Tor - The Onion Router

[Darwin]

If you're worried about internet security and the footprint that you leave as you wander the net,  Free Download a Day is highlighting The Onion Router today. This FOSS app promises to provide you with a truly anonymous "presence" on the internet. There are shareware apps that do the same thing (Anonymizer and Ghostsurf spring to mind) but this one promises the same functionality for free.

[Eóin]

A nice package which really simplifies this process for a new user is the freely available xB Browser. It's a gecko based browser from XeroBank

[Darwin]

Nice find, Eóin - worth a look as well. I don't really worry about security to this point (if I did want to surf anonymously and without worrying about security, I'd use a combo of Ad-Muncher's IP scramble and Sandboxie - both of which are already installed), but it's always nice to see these various options.

[cranioscopical]

Free Download a Day is highlighting The Onion Router today.

-Darwin (November 04, 2007, 08:54 AM)

It's nice when one doesn't have to shallot for software.

[f0dder]

TOR is a nice piece of work, just remember that there's some issues with it - like, if you're not using an encrypted protocol (ie., you're browsing a site with http:// and not https://), it's still very possible for people to sniff your traffic at the exit node. Yes, this has been done.

Also, I haven't checked into this, but is it possible for TOR nodes along the way to eavesdrop on your traffic?

[Lashiec]

Yes, it's possible, but not very probable.

I would be very wary of using Tor if you are sending sensitive data, anyway, some exit nodes are operated by questionable organizations or countries... I suppose maybe you could encrypt your traffic before it's sent, but I don't know if such thing would be feasible.

(Oh man, another link to Ars Technica, it's like I work there )

[Darwin]

I *think* Ghost Surf encrypts your data before sending it... but then, it's a shareware solution. I actually used it extensively circa 2005 but stopped using it circa 2005 because I don't really feel that I need the level of security that it provides.

[f0dder]

Yes, it's possible, but not very probable.

-Lashiec (November 04, 2007, 06:08 PM)

That's "just" the identify where the traffic is from attack, which is of course bad enough. I thought I heard it having been used in the wild, but can't find the reference... I was probably just thinking about the theoretical attack.

I would be very wary of using Tor if you are sending sensitive data, anyway, some exit nodes are operated by questionable organizations or countries... I suppose maybe you could encrypt your traffic before it's sent, but I don't know if such thing would be feasible.

-Lashiec (November 04, 2007, 06:08 PM)

TOR does it's own encryption, but obviously this can be decrypted, since the exit nodes need to send something the final destionation host (outside the TOR network) can understand. So if your data is traveling through a TOR node operated by somebody with malicious intents, won't they be able to see your data stream?

Of course you can use your own encryption before going through the TOR network, but anything that's attackable with a man-in-the-middle approach will be vulnerable, since the TOR network is effectively a whole lot of middle men.

I'm not sure how often TOR's routing changes, though... if it did often enough (ie, multiple times even for the same connection) it would be a lot harder to do attacks. But my guess is that once a stable/fast route is found, it'll prefer that route.

I suppose maybe you could encrypt your traffic before it's sent, but I don't know if such thing would be feasible.

-Lashiec

HTTPS (but...), PGP encrypted emails, password-protected RAR archives, etc...

[Lashiec]

It's a good question. Traffic between nodes goes encrypted, but I suppose it has to be decrypted to perform another exchange of different keys with the next node in the path, so I guess during that moment you could see the data using appropriate tools.

It's a fact that exit nodes are capable of viewing your traffic, though. And people are also capable of viewing its traffic, just like it happened to this German guy who went to jail because his exit node was being used by a child pornographer. It was suggested that Russian and Chinese governments are operating a group of nodes in the Tor network. Now, if I could find the source...

About the encryption thing, I was asking if it's possible to encrypt any kind of traffic you send to other computers, but of course, those other computers should be able to decrypt your traffic as well, I mean, negotiation of keys is needed. Am I correct?

[f0dder]

About the encryption thing, I was asking if it's possible to encrypt any kind of traffic you send to other computers, but of course, those other computers should be able to decrypt your traffic as well, I mean, negotiation of keys is needed. Am I correct?

-Lashiec (November 05, 2007, 02:00 PM)

First of all, the applications need to either be aware of the encryption (ie., it's done at the application protocol level), or you can tunnel/encapsulate the application traffic (ie., instead of connection to the other host, you connect to a port at localhost, which has an encrypted tunnel to the real host).

If you use an automatic (transparent) encryption (or rather, keyexchange) scheme, you're vulnerable to man-in-middle attacks. Under normal circumstances, when your data is only traveling through normal routers and not something like TOR, and you're not doing anything that attracts government attention , I wouldn't worry too much.

Alternatively, you could use known-passphrase encryption (same passphrase used at both ends), but that's a hell wrt. key exchange. Or you could use public-key encryption, which is somewhat better, but you still need either central key authorities or a web of trust...

[Lashiec]

So no real solution to be used without some cooperation from the other side of the transmission. I wonder how those BitTorrent clients using encryption do to connect with the clients that do not support it, like the same Opera . Maybe they ignore those other clients and thus they don't exchange data with them?

[Ralf Maximus]

Free Download a Day is highlighting The Onion Router today.

-Darwin (November 04, 2007, 08:54 AM)

It's nice when one doesn't have to shallot for software.

-cranioscopical (November 04, 2007, 11:15 AM)

+1 for punitive damages .  :-)

[iphigenie]

It is also a good idea to use tor for non sensitive stuff, as it increases the security of the network for all.

I use tor as a proxy when on the road, and sometimes from home. I am considering making a node too, I think the whole concept is quite important.

Besides, that way if I really have something sensitive one day it wont be too obvious (can't be too paranoid!). But besides i live with someone whose work could one day be deemed sensitive so it's not a bad idea to start early

[f0dder]

So no real solution to be used without some cooperation from the other side of the transmission. I wonder how those BitTorrent clients using encryption do to connect with the clients that do not support it, like the same Opera . Maybe they ignore those other clients and thus they don't exchange data with them?

-Lashiec (November 06, 2007, 09:35 AM)

Depends on the client - you usally get some options, ranging from "Turn Off", "Accept Incoming", "Try Outgoing", "Force Outgoing"... Also, iirc the torrent id hash is used as part of the encryption key, so a man-in-middle that doesn't sniff tracker requests will probably have a hard(er) time intercepting traffic.

But it's still fully possible (although a bit tricker) for ISPs to detect even encrypted torrent traffic and throttle it.