- some_guy ( @some_guy@lemmy.sdf.org ) 2•3 hours ago
I have considered Tor safe for illicit activities for at least half a decade. Luckily, there’s no need for me to be on there. But this is bad news for people living in places where speech is heavily regulated plus journalists and would-be whistle-blowers.
- h4lf8yte ( @h4lf8yte@lemmy.ml ) 10•10 hours ago
As I read, they used timing analysis which should be preventable by using an anonymous VPN to connect to tor and streaming something over the VPN connection at the same time. Some of them support multi-hop, like mullvad, which will further complicate the timing analysis because of the aggregated traffic.
- Possibly linux ( @possiblylinux127@lemmy.zip ) English3•12 hours ago
What are you going to use instead?
Tor is the best tool you just need to know how to use it
- ExtremeDullard ( @ExtremeDullard@lemmy.sdf.org ) 20•19 hours ago
The TOR network itself is safe - at least assuming the TLAs don’t control at least half of the nodes, which is far from impossible. But let’s assume…
The weak point comes from the browser: that’s how the fuzz deanonymizes users. The only safe browser to use on TOR is the TOR browser, and that’s the problem: it disables so many unsafe functionalities that it’s essentially unusable on a lot of websites. So people use regular browsers over TOR, the browser leaks identifying data and that’s how they get caught.
- Trainguyrom ( @Trainguyrom@reddthat.com ) English3•7 hours ago
I mean, the advice I’ve heard for one who’s threat model is “the feds are actively trying to identify me” is to have a dedicated burner computer that you do all of your illegal activities on and no other activities. Then of course on top of that avoid saving secrets onto the device and type them in manually every time (ephemeral distros like Tails are good for that)
- delirious_owl ( @delirious_owl@discuss.online ) 3•12 hours ago
My understanding is that Tor Browser works fine, there’s just some dumb website owners that block Tor traffic by IP address.
- CCRhode ( @CCRhode@lemmy.ml ) 5•10 hours ago
And … guess what … www.bleepingcomputer.com, the source of the story, is one of those.
- delirious_owl ( @delirious_owl@discuss.online ) 4•10 hours ago
Maybe email them and let them know about the misconfiguration
Let them know that tor users can’t read their article about Tor
- chappedafloat ( @chappedafloat@lemmy.wtf ) English1•16 hours ago
Do you think it’s better to use a VPN if you aren’t using TOR Browser?
- schnurrito ( @schnurrito@discuss.tchncs.de ) 8•16 hours ago
All VPNs do is change who has your browsing data: your ISP or the VPN operator. You may or may not trust either of them not to keep records, in either case you have no way of verifying this.
- HelixDab2 ( @HelixDab2@lemm.ee ) 10•15 hours ago
ISPs definitely keep records. At least some VPNs claim that they don’t, and that their networks are set up in such a way that they can’t. Some organizations claim to validate the claims of the VPNs, but it’s unclear if they’re trustworthy.
So your choice is to use something that definitely keeps logs, or to use a company that at least says that they don’t/can’t.
- Possibly linux ( @possiblylinux127@lemmy.zip ) English2•12 hours ago
The VPN company themselves may not keep logs. However, they might be a little black box somewhere in the data center…
- NauticalNoodle ( @NauticalNoodle@lemmy.ml ) 2•11 hours ago
As Proton made evident, VPNs can be legally compelled to start keeping logs on specific accounts as the result of a court order. So if you’re gonna do something incriminating, then I guess you should create a new account each time.
- communism ( @communism@lemmy.ml ) 5•14 hours ago
Yes, and there’s also the fact that some VPNs such as Mullvad let you be anonymous so even if Mullvad were keeping logs, if you pay privately they have no way of knowing whose logs they are (unless the content itself of your internet history reveals your identity). Meanwhile your ISP definitely knows who you are, and absolutely will collaborate with the police if asked to.
- electric_nan ( @electric_nan@lemmy.ml ) 3•9 hours ago
You can pay anonymously, but if you regularly connect from your home IP address, it hardly matters.
- sunzu2 ( @sunzu2@thebrainbin.org ) 1•8 hours ago
I think the point here is to deny ISP data to sell.
- electric_nan ( @electric_nan@lemmy.ml ) 1•7 hours ago
Yeah I use mullvad for mostly that reason myself.
- ShortN0te ( @ShortN0te@lemmy.ml ) 41•1 day ago
This attack has been known for years now. And tor is simply not able to defend against it without a complete redesign.
- orcrist ( @orcrist@lemm.ee ) 22•21 hours ago
The potential for timing attacks has been known since the beginning of Tor. In other words, more than a decade. But that doesn’t mean you can’t defend against it. One way to defend against it is by having more nodes. Another way is to write clients that take into account the potential for timing attacks. Both of these were specifically mentioned in the article.
Based on what was in the article and what’s in the history books, I’m not sure how to interpret your comment in a constructive way. Is there anything more specific you meant, that isn’t contradicted by what’s in the article?
- ShortN0te ( @ShortN0te@lemmy.ml ) 2•18 hours ago
Yes, sorry i worded it incorrectly you can try to make it harder but timing attacks are still possible.
Nope, just a summary that this is just old news. There is nothing new in the article.
- EherNicht ( @EherNicht@feddit.org ) English10•1 day ago
Redesign being I2P
- Possibly linux ( @possiblylinux127@lemmy.zip ) English2•12 hours ago
I2p has issues that can more easily lead to deanonymization attacks. It says it on the FAQ
- ShortN0te ( @ShortN0te@lemmy.ml ) 2•18 hours ago
Nope, I2P is still vulnerable to timing attacks. https://en.m.wikipedia.org/wiki/Garlic_routing
- ReversalHatchery ( @ReversalHatchery@beehaw.org ) English1•5 hours ago
isn’t it less vulnerable, though?
it has higher latency, even variable latency if you set up variable hops, and everyone routes the traffic of a lot of other users, so a lot of data they can gather from timing info is noise by default
- EherNicht ( @EherNicht@feddit.org ) English2•17 hours ago
I would also like to see prove for your claim.
- ShortN0te ( @ShortN0te@lemmy.ml ) 2•17 hours ago
Garlic routing[1] is a variant of onion routing that encrypts multiple messages together to make it more difficult[2] for attackers to perform traffic analysis and to increase the speed of data transfer.[3]
First sentence. Check up the linked article as source.