Tor browser: Amazing or overrated?

Discuss the many weaknesses of browser security and ways to mitigate the threat

Tor browser: Amazing or overrated?

Post by anon976 on Fri Feb 14, 2014 2:02 pm
([msg=79476]see Tor browser: Amazing or overrated?[/msg])

So I have been going through the fun task of trying to get anonymous internet browsing. Question I have is, is the tor browser really as useful as it claims to be? Are there ways I can make it stronger (Short of buying a VPN, I don't want to spend any money on it) and/or test how trackable I am?
anon976
New User
New User
 
Posts: 12
Joined: Wed Jan 29, 2014 1:40 am
Blog: View Blog (0)


Re: Tor browser: Amazing or overrated?

Post by cyberdrain on Fri Feb 14, 2014 3:16 pm
([msg=79480]see Re: Tor browser: Amazing or overrated?[/msg])

First of all: the TOR project gives a list of things you should and shouldn't do to improve your anonymity.

- Keep in mind that while the connection might not be track-able, anything you leave on websites will be. Analysis of the way you write, which accounts are used and the type of topics you're interested in might eventually be tracked back to you. Even the times of login can be used.
- Never leave Java-script active (use NoScript) if you can, this might compromise you.
- Never login to any accounts used in TOR outside it or the other way around.
- Lastly be careful of using credentials on a site that's not encrypted. A malicious end-node might be able to sniff the data and get a free pass into your account.

Those are a few things I could think of, again, see the website for more information.
Edit: Fix typos
Free your mind / Think clearly
I use the sarcasm color for both sarcasm and irony
User avatar
cyberdrain
Addict
Addict
 
Posts: 1526
Joined: Sun Nov 27, 2011 1:58 pm
Blog: View Blog (0)


Re: Tor browser: Amazing or overrated?

Post by -Ninjex- on Fri Feb 14, 2014 5:24 pm
([msg=79482]see Re: Tor browser: Amazing or overrated?[/msg])

Amazing for staying anonymous, overrated in security.

Also, please read cyberdrain's post.
If you're not willing to learn, no one can help you. If you're determined to learn, no one can stop you.⠠⠵
The absence of evidence is not evidence of absence.
I can explain it for you, but I can't understand it for you.
^(-.^)>
User avatar
-Ninjex-
Addict
Addict
 
Posts: 1470
Joined: Sun Sep 02, 2012 8:02 pm
Blog: View Blog (0)


Re: Tor browser: Amazing or overrated?

Post by anon976 on Fri Feb 14, 2014 6:49 pm
([msg=79484]see Re: Tor browser: Amazing or overrated?[/msg])

Ninjex, What's the difference? Cyberdrain, do I have to change certain settings, or is javascript automatically disabled? And what about cookies? Also, maybe my understanding of how tor works is wrong, but wouldn't I show up as a different IP every time I use it? So if I were to say, log in to my facebook using tor, they would have 1 tor ip address connected to me, but then when I reconnect, it would be a different ip, right? Not that I'm planning on logging into fb or anything similar while using tor...
anon976
New User
New User
 
Posts: 12
Joined: Wed Jan 29, 2014 1:40 am
Blog: View Blog (0)


Re: Tor browser: Amazing or overrated?

Post by -Ninjex- on Sat Feb 15, 2014 8:31 am
([msg=79487]see Re: Tor browser: Amazing or overrated?[/msg])

anon976 wrote:Ninjex, What's the difference?

Security will keep you protected, remaining anonymous will only make it hard to find out who / where you are.
For example, say a ninja has a smoke bomb. Typically, he could throw it and maybe get away with some things, however if he isn't careful, maybe he could run right into the bad guys. Or maybe the bad guys have machine guns, and just unload all over the place, eventually hitting the ninja several times.
ninja = tor
machine gun = exploits
Tor can help you remain anonymous, but it doesn't prevent you from being exploited. For example leaving JavaScript enabled, you are just asking those people to start shooting their guns at you.

anon976 wrote: Cyberdrain, do I have to change certain settings, or is javascript automatically disabled? And what about cookies? Also, maybe my understanding of how tor works is wrong, but wouldn't I show up as a different IP every time I use it? So if I were to say, log in to my facebook using tor, they would have 1 tor ip address connected to me, but then when I reconnect, it would be a different ip, right? Not that I'm planning on logging into fb or anything similar while using tor...


It depends on how you are setting this up. Are you using the tor bundle, or running it solo with something like polipo?
Also, with tor configured properly, yes the IP would dynamically change over time and you would essentially connect via different IP's after x time frame.
If you're not willing to learn, no one can help you. If you're determined to learn, no one can stop you.⠠⠵
The absence of evidence is not evidence of absence.
I can explain it for you, but I can't understand it for you.
^(-.^)>
User avatar
-Ninjex-
Addict
Addict
 
Posts: 1470
Joined: Sun Sep 02, 2012 8:02 pm
Blog: View Blog (0)


Re: Tor browser: Amazing or overrated?

Post by cyberdrain on Sat Feb 15, 2014 5:20 pm
([msg=79490]see Re: Tor browser: Amazing or overrated?[/msg])

anon976 wrote:Ninjex, What's the difference? Cyberdrain, do I have to change certain settings, or is javascript automatically disabled? And what about cookies? Also, maybe my understanding of how tor works is wrong, but wouldn't I show up as a different IP every time I use it? So if I were to say, log in to my facebook using tor, they would have 1 tor ip address connected to me, but then when I reconnect, it would be a different ip, right? Not that I'm planning on logging into fb or anything similar while using tor...


In addition to what Ninjex said:
- Javascript is enabled by default, but so is NoScript. Just change the setting to Forbid globally and you're good. Of course you can also do that in about:config and then search for javascript. That way you can't accidentally turn it back on. Killing Javascript will stop some/most sites from functioning, so try NoScript first and see how you like it.
- If you log in to your Facebook, you have already used that account normally (outside TOR), meaning the IP-address you previously used is linked to the account. Create a new Facebook under TOR, never use that outside of TOR and you're good. As said, all things you post can be linked to you, so why on earth you want to create a Facebook on TOR for yourself (non-fake) is beyond me.
- My memory of how cookies are stored in TOR is a little fuzzy, but IIRC TOR will only cache them in RAM or, if asked specifically, store those in an encrypted container. You can always remove all data & cookies by using a new identity (in the new version). This will also close all tabs; you have been warned.

I'm assuming you use the browser bundle as that is the easiest and safest to set-up when you're novice. I have no experience with setting up TOR using polipo other than back in the day when it was included in the browser bundle.

Edit: To minimize the chances of exploits (in addition to blocking Javascript), run it in Linux and if really paranoid inside a VM.
Free your mind / Think clearly
I use the sarcasm color for both sarcasm and irony
User avatar
cyberdrain
Addict
Addict
 
Posts: 1526
Joined: Sun Nov 27, 2011 1:58 pm
Blog: View Blog (0)


Re: Tor browser: Amazing or overrated?

Post by -Ninjex- on Sun Feb 16, 2014 12:07 am
([msg=79493]see Re: Tor browser: Amazing or overrated?[/msg])

cyberdrain wrote:In addition to what Ninjex said:
- Javascript is enabled by default, but so is NoScript. Just change the setting to Forbid globally and you're good.

I'm assuming you use the browser bundle as that is the easiest and safest to set-up when you're novice. I have no experience with setting up TOR using polipo other than back in the day when it was included in the browser bundle.


If your assumption is correct, then yes it works that way. However, if he only installed tor, usually the default port is 9050. He could then start tor alone, configure his browser to use a socks proxy located at port 9050, and it would work as well. The only thing with this setup is that if JavaScript is normally enabled on his browser, it still will be. In addition, the installed addons would be the same. (same browser, same settings, except with a proxy setup)

In short, tor alone will not configure things for security, but if you want to be more secure, install the tor browser; which is almost identical to firefox, except with some modifications / additions for security.

I think Cyberdrain also forgot to mention DNS leaks. In firefox or tor bundle, go to the URL and type in: 'about:config', go ahead and click "I'll be careful, I promise" to continue. Search for DNS up top. Look for 'network.proxy.socks_remote_dns' and set the value to 'true'
If you're not willing to learn, no one can help you. If you're determined to learn, no one can stop you.⠠⠵
The absence of evidence is not evidence of absence.
I can explain it for you, but I can't understand it for you.
^(-.^)>
User avatar
-Ninjex-
Addict
Addict
 
Posts: 1470
Joined: Sun Sep 02, 2012 8:02 pm
Blog: View Blog (0)


Re: Tor browser: Amazing or overrated?

Post by Goatboy on Sun Feb 16, 2014 1:56 pm
([msg=79515]see Re: Tor browser: Amazing or overrated?[/msg])

TOR is just a tool. Anonymity is a mindset. One will build you a house. The other will close your blinds at night.

#zen
Assume that everything I say is or could be a lie.
1UHQ15HqBRZFykqx7mKHpYroxanLjJcUk
User avatar
Goatboy
Expert
Expert
 
Posts: 2825
Joined: Mon Jul 07, 2008 9:35 pm
Blog: View Blog (0)


Re: Tor browser: Amazing or overrated?

Post by anon976 on Thu Feb 20, 2014 3:27 pm
([msg=79562]see Re: Tor browser: Amazing or overrated?[/msg])

Okay, thanks guys. I am not sure about most of the questions you asked, (Like if it has noscript or not) but I will go and check.
anon976
New User
New User
 
Posts: 12
Joined: Wed Jan 29, 2014 1:40 am
Blog: View Blog (0)



Return to Web

Who is online

Users browsing this forum: No registered users and 0 guests