Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CONTENT-CHANGE] Remove/Edit recommendations of Tor #19

Open
sourcefrog opened this issue Mar 23, 2020 · 19 comments
Open

[CONTENT-CHANGE] Remove/Edit recommendations of Tor #19

sourcefrog opened this issue Mar 23, 2020 · 19 comments
Assignees
Labels
enhancement New feature or request

Comments

@sourcefrog
Copy link

Justification

Tor has complex security tradeoffs, and isn't a good recommendation for everyone.

On the up side, it hides your traffic from your wifi operator or ISP. On the downside, traffic eventually exits through an exit node who is completely unknown and unaccountable to you, and this exit node can both inspect and modify the traffic.

So as a baseline, Tor is a good choice for people who would rather roll the dice in trusting anyone in the world than trust their local network. That might be the case for criminals, political dissidents or people suffering domestic abuse, but it doesn't seem like the right tradeoff for the majority of users, who have a not-actively-hostile commercial ISP.

You say, and I would agree, that you should be careful in connecting to public wifi, because it may conduct active or passive attacks. But very similar problems apply to using Tor, with perhaps less obvious benefit.

As well as the performance impact, one should also consider:

  • a possible false sense of security if information leaks through DNS or other programs
  • Tor-supporting browsers might lag behind the upstream Firefox or Chromium in fixing security bugs
  • whether using a browser with Tor built in or a separate proxy, you have a larger trusted software base
@sourcefrog sourcefrog added the enhancement New feature or request label Mar 23, 2020
@Lissy93
Copy link
Owner

Lissy93 commented Mar 23, 2020

This is all very true

The thing I've found hardest about maintaining this list is documenting all trade-offs, and addressing users of different levels in a single list- what is good for an advanced user probably isn't appropriate for someone just getting started, and visa-versa.

I don't mean to give anyone a false sense of security- with Tor being a good example. It's sometimes hard to get across the point that just using the software won't make someone instantly anonymous and secure. Sometimes it could actually degrade security if not used correctly. And that each item has trade-offs: bugs, undiscovered vulnerabilities, questionable origins etc

I've now added a note about this, here. And for Tor specifically I made a small update: 7218abd to address the issue. Thanks for raising this 🙌

@Lissy93
Copy link
Owner

Lissy93 commented Mar 23, 2020

But for the other software on the list, it probably doesn't go far enough - there could be a whole list of issues and warnings related to almost every item in the list, and although I've documented the most serious of those (like PGP, VPN etc in the #word-of-warning sections), there is a lot missing. I'm not sure if it would be viable right now to include all the drawbacks of all the software, since most issues either overlap, or are being discovered and fixed all the time. I would hope that people have a threat model, or at least do bit of research, before heavily relying on anything

@sourcefrog
Copy link
Author

Yes, I see what you mean about the trade-offs.

You took the time to write this so you can decide what the policy is. In my view it would be more helpful to structure it as:

  1. Here is good advice for everybody: don't reuse passwords, apply updates promptly, encrypt your devices, turn on 2fa, use Gmail with enhanced protection. This list ought to be pretty short and not suggest doing anything, like Tor, that's likely to make things worse or introduce new risks or be too complicated to sustain.

  2. Advice for people who are more technical or expect to be at higher risk.

  3. Advice for people who expect to be targeted by governments and who're willing to make difficult trade-offs. Maybe Tor etc is here.

@Lissy93
Copy link
Owner

Lissy93 commented Mar 26, 2020

Yeah- that makes sense, and was what I was trying to do with the middle column here, do you think it isn't clear enough?
I couldn't think of any better words than Recommended, Optional and Advanced - which when I look at it again, maybe doesn't really make sense.

So you think if I ranked it as Everybody, Technical and Advanced that'd be clearer?

@Lissy93
Copy link
Owner

Lissy93 commented Mar 27, 2020

I wish there was a bit more flexibility with Markdown, I would add Tags to each item with Level, License, Language and IsMaintained. That would make things so much clearer to the reader. Am thinking of ditching this and creating a website instead, so that I can highlight important info in a much clearer way.

@0x192
Copy link
Contributor

0x192 commented Mar 30, 2020

I wish there was a bit more flexibility with Markdown, [...]. That would make things so much clearer to the reader. Am thinking of ditching this and creating a website instead, so that I can highlight important info in a much clearer way.

This is exactly what I was thinking when editing the list.

Personally I'd go with the Hugo open-source framework to build a very lightweight static website. Plus, it's really easy to deploy the site on Github pages with Hugo.

So you think if I ranked it as Everybody, Technical and Advanced that'd be clearer?

Only using Everybody and Advanced seems clearer too me.

@atomGit
Copy link

atomGit commented Dec 17, 2020

late to the party, but i have a couple comments here...

[Tor] doesn't seem like the right tradeoff for the majority of users, who have a not-actively-hostile commercial ISP.

i would passionately argue that point - most people DO have hostile ISP's that spy, inject data into the stream and/or are more than happy to comply with requests by law enforcement

i agree that Tor is likely not a great choice for most people (i wrote about that here if interested), but i personally think one should absolutely be using either a VPN and/or Tor and protecting themselves against ISP threats which are very real

You say, and I would agree, that you should be careful in connecting to public wifi, because it may conduct active or passive attacks.

this is mitigated with a VPN so far as i'm aware

But very similar problems apply to using Tor, with perhaps less obvious benefit.

how so?

a possible false sense of security if information leaks through DNS or other programs

a real problem indeed - on the VPN side, any decent VPN will offer DNS as well - with Tor, i'm not sure there are any normal DNS lookups, are there?

Tor-supporting browsers might lag behind the upstream Firefox or Chromium in fixing security bugs

i would posit that the only browser one should use with the Tor network is the one built by Tor which is a Firefox fork that is pretty well hardened and, though i'm not positive, i would certainly expect that any security bugs found are probably patched immediately

@sourcefrog
Copy link
Author

Hey @atomGit

I think your blog post is more balanced than this checklist was in March. I go a bit further in seeing more risks, and fewer benefits, in VPNs, for most users. I think https://gist.github.com/joepie91/5a9909939e6ce7d09e29 is a pretty good argument against them.

For the sake of simplicity let's talk about users in first world mostly-free countries, which seems to be the primary audience of this English language FAQ. The situation is so different in China or North Korea, where the government does very aggressive filtering on both the network and endpoint.

First of all, we have to set a baseline that users are running everything important over TLS from a modern implementation, and preferably secure DNS, otherwise none of these approaches have much safety.

late to the party, but i have a couple comments here...

[Tor] doesn't seem like the right tradeoff for the majority of users, who have a not-actively-hostile commercial ISP.

i would passionately argue that point - most people DO have hostile ISP's that spy, inject data into the stream and/or are more than happy to comply with requests by law enforcement

I have seen some stories about ISPs manipulating http or DNS, but I am not aware of data showing this is happening to most people. The highest-profile pattern I know of is turning DNS NXDOMAIN into a redirect to an ad "Redirecting DNS for Ads and Profit", Weaver, but this is pretty trivially avoided by using DNS-over-HTTPS which security-sensitive users will want to do anyhow.

I'm not aware of any ISPs successfully injecting into, or blocking, HTTPS traffic, on a wide scale.

ISPs will comply with requests from law enforcement. Whether they are "more than happy" is hard to tell - some assert they will comply only as much as is required, and push back on over-broad requests. VPN providers will also need to comply with law enforcement requests and they cannot opt out. Possibly you can arbitrage or raise the bar by using a VPN headquartered in a different, or more privacy-respecting, country.

Users also need to make a personal assessment whether law enforcement action is in their top risks, and if it is, whether network traffic is a likely vector. There are some for whom this is true but the majority of people are not the subject of an investigation, and are much more likely to suffer from untargeted cybercrime.

I think it's very difficult for end users to ascertain with confidence whether X VPN provider is more or less likely to protect their privacy than Y ISP. Some ISPs have behaved badly and some VPNs have behaved badly.

ISPs primarily sell network connectivity, which is what I want to buy. Although they may be tempted to extract marginal profit by playing tricks, they also have large capital bases, are local companies subject to regulation, and have reputations to worry about. VPNs are capital-light, often in niche jurisdictions, and much of their pitch is snake oil.

i agree that Tor is likely not a great choice for most people (i wrote about that here if interested), but i personally think one should absolutely be using either a VPN and/or Tor and protecting themselves against ISP threats which are very real

The majority of hits there are about copyright infringement notices due to torrenting. For the specific case of users that want to torrent pirated content, a VPN might be an improvement. (Although it also gives an obvious place to attack.)

You say, and I would agree, that you should be careful in connecting to public wifi, because it may conduct active or passive attacks.

this is mitigated with a VPN so far as i'm aware

Yep, that's a reasonable use for it. I would primarily trust in my application TLS implementation. If I wanted additional protection I would run my own VPN, or use noe from a very credible company.

But very similar problems apply to using Tor, with perhaps less obvious benefit.

how so?

The similarity is that you can:

  1. Trust a random coffee shop's network provider not to record or alter your data (and hope the AP is not spoofed), or
  2. Trust a random Tor exit node not to record or alter your data.

Seems like a toss up to me.

a possible false sense of security if information leaks through DNS or other programs

a real problem indeed - on the VPN side, any decent VPN will offer DNS as well - with Tor, i'm not sure there are any normal DNS lookups, are there?

In theory all DNS can be sent over the VPN too. In practice it may be easy for lookups to leak if the user has turned the VPN off, or before the VPN is established. If the user strictly only ever uses the VPN and the computer is configured never to send un-encapsulated traffic, maybe it's OK. What happens when you encounter a captive portal or need to debug network problems?

If I was serious about this, then perhaps I'd have a separate Linux router strictly enforcing the VPN policy and dropping all other traffic, and a separate client connected only to that router and only used for whatever is the VPN's purpose. I wonder how many people will get that right.

It seems to demand a lot of opsec from the user and leakage is highly unlikely to be noticed by the user but noticed by a serious attacker. This sort of slip up contributed to the incarceration of Ross Ulbricht.

For any prophylactic measure that requires a careful user you have to think about the theoretical protection versus the actual protection when used by a typical user with all the normal distractions in life and human falibility.

Tor-supporting browsers might lag behind the upstream Firefox or Chromium in fixing security bugs

i would posit that the only browser one should use with the Tor network is the one built by Tor which is a Firefox fork that is pretty well hardened and, though i'm not positive, i would certainly expect that any security bugs found are probably patched immediately

Yeah, actually, this does not seem to be a problem. It seems like the Tor Browser releases are nearly simultaneous with Firefox ESR releases. Good for them.

So to sum up:

@sourcefrog
Copy link
Author

Just to stay on topic with the actual checklist:

@atomGit
Copy link

atomGit commented Dec 22, 2020

i think we'd agree that digital trust is a pipe dream, so whether it's a vpn, tor, etc., nothing can be trusted

that said...

I go a bit further in seeing more risks, and fewer benefits, in VPNs, for most users. I think https://gist.github.com/joepie91/5a9909939e6ce7d09e29 is a pretty good argument against them.

swap 'vpn' for 'tor' in that article and at least several of the arguments are still applicable, also the article isn't entirely against vpn's...

So when should I use a VPN?
There are roughly two usecases where you might want to use a VPN:

  1. You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.

a vpn is going to provide far better transparency (ease of use) for users than tor

I'm not aware of any ISPs successfully injecting into, or blocking, HTTPS traffic, on a wide scale.

comcast caught injecting at DuckDuckGo
isp caught injecting at DuckDuckGo
at&t caught injecting at DuckDuckGo

ISPs will comply with requests from law enforcement. Whether they are "more than happy" is hard to tell - some assert they will comply only as much as is required, and push back on over-broad requests. VPN providers will also need to comply with law enforcement requests and they cannot opt out.

assuming the vpn doesn't log, there is massive difference between the 2 - sure they can cooperate, but there should be little or nothing to share whereas any and all isp's are legally required to log a great deal of network data

also a vpn is bound by its privacy policy which, for any decent vpn, is gonna be a hell of a lot stronger than any mainstream isp

granted, a vpn is a roll of the dice, but so is everything else and unless the privacy issues are overwhelmingly one-sided, i think a vpn makes sense for the majority given the average threat model (i.e. not an investigative journalist, whistleblower, etc.)

@Lissy93
Copy link
Owner

Lissy93 commented Dec 22, 2020

With Tor, malicious exit nodes are very limited in the damage they can do when the user is visiting any HTTPS site.

A couple of years ago, this was a big problem, as it was easily possible to do this - as Dan Egerstad did, when he setup a malicious exit node, and successfully sniffed mail server credentials, allowing him to intercept 1000's of private emails between foreign embassy officials.

If a user is only browsing, and not entering any information- or only enters pre-encrypted data, then malicious exit nodes become much less of an issue. And of course this issue disappears while using .onion sites, because they don't require you to leave the Tor network.

But I agree that the risk of bad exit nodes, especially when visiting improperly secured websites should still be mentioned, I will add a note about this in the checklist

@sourcefrog
Copy link
Author

i think we'd agree that digital trust is a pipe dream, so whether it's a vpn, tor, etc., nothing can be trusted

We do. It's all a question of tradeoffs and managing the risks, and it inherently depends on the user's threat model and capabilities.

that said...

I go a bit further in seeing more risks, and fewer benefits, in VPNs, for most users. I think https://gist.github.com/joepie91/5a9909939e6ce7d09e29 is a pretty good argument against them.

swap 'vpn' for 'tor' in that article and at least several of the arguments are still applicable,

I agree.

also the article isn't entirely against vpn's...

Neither am I. I just think for many users, in many situations, they are not a good use of time or money. (Specifically: person in an at least mostly-free country, not doing any crimes, on a reputable ISP.)

So when should I use a VPN?
There are roughly two usecases where you might want to use a VPN:

  1. You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.

a vpn is going to provide far better transparency (ease of use) for users than tor

probably agree

I'm not aware of any ISPs successfully injecting into, or blocking, HTTPS traffic, on a wide scale.

comcast caught injecting at DuckDuckGo
isp caught injecting at DuckDuckGo
at&t caught injecting at DuckDuckGo

None of these seem to be about injection into HTTPS.

Although there is a good report by Citizen Lab about those countries forcing downgrades to HTTP and then injecting crypto mining malware. I think this is probably too overt to happen in the west because ISPs, unlike Tor nodes, can be held accountable.

ISPs will comply with requests from law enforcement. Whether they are "more than happy" is hard to tell - some assert they will comply only as much as is required, and push back on over-broad requests. VPN providers will also need to comply with law enforcement requests and they cannot opt out.

assuming the vpn doesn't log, there is massive difference between the 2 - sure they can cooperate, but there should be little or nothing to share whereas any and all isp's are legally required to log a great deal of network data

I think the real heart of the matter here is that you can use an offshore VPN, whereas you must use a local ISP. It brings a different set of tradeoffs: they may not be easily reachable by your local law enforcement, but they are also not subject to your home country's privacy regulator. You're basically taking their word that they don't and can't log anything.

@sourcefrog
Copy link
Author

With Tor, malicious exit nodes are very limited in the damage they can do when the user is visiting any HTTPS site.

I personally would still worry about a malicious network even if I think all my traffic is HTTPS:

  • Is there any unencrypted leakage? (Maybe if a Tor browser is the only endpoint software, the risk is reduced.)
  • Are there new HTTPS vulnerabilities, like CRIME in the past?
  • Are there new TLS-and-below endpoint vulnerabilities, like HEARTBLEED in the past?
  • Is my traffic vulnerable to downgrade attacks?

I acknowledge there are scenarios where it's a good tradeoff, I just don't think they apply to most users most of the time. The alternative case is that the server sees their IP, and the ISP sees their traffic patterns and remote IPs (but not even domain names any more).

If a user is only browsing, and not entering any information- or only enters pre-encrypted data, then malicious exit nodes become much less of an issue.

I'm not sure there's a reliable distinction of passively read-only access on the web today. If the attacker can break the stream, they can inject new javascript, collect credentials, etc.

@matkoniecz
Copy link
Contributor

Yeah- that makes sense, and was what I was trying to do with the middle column here, do you think it isn't clear enough?
I couldn't think of any better words than Recommended, Optional and Advanced

"Advanced" is not clear at all to me, especially for cases like mine where I am advanced user without need for extreme security. I would definitely not route all my traffic through Tor - sadly, many things would break making this tradeoff not viable to me. And as far as my time is worth allocating there are more effective tasks to handle leaking data.

Maybe

  • "For everyone" (or more opinionated "Mandatory")
  • Optional
  • Optional, has serious tradeoffs (with word "tradeoffs" linking to place documenting it)
    ?

matkoniecz added a commit to matkoniecz/personal-security-checklist that referenced this issue Nov 1, 2021
- fix typos
- change "optimal security" to "increased security", in many cases it would not be optimal given how many things will break on Tor
- link issues discussing tradeoffs

In general I would make it more clear that it is not always worth doing. Maybe "Advanced" should be "Advanced, has serious tradeoffs" with word tradeoffs linking separate page documenting issues mentioned in Lissy93#19?
@sourcefrog
Copy link
Author

Thanks for linking to the issue in #64, @matkoniecz.

The new text still has

For increased security, route all your internet traffic through the Tor network.

which, personally, I don't think is a robust general recommendation.

And as far as my time is worth allocating there are more effective tasks to handle leaking data.

Right, I think good security recommendations ought to think about complexity as well. Adding more things takes up the user's time, makes the system more complex and harder to understand, and increases the risk that one of the components itself becomes vulnerable.

So you think if I ranked it as Everybody, Technical and Advanced that'd be clearer?

Maybe rather than categorizing them as "more security" or whatever the FAQ could talk about user archetypes in a partial order something like this:

  • I just generally want to be safe on the internet
  • ... and I want to keep one aspect of my online life separate from another
  • ... and I dislike ad-targeting profiles being built about me
  • I like playing with and learning about security technology, even if it makes things more complicated than is really advisable
  • I expect my ISP/college/employer/family may be sniffing my internet traffic and I'm doing things they wouldn't like
  • I am doing things that could attract adverse local law-enforcement attention
  • ... including subpoenas of service providers or other parties I deal with
  • ... and possibly physical seizure and search of my home and devices
  • ... including people I talk to online testifying or collecting evidence against me, or manipulating me
  • I expect to be targeted by foreign intelligence agencies
  • ... by domestic intelligence agencies or national law enforcement agencies
  • ... and I may be of special interest justifying individual attention and targeted exploitation

@Lissy93 Lissy93 pinned this issue Apr 11, 2022
@atomGit
Copy link

atomGit commented Jul 14, 2022

@Lissy93 said...

With Tor, malicious exit nodes are very limited in the damage they can do when the user is visiting any HTTPS site.

then why do they exist, especially since most traffic is SSL'd now? could be exploration, or...

the security of Tor assumes encryption is secure and i have very little faith in that assumption

if it's the ISP or the corporation that is the enemy, encryption may be/is fine, but if it's the intelligence apparatus, there's no way of knowing and given that they have access to computing power orders of magnitude in excess of anything in the public sector, it seems to me it is only logical to assume that encryption is useless in that regard - matter of fact, those are the exact words ("encryption is useless") told to me buy a guy i sold a PC to who claimed to have once worked for the U.S. gov (or as a contractor) and who had a crypto clearance - we talked about some sensitive subjects and i suggested we continue using encrypted mail when he fired back with those words

furthermore, Tor funding by DoD is a huge turn-off

DoD funding of Tor • MuckRock - look at the time span of these requests

Yasha Levine | Privacy Spooks: Tor was (and is) funded by the US government
https://yashalevine.com/articles/tor-spooks

US government increases funding for Tor, giving $1.8m in 2013 | Encryption | The Guardian
https://www.theguardian.com/technology/2014/jul/29/us-government-funding-tor-18m-onion-router

lastly, an entire Tor network can apparently be run on a single machine by a bad actor (your ISP) using something like the Shadow Network Simulator

in the end nothing can be trusted, not Tor nor a VPN, so take the above for what it's worth and don't stop speaking out due to fear of being surveilled

Lissy93 added a commit that referenced this issue Jul 14, 2022
@Lissy93
Copy link
Owner

Lissy93 commented Jul 14, 2022

@Lissy93 said...

With Tor, malicious exit nodes are very limited in the damage they can do when the user is visiting any HTTPS site.

Looking at this one year later, and with fresh eyes- I think I was wrong when I said this.
Even with HTTPS, you can still be at risk. Either through SSL-stripping, drowngrading your request from https:// to http://, or an attacker using their own self-signed certificate. Although both should be visible to an experienced user, it's definitely not enough of a defence.

I will update the Tor section accordingly.
But I believe Tor does still have it's place for some users / some situations, so at present will not be removing it

@Lissy93
Copy link
Owner

Lissy93 commented Jul 14, 2022

On a side note, and just my own thoughts...
in the past year or so, I've personally found Tor much less usable for general stuff. Almost all clear-net sites you visit will make you do at least one CAPTCHA, any account you create on a non-onion site will likely be shut down, and half of websites just don't work at all.

And for .onion sites, there's still very few of them that are actually useful. Not many sites have a .onion version, and those which do are frequently still making requests to clearnet CDNs. Many of the links found in the hidden wikis are not trustworthy, it's too easy to land on a fake mirror. There's also a ton of degenerate content often, but I guess that one is to be expected.

@mort666
Copy link

mort666 commented Nov 29, 2023

Hi,

I thought this may be useful as extra insight into Tor for those making an educated decision, having been around a while myself back in the 1990s when Tor first surfaced as a tool, and like any tool, understanding how it works means you don't end up losing a finger...

Anyway, it is worth noting that yeah, DoD Fund of Tor links articles really only give a small part of the picture, it is worth having a look at the 'Archived' version of the original 'Onion Router' site if you've never seen it before, many will not have... You can find it at 'https://www.onion-router.net/', the 'History' and 'Sponsors' pages are good for clearing up everything, much better than gloss the Tor Project have on their site tbh. Like the Internet itself (so many people forget that) DARPA alongside the ONR (Office of Naval Research) started the project, the first 3 generations (by first 3, I mean gen 0, 1 and 2) of Tor were developed by the ONR, NRL (US Naval Research Labs) and DARPA. It is only relatively recently changes in Tor have moved away from what the those groups built in the early 2000s after it was given in essence to the public domain in the 2004.

If memory serves, part of the initial requirement for this btw, came from US Naval Intelligence prior to the end of the cold war for it to be used by Spooks to stay hidden from the Soviets, it always makes me smile when I think about it now with so much of the 'hidden crap on Tor' these days is now run by the Russians....

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

7 participants
@mort666 @sourcefrog @matkoniecz @atomGit @Lissy93 @0x192 and others