TOR browser

General philosophy message board for Discussion and debate on other philosophical issues not directly related to veganism. Metaphysics, religion, theist vs. atheist debates, politics, general science discussion, etc.
teo123
Master of the Forum
Posts: 1393
Joined: Tue Oct 27, 2015 3:46 pm
Diet: Vegan

TOR browser

Post by teo123 »

So, what do you guys here think, is using the TOR browser regularly a good idea? I think that it is. We need more regular Tor users to remove the stigma that the users of the TOR browser, and similar privacy-protecting tools, have. Privacy protection is a good thing even if you think you have nothing to hide, and it's important for people to realize that.

The media has, if you ask me, done an excellent job completely misinforming people about security on-line. TOR browser is being demonized as being useful only for drug trafficking and other very illegal things, as if somehow the only people who should care about their privacy on-line are people doing those things.
"If you have nothing to hide, you don't need to worry about privacy." is one of the most dangerous ways of thinking, just ask anybody who has had their identity stolen. We should use every bit of security we can afford to use, because we never know how much security we actually need until it's too late. Tor regularly adds three layers of encription to the data you send on-line, and you can add two more by using the "meek" protocol.
Right now, it's trivial for a hacker (and for the government) to see exactly which websites you visit. Once DNS over TLS and ESNI become widely accepted, that will fix some of the flaws the hackers can use to track your on-line activities, but not nearly as many flaws as using TOR does.
A common misconception is that you can't hide you are using TOR, and so you might bring surveillance onto yourself by using it. While it's true that the government can potentially see you are using TOR if you are using the default configuration (though even then it's significantly harder to detect than it is to detect, for example, if you are using Skype, or a low-quality VPN), it's trivial to configure TOR to use "obfs4" or "meek" protocol, which makes it almost impossible to detect you are using TOR. So, if you are paranoid that you will be persecuted for using TOR (which has, as far as I know, never actually happened), there is a simple fix for that. Though it might be unethical towards people who actually live under repressive governments, because the servers ("bridges") that use "obfs4" and "meek" tend to have limited bandwidth.
Mainstream media has made it that Internet users who worry about their privacy and security do things that actually make them less secure. There is little doubt that most antivirus programs (Avast, McAfee...) actually make us less secure, and that those that actually help (MSE, ClamAV...) do it by a very small margin. Don't take it from me, take it from a Mozilla security expert. Yet, if you say that to somebody who takes his information from the mainstream media, they will likely call you crazy.
teo123
Master of the Forum
Posts: 1393
Joined: Tue Oct 27, 2015 3:46 pm
Diet: Vegan

Re: TOR browser

Post by teo123 »

And, what do you think, is the obfs4 protocol in and of itself actually way more secure than HTTPS is? As far as I understand it, somebody who has intercepted your HTTPS message can actually decipher your message, it's just that would take about 50 years for a modern computer to do that, because it needs to generate a private key for a given public key. Now, for the obfs4 protocol, as far as I understand it, a hacker can't decipher an intercepted message no matter how much computational power he has, unless he also manages to compromise BridgeDB to get a shared key. And then he also needs decades of computing to decipher the message. I think it's quite possible that obfs4 will replace HTTPS in the near future.
User avatar
brimstoneSalad
neither stone nor salad
Posts: 10273
Joined: Wed May 28, 2014 9:20 am
Diet: Vegan

Re: TOR browser

Post by brimstoneSalad »

teo123 wrote: Wed Jul 10, 2019 1:10 pm "If you have nothing to hide, you don't need to worry about privacy." is one of the most dangerous ways of thinking, just ask anybody who has had their identity stolen.
I agree, there are a lot of bad actors out there who will not hesitate to harm you for profit.
There are also things like spam databases which are economically harmful.

Of course, IP address provides limited information, but if it's a site you don't trust TOR or another proxy can make a lot of sense. There's a trade off with speed, though.
teo123 wrote: Wed Jul 10, 2019 1:10 pm A common misconception is that you can't hide you are using TOR, and so you might bring surveillance onto yourself by using it. While it's true that the government can potentially see you are using TOR if you are using the default configuration (though even then it's significantly harder to detect than it is to detect, for example, if you are using Skype, or a low-quality VPN), it's trivial to configure TOR to use "obfs4" or "meek" protocol, which makes it almost impossible to detect you are using TOR. So, if you are paranoid that you will be persecuted for using TOR (which has, as far as I know, never actually happened), there is a simple fix for that. Though it might be unethical towards people who actually live under repressive governments, because the servers ("bridges") that use "obfs4" and "meek" tend to have limited bandwidth.
Good point about the ethics. I worry about that with using TOR at all when not essential; do users leech more than they provide?
Some people *need* it, whereas I usually don't.

Of course you can help by turning off images/videos.

The only real defense against viruses is not downloading stuff that isn't reputable, and even then being cautious. And not plugging in dirty USBs to your device when you don't know where they've been.
teo123 wrote:I think it's quite possible that obfs4 will replace HTTPS in the near future.
I don't know much about it, but if so I hope so. I'm not really worried about somebody taking 50 years to break my encryption, more so with the post quantum world of encryption where it can be solved in seconds by quantum computation. That's going to be a big problem.

However, any encryption *can* ultimately be broken by quantum computation if you know part of the data being transferred -- like if the hacker knows you downloaded a particular image (like a banner) from a site. The larger the known segment of information the easier it is to break the encryption. They're all basically just very complex ciphers.
We might have to change how browsers work pretty radically to only encrypt what really needs to be encrypted so known information isn't transferred with the same key.
teo123
Master of the Forum
Posts: 1393
Joined: Tue Oct 27, 2015 3:46 pm
Diet: Vegan

Re: TOR browser

Post by teo123 »

brimstoneSalad wrote:Of course, IP address provides limited information, but if it's a site you don't trust TOR or another proxy can make a lot of sense.
It's not just the IP. TOR also prevents sites from identifying the repeated user using cookies, and, perhaps more importantly, by downloading external JavaScript from a different IP, it also prevents the common forms of Cross-Site-Scripting attacks. Firefox has also done quite a few steps further in recent releases to prevent the Cross-Site-Scripting attacks, but it's nowhere near secure as the TOR is.
The most important thing I find is that it prevents the man-in-the-middle from knowing exactly which message boards I visit. If it knows that, it can compromise the poorly-programmed ones and get my passwords, which I sometimes reuse. You won't need TOR for that once DNS over TLS and ESNI get widely accepted, but, for now, TOR seems like an excellent tool against such attacks.
brimstoneSalad wrote:I worry about that with using TOR at all when not essential; do users leech more than they provide?
Well, it's estimated by CloudFlare that more than 90% of the TOR exit traffic comes from spam-posting malware. Many malware connects to TOR so that the block-the-IP defense doesn't work for the message board it attacks. So, any impact you might have is miniscule compared to that.
Besides, by that logic, it would then be unethical to host something on GitHub if you don't need to, yet alone make your website and use some free hosting service.
brimstoneSalad wrote:like if the hacker knows you downloaded a particular image (like a banner) from a site.
Well, under HTTPS, that will help the hacker know the key that can be used to decipher the data sent to you by the server, that's not the same key that can be used to decipher the data you send to the server. One key can be derived from another, but it would take some 50 years for a modern computer to do that. HTTPS is not a XOR-cypher, so that the same key can be used for both.
brimstoneSalad wrote:We might have to change how browsers work pretty radically to only encrypt what really needs to be encrypted so known information isn't transferred with the same key.
Actually, that doesn't seem like a good idea to me. Isn't it much better if a browser sends a bunch of unpredictable data along with the password, so that the hacker doesn't know which part of the data is the password (ASCII text)? That's what TOR is doing, that's why it increases the bandwidth used for chatting.
teo123
Master of the Forum
Posts: 1393
Joined: Tue Oct 27, 2015 3:46 pm
Diet: Vegan

Re: TOR browser

Post by teo123 »

brimstoneSalad wrote:However, any encryption *can* ultimately be broken by quantum computation if you know part of the data being transferred
Is there some efficient quantum computing algorithm for breaking obfs4? I am not aware of that. Quantum computing is good at prime factorization, on which HTTPS relies. Obfs4 relies on elliptic curve cryptography.
User avatar
brimstoneSalad
neither stone nor salad
Posts: 10273
Joined: Wed May 28, 2014 9:20 am
Diet: Vegan

Re: TOR browser

Post by brimstoneSalad »

teo123 wrote: Sun Jul 14, 2019 4:11 amIf it knows that, it can compromise the poorly-programmed ones and get my passwords, which I sometimes reuse.
Teo...
I need a disapproving head-shaking icon here.

The best tool against those attacks is just using different passwords. You can just write them down on physical paper (or at least half of them) then reuse the other half. The chance of somebody getting that paper is very small.
teo123 wrote: Sun Jul 14, 2019 4:11 am Besides, by that logic, it would then be unethical to host something on GitHub if you don't need to, yet alone make your website and use some free hosting service.
I don't think so. People using TOR who don't need to could slow down the service and make it hard for people who really need it to connect to the system. TOR latency is a problem.
I don't think we can justify it by being a smaller problem than spammers.

Building a website on some free hosting service isn't going to interfere with anything really important, and it only drains bandwidth resources when it's accessed (which also often means ad impressions for free hosts).

I wouldn't think it right to upload large files to Github that are going to be downloaded frequently when there are other good options. Like a video or photo might be better suited to youtube or instagram.

teo123 wrote: Sun Jul 14, 2019 4:11 amIsn't it much better if a browser sends a bunch of unpredictable data along with the password, so that the hacker doesn't know which part of the data is the password (ASCII text)? That's what TOR is doing, that's why it increases the bandwidth used for chatting.
No, because as you mentioned, bandwidth.
More secure? Arguably yes.
teo123 wrote: Sun Jul 14, 2019 4:58 am
brimstoneSalad wrote:However, any encryption *can* ultimately be broken by quantum computation if you know part of the data being transferred
Is there some efficient quantum computing algorithm for breaking obfs4? I am not aware of that. Quantum computing is good at prime factorization, on which HTTPS relies. Obfs4 relies on elliptic curve cryptography.
When we're talking about a cipher all you need is a known chunk of data somewhere to reverse engineer it; or, that is, a known chunk large enough to get a statistically significant result. Quantum computation should be able to be used to figure out what key is needed to get that known data out of it at a particular location. Even adding in a bunch of garbage isn't necessarily going to help much. You can add in some red herring, but that'll take a lot of bandwidth and isn't necessarily going to slow the thing down that much relative to all the extra bandwidth you're using.
Your best bet is to use encryption on as little data as possible, and the most unknown data as possible, and pad it out with garbage so the proportion of garbage is so large that it would be cost prohibitive to dig through. Needle in a haystack. You just want to make sure your needle is very very small so your haystack doesn't need to be that big.
teo123
Master of the Forum
Posts: 1393
Joined: Tue Oct 27, 2015 3:46 pm
Diet: Vegan

Re: TOR browser

Post by teo123 »

brimstoneSalad wrote:You can just write them down on physical paper (or at least half of them) then reuse the other half. The chance of somebody getting that paper is very small.
Well, it's very convenient to be able to log into various Internet services from the university computers. And the chances of somebody getting that paper there are rather high. There seem to be some students attempting to steal the CarNET passwords for some reason: on a laboratory excercise, in which we need to log into CarNET to solve some test there before we can begin to do the work, somebody logged into their Firefox account and leaved it logged in for the next student who will use that computer, presumably hoping that somebody would press the "Save Password" button. Good thing I noticed that and logged Firefox out of the Mozilla acount before typing my CarNET password.
brimstoneSalad wrote:Building a website on some free hosting service isn't going to interfere with anything really important, and it only drains bandwidth resources when it's accessed (which also often means ad impressions for free hosts).
Free hosting services generally don't make a lot of revenue from ads, they make money from the people paying premium services.
Also, it's not just bandwidth that's the problem. You are taking up their disk space, and perhaps a lot more than you think you do.
Furthermore, using Bing or Google also takes a lot of resources on their part.
Also, sending an SMS takes a by order of magnitude more computational resources than sending an e-mail with the same content. If you are given a certain number of free SMS-es by your cellular provider, is it then somehow immoral to use them?
brimstoneSalad wrote:I wouldn't think it right to upload large files to Github that are going to be downloaded frequently when there are other good options.
Of course, but, by your logic, it would be unethical to use GitHub if it's not necessary, whenever you are not actually collaborating with other programmers. Is it wrong to publish the calculator I've made while studying Rhino and NetBeans on GitHub? I mean, the feature that makes it different from other calculators is the ability to give assembly for a certain expression, and, let's face it, that's unlikely to prove useful to anybody. Somebody may need GitHub more than I do, so am I damaging him or her?
brimstoneSalad wrote:No, because as you mentioned, bandwidth.
Bandwidth will become much less of a problem in the future. Once the 5G network gets implemented...
I mean, back in 2009, I remember I accidentally downloaded some 2 MB file onto my mobile phone from the cellular network, and it costed us around 100 kunas. These days, I get 2000 MB free every month for just 75 kunas per month.
brimstoneSalad wrote:Quantum computation should be able to be used to figure out what key is needed to get that known data out of it at a particular location.
What makes you think that's the case? Quantum computers aren't faster at all things than classical computers, it's just speculated they can solve certain problems more efficiently than classical computers (which hasn't actually been proved). For most things, including breaking most types of cyphers, they are by orders of magnitude slower than classical computers. Do you think I am wrong?
User avatar
brimstoneSalad
neither stone nor salad
Posts: 10273
Joined: Wed May 28, 2014 9:20 am
Diet: Vegan

Re: TOR browser

Post by brimstoneSalad »

teo123 wrote: Wed Jul 17, 2019 1:34 amIf you are given a certain number of free SMS-es by your cellular provider, is it then somehow immoral to use them?
I think the fundamental difference here is a company vs. more of a non-profit/public service.
teo123 wrote: Wed Jul 17, 2019 1:34 am Somebody may need GitHub more than I do, so am I damaging him or her?
Somebody else may find it useful. It's not something useless like a bunch of random characters.
You'd have to weigh the possibility of it being useful against the space it takes (which is very small). I would err on the side of uploading anything that might be useful.
teo123 wrote: Wed Jul 17, 2019 1:34 amBandwidth will become much less of a problem in the future. Once the 5G network gets implemented...
It's becoming less of an issue, sure. But I've experienced TOR latency, so my impression is that it's still an issue today.

teo123 wrote: Wed Jul 17, 2019 1:34 amWhat makes you think that's the case? Quantum computers aren't faster at all things than classical computers, it's just speculated they can solve certain problems more efficiently than classical computers (which hasn't actually been proved). For most things, including breaking most types of cyphers, they are by orders of magnitude slower than classical computers. Do you think I am wrong?
I don't know if they're going to be better or not, it's speculative, but it's something we should think about.
teo123
Master of the Forum
Posts: 1393
Joined: Tue Oct 27, 2015 3:46 pm
Diet: Vegan

Re: TOR browser

Post by teo123 »

brimstoneSalad wrote:I think the fundamental difference here is a company vs. more of a non-profit/public service.
What difference does that make? GitHub, for example, is owned by Microsoft now.
brimstoneSalad wrote:But I've experienced TOR latency, so my impression is that it's still an issue today.
Of course Tor is going to have about 4 times the latency as the clear-web has, if you are connecting to some clear-web website though Tor, you are connecting to it through 3 Tor relays, each of which needs to respond to your request one after another. That said, other factors unrelated to how loaded the Tor network is come into play:
1) Tor is more vulnerable to packet loss than clear-web is. The Croatian CrisisConnection ISP apparently has high packet loss (attempting to PING 1.1.1.1 often times out), and I guess that's the reason why Tor is significantly faster on cellular network (which apparently has lower packet loss here in Osijek).
2) Some websites, for instance linguistforum.com, apparently refuse to serve some exit nodes, but not all of them. Since Tor often changes the exit nodes, well, it takes long (sometimes up to a minute) to find a node capable of connecting to that website. Not much of a problem, since connecting to a non-HTTPS website through TOR is less secure than connecting to it without TOR, but perhaps worth mentioning.
brimstoneSalad wrote:I don't know if they're going to be better or not, it's speculative, but it's something we should think about.
It probably will get like 2 times better. But saying it will get by orders of magnitude better (better than classical computers at executing non-quantum algorithms) is a bit crazy, don't you think?
Besides, wouldn't it be more useful for somebody wanting to decipher HTTPS to intercept the TLS handshake than to intercept some large piece of ciphered data that doesn't actually contain the keys?
teo123
Master of the Forum
Posts: 1393
Joined: Tue Oct 27, 2015 3:46 pm
Diet: Vegan

Re: TOR browser

Post by teo123 »

@brimstoneSalad, if I am not mistaken, this whole fear that quantum computers will break all the cyphers comes from the common misconception, reinforced by technobabble in the mainstream media, that using quantum computation somehow makes all the nondeterministic-polynomial-time problems become polynomial-time problems (in other words, that for quantum computers, but not for classical computers, P=NP). There is no reason to think that's the case, and there are good reasons to think that's not the case. Furthermore, the idea that if P=NP most cyphers are broken is also false, because polynomial-time shouldn't be equated with fast (Suppose that there is an algorithm that can solve the subset-sum problem in n^12 time, would that mean anything in praxis?).
Post Reply