@jeffcouch

by jeff couch (@jeffcouch) with gene meltser (@gmeltser, a security expert and technology guru)

UPDATE: 3/7/2010 - Google and the Tor Project is a cool blog about how the Google Summer of Code has helped the Tor Project and Why.

Why?

Many folks, including my father, would ask why someone needs anonymity on the internet unless they are going to do something nefarious.  To that I simply say that if you trust every internet service provider, destination website, and all the communications between, then you dont.  For the rest of the world that needs the ability to occasionally anonymize communications there is Tor.  For more information about the general benefits on anonymity there is a nice post on the tor blog (https://www.torproject.org/press/presskit/2009-General-Online-Anonymity-with-Tor.pdf)

Who uses Tor?

I cant put it any better than the Tor project does themselves here.

Still not sure... then suspend your doubts briefly and be entertained

If the idealist in you cant see past the potential illegal abuse, maybe you can just be entertained by the idea of bouncing you internet traffic around the world...

remember Swordfish?

anyway, back to the point at hand...

Tor Blurb

Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.

Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers, instant messaging clients, remote login, and other applications based on the TCP protocol.

Hundreds of thousands of people around the world use Tor for a wide variety of reasons: journalists and bloggers, human rights workers, law enforcement officers, soldiers, corporations, citizens of repressive regimes, and just ordinary citizens. See the Who Uses Tor? page for examples of typical Tor users. See the overview page for a more detailed explanation of what Tor does, and why this diversity of users is important.

Tor doesn't magically encrypt all of your Internet activities, though. You should understand what Tor does and does not do for you.

Tor's security improves as its user base grows and as more people volunteer to run relays. (It isn't nearly as hard to set up as you might think, and can significantly enhance your own security.) If running a relay isn't for you, we need help with many other aspects of the project, and we need funds to continue making the Tor network faster and easier to use while maintaining good security.

My experience

The first step in understanding how Tor works is to understand that Tor redirects your internet traffic through a series of secure servers.  To use Tor you have two options.

1. Install the Tor client and configure your applications to use it.
2. Install a Tor browser bundle which includes a preconfigured Firefox executable that can be installed onto a USB thumb drive and used without additional configuration.

I chose to use option 2.  It is easy and effective.  Why make things more complicated right?

Once installed on the thumb drive I am able to launch the "Start Tor Browser" application from my USB thumb drive and immediately browse the internet in a uniquely anonymous way. 

WARNINGS!

Jeff's warning:

• dont be stupid
• internet traffic that is bounced around the world is a bit slower than normal internet traffic.  If Tor acts slow, its only because it is working hard to anonymize.

Gene's warnings:

• "anonymity is not security".
• Using Tor for illegal activity does not make one immune to being traced or caught.
• All of the usual security best practices such as using updated software, not clicking on untrusted/suspicious links, opening up attachements, using strong SSL encryption, etc., still apply and should be used.
• Also - consider that while Tor anonymizes connections, it also presents single points of attack to potential attackers - a compromise in a Tor infrastructure means that everything that is going through Tor is now in the hands of attackers, including credentials, passwords, etc. Being the aggregator point of many connections, it is naturally a big target for attackers that are looking for high risk/high reward returns on a successful attack, so once again, due diligence and internet use best practices very much apply.

The Tor Project's Warnings:

Warning: Want Tor to really work? ...then please don't just install it and go on. You need to change some of your habits, and reconfigure your software! Tor by itself is NOT all you need to maintain your anonymity. There are several major pitfalls to watch out for:

• Tor only protects Internet applications that are configured to send their traffic through Tor — it doesn't magically anonymize all your traffic just because you install it. We recommend you use Firefox with the Torbutton extension.
• Torbutton blocks browser plugins such as Java, Flash, ActiveX, RealPlayer, Quicktime, Adobe's PDF plugin, and others: they can be manipulated into revealing your IP address. For example, that means Youtube is disabled. If you really need your Youtube, you can reconfigure Torbutton to allow it; but be aware that you're opening yourself up to potential attack. Also, extensions like Google toolbar look up more information about the websites you type in: they may bypass Tor and/or broadcast sensitive information. Some people prefer using two browsers (one for Tor, one for unsafe browsing).
• Beware of cookies: if you ever browse without Tor and a site gives you a cookie, that cookie could identify you even when you start using Tor again. Torbutton tries to handle your cookies safely. CookieCuller can help protect any cookies you do not want to lose.
• Tor anonymizes the origin of your traffic, and it encrypts everything between you and the Tor network and everything inside the Tor network, but it can't encrypt your traffic between the Tor network and its final destination. If you are communicating sensitive information, you should use as much care as you would on the normal scary Internet — use HTTPS or other end-to-end encryption and authentication.
• While Tor blocks attackers on your local network from discovering or influencing your destination, it opens new risks: malicious or misconfigured Tor exit nodes can send you the wrong page, or even send you embedded Java applets disguised as domains you trust. Be careful opening documents or applications you download through Tor, unless you've verified their integrity.

Be smart and learn more. Understand what Tor does and does not offer. This list of pitfalls isn't complete, and we need your help identifying and documenting all the issues.

The wikipedia intro on Tor for your convenience.  

From Wikipedia, the free encyclopedia

The Onion Router (Tor) is a free software implementation of second-generation onion routing enabling Internet anonymity by thwarting network traffic analysis. Roger Dingledine, Nick Mathewson, and Paul Syverson presented "Tor: The Second-Generation Onion Router" at the 13th USENIX Security Symposium on Friday, August 13, 2004.[5]

Tor employs cryptography in a multi-layered manner (hence the Onion routing analogy), ensuring perfect forward secrecy between routers.[citation needed] A user of the Tor network runs a proxy server on his computer. Internet-facing software can then access Tor through a SOCKS interface. Once inside a Tor network, the traffic is sent from router to router, the Tor software periodically negotiating a virtual circuit through the Tor network, ultimately reaching an exit node at which point the cleartext packet is forwarded on to its original destination. Viewed from the destination, the traffic appears to originate at the Tor exit node.

Tor cannot and does not attempt to protect against monitoring of traffic at the boundaries of the Tor network, i.e., the traffic entering and exiting the network.[6] The United States government, for example, has the capability to monitor any broadband Internet traffic using devices mandated by the Communications Assistance For Law Enforcement Act (CALEA) and can therefore legally monitor either (or both) end of a Tor connection if it originates or terminates in the US. While Tor does provide protection against traffic analysis, it cannot prevent traffic confirmation (also called end-to-end correlation).[6]

Originally sponsored by the US Naval Research Laboratory, Tor became an Electronic Frontier Foundation (EFF) project in late 2004 and the EFF supported Tor financially until November 2005.[7] Tor software is now developed by the Tor Project, which since December 2006 is a 501(c)(3) research/education non-profit organization based in the United States of America that receives a diverse base of financial support.[1][7][8]

Jump to: navigation, search