor@beehaw.org 3 points 1 year ago (1 children)

Last I tried you couldn’t access social media, Google constantly forces you through captchas because it thinks you’re a bot, and anything on a CDN will either constantly force captchas or just doesn’t work. Financial institutions absolutely are all inaccessible.

[–] Devi@beehaw.org 1 points 1 year ago

I've checked facebook, instagram and tiktok, they're all fine.

[–] TheOakTree@beehaw.org 1 points 1 year ago (1 children)

I remember hearing that Yelp blocks Tor users, but I'm not sure if that is the case through proxies.

Also iirc Cloudflare blocks all Tor exits.

[–] abclop99@beehaw.org 3 points 1 year ago (1 children)

I've used sites with cloudflare over Tor. They always seem to require pressing a check box, but usually work.

[–] kath@kbin.social 2 points 1 year ago (1 children)

I've noticed that just as the most aggressive ad blocker blockers are news media websites, the most aggressive tor-exit-node blockers are retail sites such as lowes.com. My working hypothesis is that they view anonymous transactions (or perhaps even anonymous window shopping) as stealing. When it comes to actionable data for market research, data about actual finalized transactions where actual money changed hands is the holy grail. It's the data that has skin in the game. As for window shopping online, you know the drill, you do that, you hear about it on Fecebook. Until recently I searched retail sites with the site: filter of a search engine (the one that works on Tor, of course), but until recently, most site searches were even more enshittified than most of the two search engines. Now search engines are out and Tor is out. Perhaps offline shopping is in. BTW, just for shits and giggles, try carrying a clipboard next time you visit a brick and mortar retail establishment and see what happens, or better yet, whip out your cell phone and start photographing not merchandise but shelf tags. Information is power, my friends.

[–] tnimkh@rammy.site 1 points 1 year ago (1 children)

They're right. I dont have specific examples but a lot of wikis and some general news sites blocked me when i used it.

[–] Devi@beehaw.org 4 points 1 year ago

I mean... I asked for examples and you gave 'there are examples but I don't know any', which is not really supporting the point here.

[–] wgs@lemmy.sdf.org 28 points 1 year ago

You don't need to access a .onion instance to use Tor. You can simply perform your day-to-day web usage through Tor directly.

On your phone, you can even use Tor natively with most of your apps.

[–] CanadaPlus@lemmy.sdf.org 10 points 1 year ago* (last edited 1 year ago) (1 children)

I've literally always browsed Lemmy over Tor. I even made this account over it, which surprised me when it worked.

[–] pemmykins@beehaw.org 1 points 1 year ago (2 children)

How do the big CDNs handle Tor traffic? Do you find you get blocked, or is it just a matter of more captchas/challenges?

[–] CanadaPlus@lemmy.sdf.org 4 points 1 year ago* (last edited 1 year ago) (1 children)

CloudFlare puts up a captcha occasionally, everything else just leaves me alone.

At this point using someone else's browser with no adblock feels more difficult to navigate.

[–] pemmykins@beehaw.org 2 points 1 year ago

I see, thanks! Yeah, surfing the web without Adblock is actually horrible these days.

[–] Bjaldr@discuss.tchncs.de 2 points 1 year ago

Lots of capchas usually, I can't remember being outright blocked when I used it

[–] Mummelpuffin@beehaw.org 5 points 1 year ago

I mean, I've used it. It works. But I don't get why you would bother most of the time. It's slow as hell and while I'm generally fairly concerned about my privacy there is a point where I can't be bothered.

[–] astral_avocado@programming.dev 5 points 1 year ago (1 children)

Just download Tor browser and go to Lemmy. World

[–] Eggyhead@kbin.social 4 points 1 year ago (1 children)

What effect would using Tor browser to access a non onion site have over using a different, privacy-focused browser? Honest question. I assumed Tor browser was no different than other browsers in that aspect.

[–] ctr1@fl0w.cc 4 points 1 year ago* (last edited 1 year ago) (1 children)

The difference is that your ISP doesn't know where your packets are headed, and the destination doesn't know where your packets came from. The ISP sees you connect to the entrance node and the destination sees you connect from the exit node, and it's very difficult for anyone to trace the connection back to you (unless they own both the entrance and exit and use traffic coorelation or some other exploit/fingerprint). Regardless, both parties are generally able to tell that you are using TOR if they reference lists of known entrance/exit nodes. Also the anti-fingerprinting measures taken by TB are a bit more strict than other privacy-focused browsers

[–] Eggyhead@kbin.social 5 points 1 year ago (2 children)

Thank you for the detailed answer. I’m surprised more people aren’t talking about using tor browser, considering how privacy-minded the community tends to be.

[–] astral_avocado@programming.dev 2 points 1 year ago* (last edited 1 year ago)

It is confusing, Tor is an excellent privacy tool if used properly (don't log in to stuff), but I guess it's still a technical hurdle to most. Probably also from a lack of marketing.

I think in countries where the government is decidedly more authoritarian it's more known. On my relay right now I see a ton of russian and a smaller amount of German connections.

[–] ctr1@fl0w.cc 1 points 1 year ago

No problem! And yeah, it's good to see people talking about it over here. I think it's the best tool for online privacy OOTB (depending on your threat model), and it gets better the more people use it.

[–] cultsuperstar@lemmy.ml 5 points 1 year ago* (last edited 1 year ago)

I'm certain an all-out legislative war would be waged against TOR if it were to become popularized for most of those reasons, under the more convenient guise of "criminals and children!"

I guess we'll have to see what happens after that right wing Twitter account posted CSAM, Twitter suspended the account, then Elon said they removed the posts and reinstated the account 🤷🏽‍♂️

[–] r00ty@kbin.life 5 points 1 year ago

Well any instance owner could also get an onion link and host the instance over tor.

Of course the instance itself can't really hide. Since it needs to federate with others that are not onions. But your accesses would all show as from localhost.

[–] diyrebel@lemmy.dbzer0.com 1 points 1 year ago* (last edited 1 year ago)

I don’t know if it’s even possible, but it would be cool if I could use the fediverse over TOR just for the sake of supporting TOR.

Here are two #Mastodon onion nodes:

  • iejideks5zu2v3zuthaxu5zz6m5o2j7vmbd24wh6dnuiyl7c6rfkcryd.onion
  • 7jaxqg6lfcdtosooxhv5drpettiwnt6ytdywfgefppk2ol4dzlddblyd.onion