JMJones0424 Posted February 18, 2009 Report Posted February 18, 2009 This is a simple question with a difficult answer. How effective is TOR, or the onion routing network, in maintaining anonymity? Barring huge resources dedicated to traffic analysis, is TOR a reliable means of anonymity? Thanks for your help. Quote
alexander Posted February 18, 2009 Report Posted February 18, 2009 that depends on what you mean by anonymity? but in short, it's not bad, in order to trace transactions on tor, someone would have to spy on 1/2-1/4 the network to have a good enough chance to detect the route, and in all reality it's not that easy... But it depends on what you are hiding from, and what you are hiding exactly... Why do i ask about anonymity, well, it can certainly obfuscate your connection ip in some cases? If it's malicious in nature, and someone really cares, depending on where you go and what you do, it is very hard to trace through tor, but trust me, there are people and, uuh, agencies, that have some neat ways. To remind you, tor was developed for and by the Navy for another layer of obfuscation of agents reporting back in, another layer, not the sole means, and that is for a reason... So is it bullet proof? As the guy who extensively developed tor (Paul Syverson) told me, in theory onion routing networks are more secure then they are in practice, there are many things that can go wrong in the implementation... hence the warnings. # Tor only protects Internet applications that are configured to send their traffic through Tor — it doesn't magically anonymize all your traffic just because you install it. We recommend you use Firefox with the Torbutton extension.# Browser plugins such as Java, Flash, ActiveX, RealPlayer, Quicktime, Adobe's PDF plugin, and others can be manipulated into revealing your IP address. You should probably uninstall your plugins (go to "about:plugins" to see what is installed), or investigate QuickJava or FlashBlock if you really need them. Consider removing extensions that look up more information about the websites you type in (like Google toolbar), as they may bypass Tor and/or broadcast sensitive information. Some people prefer using two browsers (one for Tor, one for unsafe browsing). Torbutton provides many features to protect your anonymity. It can be safely used instead of many plugins, such as FoxyProxy or NoScript.# Beware of cookies: if you ever browse without Tor and Privoxy and a site gives you a cookie, that cookie could identify you even when you start using Tor again. You should clear your cookies frequently. CookieCuller can help protect any cookies you do not want to lose.# Tor anonymizes the origin of your traffic, and it encrypts everything inside the Tor network, but it can't encrypt your traffic between the Tor network and its final destination. If you are communicating sensitive information, you should use as much care as you would on the normal scary Internet — use HTTPS or other end-to-end encryption and authentication.# While Tor blocks attackers on your local network from discovering or influencing your destination, it opens new risks: malicious or misconfigured Tor exit nodes can send you the wrong page, or even send you embedded Java applets disguised as domains you trust. in applications like email as well as some others, tor is also not a good means of "anonymising" the communication, because of the nature of the protocol and it's implementation... Quote
JMJones0424 Posted February 18, 2009 Author Report Posted February 18, 2009 I realize the limits of TOR as you have laid out. With those in mind, is there a more effective alternative for someone who just doesn't wish to be noticed, not necessarily someone who would garner the full wrath of "agencies"? What would Phil Zimmerman recommend? Quote
alexander Posted February 18, 2009 Report Posted February 18, 2009 more effective? it depends on what it is you are doing. Tor works great for someone who is trying to not be noticed, but it's not a tool that does not get you not noticed, its a tool that hides your connection's true identity, it's the actions that get noticed, not the connection, the connection only connects a face to the actions. So, if you are not trying to be noticed, you can do something as simple as using a public proxy, or a public box with a shell account, it's a hell of a lot faster then going through tor. Other then that, use tor, use encryption, and dont get yourself noticed, that will provide a good level of anonymity.... Quote
JMJones0424 Posted February 18, 2009 Author Report Posted February 18, 2009 Thanks, I believe you have answered my question in as much as TOR can be effective in defeating traffic analysis. Obviously, for more security, other measures are involved as well. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.