TOR browser

teo123
Senior Member
Posts: 433
Joined: Tue Oct 27, 2015 3:46 pm
Religion: None (Atheist)
Diet: Vegan

Post by teo123 » Wed Jul 10, 2019 1:10 pm

So, what do you guys here think, is using the TOR browser regularly a good idea? I think that it is. We need more regular Tor users to remove the stigma that the users of the TOR browser, and similar privacy-protecting tools, have. Privacy protection is a good thing even if you think you have nothing to hide, and it's important for people to realize that.

The media has, if you ask me, done an excellent job completely misinforming people about security on-line. TOR browser is being demonized as being useful only for drug trafficking and other very illegal things, as if somehow the only people who should care about their privacy on-line are people doing those things.
"If you have nothing to hide, you don't need to worry about privacy." is one of the most dangerous ways of thinking, just ask anybody who has had their identity stolen. We should use every bit of security we can afford to use, because we never know how much security we actually need until it's too late. Tor regularly adds three layers of encryption to the data you send on-line, and you can add two more by using the "meek" protocol.
Right now, it's trivial for a hacker (and for the government) to see exactly which websites you visit. Once DNS over TLS and ESNI become widely accepted, that will fix some of the flaws the hackers can use to track your on-line activities, but not nearly as many flaws as using TOR does.
A common misconception is that you can't hide you are using TOR, and so you might bring surveillance onto yourself by using it. While it's true that the government can potentially see you are using TOR if you are using the default configuration (though even then it's significantly harder to detect than it is to detect, for example, if you are using Skype, or a low-quality VPN), it's trivial to configure TOR to use "obfs4" or "meek" protocol, which makes it almost impossible to detect you are using TOR. So, if you are paranoid that you will be persecuted for using TOR (which has, as far as I know, never actually happened), there is a simple fix for that. Though it might be unethical towards people who actually live under repressive governments, because the servers ("bridges") that use "obfs4" and "meek" tend to have limited bandwidth.
Mainstream media has made it that Internet users who worry about their privacy and security do things that actually make them less secure. There is little doubt that most antivirus programs (Avast, McAfee...) actually make us less secure, and that those that actually help (MSE, ClamAV...) do it by a very small margin. Don't take it from me, take it from a Mozilla security expert. Yet, if you say that to somebody who takes his information from the mainstream media, they will likely call you crazy.

Post by teo123 » Sat Jul 13, 2019 10:23 am

And, what do you think, is the obfs4 protocol in and of itself actually way more secure than HTTPS is? As far as I understand it, somebody who has intercepted your HTTPS message can actually decipher your message, it's just that it would take about 50 years for a modern computer to do that, because it needs to generate a private key for a given public key. Now, for the obfs4 protocol, as far as I understand it, a hacker can't decipher an intercepted message no matter how much computational power he has, unless he also manages to compromise BridgeDB to get a shared key. And then he also needs decades of computing to decipher the message. I think it's quite possible that obfs4 will replace HTTPS in the near future.

brimstoneSalad
neither stone nor salad
Posts: 9387
Joined: Wed May 28, 2014 9:20 am
Religion: None (Atheist)
Diet: Vegan

Post by brimstoneSalad » Sat Jul 13, 2019 8:56 pm

teo123 wrote:
Wed Jul 10, 2019 1:10 pm
"If you have nothing to hide, you don't need to worry about privacy." is one of the most dangerous ways of thinking, just ask anybody who has had their identity stolen.
I agree, there are a lot of bad actors out there who will not hesitate to harm you for profit.
There are also things like spam databases which are economically harmful.

Of course, IP address provides limited information, but if it's a site you don't trust, TOR or another proxy can make a lot of sense. There's a trade-off with speed, though.
teo123 wrote:
Wed Jul 10, 2019 1:10 pm
A common misconception is that you can't hide you are using TOR, and so you might bring surveillance onto yourself by using it. While it's true that the government can potentially see you are using TOR if you are using the default configuration (though even then it's significantly harder to detect than it is to detect, for example, if you are using Skype, or a low-quality VPN), it's trivial to configure TOR to use "obfs4" or "meek" protocol, which makes it almost impossible to detect you are using TOR. So, if you are paranoid that you will be persecuted for using TOR (which has, as far as I know, never actually happened), there is a simple fix for that. Though it might be unethical towards people who actually live under repressive governments, because the servers ("bridges") that use "obfs4" and "meek" tend to have limited bandwidth.
Good point about the ethics. I worry about that with using TOR at all when not essential; do users leech more than they provide?
Some people *need* it, whereas I usually don't.

Of course you can help by turning off images/videos.

The only real defense against viruses is not downloading stuff that isn't reputable, and even then being cautious. And not plugging in dirty USBs to your device when you don't know where they've been.
teo123 wrote:I think it's quite possible that obfs4 will replace HTTPS in the near future.
I don't know much about it, but if so I hope so. I'm not really worried about somebody taking 50 years to break my encryption, more so with the post quantum world of encryption where it can be solved in seconds by quantum computation. That's going to be a big problem.

However, any encryption *can* ultimately be broken by quantum computation if you know part of the data being transferred -- like if the hacker knows you downloaded a particular image (like a banner) from a site. The larger the known segment of information the easier it is to break the encryption. They're all basically just very complex ciphers.
We might have to change how browsers work pretty radically to only encrypt what really needs to be encrypted so known information isn't transferred with the same key.

Post by teo123 » Sun Jul 14, 2019 4:11 am

brimstoneSalad wrote:Of course, IP address provides limited information, but if it's a site you don't trust, TOR or another proxy can make a lot of sense.
It's not just the IP. TOR also prevents sites from identifying the repeated user using cookies, and, perhaps more importantly, by downloading external JavaScript from a different IP, it also prevents the common forms of Cross-Site-Scripting attacks. Firefox has also done quite a few steps further in recent releases to prevent the Cross-Site-Scripting attacks, but it's nowhere near as secure as TOR is.
The most important thing I find is that it prevents the man-in-the-middle from knowing exactly which message boards I visit. If it knows that, it can compromise the poorly-programmed ones and get my passwords, which I sometimes reuse. You won't need TOR for that once DNS over TLS and ESNI get widely accepted, but, for now, TOR seems like an excellent tool against such attacks.
brimstoneSalad wrote:I worry about that with using TOR at all when not essential; do users leech more than they provide?
Well, it's estimated by CloudFlare that more than 90% of the TOR exit traffic comes from spam-posting malware. Much malware connects to TOR so that the block-the-IP defense doesn't work for the message board it attacks. So, any impact you might have is minuscule compared to that.
Besides, by that logic, it would then be unethical to host something on GitHub if you don't need to, let alone make your website and use some free hosting service.
brimstoneSalad wrote:like if the hacker knows you downloaded a particular image (like a banner) from a site.
Well, under HTTPS, that will help the hacker know the key that can be used to decipher the data sent to you by the server, that's not the same key that can be used to decipher the data you send to the server. One key can be derived from another, but it would take some 50 years for a modern computer to do that. HTTPS is not a XOR-cypher, so that the same key can be used for both.
brimstoneSalad wrote:We might have to change how browsers work pretty radically to only encrypt what really needs to be encrypted so known information isn't transferred with the same key.
Actually, that doesn't seem like a good idea to me. Isn't it much better if a browser sends a bunch of unpredictable data along with the password, so that the hacker doesn't know which part of the data is the password (ASCII text)? That's what TOR is doing, that's why it increases the bandwidth used for chatting.

Post by teo123 » Sun Jul 14, 2019 4:58 am

brimstoneSalad wrote:However, any encryption *can* ultimately be broken by quantum computation if you know part of the data being transferred
Is there some efficient quantum computing algorithm for breaking obfs4? I am not aware of that. Quantum computing is good at prime factorization, on which HTTPS relies. Obfs4 relies on elliptic curve cryptography.

Post by brimstoneSalad » Sun Jul 14, 2019 5:48 am

teo123 wrote:
Sun Jul 14, 2019 4:11 am
If it knows that, it can compromise the poorly-programmed ones and get my passwords, which I sometimes reuse.
Teo...
I need a disapproving head-shaking icon here.

The best tool against those attacks is just using different passwords. You can just write them down on physical paper (or at least half of them) then reuse the other half. The chance of somebody getting that paper is very small.
teo123 wrote:
Sun Jul 14, 2019 4:11 am
Besides, by that logic, it would then be unethical to host something on GitHub if you don't need to, let alone make your website and use some free hosting service.
I don't think so. People using TOR who don't need to could slow down the service and make it hard for people who really need it to connect to the system. TOR latency is a problem.
I don't think we can justify it by being a smaller problem than spammers.

Building a website on some free hosting service isn't going to interfere with anything really important, and it only drains bandwidth resources when it's accessed (which also often means ad impressions for free hosts).

I wouldn't think it right to upload large files to GitHub that are going to be downloaded frequently when there are other good options. Like a video or photo might be better suited to YouTube or Instagram.

teo123 wrote:
Sun Jul 14, 2019 4:11 am
Isn't it much better if a browser sends a bunch of unpredictable data along with the password, so that the hacker doesn't know which part of the data is the password (ASCII text)? That's what TOR is doing, that's why it increases the bandwidth used for chatting.
No, because as you mentioned, bandwidth.
More secure? Arguably yes.
teo123 wrote:
Sun Jul 14, 2019 4:58 am
brimstoneSalad wrote:However, any encryption *can* ultimately be broken by quantum computation if you know part of the data being transferred
Is there some efficient quantum computing algorithm for breaking obfs4? I am not aware of that. Quantum computing is good at prime factorization, on which HTTPS relies. Obfs4 relies on elliptic curve cryptography.
When we're talking about a cipher all you need is a known chunk of data somewhere to reverse engineer it; or, that is, a known chunk large enough to get a statistically significant result. Quantum computation should be able to be used to figure out what key is needed to get that known data out of it at a particular location. Even adding in a bunch of garbage isn't necessarily going to help much. You can add in some red herring, but that'll take a lot of bandwidth and isn't necessarily going to slow the thing down that much relative to all the extra bandwidth you're using.
Your best bet is to use encryption on as little data as possible, and the most unknown data as possible, and pad it out with garbage so the proportion of garbage is so large that it would be cost prohibitive to dig through. Needle in a haystack. You just want to make sure your needle is very very small so your haystack doesn't need to be that big.
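
The known-plaintext question argued in this thread (an observer who knows a downloaded banner, versus "HTTPS is not a XOR-cypher"), worked through as an added example that is not code from any poster: a repeating-key XOR cipher gives up its key to the known banner, while a keystream derived from a keyed hash with separate keys per direction does not. Both toy ciphers, the key names and the sample data are constructed, and HMAC-SHA256 is only a stand-in for the ciphers TLS actually uses.

```python
import hashlib
import hmac

# Constructed sample data: a banner the observer already knows, and a secret.
BANNER = b"GIF89a-constructed-site-banner-bytes"
SECRET = b"password=constructed-example"

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def repeating_xor(key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with the key repeated (encrypt and decrypt are the same)."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))

def prf_stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream blocks HMAC-SHA256(key, nonce || counter); a stand-in, not TLS."""
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def direction_keys(master: bytes) -> tuple[bytes, bytes]:
    """Derive independent client-to-server and server-to-client keys."""
    return (hmac.new(master, b"client to server", hashlib.sha256).digest(),
            hmac.new(master, b"server to client", hashlib.sha256).digest())

def known_plaintext_vs_xor(key_len: int = 4) -> bytes:
    """Observer knows BANNER and the key length (assumed); returns what they recover."""
    ciphertext = repeating_xor(b"k3y!", BANNER + SECRET)
    recovered_key = xor_bytes(ciphertext[:key_len], BANNER[:key_len])
    return repeating_xor(recovered_key, ciphertext)[len(BANNER):]

def known_plaintext_vs_prf() -> bytes:
    """Same observer against per-direction keystreams; returns their best guess."""
    c2s, s2c = direction_keys(hashlib.sha256(b"constructed master secret").digest())
    banner_ct = xor_bytes(BANNER, prf_stream(s2c, b"nonce-01", len(BANNER)))
    secret_ct = xor_bytes(SECRET, prf_stream(c2s, b"nonce-01", len(SECRET)))
    leaked_stream = xor_bytes(banner_ct, BANNER)  # keystream of that one message only
    return xor_bytes(secret_ct, leaked_stream)

if __name__ == "__main__":
    print("XOR cipher, observer recovers:", known_plaintext_vs_xor())
    print("Keyed-hash stream, observer gets:", known_plaintext_vs_prf())
```

In the second case the known banner yields only the keystream bytes that covered the banner itself, which say nothing about the key or about traffic in the other direction.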