I used Tor for surveillance. But an appropriate kind, IMHO.
I used Tor as a small part of one of the capabilities of a supply chain integrity startup. I built a fancy scraper/crawler to discreetly monitor a major international marketplace (mainstream, not darknet), including selecting appropriate Tor exit nodes for each regional site, to try to ensure that we were seeing the same site content that people from those regions were seeing.
Tor somehow worked perfectly for those needs. So my only big concern was making sure everyone in the startup knew not to go bragging about this unusually good data we had. Since we were one C&D letter away from not being able to get the data at all.
(Unfortunately, this had to be a little adversarial with the marketplace, not done as a data-sharing partnership, since the marketplace benefited from a cut of all the counterfeit and graymarket sales that we were trying to fight. But I made sure the scraper was gentle yet effective, both to not be a jerk, and also to not attract attention.)
(I can talk about it now, since the startup ran out of runway during Covid investor skittishness.)
Next time you find yourself in this situation, a $5 VPN subscription (Mullvad, etc.) gets you the same result without the IP being an obvious Tor exit node. Faster, too, in latency, bandwidth, and the time it takes to change locations. You only care about the VPN part for this, not the onion part.
Worth mentioning a $5 cloud instance and installing Algo VPN on it gets you the same thing without having to trust a 3rd party VPN provider (only a generic VM provider such as AWS). It’s always worth minimizing companies you deal with if you already use AWS, GCP, etc.
Incorrect - you've obviously never used one of these services. You get N concurrent connections to your choice of exit nodes. Sometimes N is even infinity.
Sites know about them though. If you need to be even sneakier there's residential proxy networks.
Are Mullvad IPs somehow non-obvious? I assume all mainstream VPNs are detected by their IPs and slapped with captchas at best (and blocked outright at worst).
This is not a good way to do this. Tor exit nodes are public and may be marked for special behavior by the marketplace you are surveying. There is no reason to believe you are getting good information this way.
The right way to do this would be through a VPN/tor + Residential proxy to hide your intentions from everyone involved.
> There is no reason to believe you are getting good information this way.
Spot checks checked out. And it was a perfectly fine way to do it.
You are correct that Tor exit nodes often get special handling (at the moment, including by Cloudflare, and by Google Recaptcha). And the idea of poisoning of data is starting to propagate, due do anti-AI-scraper sentiment.
Poisoning the data has been around for at least a decade now. I used to work for a very large pricing analytics company that would track product pricing for Fortune 500 manufacturers.
We found on several occasions that some shady retailers would find the CIDR of the manufacturers corp networks and comply with the MAP policies on pricing if traffic came from them. Then when our bot went through with obviously generic AWS / Proxy ips we would see a much lower price that broke their agreement. That one was a fun realization for the manufacturers as to the level of shadiness some retailers would go through.
> So, a proxy? Onion routing doesn't really play a role for this use case.
The onion routing obscured our identity from the "proxy" exit nodes.
Separately, Tor was also a convenient way to get a lot of arbitrary country-specific "proxies", without dealing with the sometimes sketchy businesses that are behind residential IP proxies.
(Counterfeiting/graymarket operations can be organized crime. I'd rather just fire up Tor, and trust math a little, than to try to vet the legitimacy and intentions of a residential IP broker.)
Right, but the question was "why would you need to obscure your identity from the exit nodes", in the context of why the person chose Tor vs. a simple proxy.
Yes, but many scrapers configure their Torrc into single-relay mode (following tutorials and open source “rotating tor proxy” repos), in which case the exit relay can easily identify who is scraping which site.
(Strange coincidence: We also had different key tech with the codename of Raptor, but it had nothing to do with Tor nor Web scraping. It was for discreet smartphone-based field auditing of physical product, in global physical retail and other locations. The codename was the result of a great morale-boosting impromptu brainstorming session between engineering and marketing people ("can you help think of a cool codename for this..."), and the resulting name highly apt, at least for the movie velociraptors. I built it, and, until Covid disrupted our F500 customers and investors, I was looking forward to hiring engineers to do further work on something cool-sounding like "Raptor", rather than "internal-app" or whatever first came to mind when creating the Git repo. :)
The major attack of concern described in the paper is the transparent early terminated encryption attack, and root trust signing that fall under effectively the same centralized hands at the AS level.
Where an AS level entity MITMs all outbound connections from a region in automated fashion for collection, before that traffic ever makes it to TOR or its destination.
It works for TOR, TLS, pretty much any protocol out there where key exchange or trust occurs; so long as the protocol is known and has distinct classifiable characteristics allowing computation to automatically do this.
There have been instances where public certs issued by a CA with the same domain names, but are issued from a root CA that is other than the legitimate site's root CA which are used for attacks. CT logs don't stop this either.
There is a lot of ephemeral content, and private information that can be both collected, and injected on a targeted basis if one has access to such junctions which the industry (Telecom) has proven time and again that they can't secure following basic practice; largely because mandates to backwards compatibility at the regulatory level.
Social credit, where invisible factors people don't control force those same people into poverty through targeted denial of service (communications for job hunting/social contacts), zersetzung, etc; that all would be a breeze to set up without any external indicator, or remedy using that attack.
What the target sees vs what everyone else sees would be quite different, and of course there would be people that gaslight and torture on top of it all (as a natural psychological defense mechanism of denial).
Compromised communications under such type of attacks are madness inducing.
Listings of items for sale (for ~100 brands), and how that changed over time. With the marketplace having a pretty rich schema to reconstruct from their server-side rendering.
One of the purposes was cold sales outreaches to an exec at a brand, maybe something like, "Here's a report about graymarket/counterfeit of your brand online, using data you probably haven't seen before; we have a solution we'd like to tell you about".
No. And when people share info on HN, I don't like to see speculation in the comments about things they obviously intentionally didn't say (assuming that they seem to be speaking in good faith). That person, and other people who see the dynamic, presumably are less likely to share in the future.
I feel there is a level of irony in you being bothered about people interacting with content you've shared in a way you don't like when said content is a story about you interacting with other's content in a way they've explicitly put up barriers to try and stop you from doing that.
I think you have a valid general question (and you'll note I said "appropriate kind, IMHO" at the top of the original comment, acknowledging others might disagree that it was appropriate), but I'd like to contrast two distinct situations:
* A collegial forum, where people might go to share information, sometimes with discretion about what can and can't be said (or just comfort levels).
* A large corporation that was profiting off of illegal businesses (e.g., contract-violating, IP-violating, defrauding buyers, possibly fencing), and we wanted to gather evidence of that on behalf of some of the harmed parties, to try to stop it. And we did that in a technologically gentle, non-disruptive way. And (as I mentioned in the original comment) we had a conscious policy to immediately cease if we were ever told to.
I am not a lawyer but you should know that in most/many/all cases, website ToS have no legal effect whatsoever.
They amount to the same thing as stating "we don't like if you do X and we'll probably ban you" but written in legalese so people take it more seriously.
Get the advice of an actual lawyer before relying on this of course.
Thank you for pointing that out. Really appreciate you sharing.
To the parent, please do not try to lure info out of people it is just not cool online or in real life when people obviously are being generic for a reason.
I think they publicized it so they could obscurely use it for military purposes. The users are easy to spot if they are all military users. Get tons and tons of regular users to use it and you obscure who is trying to hide.
It's unclear if they really did this, or if this was just the pitch they gave to the government. But it was never secret that this was a goal they had explained to the US government: the inventors were pretty straightforward about everything.
I've also read this at some point. Bit hard to have deniability if you're hacking into $ENEMY_COUNTRY servers using a network that only the US Government has access to.
I think we have to distinguish between "the Navy proposed using it this way for this reason" (clearly they did, in writing!) and "the government actively uses it this way for this reason" (extremely hard to confirm).
I've met law enforcement people who talked about using Tor for anonymity during investigations, but in context they were looking for anonymity on the exit side rather than the entry side (so, a traditional VPN would have worked too). The original proposal about onion routing is focused on the security provided on the entry side (preventing local telecommunications operators from knowing whom you're communicating with).
It's a really good book! I was on the very edges of this scene for a chunk of the time described, and I thought it managed to catch a lot of the complexities without picking one possible narrative over another.
Plus I learned a lot -- it came out of some academic research that pursued a unique angle: finding and talking to the Tor exit node operators about their experiences, rather than just say the developers, the executives, or the funders.
I'd never used Tor, though had to scrape a bunch of things that required different IPs. I figured their endpoints were already tarred.
With the porn block in the UK though, the "New Private Window with Tor" in Brave is very convenient.
Maybe not for long, or maybe not. I guess websites don't need to comply beyond a certain point.
There are tons of "residential proxy" and whatnot type services available, IP being a source of truth doesn't seem to matter much in 2025. The Perplexity 'bot' recent topic being an example of that.
Basically if you want to access any resource on the web for a dollar a GB or so you can use millions of IPs.
Indeed, I've investigated some cyber attacks recently that came from residential IPs in California and NY, though investigation turned up the real origins as coming from India. It's pretty easy to pull off nowadays
Residential proxies usually piggy back off unsuspecting users, either through hacked routers/IoT, malicious browser extensions, malicious smartphone applications, or any other kind of malware. If you're looking for a tutorial on how to infect and exploit users, you're not on the right site.
Indeed. Plenty of shady VPN providers over the years have done exactly this, offering a free VPN service but silently using your residential IP as an exit node for paying customers
Yeah, I'm debating whether I should disclose that or not. I am generally a believer in disclosure, but simple awareness of how I figured it out would enable them to better hide their tracks. I think I probably will disclose it, but I need to think on it just a little bit more first
Not OP but there are many methods, with more available as you gain more execution privileges. On the “no privileges” end, you have things like accept-language and ping times (which can be coupled with known location of exit node to get an extremely rough “ping to exit” time.. not very useful but at least another data point). Then you have linkage to other devices, e.g. same account logs into site with and without VPN. Or if you have any inputs from the user (search history), maybe they make some typos or Autocorrect that leaks metadata about their native language. On the “some privileges” point of the spectrum, if you’ve got JavaScript execution, you can learn a _lot_ about the region of the user. And on the “many privileges” side, where you’ve got native code execution in a mobile app or similar, it’s game over.
For literature on this kind of thing, look into “PETS” (privacy enhancing technology) research. Incidentally, Tor spends a lot of time plugging these holes in their browser…
Tbh, all these sound like obvious noob mistakes. If I'd be trying to fake coming from NY then of course I don't use my russian-language browser or run Javascript code in a non-sandboxed environment that leaks where I am. The login and auto-complete channels don't really work either because all those things use HTTPS/SSL/TLS/... nowadays and you are rarely the endpoint. If you are and they still do this then again, they don't really know what they are doing.
It doesn't need a highly skilled+funded state actor to avoid those mistakes.
Tho trying to solve a social issue with technological solutions is just going to force the other side's hand more. Tor/vpn might work today, but there's no telling what new laws tomorrow will be enacted to ban vpns. And having such laws (that everyone breaks) is just a way for the gov't to selectively punish those they deem troublesome - a great chilling effect.
The way to fight these draconian laws is via democratic means - even if it takes long and arduous. For example, enshrining privacy into constitutional guarantees etc.
While I agree with your overall sentiment, I'm also always surprised by the asymmetric expectation between legislation and executive power. If the premise is "let's ensure by democratic means that the laws are such-and-such", why not equally ask for "let's ensure by democratic means that we have a government that we trust"? That is to say, if you expect to have a government that is your adversary and wants to suppress you then how come you are hoping for laws to protect you? The same process that brings those governments into power also creates the laws.
TL;DR: Too much focus on laws, too little focus on trustworthy government?
A govt is just a bunch of people. What makes people trustworty? Whatever floats your boat, pick that. And I really hope that something floats your boat. A free society is based on trust. Without that, all you get is anarchy. And no laws will save you.
no, adhering to a set of laws (such as the constitution) generates trust.
That's what i was trying to get at, rather than any vagueness that is proposed in your comment about 'something floats your boat'.
That's why term limits in constitutions are a must, for example. And rights enshrined in it are immutable and forever.
Of course, you could argue that it's just a piece of paper, and without pre-existing trust, whatever is written there is meaningless. But the bootstrap, and continuation, of this trust, needs to be there, and i argue that it is from this piece of paper that other forms of trust are built.
It depends on the motivations of the people behind the ban, though. VPNs aren't terribly interesting to the government over a porn age verification plan, largely because subscribing to a VPN costs money and requires a debit card. Some might manage that, but most probably won't. If the motivation was to ban porn entirely and they valued that more than they valued giving business a break (banning VPNs being rather bad news for some companies) then it'd be another story.
> largely because subscribing to a VPN costs money and requires a debit card.
there are VPNs that are proxied out of local residential IP because these gateways are running off users' machines; these VPNs are "free" (they make money by making you run their gateway, and then sell your IP to botnets for example).
i would want to envision a true p2p vpn network not too dissimilar to bittorrent (but without the spyware/malware).
I assume when I’m using Tor that every packet is the under the highest level of collection/analysis priority. I think maybe sometimes it’s better to blend into in the crowd
Simply download the Tor Browser [1], which is simply a hardened version of Firefox that connects to the Tor network.
Don't install addons in this browser. Don't resize the browser window. All tor browsers instances have the same default window size, which prevents websites from tracking you. Obviously don't login into websites with your regular email or provide websites with your PII.
If you are in a country or on a network that blocks the basic Tor network, the FAQ explains how to get around this by using Tor bridges or other techniques [2].
Also don't use non-HTTPS websites while using Tor, and avoid downloading things on hidden services. Using a clearnet website's hidden service is better than the https version if available (duckduckgo and reddit offer both, for example), too, although only marginally so
You could also imagine a website first using ~15 queries to know what the window width is upto 100px, and then provide coarser media queries on the next page load.
You have to explicitly switch to "Safest" mode to turn it off completely.
>Why does Tor Browser ship with JavaScript enabled?
We configure NoScript to allow JavaScript by default in Tor Browser because many websites will not work with JavaScript disabled. Most users would give up on Tor entirely if we disabled JavaScript by default because it would cause so many problems for them. Ultimately, we want to make Tor Browser as secure as possible while also making it usable for the majority of people, so for now, that means leaving JavaScript enabled by default.
Yes, CSS and <picture> etc. can load different resources based on viewport size. Then there are side channels like lazy loading, layout + what you interact with.
You are correct. I was going off my memory. They say [1]
> To prevent fingerprinting based on screen dimensions, Tor Browser starts with a content window rounded to a multiple of 200px x 100px. The strategy here is to put all users in a couple of buckets to make it harder to single them out.
Moreover, even if you resize your window, the browser tries to protect you
> by adding margins to a browser window so that the window is as close as possible to the desired size while users are still in a couple of screen size buckets that prevent singling them out with the help of screen dimensions.
They removed OS spoofing just recently, and there isn't a mitigation for Raptor, some think meek might help with Raptor, but its very much up in the air.
Note this means instead of always sending a Windows user-agent, they send either Windows, Mac, or Linux: one of three user-agents. They don't send more than that, e.g. they don't reveal your Windows version.
I haven't kept up with the space much since then, so am unaware if there is more recent work.
In any case, there are valid threat models where you want to mitigate website fingerprinting but aren't necessarily concerned with AS-level adversaries.
I've seen that, but I didn't see much of a mitigation, though I'll go back and recheck just to be sure, I was pressed for time last time I look at that.
In fairness, most of big tech are AS-level adversaries at this point.
Active attack through BGP-hijacking may be partially mitigated, but this isn't really needed for the most pernicious attacks which are interception/injection from a regional entity that's routing to the broader internet (outbound connections).
The same entities can do early transparent encryption termination for outbound connections (to the general web) since they have their own private signing keys tied to root trust CAs (just not the one the valid cert was issued to), and that lets them collect a treasure trove of forensic artifacts to improve their citizen dossier for advertisers/highest-bidder, or inject content that is ephemeral in nature.
For a guide that goes into so much detail (as far as suggesting enterprise-grade drives, recommended RAID configurations, etc.), not even a passing mention of Tails or Qubes-Whonix is a really interesting choice (read: discouraging omission)!
I sympathise with a bit of paranoia about this. Personally, I'd use a platform like "Tails" (do your own research) which wraps Tor up in a USB bootable Linux OS.
The generally recommended way is to download Tails to a USB thumb drive and boot off of that. This is safer than just using the TOR browser and if something does attack your system none of your actual data is on the OS.
I think i2p will eventually replace Tor. Or should replace. Because Tor has inherent issue with de-anonymisation: you just need to deploy certain number of nodes to facilitate that. And there’s no way of knowing if certain agencies already did that.
I ran a bridge until recently, but the server died a heat death after I moved to another apartment :(
I have not yet had time to find a suitable replacement machine. But running a bridge is a cheap, safe low network volume method people can help out from home. I had it going to help people in 'bad' countries to get out to the rest of the world.
Were you running specifically a bridge or just a non exit relay? Bridges are generally unlisted and are somewhat expensive to mass scrape (the bridge distributors will require captcha or email or Telegram etc) so they are less likely to show up in those lists. Whereas all relays are listed in the consensus and can be trivially enumerated.
It depends on your threat model. Tor is focused on hiding from small-scale passive adversaries (eg, you're in Iran and don't want the Iranian government to see what you're doing. Or your ISP. Or any single node operator). Even the original Tor paper makes it clear that Tor isn't secure against a "global passive adversary" that can observe a large portion of global internet traffic, like the five eyes likely can today.
If you want to avoid global passive adversaries, a mixnet like Nym can work. I'm also working on a related project which takes a different approach of building your own circuit of proxy servers manually with lots of traffic padding: https://github.com/markasoftware/i405-tunnel
Nym is cool, but it has many of the same vulnerabilities as Tor. You can set higher per-node delays in principle, which means your packets will also take longer to get there. But this makes it hard to use most network protocols.
I don't believe these solutions protect against flow correlation observations. If a global adversary is monitoring the entry and exit points, they can identify the user without needing to decrypt the traffic. There are research papers that demonstrate attacks on both these models.
Onion endpoint sites use encrypted traffic and the padding strategy, too and are still susceptible to the correlation attack.
There's a security blog that publishes research papers on different attack models. It's a total PITA to find but I'll see if I can locate it.
There's some subtlety here so my apologies for the long reply.
Nym/Loopix (and I405, though it's so experimental I feel bad even talking about it) completely defeat end-to-end correlation attacks, where an attacker tries to find statistical similarities between the encrypted traffic on the first hop (from the user's home network to some proxy), and the final hop (from some proxy to the final destination clearnet site).
Tor is trivially vulnerable to end-to-end correlation attacks. In addition to the paper you posted, my favorite is http://petworkshop.org/2007/papers/PET2007_preproc_Sampled_t... , which describes how an adversary monitoring just a small fraction (<0.1%) of traffic at key internet exchanges could deanonymize many Tor users.
Nym/Loopix and I405 defeat end-to-end correlation attacks with the same basic idea: Send fixed-rate traffic on the first hop, regardless of whether the user is actually trying to send any tunneled traffic. Both sample from a statistical distribution to decide when to send the next packet, and they send an empty packet if there is no actual data to send. In this way, the traffic being sent on the first hop does not depend at all on the inner cleartext data the user is sending/receiving.
The Mixmatch paper, which AFAIK is the only published attack against Nym/Loopix, is NOT an end-to-end correlation attack. It relies on the attacker controlling one or more Nym "gateways" (equivalent of guard nodes in Tor) and therefore being able to decrypt traffic from users whose first hop goes through that gateway. Further, I believe that the attack described in this paper becomes increasingly difficult as the number of users increases, and the authors of the paper include Nym developers who are actively making changes to make this attack harder. It's not a fundamental weakness in Nym/Loopix, the way that E2E correlations are for Tor.
It's been assumed that three-letter agencies operate many exit nodes for a hot minute. I don't know if this is a special case of infiltration because it's TOR SOP.
This isnt necessarily malicious. As the OP states TOR only works if a lot of people use it for regular browsing. The government wants it to work for the covert stuff so they need buy in from regulars and improving the service is how to do that.
Read some story about some authority having set up tons of servers within the tor network to bust some criminal activity effectively making it not anonymous anymore. Was a while back on HN
The feds and other equivalent agencies in other countries have been running exit nodes for years, but its still better than most solutions even if not perfect. Anyone who has gotten caught though likely wasn't because of any flaws in Tor (or said exit nodes) but because of other lapses in OpSec.
That being said, yes, feds can de-anonymize traffic, probably reliably at this point. There are only about 7-8000 active nodes, most in data centers. The less nodes you hop through, the more likely that traffic can be traced back to the entry point (guard node), and combined with timing can be reasonably traced back to the user. Tor works best with many, many nodes, and a minimum of three. There's not as many nodes as there needs to be so quite often it's only 3 you are going through (guard node/entry point, middle node, exit node)
Plus browsing habits can also be revealing. Just because someone is using Tor doesn't mean they also have disabled javascript, blocked cookies, aren't logging into accounts, etc.
> Anyone who has gotten caught though likely wasn't because of any flaws in Tor (or said exit nodes) but because of other lapses in OpSec.
There have been some cases where some consider the "other lapses in OpSec" to be parallel construction to disguise a Tor vulnerability/breach, and others where the government has declined to prosecute because they'd have to reveal how they know.
If Tor were compromised, we'd likely not know. It's highly likely that it's fine for "normal people" things.
I mean if anything it’s harder today in many ways for the government than it was during the Snowden days, because that prompted tech people to take internet security seriously. Look at the cost trends for 0days over the past ten years.
I can't find a link, but I think people have done simulations and the privacy benefits of more hops are not as great as one might think. If you control the guard and exit, then traffic confirmation is relatively easy by just looking at timing and volume of traffic no matter how many hops are in between.
Does controlling exit nodes necessarily help with deanonimizing? You would need control of the internal nodes for classic de-anonymization, or monitoring of both the exit nodes and the originating network for timing attacks. Also, exit nodes aren’t involved in hidden services. That 7-8000 figure you quoted: is that just exit nodes, or all nodes? My understanding was there aren’t a ton of exit nodes because anyone operating an exit node is liable to get harassed by people impacted by any malicious traffic originating from Tor. But that isn’t really an issue for internal nodes, and so there are more of them
Looks like about 8,000 relays, inclusive of entry and exit nodes. Looks like about 2,500 exit nodes, and ~5,000 guard nodes. With that few I'd say it's reasonable to assume that a large number of both entry and exit are controlled by government agencies, at least enough to reliable to conduct timing attacks against a specific target they are interested in.
> Am also interested in the current understanding of culpability in the US for operating an exit node.
It's a little ambiguous.
Section 230 (which continues to be under attack) provides some legal immunity, along with the DMCA is a safe harbor against copyright infringement claims for the Tor relay operator. Running a middle relay is generally fine and safe.
But, running an exit relay is risky. Even if you can't be held legally liable for the traffic coming from the exit, you could still get raided, and it has happened before where exit node operators have been raided after the traffic coming out of it was attributed to the node owner.
That being said, it's legal to run an exit node (for now). The problem is more so dealing with the inevitable law enforcement subpoenas or seizures, and having the money and resources to prove you are innocent.
> Ross Ulbrect was connected to his dark website by tracing via exit nodes
Ulbricht wasn't caught because of flaws in Tor, but he made other mistakes. He posted stuff on LinkedIn alluding to his activities, he used a real photo on his fake IDs to rent servers, he used his real name, posting a question on stack over flow about running a Tor service, he posted his personal gmail, looked for couriers on Google+, and lastly paid an undercover cop for a hit.
As for getting his location, once the feds gained acccess to silk road, they matched up activity logs, his posting habits were consistent with being in the pacific time zone, and they matched up his user name between his posts on silk road as altoid and he reused the same screenname, associated with his gmail address and full name, on other websites.
A series of stupid opsec mistakes got him caught, not Tor.
Leaving out ‘When did he pay to have someone killed’ from your question is disingenuous, because he directly did that.
He facilitated drug sales. If you setup ‘clucks brick and mortar Silk Road’ you’d be just as guilty.
I don’t think that was ever rosses ethical objective though, I’m pretty sure he felt that drugs should be less illegal and safe. I’m under the impression that Silk Road had rules on what could be sold, and that post SR markets do allow those things, but I could be wrong.
Allegedly. The charge that he paid to have someone killed was never brought into court and never ruled on. Federal agents had access to the site at that point and could have posed the chat. Not really provable one way or the other.
Not defending him, but clarifying that it's not proven "he directly did that"
The article talks about a user who was using very old software, which seems like a pretty straightforward mistake. There's a bunch of speculation in the comments about other things, but I don't really see sources cited, so it's hard to tell what informs those opinions.
In a world where Tor is not a honeypot of some three letter agency, there are implementations of projects like Jim Bell's Assassination Politics. In a world where Tor is not a honeypot its use would be banned, much like the use of Tornado Cash was banned and shut down until the secret services took control of it.
There are many places in the world where direct access to Tor is blocked. There are many countries where use of a VPN is illegal, VPNs are required to log by law, etc. I disagree with this premise.
Those countries seek destructive control of all within its sphere of influence.
There are generally two types of countries, those that seek agency, independence, and freedom of rational thought and action; which requires privacy, and there are those that seek ultimate control, imposing dependence, coercion and corruption of reason; from the top down.
The cultures that seek total control generally fall under totalism and are parasitic in nature. The ones that seek agency, freedom, and independence, Protean.
Many comments talk about exit nodes for surveillance, but there is a totally different vector of use and considerations that dint apply when you aren't trying to access clearnet
And even on darknet it depends on what you’re doing
Reading the NY Times’ darknet site or forum or even nuet browsing darknet markerplace from Tor Browser, whereas I would use a Tor OS like Tails or dual gated VM like Whonix for doing something illicit
VPNs just shift trust from the service provider to the VPN provider, and I don't have much reason to do so for most of my uses. NordVPN or Surfshark are way scummier than a harmless blog or HN, for example, and have more financial and legal incentives to track me
I used Tor for surveillance. But an appropriate kind, IMHO.
I used Tor as a small part of one of the capabilities of a supply chain integrity startup. I built a fancy scraper/crawler to discreetly monitor a major international marketplace (mainstream, not darknet), including selecting appropriate Tor exit nodes for each regional site, to try to ensure that we were seeing the same site content that people from those regions were seeing.
Tor somehow worked perfectly for those needs. So my only big concern was making sure everyone in the startup knew not to go bragging about this unusually good data we had. Since we were one C&D letter away from not being able to get the data at all.
(Unfortunately, this had to be a little adversarial with the marketplace, not done as a data-sharing partnership, since the marketplace benefited from a cut of all the counterfeit and graymarket sales that we were trying to fight. But I made sure the scraper was gentle yet effective, both to not be a jerk, and also to not attract attention.)
(I can talk about it now, since the startup ran out of runway during Covid investor skittishness.)
Next time you find yourself in this situation, a $5 VPN subscription (Mullvad, etc.) gets you the same result without the IP being an obvious Tor exit node. Faster, too, in latency, bandwidth, and the time it takes to change locations. You only care about the VPN part for this, not the onion part.
Worth mentioning a $5 cloud instance and installing Algo VPN on it gets you the same thing without having to trust a 3rd party VPN provider (only a generic VM provider such as AWS). It’s always worth minimizing companies you deal with if you already use AWS, GCP, etc.
It is not. VPN Providers have server all over the world. How many cloud instances in the different part of the world you can buy with $5?
The $5 will only give you the equivalent of 1 exit node.
Incorrect - you've obviously never used one of these services. You get N concurrent connections to your choice of exit nodes. Sometimes N is even infinity.
Sites know about them though. If you need to be even sneakier there's residential proxy networks.
Are Mullvad IPs somehow non-obvious? I assume all mainstream VPNs are detected by their IPs and slapped with captchas at best (and blocked outright at worst).
Your assumption is incorrect.
This is not a good way to do this. Tor exit nodes are public and may be marked for special behavior by the marketplace you are surveying. There is no reason to believe you are getting good information this way.
The right way to do this would be through a VPN/tor + Residential proxy to hide your intentions from everyone involved.
> There is no reason to believe you are getting good information this way.
Spot checks checked out. And it was a perfectly fine way to do it.
You are correct that Tor exit nodes often get special handling (at the moment, including by Cloudflare, and by Google Recaptcha). And the idea of poisoning of data is starting to propagate, due do anti-AI-scraper sentiment.
Poisoning the data has been around for at least a decade now. I used to work for a very large pricing analytics company that would track product pricing for Fortune 500 manufacturers.
We found on several occasions that some shady retailers would find the CIDR of the manufacturers corp networks and comply with the MAP policies on pricing if traffic came from them. Then when our bot went through with obviously generic AWS / Proxy ips we would see a much lower price that broke their agreement. That one was a fun realization for the manufacturers as to the level of shadiness some retailers would go through.
> selecting appropriate Tor exit nodes for each regional site
So, a proxy? Onion routing doesn't really play a role for this use case.
> So, a proxy? Onion routing doesn't really play a role for this use case.
The onion routing obscured our identity from the "proxy" exit nodes.
Separately, Tor was also a convenient way to get a lot of arbitrary country-specific "proxies", without dealing with the sometimes sketchy businesses that are behind residential IP proxies.
(Counterfeiting/graymarket operations can be organized crime. I'd rather just fire up Tor, and trust math a little, than to try to vet the legitimacy and intentions of a residential IP broker.)
The Tor exit nodes are public.
They were concerned about the exit node identifying them, not the site identifying that a Tor exit node is connecting.
Why would you need to obscure your identity from the exit nodes?
So that the exit node can't go to the site they were scraping and say "this is the person scraping your site".
But you'd have relays in between, there's no way an exit node would know who is scraping...
Right, but the question was "why would you need to obscure your identity from the exit nodes", in the context of why the person chose Tor vs. a simple proxy.
Ohh I see!
Yes, but many scrapers configure their Torrc into single-relay mode (following tutorials and open source “rotating tor proxy” repos), in which case the exit relay can easily identify who is scraping which site.
The exit nodes are free to observe and exploit the traffic that they move.
https://www.vice.com/en/article/badonion-honeypot-malicious-...
Honestly what he describes sounds like Raptor (Princeton Report, 2015)
How is this related to Princeton's Raptor, other than having the keywords "Tor" and "surveillance"?
https://www.princeton.edu/~pmittal/publications/raptor-USENI...
(Strange coincidence: We also had different key tech with the codename of Raptor, but it had nothing to do with Tor nor Web scraping. It was for discreet smartphone-based field auditing of physical product, in global physical retail and other locations. The codename was the result of a great morale-boosting impromptu brainstorming session between engineering and marketing people ("can you help think of a cool codename for this..."), and the resulting name highly apt, at least for the movie velociraptors. I built it, and, until Covid disrupted our F500 customers and investors, I was looking forward to hiring engineers to do further work on something cool-sounding like "Raptor", rather than "internal-app" or whatever first came to mind when creating the Git repo. :)
The major attack of concern described in the paper is the transparent early terminated encryption attack, and root trust signing that fall under effectively the same centralized hands at the AS level.
Where an AS level entity MITMs all outbound connections from a region in automated fashion for collection, before that traffic ever makes it to TOR or its destination.
It works for TOR, TLS, pretty much any protocol out there where key exchange or trust occurs; so long as the protocol is known and has distinct classifiable characteristics allowing computation to automatically do this.
There have been instances where public certs issued by a CA with the same domain names, but are issued from a root CA that is other than the legitimate site's root CA which are used for attacks. CT logs don't stop this either.
There is a lot of ephemeral content, and private information that can be both collected, and injected on a targeted basis if one has access to such junctions which the industry (Telecom) has proven time and again that they can't secure following basic practice; largely because mandates to backwards compatibility at the regulatory level.
Social credit, where invisible factors people don't control force those same people into poverty through targeted denial of service (communications for job hunting/social contacts), zersetzung, etc; that all would be a breeze to set up without any external indicator, or remedy using that attack.
What the target sees vs what everyone else sees would be quite different, and of course there would be people that gaslight and torture on top of it all (as a natural psychological defense mechanism of denial).
Compromised communications under such type of attacks are madness inducing.
HEH
I'm letting my imagination fill in the color on the specifics here and I'm working up a little grin.
A hat tip to you
What was the scraper gathering specifically?
Listings of items for sale (for ~100 brands), and how that changed over time. With the marketplace having a pretty rich schema to reconstruct from their server-side rendering.
One of the purposes was cold sales outreaches to an exec at a brand, maybe something like, "Here's a report about graymarket/counterfeit of your brand online, using data you probably haven't seen before; we have a solution we'd like to tell you about".
If I could wager a guess, it sounds like the startup was in the business of scraping Amazon.
No. And when people share info on HN, I don't like to see speculation in the comments about things they obviously intentionally didn't say (assuming that they seem to be speaking in good faith). That person, and other people who see the dynamic, presumably are less likely to share in the future.
I feel there is a level of irony in you being bothered about people interacting with content you've shared in a way you don't like when said content is a story about you interacting with other's content in a way they've explicitly put up barriers to try and stop you from doing that.
Who said the site put up barriers?
I think you have a valid general question (and you'll note I said "appropriate kind, IMHO" at the top of the original comment, acknowledging others might disagree that it was appropriate), but I'd like to contrast two distinct situations:
* A collegial forum, where people might go to share information, sometimes with discretion about what can and can't be said (or just comfort levels).
* A large corporation that was profiting off of illegal businesses (e.g., contract-violating, IP-violating, defrauding buyers, possibly fencing), and we wanted to gather evidence of that on behalf of some of the harmed parties, to try to stop it. And we did that in a technologically gentle, non-disruptive way. And (as I mentioned in the original comment) we had a conscious policy to immediately cease if we were ever told to.
Did you know if you violated any ToS with your software? If yes, why did you feel compelled to continue?
I am not a lawyer but you should know that in most/many/all cases, website ToS have no legal effect whatsoever.
They amount to the same thing as stating "we don't like if you do X and we'll probably ban you" but written in legalese so people take it more seriously.
Get the advice of an actual lawyer before relying on this of course.
No.
Ok, with the phrasing used it looked much more sus than it is then :)
Thank you for pointing that out. Really appreciate you sharing.
To the parent, please do not try to lure info out of people it is just not cool online or in real life when people obviously are being generic for a reason.
You won't be able to scrape Amazon using Tor.
Is it that difficult for a business to colo in various locations? Not rhetorical, I've never thought about it.
exit node is not really a colo.
though there are commercial residential-proxy services available
I think they publicized it so they could obscurely use it for military purposes. The users are easy to spot if they are all military users. Get tons and tons of regular users to use it and you obscure who is trying to hide.
It's unclear if they really did this, or if this was just the pitch they gave to the government. But it was never secret that this was a goal they had explained to the US government: the inventors were pretty straightforward about everything.
I've also read this at some point. Bit hard to have deniability if you're hacking into $ENEMY_COUNTRY servers using a network that only the US Government has access to.
This is exactly it from what I have heard. I have heard this from a large number of trustworthy sources over the years.
I think we have to distinguish between "the Navy proposed using it this way for this reason" (clearly they did, in writing!) and "the government actively uses it this way for this reason" (extremely hard to confirm).
I've met law enforcement people who talked about using Tor for anonymity during investigations, but in context they were looking for anonymity on the exit side rather than the entry side (so, a traditional VPN would have worked too). The original proposal about onion routing is focused on the security provided on the entry side (preventing local telecommunications operators from knowing whom you're communicating with).
The claim is that allows State Department, CIA, and NSA officials to communicate from remote regions with anonymity.
For anyone interested in this author’s book on Tor, it’s available for free download! https://direct.mit.edu/books/oa-monograph/5761/TorFrom-the-D... (full disclosure: i work for MIT Press)
It's a really good book! I was on the very edges of this scene for a chunk of the time described, and I thought it managed to catch a lot of the complexities without picking one possible narrative over another.
Plus I learned a lot -- it came out of some academic research that pursued a unique angle: finding and talking to the Tor exit node operators about their experiences, rather than just say the developers, the executives, or the funders.
I'll share your kind words with the author!
You can also buy it if you want to support the autor. https://mitpress.mit.edu/9780262548182/tor/
Thanks for that. Is it available as epub? I would like to read it on Kindle.
I'd never used Tor, though had to scrape a bunch of things that required different IPs. I figured their endpoints were already tarred.
With the porn block in the UK though, the "New Private Window with Tor" in Brave is very convenient.
Maybe not for long, or maybe not. I guess websites don't need to comply beyond a certain point.
There are tons of "residential proxy" and whatnot type services available, IP being a source of truth doesn't seem to matter much in 2025. The Perplexity 'bot' recent topic being an example of that.
Basically if you want to access any resource on the web for a dollar a GB or so you can use millions of IPs.
Indeed, I've investigated some cyber attacks recently that came from residential IPs in California and NY, though investigation turned up the real origins as coming from India. It's pretty easy to pull off nowadays
Any tutorial?
Residential proxies usually piggy back off unsuspecting users, either through hacked routers/IoT, malicious browser extensions, malicious smartphone applications, or any other kind of malware. If you're looking for a tutorial on how to infect and exploit users, you're not on the right site.
As an illustration of how bad things are on just the browser extension front: https://sponsor.ajay.app/emails/
Indeed. Plenty of shady VPN providers over the years have done exactly this, offering a free VPN service but silently using your residential IP as an exit node for paying customers
I’m asking how do you determine the real origins as being from India when they are using residential ips as proxies.
Yeah, I'm debating whether I should disclose that or not. I am generally a believer in disclosure, but simple awareness of how I figured it out would enable them to better hide their tracks. I think I probably will disclose it, but I need to think on it just a little bit more first
Could you share privately somehow?
Not OP but there are many methods, with more available as you gain more execution privileges. On the “no privileges” end, you have things like accept-language and ping times (which can be coupled with known location of exit node to get an extremely rough “ping to exit” time.. not very useful but at least another data point). Then you have linkage to other devices, e.g. same account logs into site with and without VPN. Or if you have any inputs from the user (search history), maybe they make some typos or Autocorrect that leaks metadata about their native language. On the “some privileges” point of the spectrum, if you’ve got JavaScript execution, you can learn a _lot_ about the region of the user. And on the “many privileges” side, where you’ve got native code execution in a mobile app or similar, it’s game over.
For literature on this kind of thing, look into “PETS” (privacy enhancing technology) research. Incidentally, Tor spends a lot of time plugging these holes in their browser…
Tbh, all these sound like obvious noob mistakes. If I'd be trying to fake coming from NY then of course I don't use my russian-language browser or run Javascript code in a non-sandboxed environment that leaks where I am. The login and auto-complete channels don't really work either because all those things use HTTPS/SSL/TLS/... nowadays and you are rarely the endpoint. If you are and they still do this then again, they don't really know what they are doing.
It doesn't need a highly skilled+funded state actor to avoid those mistakes.
Apologies, I misunderstood the reply.
>With the porn block in the UK though, the "New Private Window with Tor" in Brave is very convenient.
Has someone interested in seeing privacy secured into the future, I’ve been happy that governments are accelerating their censorship for this reason.
Tho trying to solve a social issue with technological solutions is just going to force the other side's hand more. Tor/vpn might work today, but there's no telling what new laws tomorrow will be enacted to ban vpns. And having such laws (that everyone breaks) is just a way for the gov't to selectively punish those they deem troublesome - a great chilling effect.
The way to fight these draconian laws is via democratic means - even if it takes long and arduous. For example, enshrining privacy into constitutional guarantees etc.
While I agree with your overall sentiment, I'm also always surprised by the asymmetric expectation between legislation and executive power. If the premise is "let's ensure by democratic means that the laws are such-and-such", why not equally ask for "let's ensure by democratic means that we have a government that we trust"? That is to say, if you expect to have a government that is your adversary and wants to suppress you then how come you are hoping for laws to protect you? The same process that brings those governments into power also creates the laws.
TL;DR: Too much focus on laws, too little focus on trustworthy government?
what makes a gov't trustworthy?
A govt is just a bunch of people. What makes people trustworty? Whatever floats your boat, pick that. And I really hope that something floats your boat. A free society is based on trust. Without that, all you get is anarchy. And no laws will save you.
no, adhering to a set of laws (such as the constitution) generates trust.
That's what i was trying to get at, rather than any vagueness that is proposed in your comment about 'something floats your boat'.
That's why term limits in constitutions are a must, for example. And rights enshrined in it are immutable and forever.
Of course, you could argue that it's just a piece of paper, and without pre-existing trust, whatever is written there is meaningless. But the bootstrap, and continuation, of this trust, needs to be there, and i argue that it is from this piece of paper that other forms of trust are built.
It depends on the motivations of the people behind the ban, though. VPNs aren't terribly interesting to the government over a porn age verification plan, largely because subscribing to a VPN costs money and requires a debit card. Some might manage that, but most probably won't. If the motivation was to ban porn entirely and they valued that more than they valued giving business a break (banning VPNs being rather bad news for some companies) then it'd be another story.
> largely because subscribing to a VPN costs money and requires a debit card.
there are VPNs that are proxied out of local residential IP because these gateways are running off users' machines; these VPNs are "free" (they make money by making you run their gateway, and then sell your IP to botnets for example).
i would want to envision a true p2p vpn network not too dissimilar to bittorrent (but without the spyware/malware).
The problem with most infrastructure is that there's a big gap in security where it centralizes, and its transparent.
To understand how, you should review the Princeton Report's Raptor attack, and understand how it works (2015).
If you already have an understanding of how Tor works and want to know how attacks on it work, read these!
- https://github.com/mikeperry-tor/vanguards/blob/master/READM...
- https://github.com/mikeperry-tor/vanguards/blob/master/READM...
- https://spec.torproject.org/proposals/344-protocol-info-leak...
I assume when I’m using Tor that every packet is the under the highest level of collection/analysis priority. I think maybe sometimes it’s better to blend into in the crowd
that short-term thinking is what makes it impossible to blend in the long run
I've never felt like I knew how to use Tor correctly, or trusted anyone to be able to guide me on that.
Simply download the Tor Browser [1], which is simply a hardened version of Firefox that connects to the Tor network.
Don't install addons in this browser. Don't resize the browser window. All tor browsers instances have the same default window size, which prevents websites from tracking you. Obviously don't login into websites with your regular email or provide websites with your PII.
If you are in a country or on a network that blocks the basic Tor network, the FAQ explains how to get around this by using Tor bridges or other techniques [2].
That's pretty much all you need to know.
[1] https://www.torproject.org/download/
[2] https://support.torproject.org/censorship/
Also don't use non-HTTPS websites while using Tor, and avoid downloading things on hidden services. Using a clearnet website's hidden service is better than the https version if available (duckduckgo and reddit offer both, for example), too, although only marginally so
There's a ton of little things like this (e.g. you also should consider not using bookmarks, or at least avoiding obscure ones).
A good overview is available at https://www.whonix.org/wiki/Tor_Browser#Unsafe_Tor_Browser_H...
Is window size visible to web sites when java script is turned off? It's off by default in Tor browser.
Yes, even without JS a website can tell what size your browser window is. One way would be to use a large amount of media queries like so:
You could also imagine a website first using ~15 queries to know what the window width is upto 100px, and then provide coarser media queries on the next page load.It's on by default in Tor browser.
You have to explicitly switch to "Safest" mode to turn it off completely.
>Why does Tor Browser ship with JavaScript enabled?
We configure NoScript to allow JavaScript by default in Tor Browser because many websites will not work with JavaScript disabled. Most users would give up on Tor entirely if we disabled JavaScript by default because it would cause so many problems for them. Ultimately, we want to make Tor Browser as secure as possible while also making it usable for the majority of people, so for now, that means leaving JavaScript enabled by default.
https://support.torproject.org/tbb/tbb-34/
Yes, CSS and <picture> etc. can load different resources based on viewport size. Then there are side channels like lazy loading, layout + what you interact with.
> All tor browsers instances have the same default window size, which prevents websites from tracking you.
Wouldn't that in and of itself be a possible clue that someone was using Tor?
Figuring out someone is using Tor is trivial (e.g. list of exit node IPs https://www.dan.me.uk/torlist/?exit).
This mitigation helps protect the individual Tor user (e.g. with a unique 1726x907 px window) being fingerprinted across multiple sessions / sites.
While not perfect, I thought tor rounded reported resolution to a small set of values
You are correct. I was going off my memory. They say [1]
> To prevent fingerprinting based on screen dimensions, Tor Browser starts with a content window rounded to a multiple of 200px x 100px. The strategy here is to put all users in a couple of buckets to make it harder to single them out.
Moreover, even if you resize your window, the browser tries to protect you
> by adding margins to a browser window so that the window is as close as possible to the desired size while users are still in a couple of screen size buckets that prevent singling them out with the help of screen dimensions.
[1] https://tb-manual.torproject.org/anti-fingerprinting/#letter...
They removed OS spoofing just recently, and there isn't a mitigation for Raptor, some think meek might help with Raptor, but its very much up in the air.
Note this means instead of always sending a Windows user-agent, they send either Windows, Mac, or Linux: one of three user-agents. They don't send more than that, e.g. they don't reveal your Windows version.
There is partial mitigation for RAPTOR: Counter-RAPTOR from 2017 (https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=795...) with mostly the same authors.
I haven't kept up with the space much since then, so am unaware if there is more recent work.
In any case, there are valid threat models where you want to mitigate website fingerprinting but aren't necessarily concerned with AS-level adversaries.
> There is partial mitigation for RAPTOR: Counter-RAPTOR from 2017 (https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=795...)
Oh I had missed that, thank you btw! Need more of those BGP monitoring systems...
(and they performed an actual live BGP attack (not just simulation), neat)
I've seen that, but I didn't see much of a mitigation, though I'll go back and recheck just to be sure, I was pressed for time last time I look at that.
In fairness, most of big tech are AS-level adversaries at this point.
Active attack through BGP-hijacking may be partially mitigated, but this isn't really needed for the most pernicious attacks which are interception/injection from a regional entity that's routing to the broader internet (outbound connections).
The same entities can do early transparent encryption termination for outbound connections (to the general web) since they have their own private signing keys tied to root trust CAs (just not the one the valid cert was issued to), and that lets them collect a treasure trove of forensic artifacts to improve their citizen dossier for advertisers/highest-bidder, or inject content that is ephemeral in nature.
The list of Tor nodes is public so it's trivial to detect a user is using Tor you just have to check the IP.
Or a computer of that window size, and there a lot browsers that dont support js.
> That's pretty much all you need to know.
Depends on the level of anonymity the end-user desires. That rabbit hole is deep, but not that deep: https://www.ivpn.net/privacy-guides/advanced-privacy-and-ano... / https://archive.today/9DhtT (by u/mirmir)
For a guide that goes into so much detail (as far as suggesting enterprise-grade drives, recommended RAID configurations, etc.), not even a passing mention of Tails or Qubes-Whonix is a really interesting choice (read: discouraging omission)!
I sympathise with a bit of paranoia about this. Personally, I'd use a platform like "Tails" (do your own research) which wraps Tor up in a USB bootable Linux OS.
https://tails.net/
The generally recommended way is to download Tails to a USB thumb drive and boot off of that. This is safer than just using the TOR browser and if something does attack your system none of your actual data is on the OS.
https://tails.net/
Back when I tried, it was a modified Firefox build.
That's just a browser form of it: https://www.torproject.org/download/
Tor is hardly private IMO. Whoever has the largest no of servers can see all the traffic
Tor is nice, but I still prefer i2p.
I think i2p will eventually replace Tor. Or should replace. Because Tor has inherent issue with de-anonymisation: you just need to deploy certain number of nodes to facilitate that. And there’s no way of knowing if certain agencies already did that.
I2P is a superior network design. It's a shame it gets so little attention.
But it is more difficult to run
It's all about trust
With free software the trust is minimized. Instead, you rely on the community checks.
i wish they were also a lifeline for censorship too, tor is effectively non functional in many countries :(
tor tries very hard to bypass censorship. Have you tried the numerous Tor bridges, or the new Snowflake p2p bridge?
yeah none of them work in russia, only thing that works is xray vpn
Obfs4 bridges work (if you can find an non-blocked one): https://metrics.torproject.org/userstats-bridge-country.html...
I ran a bridge until recently, but the server died a heat death after I moved to another apartment :(
I have not yet had time to find a suitable replacement machine. But running a bridge is a cheap, safe low network volume method people can help out from home. I had it going to help people in 'bad' countries to get out to the rest of the world.
https://community.torproject.org/relay/setup/bridge/
> I ran a bridge until recently
A lifetime ago, I ran bridges from RAM only distros. But early versions of the Dan list (1st in wide use) killed that.
DL didn't try hard to differentiate between bridge IPs and exit IPs. Server hosts just grabbed the first list they saw and blocked with it.
It was years before the notion of Exit != Bridge became understood but everyone had moved on. We're at the entropic 'No One Cares Anymore' phase now.
Were you running specifically a bridge or just a non exit relay? Bridges are generally unlisted and are somewhat expensive to mass scrape (the bridge distributors will require captcha or email or Telegram etc) so they are less likely to show up in those lists. Whereas all relays are listed in the consensus and can be trivially enumerated.
Especially as the internet, itself, started as a military project. [DARPA]
Friendly reminder that exit nodes are to be avoided. Hidden services are the way to go.
In this case you should use I2P, which is specifically designed for hidden services (eepsites) first.
I2P has a completely different architecture and AFAIK it remains to be known which one is better.
And now its all honey pot exit nodes.
Just setup a vpn.
Isn't Tor dead? Wasn't it infiltrated long ago?
It depends on your threat model. Tor is focused on hiding from small-scale passive adversaries (eg, you're in Iran and don't want the Iranian government to see what you're doing. Or your ISP. Or any single node operator). Even the original Tor paper makes it clear that Tor isn't secure against a "global passive adversary" that can observe a large portion of global internet traffic, like the five eyes likely can today.
If you want to avoid global passive adversaries, a mixnet like Nym can work. I'm also working on a related project which takes a different approach of building your own circuit of proxy servers manually with lots of traffic padding: https://github.com/markasoftware/i405-tunnel
Nym is cool, but it has many of the same vulnerabilities as Tor. You can set higher per-node delays in principle, which means your packets will also take longer to get there. But this makes it hard to use most network protocols.
Isn’t i2p supposed to replace Tor?
I don't believe these solutions protect against flow correlation observations. If a global adversary is monitoring the entry and exit points, they can identify the user without needing to decrypt the traffic. There are research papers that demonstrate attacks on both these models.
Onion endpoint sites use encrypted traffic and the padding strategy, too and are still susceptible to the correlation attack.
There's a security blog that publishes research papers on different attack models. It's a total PITA to find but I'll see if I can locate it.
edit: JFC... finally found it: https://www.freehaven.net/anonbib/
Correlation attack concept: https://www.ndss-symposium.org/wp-content/uploads/2024-337-p...
Attack against Mixnet and Nym: https://petsymposium.org/popets/2024/popets-2024-0050.pdf
There's some subtlety here so my apologies for the long reply.
Nym/Loopix (and I405, though it's so experimental I feel bad even talking about it) completely defeat end-to-end correlation attacks, where an attacker tries to find statistical similarities between the encrypted traffic on the first hop (from the user's home network to some proxy), and the final hop (from some proxy to the final destination clearnet site).
Tor is trivially vulnerable to end-to-end correlation attacks. In addition to the paper you posted, my favorite is http://petworkshop.org/2007/papers/PET2007_preproc_Sampled_t... , which describes how an adversary monitoring just a small fraction (<0.1%) of traffic at key internet exchanges could deanonymize many Tor users.
Nym/Loopix and I405 defeat end-to-end correlation attacks with the same basic idea: Send fixed-rate traffic on the first hop, regardless of whether the user is actually trying to send any tunneled traffic. Both sample from a statistical distribution to decide when to send the next packet, and they send an empty packet if there is no actual data to send. In this way, the traffic being sent on the first hop does not depend at all on the inner cleartext data the user is sending/receiving.
The Mixmatch paper, which AFAIK is the only published attack against Nym/Loopix, is NOT an end-to-end correlation attack. It relies on the attacker controlling one or more Nym "gateways" (equivalent of guard nodes in Tor) and therefore being able to decrypt traffic from users whose first hop goes through that gateway. Further, I believe that the attack described in this paper becomes increasingly difficult as the number of users increases, and the authors of the paper include Nym developers who are actively making changes to make this attack harder. It's not a fundamental weakness in Nym/Loopix, the way that E2E correlations are for Tor.
I just use it to get books for free so idk about all the state regulation stuff.
It's been assumed that three-letter agencies operate many exit nodes for a hot minute. I don't know if this is a special case of infiltration because it's TOR SOP.
This isnt necessarily malicious. As the OP states TOR only works if a lot of people use it for regular browsing. The government wants it to work for the covert stuff so they need buy in from regulars and improving the service is how to do that.
I personally can't see how it can be secure without dummy messages.
What makes you believe that?
Read some story about some authority having set up tons of servers within the tor network to bust some criminal activity effectively making it not anonymous anymore. Was a while back on HN
The feds and other equivalent agencies in other countries have been running exit nodes for years, but its still better than most solutions even if not perfect. Anyone who has gotten caught though likely wasn't because of any flaws in Tor (or said exit nodes) but because of other lapses in OpSec.
That being said, yes, feds can de-anonymize traffic, probably reliably at this point. There are only about 7-8000 active nodes, most in data centers. The less nodes you hop through, the more likely that traffic can be traced back to the entry point (guard node), and combined with timing can be reasonably traced back to the user. Tor works best with many, many nodes, and a minimum of three. There's not as many nodes as there needs to be so quite often it's only 3 you are going through (guard node/entry point, middle node, exit node)
Plus browsing habits can also be revealing. Just because someone is using Tor doesn't mean they also have disabled javascript, blocked cookies, aren't logging into accounts, etc.
> Anyone who has gotten caught though likely wasn't because of any flaws in Tor (or said exit nodes) but because of other lapses in OpSec.
There have been some cases where some consider the "other lapses in OpSec" to be parallel construction to disguise a Tor vulnerability/breach, and others where the government has declined to prosecute because they'd have to reveal how they know.
If Tor were compromised, we'd likely not know. It's highly likely that it's fine for "normal people" things.
At least back in the Snowden days it was very unreliable for the US to deanonymize Tor traffic based on those documents.
That was over a decade ago. They've almost certainly progressed since.
... now my back hurts and I want the damn kids off my lawn.
I mean if anything it’s harder today in many ways for the government than it was during the Snowden days, because that prompted tech people to take internet security seriously. Look at the cost trends for 0days over the past ten years.
This page on the mailing list has links to cases of people who were caught because of an unknown flaw in Tor: https://archive.torproject.org/websites/lists.torproject.org...
I can't find a link, but I think people have done simulations and the privacy benefits of more hops are not as great as one might think. If you control the guard and exit, then traffic confirmation is relatively easy by just looking at timing and volume of traffic no matter how many hops are in between.
Does controlling exit nodes necessarily help with deanonimizing? You would need control of the internal nodes for classic de-anonymization, or monitoring of both the exit nodes and the originating network for timing attacks. Also, exit nodes aren’t involved in hidden services. That 7-8000 figure you quoted: is that just exit nodes, or all nodes? My understanding was there aren’t a ton of exit nodes because anyone operating an exit node is liable to get harassed by people impacted by any malicious traffic originating from Tor. But that isn’t really an issue for internal nodes, and so there are more of them
Controlling an exit node alone doesn't help, but controlling both entry and exit nodes does.
The tor project has network stats on their website: https://metrics.torproject.org/networksize.html
Looks like about 8,000 relays, inclusive of entry and exit nodes. Looks like about 2,500 exit nodes, and ~5,000 guard nodes. With that few I'd say it's reasonable to assume that a large number of both entry and exit are controlled by government agencies, at least enough to reliable to conduct timing attacks against a specific target they are interested in.
Am also interested in the current understanding of culpability in the US for operating an exit node.
> Am also interested in the current understanding of culpability in the US for operating an exit node.
It's a little ambiguous.
Section 230 (which continues to be under attack) provides some legal immunity, along with the DMCA is a safe harbor against copyright infringement claims for the Tor relay operator. Running a middle relay is generally fine and safe.
But, running an exit relay is risky. Even if you can't be held legally liable for the traffic coming from the exit, you could still get raided, and it has happened before where exit node operators have been raided after the traffic coming out of it was attributed to the node owner.
That being said, it's legal to run an exit node (for now). The problem is more so dealing with the inevitable law enforcement subpoenas or seizures, and having the money and resources to prove you are innocent.
It was always that way, Ross Ulbrect was connected to his dark website by tracing via exit nodes.
Tor was always a government tool.
> Ross Ulbrect was connected to his dark website by tracing via exit nodes
Ulbricht wasn't caught because of flaws in Tor, but he made other mistakes. He posted stuff on LinkedIn alluding to his activities, he used a real photo on his fake IDs to rent servers, he used his real name, posting a question on stack over flow about running a Tor service, he posted his personal gmail, looked for couriers on Google+, and lastly paid an undercover cop for a hit.
As for getting his location, once the feds gained acccess to silk road, they matched up activity logs, his posting habits were consistent with being in the pacific time zone, and they matched up his user name between his posts on silk road as altoid and he reused the same screenname, associated with his gmail address and full name, on other websites.
A series of stupid opsec mistakes got him caught, not Tor.
All of this should serve as a reminder that if .gov really, really wants you, they've got you.
Unless, of course, they want everybody, which even they don't have the resources to handle.
It should (also) serve as a reminder that OpSec is important.
Maybe a reminder to also not sell heavy drugs to children or to order murder for hire?
When did he sell heavy drugs to children?
When did he sell drugs?
Leaving out ‘When did he pay to have someone killed’ from your question is disingenuous, because he directly did that.
He facilitated drug sales. If you setup ‘clucks brick and mortar Silk Road’ you’d be just as guilty.
I don’t think that was ever rosses ethical objective though, I’m pretty sure he felt that drugs should be less illegal and safe. I’m under the impression that Silk Road had rules on what could be sold, and that post SR markets do allow those things, but I could be wrong.
Allegedly. The charge that he paid to have someone killed was never brought into court and never ruled on. Federal agents had access to the site at that point and could have posed the chat. Not really provable one way or the other.
Not defending him, but clarifying that it's not proven "he directly did that"
I believe this is the thread you're talking about https://news.ycombinator.com/item?id=41584428
The article talks about a user who was using very old software, which seems like a pretty straightforward mistake. There's a bunch of speculation in the comments about other things, but I don't really see sources cited, so it's hard to tell what informs those opinions.
The observable world around us.
In a world where Tor is not a honeypot of some three letter agency, there are implementations of projects like Jim Bell's Assassination Politics. In a world where Tor is not a honeypot its use would be banned, much like the use of Tornado Cash was banned and shut down until the secret services took control of it.
And we obviously don't live in such world.
> its use would be banned
There are many places in the world where direct access to Tor is blocked. There are many countries where use of a VPN is illegal, VPNs are required to log by law, etc. I disagree with this premise.
EU countries will soon join the club.
"VPN services may soon become a new target of EU lawmakers after being deemed a "key challenge"" https://www.techradar.com/vpn/vpn-privacy-security/vpn-servi...
Probably because those governments don’t control the honeypot.
Those countries seek destructive control of all within its sphere of influence.
There are generally two types of countries, those that seek agency, independence, and freedom of rational thought and action; which requires privacy, and there are those that seek ultimate control, imposing dependence, coercion and corruption of reason; from the top down.
The cultures that seek total control generally fall under totalism and are parasitic in nature. The ones that seek agency, freedom, and independence, Protean.
Its not a binary thing, Tor updates all the time
Many comments talk about exit nodes for surveillance, but there is a totally different vector of use and considerations that dint apply when you aren't trying to access clearnet
And even on darknet it depends on what you’re doing
Reading the NY Times’ darknet site or forum or even nuet browsing darknet markerplace from Tor Browser, whereas I would use a Tor OS like Tails or dual gated VM like Whonix for doing something illicit
"A lifeline for privacy" reads more like a "hub for pedophilia and other gross, unspeakable crimes".
Just use a VPN for fuck's sake.
"People who disagree with me are paedophiles" isn't great.
VPNs just shift trust from the service provider to the VPN provider, and I don't have much reason to do so for most of my uses. NordVPN or Surfshark are way scummier than a harmless blog or HN, for example, and have more financial and legal incentives to track me
Of course any privacy measure protects criminals of all sorts, that doesn't mean it's not worth having
Hope you never lock the bathroom door or close the curtains in your house. Imagine what you might be doing in there!
>Tor: How a military project became a lifeline for privacy
Arpanet: How a military project gutted personal privacy, destabilized self esteem and strangled attention spans