Silk Road forums

Discussion => Security => Topic started by: wiggum on June 15, 2013, 02:23 am

Title: What does an ISP "see" when you use Tor?
Post by: wiggum on June 15, 2013, 02:23 am
I know that people here say the best practice is to not use Tor from your home ISP because the ISP "can tell you are using Tor."

What exactly do they "see" that gives away your Tor use?  The data itself is obviously encrypted.  I know that if they wanted to, they could figure out you're using Tor by seeing that your traffic is going to a known entry node for Tor. 

But what if you use a random variety of different bridge relays - would the ISP still be able to tell you're using Tor (assuming they don't have a list of known bridges to cross-reference)? 

Is there something about the metadata or Tor protocol that allows an ISP to detect you are using Tor even if you're using a bridge that the ISP doesn't know anything about?
Title: Re: What does an ISP "see" when you use Tor?
Post by: Baraka on June 15, 2013, 05:16 am
Detecting Tor is simple. China has been detecting it and blocking it for the last couple of years. Check this out (Clearnet): http://www.technologyreview.com/view/427413/how-china-blocks-the-tor-anonymity-network/

The data may be encrypted, but the behavior of the packets is still detectable. The same goes for most VPN protocols including OpenVPN. Every protocol has its own "handshake". The only way to get around that is to tunnel your data over one of these protocols using SSH or SSL. That way the eavesdropping party would have to block all SSH and SSL traffic in order to stop you from transmitting. Note that they STILL can't decrypt your data or even find out who you are if you aren't completely incompetent.

If you don't want your ISP to see what you're doing online then use a trusted and recommended VPN service. One that doesn't keep logs, doesn't require any personal info and allows you to pay for services with bitcoins. Run Tor or anything else over your VPN. Your ISP will never find anything because they can't see anything. Your VPN provider will only know your real IP and its encrypted destination IP (your VPN provider's box). No one else will know anything unless you're compromised in some other way (rootkit keylogger, hidden camera or mic, a bug in or around your computer, someone close to you who gives you up, whatever).
Title: Re: What does an ISP "see" when you use Tor?
Post by: Rastaman Vibration on June 15, 2013, 06:20 am
From what I read on the Tor Project website, as far as I understood it, your ISP can tell someone in the area is using Tor, not necessarily you. Please correct me if I misunderstood that.

Tor Project recommends getting people that live nearby to use Tor too because it will make it harder for the ISP to know for sure that it was you.

I've also read that having clearnet traffic running while you use Tor helps mask the fact that you're using Tor. Can anyone verify?

One thing to keep in mind is using Tor is not illegal. I've actually been using Tor long before I found SR. I stumbled onto it when I was looking for something to mask my IP to fool a system I was working on several years ago. I've been using it ever since whenever I want to look up "sensitive" information. So I don't think it matters a whole lot even if your ISP knows you're using it. (Again, correct me if I'm wrong, please :) )
Title: Re: What does an ISP "see" when you use Tor?
Post by: kmfkewm on June 15, 2013, 09:17 am
Quote
From what I read on the Tor Project website, as far as I understood it, your ISP can tell someone in the area is using Tor, not necessarily you. Please correct me if I misunderstood that.

Your ISP can trivially determine that you in specific are using Tor, unless you use a bridge (preferably with Obfsproxy). Your ISP can see that you are connecting to known Tor entry nodes. They can also fingerprint your traffic as being consistent with Tor traffic, which is very unique looking. Bridges help prevent the first issue and obfsproxy helps prevent the second issue.

Quote
Tor Project recommends getting people that live nearby to use Tor too because it will make it harder for the ISP to know for sure that it was you.

In any case the ISP can know for sure that it is you using Tor. Tor suggests getting people nearby to use Tor to protect from a very specific sort of membership revealing attack. For example, if the DEA knows that somebody in Bobsville is sending drug shipments, then they can try to get a list of all users in Bobsville who are using Tor. If there is only one person there using Tor then they are pretty screwed, if there are a thousand people there using Tor then it is still really expensive to put them all under surveillance trying to find the one who is sending the drug shipments.

Quote
I've also read that having clearnet traffic running while you use Tor helps mask the fact that you're using Tor. Can anyone verify?

I can verify that it makes no difference at all.

Quote
One thing to keep in mind is using Tor is not illegal. I've actually been using Tor long before I found SR. I stumbled onto it when I was looking for something to mask my IP to fool a system I was working on several years ago. I've been using it ever since whenever I want to look up "sensitive" information. So I don't think it matters a whole lot even if your ISP knows you're using it. (Again, correct me if I'm wrong, please :) )

It depends. Certainly for vendors it is best if nobody can tell they are using Tor, to help prevent the attack I mentioned previously. For people in places like China they need to hide that they use Tor so that they can use Tor in the first place, since China tries to block Tor. People in some countries might even be killed if they are detected trying to circumvent the government censorship. There are a lot of situations where it is useful to hide that you are using Tor, and in general I suggest considering how important it is to you. But in some cases it doesn't really matter a whole lot. Tor naturally makes membership enumeration more difficult than it is against I2P, for example.
Title: Re: What does an ISP "see" when you use Tor?
Post by: EezyE on June 15, 2013, 09:24 am
Going to starbucks/mcdonalds and using their free wifi sounds like the easiest idea to me :P
Title: Re: What does an ISP "see" when you use Tor?
Post by: astor on June 15, 2013, 09:39 am
Quote
I've also read that having clearnet traffic running while you use Tor helps mask the fact that you're using Tor. Can anyone verify?

I can verify that it makes no difference at all.

It's funny because in other threads on the front page of this forum people make the opposite claim.

Title: Re: What does an ISP "see" when you use Tor?
Post by: AnonymousAddict on June 15, 2013, 10:16 am
So say when I connect to my ISP, then before I connect to Tor I use an IP mask, like CyberGhost, which changes your IP and makes you appear to be somewhere else also? Then connect to Tor?
Title: Re: What does an ISP "see" when you use Tor?
Post by: Rastaman Vibration on June 15, 2013, 06:52 pm
@astor & @kmfkewm,

You guys seem to know a lot about this. Can you point me to some trustworthy links where I can read up on this and educate myself?

Thanks
Title: Re: What does an ISP "see" when you use Tor?
Post by: boosties on June 15, 2013, 07:18 pm
sub'd
Title: Re: What does an ISP "see" when you use Tor?
Post by: tree on June 15, 2013, 07:33 pm
Quote
So say when I connect to my ISP, then before I connect to Tor I use an IP mask, like CyberGhost, which changes your IP and makes you appear to be somewhere else also? Then connect to Tor?

That'd be using a VPN or proxy, but I wouldn't use any VPN or proxy for that; you're better off not hiding TOR than using a potentially malicious proxy. If it's a free proxy or a VPN that keeps logs, I wouldn't do it.
Title: Re: What does an ISP "see" when you use Tor?
Post by: wiggum on June 15, 2013, 08:45 pm
Do any of the experts think that ISPs in the US and western nations are actively looking for Tor traffic, including traffic using obfsproxy bridges? It seems to me they wouldn't really give a shit, unless someone is being a bandwidth hog.

Governments forcing ISPs to keep logs of who they suspect of using Tor seems more likely. Hell, if the justification for NSA spying is detecting terrorist plots, it makes more sense than the PRISM stuff. Obviously no competent wannabe terrorist is going to be using unencrypted Gmail and Facebook to plan their grand scheme.
Title: Re: What does an ISP "see" when you use Tor?
Post by: HeatFireFlame on June 15, 2013, 09:09 pm
Here's a link to the Tor Project page about obfsproxy. It says on it that all you do is add the bridges by going to Vidalia Settings > Network Settings and adding your bridges.
Will that successfully manage it?

They also have a Tor Browser Bundle with obfsproxy built in on that link that they say works in all censored countries, so I assume that it must work as a reliable VPN?

Can anyone confirm this for me?
Cheers

**edit**
I have been reading up on Tails via the Tor Project website. Links here: https://tails.boum.org/doc/first_steps/startup_options/bridge_mode/index.en.html, where it talks about bridges and basically says always start Tails in bridge mode if you're in a censored country, blah blah. Should we not do this anyway?

Here: https://tails.boum.org/doc/about/warning/index.en.html, specifically the paragraph: "Your Internet Service Provider (ISP) or your local network administrator can see that you're connecting to a Tor relay, and not a normal web server for example. Using Tor bridges in certain conditions can help you hide the fact that you are using Tor."

And here, this is the documentation page which provides overall general info: https://tails.boum.org/doc/index.en.html

My questions are these:
So does using the Tor bundle with built-in obfsproxy basically mask from your ISP that you are using Tor?
Will you need to update Tails's bridges periodically even in "bridge mode"?
Is the partition encrypted enough with the Linux encryption, or should you install TrueCrypt as well and add the secret drive thing in as well?

And it frequently says that bridges aren't completely safe, even obfuscated bridges, so how do you make this properly safe?

Thanks in advance; I know some people are going to hate me for asking all this, lol.
Title: Re: What does an ISP "see" when you use Tor?
Post by: Rastaman Vibration on June 16, 2013, 08:04 am
bump
Title: Re: What does an ISP "see" when you use Tor?
Post by: kmfkewm on June 16, 2013, 08:31 am
Quote
Here's a link to the Tor Project page about obfsproxy. It says on it that all you do is add the bridges by going to Vidalia Settings > Network Settings and adding your bridges.
Will that successfully manage it?

Yes, that is how you start using bridges.

Quote
They also have a Tor Browser Bundle with obfsproxy built in on that link that they say works in all censored countries, so I assume that it must work as a reliable VPN?

Obfsproxy tries to obfuscate the fingerprint of the Tor protocol. Pretty much there are two ways that your ISP can tell that you are using Tor. One way is by keeping a list of all known Tor nodes and monitoring for any connections to those IP addresses. Bridges help solve this problem because it is relatively harder to enumerate all Tor bridges than it is to enumerate all public Tor relays. Government level attackers have managed to enumerate a large percentage of Tor bridges, but even China has not been able to enumerate 100% of all bridge IP addresses 100% of the time. Also you can use private bridges for the best membership concealment. But the ISP can also detect you are using Tor by looking for traffic that has a fingerprint matching Tor traffic. For example, Tor packets are all 512 bytes and so by looking for streams of 512 byte packets the ISP can detect Tor traffic even if it isn't being routed to a Tor relay known to the ISP. Obfsproxy tries to obfuscate your traffic, which means that it tries to make it so somebody observing your traffic cannot fingerprint it as Tor traffic. Using a bridge with obfsproxy is your best bet for hiding that you are using Tor from your ISP: in addition to not connecting to any public Tor relays, your traffic will also be modified so that it doesn't look like Tor traffic. Using a semi-private bridge with obfsproxy is probably better membership concealment than using a VPN, and using a private bridge with obfsproxy is pretty much state of the art membership concealment.

Quote
**edit**
I have been reading up on Tails via the Tor Project website. Links here: https://tails.boum.org/doc/first_steps/startup_options/bridge_mode/index.en.html, where it talks about bridges and basically says always start Tails in bridge mode if you're in a censored country, blah blah. Should we not do this anyway?

It totally depends on if you want to try to hide the fact that you are using Tor or not. It really is a rather complicated decision to make. If you are a vendor shipping packages out of butt fuck nowhere, and LE can enumerate Tor users in butt fuck nowhere, then you could be in very big trouble. In such a case it makes sense to try your best to hide that you are using Tor. On the other hand if you ship packages out of a major city, and LE can break the membership concealment properties of Tor, they might be able to tell that out of the 1,000 people using Tor in your city only you are trying to hide that you are using Tor, and then you could be worse off than you were in the first place. For the most part I would definitely lean towards using membership concealing techniques though, but it isn't so cut and dry actually.


Quote
Here: https://tails.boum.org/doc/about/warning/index.en.html, specifically the paragraph: "Your Internet Service Provider (ISP) or your local network administrator can see that you're connecting to a Tor relay, and not a normal web server for example. Using Tor bridges in certain conditions can help you hide the fact that you are using Tor."

Yes, using a bridge is pretty much the bare minimum you must do to be able to hide that you are using Tor. It is not 100% guaranteed to hide that you are using Tor, but it is pretty much 100% guaranteed that you will not hide that you are using Tor unless you use a bridge (or VPN I suppose, but then you are revealing that you use a VPN, whereas bridges try to hide that you are using any anonymizer at all).

Quote
So does using the Tor bundle with built-in obfsproxy basically mask from your ISP that you are using Tor?

Using a bridge with obfsproxy is meant to hide that you are using Tor from your ISP. Whether it can actually do it is debatable, but it is definitely your best bet for attempting to do it. Using a private bridge is best for membership concealment, but even if you use a private bridge it is possible that your ISP could fingerprint your traffic even with obfsproxy. Tor Project is currently in an obfuscation/fingerprinting arms race with the Chinese government, and neither of them has been staying ahead of the other for long. On the other hand your traffic is not likely to be analyzed quite as thoroughly as the average Chinese citizen's traffic is, and you might have an easier time hiding that you are using Tor from your ISP than a Chinese person will have of hiding that they are using Tor from the government censors.


Quote
Will you need to update Tails's bridges periodically even in "bridge mode"?

I am not sure what bridge mode is, but generally you do need to update your bridges periodically. Bridges tend to come and go very quickly, sometimes they change IP address every 24 hours. This is really good in a sense as it requires the censors / people trying to identify Tor connections to continuously enumerate bridges, but it is bad in that it requires you to frequently change your entry nodes which is quite bad for anonymity. Bridges also don't have the same restrictions on them as normal entry guards do, and it is a bit easier for an attacker to add bad bridges than it is for an attacker to add bad entry guards. If you can manage to use persistent bridge entry guards it shouldn't be a big deal, but lots of bridges change their IP address every 24 hours.

Quote
And it frequently says that bridges aren't completely safe, even obfuscated bridges, so how do you make this properly safe?

The best you could hope to do is run a private obfsproxy bridge. However, even doing that doesn't guarantee you membership concealment. Obfsproxy bridges are the current state of the art in implemented membership concealment systems (although keep in mind that your bridge's ISP can still tell that you are using Tor. Ideally bridges would use bridges of their own, to try to hide this). Unfortunately in this case, state of the art means that when the attackers get ahead they will not maintain their lead for long; it doesn't mean that the attackers will not frequently get slightly ahead.
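As an added, constructed illustration (not code from this thread, the Tor Project or obfsproxy) of the two detection methods the reply above describes, here is how a network operator auditing their own flow records would apply them: a lookup against a known-relay list, and a packet-size fingerprint keyed to the 512-byte cell size the post cites. The relay addresses, the flows and the thresholds are constructed sample values, and the size heuristic is deliberately simplified (real Tor traffic is TLS-framed, so on-the-wire sizes vary); the second check is the one obfsproxy is designed to defeat.

```python
"""
Two Tor-usage indicators over constructed flow records (added example).

Check 1: destination IP appears in a list of known relays.  An unknown
         bridge passes this check, which is the thread's point about bridges.
Check 2: the stream's payload sizes are all whole multiples of the 512-byte
         cell size quoted in the thread.  Works against an unknown bridge,
         but not against an obfsproxy bridge, which reshapes the traffic.
"""

TOR_CELL = 512  # cell size as stated in the thread; a simplification

# Constructed "known relay" list using RFC 5737 documentation addresses.
# These are not real Tor relays.
KNOWN_RELAYS = {"198.51.100.10", "198.51.100.11", "203.0.113.5"}

# Constructed flow records: (src_ip, dst_ip, dst_port, payload sizes in bytes).
SAMPLE_FLOWS = [
    # to a listed relay, cell-aligned sizes: both checks fire
    ("10.0.0.7", "198.51.100.10", 9001, [512, 512, 1024, 512, 1536, 512]),
    # unlisted bridge, same cell pattern: only the fingerprint check fires
    ("10.0.0.7", "192.0.2.44", 443, [512, 512, 512, 1024, 512, 2048, 512]),
    # ordinary HTTPS: neither check fires
    ("10.0.0.9", "192.0.2.80", 443, [517, 1460, 1460, 300, 77, 1460, 900]),
    # too few packets to judge: fingerprint check abstains
    ("10.0.0.9", "192.0.2.81", 443, [512, 1460]),
]


def matches_known_relay(dst_ip, relays=KNOWN_RELAYS):
    """Check 1: plain set lookup against the relay list."""
    return dst_ip in relays


def cell_aligned_fraction(sizes):
    """Fraction of non-empty payloads that are whole multiples of TOR_CELL."""
    sizes = [s for s in sizes if s > 0]
    if not sizes:
        return 0.0
    return sum(1 for s in sizes if s % TOR_CELL == 0) / len(sizes)


def looks_like_tor_cells(sizes, min_packets=5, threshold=0.9):
    """Check 2: size fingerprint, independent of where the flow is going.

    Abstains (returns False) on short flows so that a single 512-byte
    packet in a normal stream does not trigger a false positive.
    """
    if len(sizes) < min_packets:
        return False
    return cell_aligned_fraction(sizes) >= threshold


def classify_flow(flow, relays=KNOWN_RELAYS):
    """Return the list of indicators that fired for one flow record."""
    _src, dst, _port, sizes = flow
    reasons = []
    if matches_known_relay(dst, relays):
        reasons.append("known-relay")
    if looks_like_tor_cells(sizes):
        reasons.append("cell-size-fingerprint")
    return reasons


def classify_all(flows=SAMPLE_FLOWS, relays=KNOWN_RELAYS):
    """Map each destination IP to the indicators that fired for its flow."""
    return {flow[1]: classify_flow(flow, relays) for flow in flows}


if __name__ == "__main__":
    for dst, reasons in classify_all().items():
        print(dst, "->", ", ".join(reasons) or "no Tor indicators")
```

The second flow shows why bridges alone are not enough and the fourth why a fingerprint needs a minimum sample; an obfsproxy bridge would pass both checks, which is exactly the gap the reply describes.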
Title: Re: What does an ISP "see" when you use Tor?
Post by: smogmonster13 on June 16, 2013, 02:02 pm
Hi, All:

I can't seem to find how to use a bridge with my Tor browser bundle. Is that the same as relay? And what if I choose to help censored users?
Title: Re: What does an ISP "see" when you use Tor?
Post by: NotBad on June 16, 2013, 02:59 pm
Can my ISP see what onion/clearnet websites I'm browsing while using Tor Browser?
Title: Re: What does an ISP "see" when you use Tor?
Post by: kmfkewm on June 16, 2013, 03:11 pm
Quote
Can my ISP see what onion/clearnet websites I'm browsing while using Tor Browser?

Tor tries to prevent your ISP from determining what onion/clearnet websites you are browsing. If it accomplishes its goal then the answer to your question is no.
Title: Re: What does an ISP "see" when you use Tor?
Post by: Amadeus on June 16, 2013, 03:16 pm
Well if no one uses Tor because their ISP will detect they're using Tor, then the project would be pointless. There are some more permissive ISPs than others though. Some bridges can hide your Tor traffic if your ISP blocks Tor (I think obfsproxy encrypts the data into HTML format to make it hard to detect).

They can see that you're using Tor, just not what you are sending and where, so it's almost safe to use it.
Title: Re: What does an ISP "see" when you use Tor?
Post by: HeatFireFlame on June 16, 2013, 03:28 pm
Thank you very much, +1. That is one of the most coherent replies I have ever received on the Road, and I have met some pretty friendly and helpful people on here.
Questions answered; I could not have asked for more. Thank you very much, mate.
Have a great day :)
Title: Re: What does an ISP "see" when you use Tor?
Post by: Baraka on June 16, 2013, 06:17 pm
Clearnet links for bridges:

https://www.torproject.org/docs/bridges.html.en
Tor Project: Bridges

https://bridges.torproject.org/
Tor Project: Bridge Relay List