Tor Developer Busts Myths, Announces New Features

[Batu69]

 

The Tor Project gets a bad rap as being a playground for the guilty. That’s why Tor Project co-founder Roger Dingledine took the stage last week at DEF CON to bust popular myths and announce upcoming features related to the anonymity network that averages 2 million users a day.

 

Dingledine’s biggest beef when it comes to Tor misinformation is the network’s alleged association with the “dark web.”

 

“Most people use Tor to safely reach ordinary websites. A tiny fraction of Tor traffic makes up what overhyped journalists call the ‘dark web,'” he said. “Yes, there are bad people in the world. And some of them use Tor. But at this point with the millions of people using Tor every day, the average user is the average internet user.”

 

He estimated that only 3 percent of Tor users use the service to connect to hidden websites and services. He argued criminals don’t need or want Tor.

“Bad guys can easily build a temporary tool that can be used for a week that only 10 people use and they’ll never tell anyone about it. That’s the terrorist or the bad guy problem. They have so many more options beyond Tor.”

 

Dingledine said there are misconceptions about funding of the Tor Project by the U.S. government in some way compromises Tor’s core mission.

“If you only learn about Tor through some in the media, they have been spreading inaccurate memes such as ‘the Navy wrote Tor so how can I trust it?'” he said. “The very short answer to that is, I wrote Tor – not the Navy.”

 

He said 80 percent of the funding for the Tor Project comes from government agencies such as the U.S. State Department, the National Science Foundation and the Open Technology Fund. “Our funding comes from a diversified number of groups within the U.S. government. That’s not as (diversified) as I’d like to be,” he said. About 15 percent of funding comes from outside donations.

 

Additional government conspiracy theories include the myth that the National Security Agency runs half the relays used in the Tor network. A Tor relay is also called a router or a node. There are 8,000 relays spread strategically around the world. They receive traffic on the network and pass it along to other relays, making it difficult for a third-party to know what website or service a Tor user is accessing.

 

“Indeed some intelligence agencies have run relays every so often. But, I know two-thirds of the people who run the relays personally. They simply aren’t,” he said of government snoops.

 

It doesn’t make any sense for the NSA to run relays, he maintains. “They are already watching AT&T, Deutsche Telekom and the cables underneath the oceans. They are already invested in surveilling the internet, so it makes no sense,” Dingledine said.

 

Fifteen years ago, Dingledine said, Tor received a well-deserved bad rap for being slow. Today that’s changed.

“My last talk at DEF CON was eight years ago and the topic was on why Tor is slow and what we are going to do about it,” he said. “Since then we have moved up to 100 gigabits of traffic and two or three times that in terms of capacity.” He said Tor is no longer slow – not by a longshot.

 

The last myth is, if you use Tor, the NSA is watching you. “Imagine if a friend came to you and said, ‘I heard if I use HTTPS the NSA is watching me so I’m not going to use encryption anymore. And from now on I’m going to be safe,” he said. “That’s crazy talk.”

 

What’s New: “Next Generation Tor Services”

During his DEF CON talk, Dingledine reviewed a bevy of new innovations and third-party improvements that users will see in the months and years ahead. There is a project with Privacy Enhancing Technologies Symposium community to improve Tor traffic analysis resistance. Part of those efforts include “Vanguard” which is a design that will (if it works out) make it a lot harder for people to locate (“de-anonymize”) onion services, he said.

 

“Tor clients and onion services already protect against many attacks by sticking to a single relay (called a Guard) for the first hop in all the paths, to limit the number of places that get to see their connection into the Tor network.

 

It looks like we can do even better for onion services by sticking to the same second hop and third hop too. But getting the design right is complicated, because there are many subtle ways to mess it up, so it will be a while yet until we build and deploy it,” wrote Dingledine in an email interview with Threatpost.

 

That said, the next generation of Tor includes a host of updates and fixes that are already rolling out. “We have a working version right now, but we haven’t put out a release yet that has this new code in it. We’re still cleaning it up and looking over it for potential bugs. We’re about to finish the Tor 0.3.1 branch — we put out another alpha version of it on Tuesday,” he said. A tentatively schedule for Tor 0.3.2 is December.

 

Topping the list of new features is switching from the old cryptosystem which includes the first 80 bits of the SHA-1 of the 1024-bit RSA key to a new system that uses the much stronger elliptic curve cryptography (ECC) keys, such as Ed25519 signature scheme.

 

“Switching from the old cryptosystem, which is not actually known to be a problem quite yet, but is probably going to look increasingly weak in the coming years, so now’s a great time to update it,” he said.

 

Other next-gen efforts include focusing on making it hard to set up relays in advance that target a particular onion service. This is accomplished via better hidden service directory (HSDir) design. Within Tor, HSDir functions similar to DNS serves, allowing a Tor client to ask one of the HSDirs to “resolve” the name of an onion site into information that can be used to reach it — its public key, plus how to rendezvous with that onion service over the Tor network.

 

Dingledine said, currently the HSDir relays are too predictable. “The six daily HSDirs for a given onion address are predictable into the future,” he said. The solution is to make the HSDir mapping include a communal random value that everybody agrees about, but that nobody can predict, according to Dingledine. “The directory authorities pick this value each day as part for their consensus voting process,” he said.

 

“Now it should be hard for jerks to run relays and discover otherwise unpublished onion addresses,” he added.

 

Lastly, Dingledine said Tor has designed and implemented a number of different deployment models (e.g. “Single Onion Services” and “OnionBalance”) that let you trade off location privacy for performance and scalability. “For example, Facebook and Debian use these features to provide faster, more scalable onion services,” he said.

 

“If you are not trying to hide the location of the onion service, and want users to be able to benefit from all the other Tor security features, than it makes a lot of sense to do this,” he said.

 

“Somehow we need to get to a place in the world where Tor is normalized enough to where people think that’s it’s totally crazy to say, ‘I’m not going to protect my metadata, because if I protect it then they will be watching me.'”

 

Article source

[stylemessiah]

Pffft, this guy is struggling to stay relevent...its well known that the FBI and NSA have p0wned Tor for quite a while, the FBI in fact started the running of relays itself, long before the NSA got on board. If you think youre somehow untraceable on Tor youre a damn fool, and deserve what you get if youre up to no good...

 

Dont believe this idiot...Tor is compromised, deal with it

[Togijak]

6 hours ago, stylemessiah said:

Dont believe this idiot...Tor is compromised, deal with it

 

 

[steven36]

 

[Togijak]

Is The Tor Browser Fully Anonymous? (The Myth and Reality)

[steven36]

20 hours ago, Togijak said:

Is The Tor Browser Fully Anonymous? (The Myth and Reality)

That concept  is flawed because if you ever used any known prism actors site like Gmail with you're real ip they already have a record of who you are .And gmail is not a vpn or Tor friendly site if you use ether they will lock you're emails up because they already have you're real ip 

 

Also  it dont provide no real answer too the exit node problem  and the answer is use security in layers  if you use tor browser only do it behind a  non logging vpn encase they happen too  be sniffing at the time.   And never use tor too sign into anywhere you used you're real ip on before. No wonder so many  people get caught they go by guides like these that only focus on the problem with no real answers . That site is a good site too read news about people getting busted all the time too see why tor alone  is just not good enough.

 

Quote

 

It can surely be a great way to increase your anonymity, especially if you trust your VPN provider more than your ISP. Actually it's like replacing your ISP with somebody else. And considering common data retention laws that apply to most of ISPs but not to VPN providers (for example, some of them operate offshore), the winner is obvious. You have also generally much more choices when it comes to VPN providers compared to ISPs. For maximum anonymity, you should buy your VPN service with mixed Bitcoins or via pre-paid/gift cards etc, or get a free one (e.g. securityKISS or riseup.net).

 

I suggest you read this article explaining it in more detail.

 

When choosing a VPN, one nice feature to look for is Multihop routing. It means that the public IP you get is different than the IP of gateway you're connecting to. This makes traffic analysis attacks somewhat difficult even if we assume that the attacker is monitoring every single Internet tube.

 

Of course, this all stands only if you trust the VPN provider that he does not store any logs about your usage. While it can be hard for you to trust some unknown for-profit company to keep their word, you can for sure trust your ISP that he is keeping the logs :-) Finally, business is business and if some VPN provider gives out some customers' data that he was not even supposed to have in the first place, he'll probably loose the business ending up like HideMyAss.

 

 

Quote

 

This is a matter of who are you trusting more? Your ISP or your VPN provider? Since you have a lot more choices with VPN providers than ISPs, it is logical to prefer the VPN provider over ISP. This is in a case where the schematic of your network looks something like the following:

User---VPN---Node 1 (Guard)--- Node 2 (middle node)--- Node 3 (exit node)--- destination site

 

There is one addtional outcome to this setup. Tor will not be able to determine where you are connecting from, even for reserch purposes. This may or may not give you some additional piece of mind that your data can not be used even in an anonymous way for reserch purpose.

 

The second option is to use the following topology:

User---Node 1 (Guard)---Node 2 (middle node)---Node 3 (exit node)---VPN---destination site

In this case The exit node can not snoop on you, but instead VPN can snoop on you. Now the question is who do you trust more? The VPN or exit node. You need to make a judgement here for yourself. There is one additional advantage to this setup: You may access the web sites that block Tor exit node. There is also one downside to this setup: The VPN IP address is not changing every 10 minutes or so.

 

The third option is to use the following topology:

User---VPN---Node 1 (Guard)--- Node 2 (middle node)---Node 3 (exit Node)---VPN---destination site

This look like a best of both worlds.

First, you have replaced the ISP with the VPN provider of your choice.

Second, you prevented Tor to figure out where you are connecting from.

Third, The destination Web sites that block Tor exit node do not block you.

Forth, Your data is completely encrypted all the way to the destination site and from destination site to you.

Fifth, You have increased the the number of nodes from 3 to 5 node and eliminated any possible exit node snooping.

Now there are some precautions you should take for this topology to work as intended.

 

1. Both your VPNs should be free of charge so that there is no money trail.

2. Your VPNs should be located outside your jurisdiction, advesaries jurisdiction and outside the adversaries jurisdiction of influence.

3. Tails with this setup will provide the best result because it is an amnesic system.

4. Do change the VPNs from time to time. for example every month or quarter.

5. If you find VPN provides with Multi-hop routing, that much the better.

There is still one downside to this setup. The destination sites will see a constant IP address (VPN IP address) until you change the VPN provider or if you are using multi-hop routing VPN provider.

 

https://tor.stackexchange.com/questions/1945/tor-via-vpn-good-extra-level-of-security-or-unnecessary