Is Tor still safe to use?
The Tor Project reassures users that the Tor Browser is secure despite a de-anonymization incident linked to outdated software. They emphasize the need for software updates and network improvements.
Read original article
The Tor Project has addressed concerns regarding the safety of using Tor following an investigative report about a de-anonymization incident involving an old version of the Ricochet application. The report indicated that a targeted law enforcement attack successfully de-anonymized a user due to the use of outdated software lacking modern protective features. However, the Tor Project reassures users that the Tor Browser remains secure for accessing the web anonymously. They emphasize the importance of keeping software updated to benefit from the latest security enhancements. The project is seeking more information about the incident to better understand the attack and improve user protection. They note that the Tor network is healthy, with an increase in exit nodes and ongoing efforts to enhance network diversity and security. The Tor Project encourages users to contribute to the network's growth and diversity to minimize potential surveillance risks. Overall, while the incident raises questions, the Tor Project maintains that Tor is still a reliable tool for privacy-conscious users.
- The Tor Browser is still safe for secure and anonymous web access.
- Users are advised to keep their software updated to protect against vulnerabilities.
- The de-anonymization incident involved an outdated version of the Ricochet application.
- The Tor network has seen an increase in exit nodes and improved bandwidth.
- The Tor Project is actively seeking more information to enhance user protection.
Related
Private Internet
The article highlights the inadequacies of current internet protocols regarding security and privacy, advocating for a new protocol with features like non-sensitive addresses and DoS resistance, while suggesting onion routing.
NSA tracks Google ads to find Tor users
The NSA tracks Tor users by purchasing ads on networks like Google, embedding cookies to identify them despite IP changes, raising concerns about privacy and national security balance.
"My gut says Telegram is an FSB operation"
Pavel Durov faces criticism for Telegram's alleged role in criminal activities, misleading security claims, and lack of transparency, with calls for improved encryption and accountability from the platform.
Orbot Tor router is open source
Orbot is a free app that enhances mobile internet security by using the Tor network to encrypt and anonymize traffic, protecting users from tracking and promoting human rights through privacy technologies.
Update on an upcoming German broadcasting story about Tor/Onion Services
The Tor Project is investigating claims from a German broadcaster about a deanonymization attack on Onion Services by law enforcement. They have not verified these claims and assure users of continued security.
- Many commenters express skepticism about Tor's safety, particularly regarding potential government surveillance and de-anonymization risks.
- Several users highlight the importance of maintaining updated software to mitigate vulnerabilities, referencing past incidents of de-anonymization.
- There is a debate about the effectiveness of Tor against state actors, with some arguing that it may be safe for certain users while risky for others.
- Some comments reference historical talks and reports that discuss the risks associated with using Tor, emphasizing the need for awareness of operational security (OpsSec).
- Overall, the conversation reflects a mix of caution and advocacy for privacy tools, with varying perspectives on the implications of using Tor.
55 commentsI want to find a certain kind of person so I look for people that access a specific hidden service or clearnet url.
Surely eventually I'm going to get a hit where all three nodes in the circuit are my nodes that are logging everything? It will take a long time, and I can't target a specific person, but eventually I can find someone who has all three bounces through tor nodes I control, no?
And more info here: https://lists.torproject.org/pipermail/tor-relays/2024-Septe...
Edit: The NDR alleges a timing attack (no further explanation) that allows "to identify so-called ‘entry servers’" Very little information is actually available on the nature of the attack. The NDR claims this method has already lead to an arrest.
However, some things, like Tor, can make your use of the Internet safer.
If all you’re doing is arguing that Tor shouldn’t be used because it isn’t/was never “safe”, then you might as well not use the Internet at all.
How applicable do people think this information is now 9-10 years later?
DEF CON 22 - Adrian Crenshaw- Dropping Docs on Darknets: How People Got Caught https://www.youtube.com/watch?v=eQ2OZKitRwc
Not that I think the Fed's would blow their cover to hunt down people buying drugs but still seems stupid to trust.
But at planetary scale would Tor scale in an environmentally friendly way?
But the things that do inspire confidence:
Tor is updated against vulnerabilities pre-emptively, years before the vulnerability is known to be leveraged
Tor Project happens to be investigating the attack vector of the specific tor client, which is years outdated
They should have just said “we fixed that vulnerability in 2022”
with a separate article about the old software
What do we want Tor for except as a hope that Russian citizens might be able to get to the BBC site?
I am asking honestly - and would prefer not to be told my own government is on the verge of a mass pogrum so we had better take precautions.
Couldn’t a national security organization just modify a node to route traffic to other nodes it controls instead of uncontrolled nodes?
Assume if the will is strong and the resources are strong you will be eventually identified. If your not worth it then your not worth it.
become not worth it
https://direct.mit.edu/books/oa-monograph/5761/TorFrom-the-D...
He got caught not by the FBI breaking Tor, but just by network analysis of university network traffic logs showing a very narrow list of on-campus people using Tor at the time the threat was communicated. He quickly confessed when interviewed.
https://www.washingtonpost.com/blogs/the-switch/files/2013/1...
Just another factor to consider when using Tor - who's network you're on.
>A guard discovery attack allows attackers to determine the guard relay of a Tor client. The hidden service protocol provides an attack vector for a guard discovery attack since anyone can force an HS to construct a 3-hop circuit to a relay, and repeat this process until one of the adversary's middle relays eventually ends up chosen in a circuit. These attacks are also possible to perform against clients, by causing an application to make repeated connections to multiple unique onion services.
Some specific state actors operate TOR entry and exit routers and can perform analysis which is different to others who just have access to the infra beneath TOR and can infer things from traffic analysis somewhat differently.
I have never been in a situation where my life and liberty depended on a decision about a mechanism like TOR. I can believe it is contextually safe for some people and also believe it's a giant red flag to a lead pipe and locked room for others.
...We are writing this blog post in response to an investigative news story looking into the de-anonymization of an Onion Service used by a Tor user using an old version of the long-retired application Ricochet by way of a targeted law-enforcement attack.
...From the limited information The Tor Project has, we believe that one user of the long-retired application Ricochet was fully de-anonymized through a guard discovery attack. This was possible, at the time, because the user was using a version of the software that neither had Vanguards-lite, nor the vanguards addon, which were introduced to protect users from this type of attack. This protection exists in Ricochet-Refresh, a maintained fork of the long-retired project Ricochet, since version 3.0.12 released in June of 2022.
If you are an enemy of the United States you probably aren’t but that’s a high bar
No.
If anyone tries to convince you Tor is not safe, ask yourself: cui bono?
Use Tor with extreme caution.
Sometimes I wonder wtf y'all are doing with such crazy security expectations and paranoia.
Related
Private Internet
The article highlights the inadequacies of current internet protocols regarding security and privacy, advocating for a new protocol with features like non-sensitive addresses and DoS resistance, while suggesting onion routing.
NSA tracks Google ads to find Tor users
The NSA tracks Tor users by purchasing ads on networks like Google, embedding cookies to identify them despite IP changes, raising concerns about privacy and national security balance.
"My gut says Telegram is an FSB operation"
Pavel Durov faces criticism for Telegram's alleged role in criminal activities, misleading security claims, and lack of transparency, with calls for improved encryption and accountability from the platform.
Orbot Tor router is open source
Orbot is a free app that enhances mobile internet security by using the Tor network to encrypt and anonymize traffic, protecting users from tracking and promoting human rights through privacy technologies.
Update on an upcoming German broadcasting story about Tor/Onion Services
The Tor Project is investigating claims from a German broadcaster about a deanonymization attack on Onion Services by law enforcement. They have not verified these claims and assure users of continued security.