Tor Stinks: Is Tor Trustworthy and Safe?

26 Jan 2022

      https://restoreprivacy.com/tor/

                          Is Tor Trustworthy and Safe?

   December 14, 2021 By Sven Taylor — [246]48 Comments
   [247]Tor safe[248]Tor safe

   There is a lot of misinformation being promoted in various privacy circles
   about Tor. This article will examine some facts about Tor and assess
   whether it is the infallible privacy tool it’s made out to be by some.

   There is a growing chorus of people who blindly recommend Tor to anyone
   looking for online anonymity. This recommendation often ignores mountains
   of evidence suggesting that Tor is not the “privacy tool” it’s made
   out to be.

   No privacy tool is above criticism or scrutiny, and each has pros and
   cons. Unfortunately, Tor has garnered a cult-like following in recent
   years among people who pretend it's infallible. Honest criticism of Tor is
   often met with accusations of "FUD" and ad-hominem attacks, so as not to
   disrupt the collective [249]Groupthink.

   Never mind the fact that the Tor network is a popular hangout for
   [250]pedophiles and [251]drug dealers – along with the law enforcement
   these types attract. Today, Tor is being marketed as some kind of
   grass-roots privacy tool that will protect you against government
   surveillance and various bad actors.

   According to Roger Dingledine (Tor co-founder) and other key Tor
   developers, getting people (outside the US government) to widely adopt Tor
   is very important for the US government’s ability to use Tor for its own
   purposes. In this goal, they have largely succeeded with Tor being widely
   promoted in various privacy circles by people who don't know any better.

   But is Tor really a secure and trustworthy privacy tool?

   Here are the facts.

1. Tor is compromised (and not anonymous)

   That governments can de-anonymize Tor users is another well-known point
   that's been acknowledged for years.

   In 2013 the Washington Post broke an article citing reports that US
   government agencies had figured out how to de-anonymize Tor users on a
   "wide scale". From the [252]Washington Post:

     Since 2006, according to [253]a 49-page research paper titled simply
     “Tor,” the agency has worked on several methods that, if successful,
     would allow the NSA to uncloak anonymous traffic on a “wide scale”
     — effectively by watching communications as they enter and exit the
     Tor system, rather than trying to follow them inside. One type of
     attack, for example, would identify users by minute differences in the
     clock times on their computers.

   There are also reports of government agencies cooperating with researchers
   to "break" or somehow [254]exploit Tor to de-anonymize users:

     Then in July, a much anticipated talk at the Black Hat hacking
     conference was [255]abruptly canceled. Alexander Volynkin and Michael
     McCord, academics from Carnegie Mellon University (CMU), promised to
     reveal how a $3,000 piece of kit could unmask the IP addresses of Tor
     hidden services as well as their users.

     Its description bore a startling resemblance to the attack the Tor
     Project had documented earlier that month. Volynkin and McCord's method
     would deanonymize Tor users through the use of recently disclosed
     vulnerabilities and a "handful of powerful servers." On top of this, the
     pair claimed they had tested attacks in the wild.

   For $3,000 worth of hardware, this team from Carnegie Mellon could
   effectively "unmask" Tor users. And this was in 2015.

   In 2016, a court case brought more information to light about how the US
   federal government hired software engineers to effectively crack Tor and
   de-anonymize users.

   [256]Tor is not anonymous[257]Tor is not anonymous

   ARS Technica also [258]discussed this case in February 2016 where they
   noted:

     A federal judge in Washington has now [259]confirmed what has
     been [260]strongly suspected: that Carnegie Mellon University (CMU)
     researchers at its Software Engineering Institute were [261]hired by the
     federal government to do research into breaking Tor in 2014.

   The following year, in 2017, more evidence came forward showing how the
   FBI can see what you're up to on Tor.

   There are also researchers who [262]devised attacks allowing them to
   de-anonymize 81% of Tor users in the wild. This [263]article came out in
   2014, before the Carnegie Mellon research was carried out.

   [264]Tor attack NSA[265]Tor attack NSA

   And there's more...

  2017 court case proves FBI can de-anonymize Tor users

   The means by which the FBI is able to de-anonymize Tor users and discover
   their real IP address remains classified information. In a 2017 court
   case, the FBI refused to divulge how it was able to do this, which
   ultimately led to child abusers on the Tor network going free. From the
   [266]Tech Times:

     In this case, the FBI managed to breach the anonymity Tor promises and
     the means used to collect the evidence from the dark web make up a
     sensitive matter. The technique is valuable to the FBI, so the
     government would rather compromise this case rather than release the
     source code it used.

     "The government must now choose between disclosure of classified
     information and dismissal of its indictment," federal prosecutor Annette
     Hayes said in a court filing on Friday.

   The cat is out of the bag. The FBI (and presumably other government
   agencies) has proven to be fully capable of de-anonymizing Tor users. Most
   Tor promoters simply ignore these different cases and the obvious
   implications.

2. Tor developers are cooperating with US government agencies

   Some Tor users may be surprised to know the extent to which Tor developers
   are working directly with US government agencies. After all, Tor is often
   promoted as a grass-roots privacy effort to help you stay "anonymous"
   against Big Brother.

   One journalist was able to clarify this cooperation through FOIA requests,
   which revealed many interesting exchanges.

   Here is one email correspondence in which Roger Dingledine discusses
   cooperation with the DOJ (Department of Justice) and FBI (Federal Bureau
   of Investigation), while also referencing "backdoors" being installed.

   [267]fbi tor browser[268]fbi tor browser

   You can see more details from this correspondence [269]here.

   In another exchange below, Tor developer Steven Murdoch discovered a
   vulnerability with the way Tor was handling TLS encryption. This
   vulnerability made it easier to de-anonymize Tor users, and as such, it
   would be valuable to government agencies. Knowing the problems this could
   cause, Steven suggested keeping the document internal,

     ...it might be a good to delay the release of anything like `this attack
     is bad; I hope nobody realizes it before we fix it'.

   Eight days later, based on the emails below, Roger Dingledine alerted two
   government agents about this vulnerability:

   [270]is tor safe[271]is tor safe

   While there is disagreement as to the seriousness of these issues, one
   thing remains clear.

    Tor developers are closely working with the US government.

   The journalist who collected the FOIA documents also [272]suggests that,
   "Tor privately tips off the federal government to security vulnerabilities
   before alerting the public."

   Whether or not you agree with the ultimate conclusion of this researcher,
   the facts remain for anyone who wants to acknowledge them. The big issue
   is the close cooperation between Tor developers and US government
   agencies.

   You can see numerous exchanges between Tor developers and US government
   agencies [273]here. ([274]Backup copy of documents.)

   And if you really want to dive in, check out the [275]full FOIA cache
   here.

3. When you use Tor, you stand out like a glow stick

   Meet Eldo Kim. He was the Harvard student who assumed Tor would make him
   "anonymous" when sending bomb threats.

   [276]eldo kim[277]eldo kim

   Kim didn't realize that when he connected to Tor on the university
   network, he would stand out like a f***ing glow stick.

   The FBI and the network admins at Harvard were able to easily pinpoint Kim
   because he was using Tor around the time the bomb threat email was sent
   through the Tor network. From the [278]criminal complaint:

     Harvard University was able to determine that, in the several hours
     leading up to the receipt of the e-mail messages described above, ELDO
     KIM accessed TOR using Harvard’s wireless network.

   [279]Case closed.

   Eldo Kim is just one of many, many examples of people who have bought into
   the lie that Tor provides blanket online anonymity - and later paid the
   price.

   Had Kim used a bridge or VPN before accessing the Tor network, he probably
   would have gotten away with it (we'll discuss this more below).

4. Anybody can operate Tor nodes and collect your data and IP address

   Many proponents of Tor argue that its decentralized nature is a benefit.
   While there are indeed advantages to decentralization, there are also some
   major risks. Namely, that anybody can operate the Tor nodes through which
   your traffic is being routed.

   There have been numerous examples of people setting up Tor nodes to
   collect data from gullible Tor users who thought they would be safe and
   secure.

   Take for example Dan Egerstad, a 22-year-old Swedish hacker. Egerstad set
   up a few Tor nodes around the world and [280]collected vast amounts of
   private data in just a few months:

     In time, Egerstad gained access to 1000 high-value email accounts. He
     would later post 100 sets of sensitive email logins and passwords on the
     internet for criminals, spies or just curious teenagers to use to snoop
     on inter-governmental, NGO and high-value corporate email.

     The question on everybody's lips was: how did he do it? The answer came
     more than a week later and was somewhat anti-climactic. The 22-year-old
     Swedish security consultant had merely installed free, open-source
     software - called Tor - on five computers in data centres around the
     globe and monitored it. Ironically, Tor is designed to prevent
     intelligence agencies, corporations and computer hackers from
     determining the virtual - and physical - location of the people who use
     it.

     People think they're protected just because they use Tor. Not only do
     they think it's encrypted, but they also think `no one can find me'.

   To not assume government agencies are doing this right now would be
   extremely naive.

   Commenting on this case, security consultant Sam Stover [281]emphasized
   the risks of someone snooping traffic through Tor nodes:

     Domestic, or international . . . if you want to do intelligence
     gathering, there's definitely data to be had there. (When using Tor) you
     have no idea if some guy in China is watching all your traffic, or some
     guy in Germany, or a guy in Illinois. You don't know.

   In fact, that is exactly how Wikileaks got started. The founders simply
   setup Tor nodes to siphon off more than a million private documents.
   According to [282]Wired:

     WikiLeaks, the controversial whistleblowing site that exposes secrets of
     governments and corporations, bootstrapped itself with a cache of
     documents obtained through an internet eavesdropping operation by one of
     its activists, according to a new profile of the organization's founder.

     The activist siphoned more than a million documents as they traveled
     across the internet through Tor, also known as "The Onion Router," a
     sophisticated privacy tool that lets users navigate and send documents
     through the internet anonymously.

  Are governments running Tor nodes for bulk data collection?

   Egerstad also suggests Tor nodes may be controlled by powerful agencies
   (governments) with vast resources:

     In addition to hackers using Tor to hide their origins, it's plausible
     that intelligence services had set up rogue exit nodes to sniff data
     from the Tor network.

     "If you actually look in to where these Tor nodes are hosted and how big
     they are, some of these nodes cost thousands of dollars each month just
     to host because they're using lots of bandwidth, they're heavy-duty
     servers and so on," Egerstad says. "Who would pay for this and be
     anonymous?"

   Back in 2014, government agencies seized a number of different Tor relays
   in what is known as "Operation Onymous". From the [283]Tor Project blog:

     Over the last few days, we received and read reports saying that several
     Tor relays were seized by government officials. We do not know why the
     systems were seized, nor do we know anything about the methods of
     investigation which were used. Specifically, there are reports that
     three systems of Torservers.net disappeared and there is another report
     by an independent relay operator.

   Commenting on this case, [284]ARS Technica noted in 2014:

     On July 4, the Tor Project identified a group of Tor relays that were
     actively trying to break the anonymity of users by making changes to the
     Tor protocol headers associated with their traffic over the network.

     The rogue relays were set up on January 30, 2014—just two weeks after
     Blake Benthall allegedly announced he had taken control of Silk Road 2.0
     and shortly after the Homeland Security undercover officer who
     infiltrated Silk Road 2.0 began getting paid to be a site administrator.
     The relays not only could have de-anonymized some users, but they also
     “probably tried to learn who published hidden service descriptors,
     which would allow the attackers to learn the location of that hidden
     service,” Tor project leader Roger Dingledine [285]wrote in a July 30
     blog post.

   This issue continues to gain attention. In this [286]Gizmodo article from
   2021, we find the same problems. Bad actors can and do operate Tor nodes.

   Additional reading: [287]A mysterious threat actor is running hundreds of
   malicious Tor relays

  No quality control!

   The fundamental issue here is there is no real quality control mechanism
   for vetting Tor relay operators. Not only is there no authentication
   mechanism for setting up relays, but the operators themselves can also
   remain anonymous.

   Assuming that some Tor nodes are data collection tools, it would also be
   safe to assume that many different governments are involved in data
   collection, such as the Chinese, Russian, and US governments.

   See also: [288]Tor network exit nodes found to be sniffing passing traffic

5. Malicious Tor nodes do exist

   If government-controlled Tor nodes weren't bad enough, you also have to
   consider malicious Tor nodes.

   In 2016 a group of researchers presented a paper titled "[289]HOnions:
   Towards Detection and Identification of Misbehaving Tor HSDirs", which
   described how they identified 110 malicious Tor relays:

     Over the last decade privacy infrastructures such as Tor proved to be
     very successful and widely used. However, Tor remains a practical system
     with a variety of limitations and open to abuse. Tor’s security and
     anonymity is based on the assumption that the large majority of the its
     relays are honest and do not misbehave. Particularly the privacy of the
     hidden services is dependent on the honest operation of Hidden Services
     Directories (HSDirs). In this work we introduce, the concept of honey
     onions (HOnions), a framework to detect and identify misbehaving and
     snooping HSDirs. After the deployment of our system and based on our
     experimental results during the period of 72 days, we detect and
     identify at least 110 such snooping relays. Furthermore, we reveal that
     more than half of them were hosted on cloud infrastructure and delayed
     the use of the learned information to prevent easy traceback.

   When conspiracy "theory" becomes conspiracy fact.

   The malicious HSDirs identified by the team were mostly located in the
   United States, Germany, France, United Kingdom and the Netherlands.

   Just a few months after the HSDir issue broke, a different researcher
   identified a malicious Tor node injecting malware into file downloads.

   [290]tor malware[291]tor malware

   According to [292]ITProPortal:

     Authorities are advising all users of the Tor network to check their
     computers for malware after it emerged that a Russian hacker has been
     using the network to spread a powerful virus. The malware is spread by a
     compromised node in the Tor network.

     ...It has emerged that one of these exit nodes had been modified to
     alter any program downloaded over the network. This allowed the attacker
     to put his own executable code in such programs, and potentially take
     control of victims' computers.

     Due to the altered node, any Windows executable downloaded over the
     network was wrapped in malware, and worryingly even files downloaded
     over Windows Update were affected.

   Use at your own risk.

   [293]tor network not safe[294]tor network not safe

   See also:

   [295]OnionDuke APT Malware Distributed Via Malicious Tor Exit Node

6. No warrant necessary to spy on Tor users

   Another interesting case highlighting the flaws of Tor comes form 2016
   when the FBI was able to infiltrate Tor to bust another pedophile group.

   [296]tor hacked[297]tor hacked

   According to [298]Tech Times:

     The U.S. Federal Bureau of Investigation (FBI) can still spy on users
     who use the Tor browser to remain anonymous on the web.

     Senior U.S. District Court Judge Henry Coke Morgan, Jr. has ruled that
     the FBI does not need a warrant to hack into a U.S. citizen's computer
     system. The ruling by the district judge relates to FBI sting called
     Operation Pacifier, which targeted a child pornography site called
     PlayPen on the Dark web.

     The accused used Tor to access these websites. The federal agency, with
     the help of hacking tools on computers in Greece, Denmark, Chile and the
     U.S., was able to catch 1,500 pedophiles during the operation.

   While it's great to see these types of criminals getting shut down, this
   case also highlights the severe vulnerabilities of Tor as a privacy tool
   that can be trusted by journalists, political dissidents, whistleblowers,
   etc.

   The judge in this case [299]officially ruled that Tor users lack "a
   reasonable expectation of privacy" in hiding their IP address and
   identity. This essentially opens the door to any US government agency
   being able to spy on Tor users without obtaining a warrant or going
   through any legal channels.

   This, of course, is a serious concern when you consider that journalists,
   activists, and whistleblowers are encouraged to use Tor to hide from
   government agencies and mass surveillance.

   Now let's put this all into context by looking at the history of Tor and
   it's funding.

7. Tor was created by the US government (and not for your "right to privacy")

   If you think Tor was created for "privacy rights" or some other
   noble-sounding cause, then you would be mistaken. The quote below, from
   the co-founder of Tor, speaks volumes.

     I forgot to mention earlier, probably something that will make you look
     at me in a new light. I contract for the United States Government to
     build anonymity technology for them and deploy it. They don’t think of
     it as anonymity technology, though we use that term. They think of it as
     security technology. They need these technologies so that they can
     research people they're interested in, so that they can have anonymous
     tip lines, so that they can buy things from people without other
     countries figuring out what they are buying, how much they are buying
     and where it is going, that sort of thing.

   — Roger Dingledine, co-founder of Tor, [300]2004 speech

   This quote alone should convince any rational person to never use the Tor
   network, unless of course you want to be rubbing shoulders with government
   spooks on the Dark Web.

   The history of Tor goes back to the 1990s when the Office of Naval
   Research and DARPA were working to create an online anonymity network in
   Washington, DC. This network was called "onion routing" and bounced
   traffic across different nodes before exiting to the final destination.

   In 2002, the Alpha version of Tor was developed and released by Paul
   Syverson (Office of Naval Research), as well as [301]Roger Dingledine and
   Nick Mathewson, who were both on contract with DARPA. This three-person
   team, working for the US government, developed Tor into what it is today.

   The quote above was taken from a [302]2004 speech by Roger Dingledine,
   which you can also [303]listen to here.

   After Tor was developed and released for public use, it was eventually
   spun off as its own non-profit organization, with [304]guidance coming
   from the Electronic Frontier Foundation (EFF):

     At the very end of 2004, with Tor technology finally ready for
     deployment, the US Navy [305]cut most of its Tor funding, released it
     under an open source license and, oddly, the project was [306]handed
     over to the Electronic Frontier Foundation.

   The Electronic Frontier Foundation (EFF) remains one of the biggest
   promoters of Tor today, which is not surprising given EFF's deep ties to
   the project.

8. Tor is funded by the US government

   It's no secret that Tor is funded by various US government agencies.

   The key question is whether US government funding negatively affects Tor's
   independence and trustworthiness as a privacy tool.

   Some journalists have closely [307]examined the financial relationship
   between Tor and the US government:

     Tor had always maintained that it was funded by a “variety of
     sources” and was not beholden to any one interest group. But I
     crunched the numbers and found that the exact opposite was true: In any
     given year, Tor drew between 90 to 100 percent of its budget via
     contracts and grants coming from three military-intel branches of the
     federal government: the Pentagon, the State Department and an old school
     CIA spinoff organization called the BBG.

     Put simply: the financial data showed that Tor wasn’t the
     indie-grassroots anti-state org that it claimed to be. It was a military
     contractor. It even had its own official military contractor reference
     number from the government.

   Here are some of the different government funding sources for the Tor
   Project over the years:

   Broadcasting Board of Governors:

   "Broadcasting Board of Governors (BBG) [now called [308]U.S. Agency for
   Global Media], a federal agency that was spun off from the CIA and today
   oversees America’s foreign broadcasting operations, funded Tor to the
   tune of $6.1 million in the years from 2007 through 2015."  ([309]source)

   State Department:

   "The [310]State Department funded Tor to the tune of $3.3 million, mostly
   through its regime change arm — State Dept's "Democracy, Human
   Rights and Labor" division." ([311]source)

   The Pentagon:

   "From 2011 through 2013, the Pentagon funded Tor to the tune of $2.2
   million, through a U.S. Department of Defense / Navy contract — passed
   through a defense contractor called SRI International." ([312]source)

   The grant is [313]called: “Basic and Applied Research and Development in
   Areas Relating to the Navy Command, Control, Communications, Computers,
   Intelligence, Surveillance, and Reconnaissance.”

   We can also see what the Tor project has to say about the matter.

   When soliciting funds in 2005, Tor claimed that donors would be able to
   [314]"influence" the direction of the project:

     We are now actively looking for new contracts and funding. Sponsors of
     Tor get personal attention, better support, publicity (if they want it),
     and get to influence the direction of our research and development!

   There you have it. Tor claims donors influence the direction of research
   and development - a fact that the Tor team even admits.

   Do you really think the US government would invest millions of dollars
   into a tool that stifled its power?

9. When you use Tor, you help the US government do spooky stuff

     The United States government can’t simply run an anonymity system for
     everybody and then use it themselves only. Because then every time a
     connection came from it people would say, “Oh, it’s another CIA
     agent looking at my website,” if those are the only people using the
     network. So you need to have other people using the network so they
     blend together.

   —Roger Dingledine, co-founder of the Tor Network, [315]2004 speech

   The implications of this statement are quite serious.

   When you use Tor, you are literally helping the US government. Your
   traffic helps to conceal CIA agents who are also using Tor, as Dingledine
   and journalists are pointing out.

   Tor is fundamentally a [316]tool for the US government, and it remains so
   today:

     Tor’s original — and current — purpose is to cloak the online
     identity of government agents and informants while they are in the
     field: gathering intelligence, setting up sting operations, giving human
     intelligence assets a way to report back to their handlers — that kind
     of thing. This information is out there, but it's not very well known,
     and it's certainly not emphasized by those who promote it.

   You will never hear Tor promoters discuss how important it is for the US
   government to get others on the the Tor network. This remains a taboo
   topic that Tor advocates simply avoid.

   The Tor Project's [317]website also discusses how Tor is actively used by
   government agencies for different purposes:

     A branch of the U.S. Navy uses Tor for open source intelligence
     gathering, and one of its teams used Tor while deployed in the Middle
     East recently. Law enforcement uses Tor for visiting or surveilling web
     sites without leaving government IP addresses in their web logs, and for
     security during sting operations.

   Michael Reed, another early developer of Tor, explained how it has always
   been a [318]tool for US government military and intelligence operations:

     The original *QUESTION* posed that led to the invention of Onion Routing
     was, "Can we build a system that allows for bi-directional
     communications over the Internet where the source and destination cannot
     be determined by a mid-point?" The *PURPOSE* was for DoD / Intelligence
     usage (open source intelligence gathering, covering of forward deployed
     assets, whatever). Not helping dissidents in repressive countries. Not
     assisting criminals in covering their electronic tracks. Not helping
     bit-torrent users avoid MPAA/RIAA prosecution. Not giving a 10 year old
     a way to bypass an anti-porn filter. Of course, we knew those would be
     other unavoidable uses for the technology, but that was immaterial to
     the problem at hand we were trying to solve (and if those uses were
     going to give us more cover traffic to better hide what we wanted to use
     the network for, all the better...I once told a flag officer that much
     to his chagrin).

   Here's another early Tor developer who spilled the beans. Tor was never
   meant for "dissidents in repressive countries" or helping various privacy
   activists fighting for human rights, which is how Tor is promoted today.

   Just as Roger Dingledine asserted in the opening quote to this section,
   Paul Syverson (Tor co-founder) also emphasized the importance of getting
   other people to use Tor, thereby helping government agents perform their
   work and [319]not stand out as the only Tor users:

     If you have a system that’s only a Navy system, anything popping out
     of it is obviously from the Navy. You need to have a network that
     carries traffic for other people as well.

   Tor is branded by many different individuals and groups as a grassroots
   project to protect people from government surveillance. In reality,
   however, it is a tool for government agents who are literally using it for
   military and intelligence operations (including spying on those who think
   they are "anonymous" on Tor).

   Tor's utility for the military-surveillance apparatus is [320]explained
   well in the following quote:

     Tor was created not to protect the public from government surveillance,
     but rather, to cloak the online identity of intelligence agents as they
     snooped on areas of interest. But in order to do that, Tor had to be
     released to the public and used by as diverse a group of people as
     possible: activists, dissidents, journalists, paranoiacs, kiddie porn
     scum, criminals and even would-be terrorists — the bigger and weirder
     the crowd, the easier it would be for agents to mix in and hide in plain
     sight.

   According to these Tor developers and co-founders, when you use Tor you
   are helping US government agents in doing whatever they do on the Tor
   network. Why would anyone who advocates for privacy and human rights want
   to do that?

10. IP address leaks when using Tor

   Another recurring problem with Tor is IP address leaks - a serious issue
   that will de-anonymize Tor users, even if the leak is brief.

   In November 2017 a flaw was discovered that exposed the real IP address of
   Tor users if they clicked on a local file-based address, such as file://.,
   rather than http:// or https://.

   [321]is tor safe[322]is tor safe

   This issue illustrates a larger problem with Tor: it only encrypts traffic
   through the Tor browser, thereby leaving all other (non-Tor browser)
   traffic exposed.

   Unlike a VPN that encrypts all traffic on your operating system, the Tor
   network only works through a browser configured for Tor. (See the
   `[323]what is a VPN` guide for an overview.)

   This design leaves Tor users vulnerable to leaks which will expose their
   identity in many different situations:

     * Tor offers no protection when torrenting and will leak the user's IP
       address with torrent clients.
     * Tor may leak IP addresses when accessing files, such as PDFs or other
       documents, which will likely bypass proxy settings.
     * Windows users are [324]also vulnerable to different types of leaks
       that will expose the user's real IP address.

   [325]windows tor[326]windows tor

   It's important to note, however, that oftentimes de-anonymization is due
   to user error or misconfiguration. Therefore blame does not lie with Tor
   itself, but rather with people not using Tor correctly.

   Dan Eggerstad emphasized this issue as well when he [327]stated:

     People think they're protected just because they use Tor. Not only do
     they think it's encrypted, but they also think `no one can find me'. But
     if you've configured your computer wrong, which probably more than 50
     per cent of the people using Tor have, you can still find the person
     (on) the other side.

   Once again, non-technical users would be better off using a [328]good VPN
   service that provides system-wide traffic encryption and an effective kill
   switch to block all traffic if the VPN connection drops.

11. Using Tor can make you a target

   As we saw above with the bomb threat hoax, Eldo Kim was targeted because
   he was on the Tor network when the bomb threat was sent.

   Other security experts also warn about Tor users being [329]targeted
   merely for using Tor.

     In addition, most really repressive places actually look for Tor and
     target those people. VPNs are used to watch Netflix and Hulu, but Tor
     has only one use case – to evade the authorities. There is no cover.
     (This is assuming it is being used to evade even in a country incapable
     of breaking Tor anonymity.)

   In many ways Tor can be riskier than a VPN:

    1. VPNs are (typically) not actively malicious
    2. VPNs provide good cover that Tor simply cannot – “I was using it
       to watch Hulu videos” is much better than – “I was just trying
       to buy illegal drugs online”

   As we've pointed out here before, VPNs are more widely used than Tor - and
   for various (legitimate) reasons, such as streaming [330]Netflix with a
   VPN.

   So maybe you still need (or want?) to use Tor. How can you do so with more
   safety?

   --------------------------------------------------------------------------

How to (more) safely use Tor

   Given that Tor is compromised and bad actors can see the real IP address
   of Tor users, it would be wise to take extra precautions. This includes
   hiding your real IP address before accessing the Tor network.

   To hide your IP address when accessing Tor, simply connect to a VPN
   server (through a VPN client on your computer) and then access Tor as
   normal (such as through the Tor browser). This will add a layer of
   encryption between your computer and the Tor network, with the VPN
   server's IP address replacing your real IP address.

   Note: There are different ways to combine VPNs and Tor. I am only
   recommending the following setup: You > VPN > Tor > Internet (also called
   "Tor over VPN" or "Onion over VPN").

   [331]Tor vs VPN[332]Tor vs VPN

   With this setup, even if a malicious actor was running a Tor server and
   logging all connecting IP addresses, your real IP address would remain
   hidden behind the VPN server (assuming you are using a good VPN with no
   leaks).

   Here are the benefits of routing your traffic through a secure VPN before
   the Tor network:

    1. Your real IP address remains hidden from the Tor network (Tor cannot
       see who you are)
    2. Your internet provider (ISP) or network admin will not be able to see
       you are using Tor (because your traffic is being encrypted through a
       VPN server).
    3. You won't stand out as much from other users because VPNs are more
       popular than Tor.
    4. You are distributing trust between Tor and a VPN. The VPN could see
       your IP address and Tor could see your traffic (sites you visit), but
       neither would have both your IP address and browsing activities.

   For anyone distrustful of VPNs, there are a handful of [333]verified no
   logs VPN services that have been proven to be truly "no logs".

   You can sign up for a VPN with a [334]secure anonymous email account (not
   connected to your identity). For the truly paranoid, you can also pay with
   Bitcoin or any other anonymous payment method. Most VPNs do not require
   any name for registration, only a valid email address for account
   credentials. Using a VPN in a safe offshore jurisdiction (outside the
   [335]14 Eyes) may also be good, depending on your threat model.

   For those seeking the highest levels of anonymity, you can chain multiple
   VPNs through Linux virtual machines (using Virtualbox, which is FOSS). You
   could also use VPN1 on your router, VPN2 on your computer, and then access
   the regular internet (or the Tor network) through two layers of encryption
   via two separate VPN services. This allows you to distribute trust across
   different VPN services and ensure neither VPN could have both your
   incoming IP address and traffic. This is discussed more in my guide on
   [336]multi-hop VPN services.

   Note: The claim that "VPN is fully, 100%, a single point/entity that you
   must trust" is false. This claim comes from [337]this Tor promoter who
   coincidently [338]works for the US government's Naval Research Lab.

   When you chain VPNs, you can distribute trust across different VPN
   services and different jurisdictions around the world, all paid for
   anonymously and not linked to your identity. With Tor alone, you put all
   your trust in The Onion Router...

Tor Project agrees on the benefits of adding VPN

   The Tor Project also agrees on the benefits of correctly using a VPN with
   Tor, as I recommend above. Here are a few quotes from the Tor Project
   about the [339]benefits of using a VPN before Tor ([340]archived):

    1. "might prevent your ISP etc from seeing that you're using Tor"
    2. Routing Tor through a VPN "can be a fine idea assuming your VPN
       provider's network is in fact sufficiently safer than your own
       network." [A verified no logs VPN is a lot safer than an internet
       provider that has your name, date of birth, payment details, and is
       collecting your data and [341]sharing it with surveillance agencies,
       such as the case with [342]US internet providers.]
    3. "Another advantage here is that it prevents Tor from seeing who you
       are behind the VPN. So if somebody does manage to break Tor and learn
       the IP address your traffic is coming from, ... then you'll be better
       off."

   While I generally agree with the points above, unfortunately, the Tor
   Project also stated some incorrect information in the beginning of their
   article as follows, "Most VPN/SSH provider log, there is a money trail, if
   you can't pay really anonymously."

   These points are incorrect.

     * "Most VPN/SSH provider log" - This is simply not true. There are many
       [343]no logs VPN services and also a small number of VPNs that are
       verified to be no logs, having undergone third-party audits, server
       seizures, or court subpoenas for user data.
     * "there is a money trail" - This is a huge misconception that is
       promoted by people who don’t know what they’re talking about. A
       “money trail” has no bearing on the effectiveness or encryption of
       a VPN. VPNs are not illegal and are becoming mainstream privacy tools.
       If an adversary knows you have a subscription with a specific VPN
       service, this has zero bearing on the effectiveness of your VPN. Even
       if the adversary has your username and password, this still has no
       bearing on the effectiveness or encryption of the VPN (it just means
       your adversary can use the VPN for free). VPN encryption is dynamic
       and negotiated new with each connection. And if you are worried about
       “money trails” then pay anonymously.
     * “can’t pay really anonymously” - This is again false, perhaps
       blatant lying to scare people away from VPNs. Most VPNs offer
       anonymous payment options, such as gift cards or Bitcoin, with no name
       required. You only need a valid email, and you can easily setup an
       anonymous/burner email for this purpose that’s not connected to your
       identity. Done.

   Note: While there have been various cases proving the FBI can easily
   de-anonymize Tor users, there has never been any court cases (that I've
   seen) proving the FBI (or any government agency) can de-anonymize VPN
   users, assuming there's good encryption with no leaks. Instead, we have
   seen a few isolated cases where the FBI pressured VPNs to log user data
   and provide this to authorities to identify a specific user, such as with
   the [344]IPVanish logging case in the US.

Tor vulnerabilities and VPNs

   There are other attacks that the Tor Project [345]admits will de-anonymize
   Tor users ([346]archived):

     As mentioned above, it is possible for an observer who can view both you
     and either the destination website or your Tor exit node to correlate
     timings of your traffic as it enters the Tor network and also as it
     exits. Tor does not defend against such a threat model.

   Once again, a VPN can help to mitigate the risk of de-anonymization by
   hiding your source IP address before accessing the guard node in the Tor
   circuit.

   Can exit nodes [347]eavesdrop on communications? From the Tor Project:

     Yes, the guy running the exit node can read the bytes that come in and
     out there. Tor anonymizes the origin of your traffic, and it makes sure
     to encrypt everything inside the Tor network, but it does not magically
     encrypt all traffic throughout the Internet.

   However, a VPN can not do anything about a bad Tor exit node eavesdropping
   on your traffic, although it will help hide who you are (but your traffic
   can also give you away).

   I discuss these points more in my [348]VPN vs Tor comparison.

Conclusion on Tor

   No privacy tool is above criticism.

   Just like with Tor, I have also pointed out numerous problems with VPNs,
   including VPNs that were caught [349]lying about logs, VPN [350]scams, and
   dangerous [351]free VPN services. All privacy tools come with pros and
   cons. Selecting the best tool for the job all boils down to your threat
   model and unique needs.

   Unfortunately, for many in the privacy community, Tor is now considered to
   be an infallible tool for blanket anonymity, and to question this dogma
   means you are "spreading FUD". This is pathetic.

   In closing, for regular users seeking more security and online anonymity,
   I'd simply avoid Tor altogether. A VPN will offer system-wide encryption,
   much faster speeds, and user-friendly clients for various devices and
   operating systems. This will also prevent your ISP from seeing what you're
   up to online.

   Additionally, VPNs are more mainstream and there are many legitimate (and
   legal!) reasons for using them. Compared to Tor, you definitely won't
   stand out as much with a VPN.

   For those who still want to access the Tor network, doing so through a
   reliable VPN service will add an extra layer of protection while hiding
   your real IP address.

   Further Reading:

   [352]Tor and its Discontents: Problems with Tor Usage as Panacea

   [353]Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries

   [354]Tor network exit nodes found to be sniffing passing traffic

   [355]On the Effectiveness of Traffic Analysis Against Anonymity Networks
   Using Flow Records

   [356]Judge confirms what many suspected: Feds hired CMU to break Tor

    About Sven Taylor

   Sven Taylor is the founder of RestorePrivacy. With a passion for digital
   privacy and online freedom, he created this website to provide you with
   honest, useful, and up-to-date information about online privacy, security,
   and related topics. His focus is on privacy research, writing guides,
   testing privacy tools, and website admin.

Reader Interactions

  Comments

    1. Alvaro

       [357]January 18, 2022

       I've always been critical of Tor since its inception. The ability to
       access Onion sites sounds cool and all but most of those links are
       dead, Tor is selfdom rarely used by free speech activists to access
       legitimate websites. Nor is it practical since most sites are
       protected by Cloudflare and require Javascript to load sites up. On
       top of that its slow, and as Sven mentioned, you can be monitored or
       compromised by bad actors at any given moment since you don't know
       whose operating the Tor servers.

       Tor simply can't compete with VPNS at the moment. It might be a
       slightly better option than using free VPNS but that's not saying
       much. Paid VPN providers with the right audits done on them is simply
       the way to go. They might not be a 100% bulletproof requiring privacy,
       and speed but HTTPS already has you takened care of since your
       VPN/Internet Service Provider cannot see your individual activities
       beyond the Home URL you are in.

       Solid article by Sven Taylor. Hope more see it to wake themselves up
       from the lies promoted by the Tor team.

       [358]Reply
    2. Patriot

       [359]January 11, 2022

       My Timeline: (I'll be shocked if this is not instantly deleted or even
       makes it here)
       - I met once a year with several others I networked around the world
       with to basically prove each other wrong and ultimately learned from
       each other. Most were from Europe, with several Oxford grads who wrote
       compilers for Borland, two from the US and one from Australia.
       - Two years before 9/11, a businessman and friend who we all knew
       wanted us guys to work for a new startup to collect data about
       companies that they would then sell. The businessman said to me, "It
       is a great opportunity and it will make you a rich man in a few
       years." The guy in charge at the new company had architected what the
       Police use. When interviewed, they led me around and showed me a large
       data center in the building and I noticed the provider was Southern
       Bell. I asked and they said they use so much bandwidth the phone
       company decided to just move the central office of the area there.
       That didn't make sense to me. They made a peculiar comment that they
       liked it that I was a military pilot and they liked pilots, which also
       made no sense. I saw three guys dumping traffic and asked what they
       were doing. The answer was, "Defending against hackers trying to get
       at our information.". What also didn't make sense is what they said I
       would be doing was too simple to hire someone like me for. It would be
       like watching paint dry for me. One of the guys they had already hired
       said, "I'm looking forward to working with you. Isn't this amazing for
       only 4 months old?" Exactly what I was thinking. While the guy
       courting me was very wealthy, he was not this wealthy. This didn't
       make sense. For $60 I could buy CD's from Microsoft with a lot of
       business information and there is Dunn&Bradstreet. I had a great job
       as CIO of a Tier-1 Automotive supplier, paid well, great family area,
       could do what I wanted, set my own hours, and I had weekends off
       except during major upgrades of my own doing. I refused. Some time
       later, I started receiving peculiar phone calls from attorneys asking
       me vague questions and insisting I knew a lot more than I did. I
       relayed that to the guy who wanted me to work with them and I never
       heard from him again.
       - A few years after 9/11 I'm in a conversation with a guy I knew who
       had worked directly for the guy who was on the board that courted me.
       He had closer ties personally with the guys but was not one of us. I
       mentioned the reason I refused was things didn't make sense and also
       the peculiar calls from attorneys. At that point he told me it was a
       front company for the government to monitor people's conversations.
       This was 2+ years before the Patriot Act. I also learned that they
       perform drone strikes from down there, which might be why the strange
       comment about me having been a military pilot. The story from him was
       the peculiar calls were because the guy in charge turned out to be a
       crook. Of the guys hired, the guy from Australia and the girl from
       Germany found out their goals were the same and both left. They got
       married and still got to stay in the US and are now citizens. As I
       recall from the last conversation, baby #11 was on the way, and they
       were homeschooling. They both work as contractors for the guy telling
       me all of this stuff. The remainder immediately ended up at
       LexisNexis, which is noteworthy, because if you need an accident
       report, this is where the police send you, and is the brain child of
       the guy I would have been working for. I know the character of the one
       who left with the girl from Germany and another in the group who was
       also a pastor, which might make sense of the move to LexisNexis. They
       were there for a long time but no longer there and seem to be bought
       and sold as a group in which they are each shareholders, of which I'm
       guessing the businessman is among them. The place that wanted to hire
       me has since morphed into an organization for healthcare support,
       which fits perfectly with what had been the businessman's main money
       maker.
       - As you might imagine, the Snowden saga is a different read for me.
       On the one hand I understand the government's interest to protect its
       citizens. On the other hand, when Snowden was hired, he would have had
       to have been sworn to secrecy before knowing the scope of what it
       entailed. The verdict of what he did afterward can swap in your mind
       daily. If you read the official story of the Julian Assange case, and
       what they claim to be his maladies, it doesn't add up. Both could
       release extremely damaging information to national security but AFAIK
       neither has yet.
       - Days ago I decided to test my VPN that had been recently purchased
       by Kape Technlogies like my last one was. I picked a far away country
       and determined it was actually exiting a server in New York. I
       published several places on YouTube how to duplicate what I had done
       and it is deleted immediately.
       - Today, I hate technology and am getting out of it and will plead
       ignorance. I wished I'd never gotten into it. My concern is not that
       they are collecting everything, it is you cannot trust those entrusted
       to safeguard us and work for the good of its citizens. Some examples
       are the IRS targeting certain groups by not only denying their rights,
       they gave their customer lists to their competition who are their
       supporters, and then pled the 5th. Then there was the Trump
       investigation fiasco where we saw attempted entrapment and obtaining
       telephone records with no warrant of any kind, which were never
       presented, so apparently worked against the narrative. Assange's
       comments at his hearing are worth noting, "I don't understand how this
       is equitable. This superpower had 10 years to prepare for this case
       and I can't access my writings. It's very difficult where I am to do
       anything but these people have unlimited resources. They are saying
       journalists and whistleblowers are enemies of the people. They have
       unfair advantages dealing with documents. They know the interior of my
       life with my psychologist. They steal my children's DNA. (which was
       proven) This is not equitable what is happening here." Others have
       plea bargained under these circumstances even when innocent because
       there was no prospect that justice would prevail.

       [360]Reply
    3. Per

       [361]January 11, 2022

       I'm a bit confused. If people can so easily be identified when using
       Tor, why would any goverment agent use it? It's not like other
       goverments wont know of US' usage of Tor for agency purposes and would
       of course put resources into unmasking them, finding security holes
       etc. Wouldn't this place them at the same risk as anyone else using
       Tor?

       [362]Reply
    4. Publius

       [363]December 27, 2021

       Thank you for writing this, Sven! Eye opening for me. So, is there ANY
       benefit at all to using TOR over VPN? As opposed to just using (for
       example) SurfShark MultiHop with the Brave browser? Seems Tor over VPN
       doesn't offer any benefit for anonymity, security or privacy. In fact,
       if VPN can't help with malicious TOR exit nodes, then you're worse off
       with TOR over VPN? As opposed to just VPN with MultiHop and a browser
       like Brave?

       Thanks so much for this work!

       [364]Reply

          * Sven Taylor

            [365]December 28, 2021

            "VPN with MultiHop and a browser like Brave"
            Yep, I would concur that is the best solution and it is what I
            also use. And of course, if you need to use the Tor network for
            some reason, such as reading ransomware blogs, then you can
            easily open a "New private window with Tor" in the Brave browser,
            with your VPN running in the background.

            [366]Reply

               * Publius

                 [367]December 28, 2021

                 Awesome, thanks!! <U+1F64C>

                 [368]Reply
               * HopefullyAnAnonymousGuy

                 [369]January 23, 2022

                 Is it true that even if you use a VPN or Tor on a android
                 phone all your actions are recorded into "logcats"? So
                 google has all your actions stored anyway and can give them
                 to thirdparties? I got curious about the darkweb from
                 youtube and decided to go snooping around and ended up
                 downloading a few things and went to drug sites although I
                 did not buy anything. But now I have learned that this will
                 always be connected to me and I am worried about this.

                 [370]Reply

                    * HopefullyAnAnonymousGuy

                      [371]January 23, 2022

                      I know Im responding to my own comment here but I also
                      wanted to thank you for writing this whole article.
                      This is very insightful and obviously took alot of time
                      and research. It was well written and interesting to
                      read even for me Im not a big computer guy.

    5. Computer-illiterate need help

       [372]July 2, 2021

       I am confused. Suppose I use a vpn + tor. I log into some sort of
       .onion website. Let's say that my ip address is completely secure, and
       nobody knows who I am. Can the exit node still see my username, the
       password I use to log in, and all the data that I see/write on that
       site? If the exit node is malicious, can it download a virus if I try
       to download a file on that site?

       If so, why would anyone use tor for anything that involves logging
       into any website or involves confidential information, like financial
       documents or making cryptocurrency transactions? Sure, I would be
       anonymous, but would it not be highly insecure, even on a .onion
       address? Or am I missing something about how it works? Does the .onion
       address need to have https:// in addition to .onion? And if they know
       your username and your password and all your data, couldn't they steal
       that confidential information for their own purposes or even to try
       and identify you based on that?

       If they can steal your data like that and log into any website you
       visit over tor, or if they can put a virus into any file you download,
       or if they can see private information, would it not be safer to use a
       vpn that you trust and has no logs, instead of a vpn over tor?

       Please explain. I am computer-illiterate.

       [373]Reply

          * Stealthbomber

            [374]October 1, 2021

            1) No, your connection to the website is TLS encrypted if you are
            using/seeing HTTPS in front of the website name ([375]https://www
            ...) Nobody in the chain will see the website content. They will
            however see where the packets come from and where they go.

            2) Your login password is never transported in clear. At least on
            any website that is halfway decent secure. It is hashed in your
            browser and this hash is transported to the website and it
            compares it with what is stored in its database. This is called
            `Hashing'. Very simple but effective.

            3) Onion addresses stay inside the Tor network. They are not
            exposed to a Exit node.

            4) Putting a virus/malware in a downloaded file is difficult. If
            your website you download from uses TLS (https) they cannot
            manipulate your download because it is encrypted. Furthermore, if
            you use a secure operating system like Linux, you would be far
            less at risk of getting malicious downloads. By design,
            virus/malware made for Windows will not run on Linux. So you
            could download it but it would do no damage as you can't execute
            (run) it.

            VPN + TOR is the best solution so the Tor entry node does not
            know your ISP assigned IP address. Therefore they can't
            collaborate your traffic by watching all entry and exit nodes.

            [376]Reply

    6. Doug

       [377]July 1, 2021

       TLDR: Tor is a hangout for feds and pedos, with the US government
       continuing to fund its existence.

       In other news this week, DoubleVPN effectively protects and hides its
       users, some of whom are criminals, so governments shut down the VPN
       and seized the domain because they call it a "criminal VPN".
       [378]https://thehackernews.com/2021/06/authorities-seize-doublevpn-service.html

       [379]Reply

          * Nunya Biz

            [380]December 21, 2021

            These actions by governments speak VOLUMES.

            ADMIN, you should pin Doug's comment to the top. It hits the nail
            on the head!!

            Feds love it when you use their honeypot Tor project. And you
            better not use an "untrustworthy VPN with a money trail!" says
            the US government contractor Matt (the paid Tor shill) Traudt.

            [381]Reply

    7. Paranoid US Citizen

       [382]June 23, 2021

       Suppose TOR is nothing more than a second internet monitored by the US
       government. If that is the case, then if TOR becomes widespread, it
       will effectively allow the US to monopolize the internet.

       1. Release TOR to the public for criminal use and for hiding
       dissidents in third world countries
       2. Introduce TOR as a privacy software while reducing allowed VPNs to
       get more normal people to use TOR as a free alternative to a VPN
       3. Completely remove all allowed VPNs
       4. Heavily advertise TOR
       5. Once about 99% of people use TOR, remove anything that the US
       doesn't like as "security risks"
       6. Outlaw usage of any other networks (i.e. the internet).
       7. Repeat step 5-6 in other countries

       If you aren't concerned about this, because you don't think you are a
       security risk, you should be. Think about your beliefs. I am a
       Christian, that means I believe what the Bible says is more
       authoritative than what the government says, and I have no problem
       disobeying a law that asks me to disobey Scripture. That makes me a
       security risk. Unless you believe you should obey everything the
       government says with no exceptions (this would put you on the side of
       the Nazis by the way), then YOU are a security risk. I am currently
       posting this using TOR, but will be finding an alternative soon to
       either replace or supplement it.

       [383]Reply
    8. Jerry

       [384]May 22, 2021

       I really liked your article on Tor. And I agree completely with this
       article.

       I have tried Tor twice-many years ago and a few years back. I will
       never use Tor again. I think it is crazy for anybody to trust the Tor
       network. News people and people in repressive countries need to find
       something else.

       I am not going to go into detail about my own experiences with Tor,
       but I am completely convinced that the Tor network is just a US
       government program that they use for their own purposes. Many of the
       servers used are probably owned by the US Navy, the FBI or the NSA, or
       even the CIA. And some people use the Tor network for criminal
       activity.

       There may be ways to use the Tor network safely, but I am not
       interested.

       [385]Reply
    9. Mark Mays

       [386]April 18, 2021

       Your article “https://restoreprivacy.com/tor/” was a great eye
       opener for me. I thought Tor was completely secure. Thanks for
       educating me.

       [387]Reply
   10. spirit

       [388]April 16, 2021

       i would say tor's safety depends entirely on the browser, which is the
       weakest part and the source of most leaks.
       It is a catastrophic mistake of the project to deliver the tbb in that
       standard config, which really is like a hybrid mode, looks good but is
       very bad at the same time.
       the pedos need javascript to watch their pervert videos, so they get
       what they deserve.
       For the innocent people who just watch youtube videos, which also
       needs javascript, tor is useless, because it doesent keep them private
       or anonymous, regardless if they use an additional vpn. The torproject
       is entirely unsafe for non-techies , video and media watchers, critics
       of governments and the State, dissidents without knowledge of the
       capabilities of the Forces they fear or fight . It is unsafe for most
       People, and that is the Reason why it failed to protect the innocent.
       No Balance of power in this world.

       [389]Reply

          * tom

            [390]June 14, 2021

            did you even read this article? Tor is by no mean safe, when
            state actors are having the great majority of servers and
            therefore great control or at least overview on the network
            traffic

            [391]Reply

   11. Wothamburger

       [392]March 23, 2021

       I would like to point out that your fixation with pedophiles early in
       the article is... Well, disturbing. If the FBI won't disclose their
       methods for "uncovering" these so-called pedos, then they may have
       fabricated all the evidence.

       They are known to do this. The Michael Flynn case has been so bogged
       down with conflicts of interest and flat-out lies - two judges, the
       lawyers on BOTH SIDES, the FBI, the jury forewoman (yea!) and even the
       goddamn transcriptionist were all caught either trying to fabricate
       evidence or just flat out throw the case. They even said right to the
       guy they would trump up charges on his son if he didn't plead guilty.
       The judge said he was going for treason and the death penalty (yah!)
       after being promised probation. And when he finally proved his
       innocence, the judge dismissed the case and REFILED the exact same
       charges. These people are fucking monstrosities.

       Just that case makes the entire justice system look like a joke; it
       shows just how far the FBI and the law itself has fallen. Do not say
       the accused were "pedos" simply because the FBI says. They are less
       trustworthy than the CIA and NSA if you can fathom that.

       And don't trust the news. I've seen articles talking about how
       horrible it was Trump pardoned him. Pfft. If there's anyone who
       deserves to be pardoned it was that poor man. Either read the actual
       court dockets or listen to Viva Frei (where I heard it first). Bureau
       of investigation my ass; more like bureau full of lies.

       [393]Reply

          * Sven Taylor

            [394]March 23, 2021

            "your fixation with pedophiles"
            Fixation? Maybe you need to read the article and then go back and
            read all of the sources. It is a well-documented fact that these
            types use Tor and are often busted for their actions on the Tor
            network. Again, this takes about 2 minutes of research. And while
            I do agree that the justice system, news, and political process
            is a joke throughout the West, that doesn't change the fact that
            pedos are using Tor.

            [395]Reply

               * pareo

                 [396]March 27, 2021

                 Here's a message from head of pedo-circle which 1/3 of its
                 member were arrested because of using VPN service and the
                 rest, Tor users, remained free

[397]https://www.schneier.com/blog/archives/2005/07/the_doghouse_pr.html/#comment...

                 [398]Reply

                    * Sven Taylor

                      [399]March 28, 2021

                      You are literally linking to a random comment that
                      tells an unverified story, on a blog post that is over
                      a decade old. And the word "VPN" does not even appear
                      on the entire page, but instead something called
                      "privacy.li".

                      But even ignoring all of this, it seems your basic
                      argument is, "Look, there's a VPN that didn't work
                      right." And I would agree, there are bad VPNs that leak
                      data, fail, etc. I've spent the past five years
                      pointing out problems with bad VPN services, such as
                      [400]IPVanish, [401]PureVPN, Hotspot Shield, and more.
                      My argument has always been use a good VPN, not a bad
                      one.

                      And if you want to get serious, then read our guide on
                      [402]how to really be anonymous online.

   12. Oxy

       [403]March 20, 2021

       I think this article might be misleading for a lot of people, because
       it sounds like it's a goverment spying app. The tools that are given
       to you are only as good as you implement them. You can use TOR; VPN,
       Bridges and route all traffic through TOR, use can use OS like Tails
       to further anonymize youself. Most importantly if you practice good
       hygiene and you use TOR for your daily use. That means there are no
       connection between you doing something you may not be allowed to and
       times when you were connected to TOR.
       Also it depends where you live too. Russian goverment would wipe their
       ass with some U.S. Warrant.

       I guess the simple answer to "is Tor Trustworthy and Safe?" would be
       Yes as much as anonymization tool could be. But it's up to users to
       use extra layers to further secure it.

       [404]Reply

          * Sven Taylor

            [405]March 21, 2021

            You are assuming that Tor itself is completely safe and that's a
            big assumption given the evidence above.

            [406]Reply

               * Saundra

                 [407]April 16, 2021

                 Tor is BS. Short and sweet. If a tool was created by some
                 intel agency or with their help, they know how to get into
                 it. Yeah, they just gave it away...lol. That's like thinkng
                 that Edward Snowden is real. The whole pole-dancing, photog
                 GF and the marriage in exile...made in heaven or a hollywood
                 basement? As if the US govt couldn't locate the guy in
                 Moscow if they wanted to. Please. I could locate him in
                 Moscow, if he were there. Trust me, he's not even close.
                 He's probably on the ISS.

                 [408]Reply

   13. Harvey

       [409]March 8, 2021

       First you gave the good advice to distribute trust, then you concluded
       that normal users should "avoid tor altogether". Tor Browser gives no
       protection on its own from the government,but used properly it's a
       good anti fingerprinting tool to protect you from advertisers, who use
       way more than just your IP address to build their profiles. Out of the
       box, its a very isolated application that stops websites from learning
       about your device.

       Conversly, VPNs protect you from the government, but not from
       advertisers, who will still identify you instantly from all the info
       your device gives away aside from just your IP address. To protect
       against both threats, both tools should be used in tandem. Not Tor
       without VPN, and not VPN without Tor.

       P.S
       I also have a philisophical disagreement. You made it sound like the
       government releasing tor publicly so it would be more effective as an
       anonymity tool is a bad thing. On its own that doesn't count as a con,
       since it just means that the trust (or in your case, lack thereof)
       goes to the effectiveness of the tool itself, not to the good
       intentions of the people who made it, and not to any
       legislation/jurisdiction that the creator may or may not care about.
       Also, releasing it publicly means taking the good with the bad. We
       help them do spooky stuff, but we also help people anonymously doing
       good stuff. And even if tor didn't exist, would VPN companies ban
       government officials from using them? Ignoring the other flaws for a
       second, isn't it better to trust in effective encryption than it is to
       trust in humans?

       [410]Reply

          * Sven Taylor

            [411]March 8, 2021

            I've never said VPNs can do everything. This is usually a
            straw-man argument that is often used in the anti-VPN argument:
            "VPNs don't make you anonymous because trackers... hurr durr...
            so don't use VPNs!"

            Of course, we recommend many different [412]privacy tools, to
            include a VPN, secure browser, and ad/tracker blocker.

            And you don't need Tor to block trackers and ads. There are many
            other [413]ad blocking methods that work better and more
            efficiently.

            [414]Reply

   14. Reginald

       [415]January 4, 2021

       Hi Sven, if one uses VPN before Tor, is it possible for the ISP to
       know the user is using Tor? I know the VPN can, but just wondering if
       ISP can tell the data was Tor even though it's encrypted via the VPN?
       I'm sure I remember reading the packet byte size was always the same
       with Tor, making it obvious, but maybe the VPN changes that? Thanks!

       [416]Reply

          * Sven Taylor

            [417]January 4, 2021

            Correct. A VPN before Tor conceals your activities and your ISP
            (or network admin) will not be able see what you're doing,
            whether it is Tor or anything else. They will only see that your
            computer has an encrypted connection to an IP address that
            belongs to a VPN server, but all traffic remains encrypted.
            This also would have saved Eldo Kim, the hoaxer from Harvard, if
            he had used a VPN before connecting to Tor.

            [418]Reply

               * CrashBandicoot

                 [419]November 13, 2021

                 Can you use multiple vpn servers over tor?
                 ex.
                 Laptop->VPN1->VPN2->VPN3->Tor->internet

                 [420]Reply

                    * CrashBandicoot

                      [421]November 13, 2021

                      #Update#
                      Ok i just saw that [422]article about multihops.. I
                      always had that idea in my mind and never knew it
                      actually existed. But now i know that i really can be
                      anonymouse.
                      How i would do it is using linux while using virtual
                      machine inside virtual machine.
                      then ofcourse using double vpn or multihops . Vpn on
                      router, vpn on computer (vm)

   15. human being

       [423]December 10, 2020

       sentinel? no, it tries to connect to google at firstrun

       [424]Reply
   16. Will Wheaton

       [425]November 24, 2020

       So, if using the tor bridge, does it make the connection slower or
       faster to soome connections arpund the world? Usong tor browser i
       mean.
       Also, reply button doesnt work.

       [426]Reply
   17. Will Wheaton

       [427]November 16, 2020

       So, vpn (which is already connected) + tor mobile browser (connecting
       tor) , just for browsing the webs not the deep web is ok? I mean how
       the connection should be.
       Also, what do you think of sentinel dvpn + tor.? Cheers.

       [428]Reply
   18. Will Wheaton

       [429]November 15, 2020

       So, november 2020... So dont use tor browser for andriod is the best
       advice? Just for surfing the web is my main reason.
       Btw fennec for andriod lets you do about:config with firefox latest
       update plus with addons and all.

       [430]Reply
   19. Anne omnibus

       [431]November 14, 2020

       About:config not accessible in torbrowser 10.0.4

       [432]Reply

          * Saundra

            [433]April 16, 2021

            But it's accessible in 10.0.11? Because it is.

            [434]Reply

   20. resident without a p

       [435]October 24, 2020

       Note to the bridge users on tor:
       obfs4 engine caught trying to connect to dns on clearnet when
       requesting a new bridge, this cannot be safe and should be only
       allowed on socks tor dns "after" already been connected to tor. It is
       understood that in some countries you will not be able to connect to
       the tor net before request a new bridge, however , it is not
       understood why only a few "wellknown" bridges are hard-coded with
       static addresses in the ffox config file. It makes no sense when those
       new bridges need to be requested, when all available bridges easily
       could be updated directly with regular torbrowser updates.
       finally, tor should never connect to clearnet dns
       just saying based on own awareness

       [436]Reply
   21. ivestigator

       [437]September 30, 2020

       i just dont know why many ppl think tor attracts the attention of the
       Controlfreaks and vpns not.... what exactly is it what you dont
       understand of the term " Controlfreaks " ???
       just b realistic for yourselves, there's a simple parameter to
       consider:
       Considering that Controlfreaks are mainly after Crimes, their logical
       thinking is....
       hide => suspicious
       suspicious => need to know whats hidden
       need to know whats hidden => break of privacy & anonymity
       thats it !
       you ( like me) may be just a privacy intussiast, advocat who just try
       to defend your basic human rights , but for the controlfreaks you
       appear to be just another suspect because its the way of thinking a
       controlfreak.
       this fact may keep the flame of eternal conflict of interest up.
       But another thing on the extreme corner is... Crimes against Humanity,
       which is really something the controlfreaks should be worried about,
       because they could one day end as the hunted for what they systematly
       and arrogantly did or are doing.
       for example:
       you do an update of your operating system, and the amount of data
       involved in the process is so big (not just some hunderts megabytes,
       but several gb's), you cannot believe anymore its a regular update,
       seams more a kind of image of what you have. So what are those
       Controlfreaks doing with all the data? is it ok to collect all the
       data of the users without their knowledge and agreement, this
       worldwide ?

       [438]Reply
   22. JDS

       [439]September 25, 2020

       It's an interesting question, for sure. Why use Tor when you can use a
       VPN and not attract any attention? Providers like Perfect Privacy and
       ProtonVPN certainly offer a good alternative. I prefer to use both.
       One of those providers coupled with the Tor Browser is more than
       enough for me. My threat model, along with probably the majority of
       your readers here, is uninteresting and will probably never warrant
       using Tor. You really have to ask yourself if using Tor defeats the
       entire purpose of the level of anonymity you were hoping to achieve.

       Unless you have a need for onion sites Tor appears at this point to be
       unnecessary. Hiding ones web traffic from ISP's should be enough for
       just about everyone. Why direct attention to yourself? I have a
       difficult time thinking that Tor users aren't actively monitored on
       the clear web, VPN or not. I don't have to wear a tinfoil hat to think
       that adversaries are actively trying to piece clearnet/Tor usage
       together. I honestly don't think it matters what you are up to while
       using Tor for this to happen. The question really is "Why bother"?

       Something for the Tor Cult to consider.

       [440]Reply

          * Saundra

            [441]April 16, 2021

            They aren't TRYING to piece anything together. They don't have to
            try, it's done. You aren't hiding from the bigger agencies, just
            your own isp, at most, and probably keeping your vape-smoking
            neighbor from sniffing your traffic.

            [442]Reply

   23. Axel

       [443]August 15, 2020

       Hello sir. I just wanted to thank you for this very informative
       article. You are absolutely right about how Tor is promoted today, as
       many of this stuff you mentioned is not widely spoken of. Many people,
       myself included, appear to misunderstand how Tor works and the risks
       that come with it.

       [444]Reply
   24. tony

       [445]July 18, 2020

       Hi could you write guide about hidding openvpn in ssh
       a)user->ovpn->ssh->internet or...
       b)user->tor->ssh->internet

       My home isp totally consorship tor and openvpn protocol. They have I
       mean strong DPI.
       I leave in desert and there is no other isp to choce.. In NY in my
       second home there is no problem.

       I like hkrs..tunnel they are awsome:)
       Normally DPI witch ssh can not recognize ..torore ovpn witch ssh layer
       over.
       I want use ssh as vpn and vpn witch ssh.

       Best
       Regards

       [446]Reply
   25. Rebel

       [447]May 9, 2020

       185.159.156.0 185.159.156.255 256
       AS8473 ProtonVPN-SE1
       SE, Arno
       185.159.157.0 185.159.157.255 256
       AS59898 ProtonVPN-CH2
       CH, Plan-les-Ouates
       185.159.158.0 185.159.158.255 256
       AS56704 ProtonVPN-IS1
       IS, Reykjavik
       185.159.159.0 185.159.159.255 256
       AS19905 ProtonVPN-CH1
       CH, Plan-les-Ouates
       Autonomous System 8473
       AS name BAHNHOF
       Reg. date 1997-09-18
       Organization [448]http://www.bahnhof.net/
       ID ORG-BIA1-RIPE
       Country
       SE, Sweden...ups
       RIR RIPE NCC
       prefix count 96
       unique ip count 591.104
       ipv4 peers 80
       Autonomous System 59898
       AS name AS-ALLSAFE
       Reg. date 2017-03-27
       Organization Allsafe LLC Hauterive, Neuchatel, Switzerland
       ID ORG-AS591-RIPE
       Country
       CH, Switzerland
       RIR RIPE NCC
       prefix count 7
       unique ip count 1.792
       ipv4 peers 4

       Autonomous System 56704
       AS name FARICE-AS
       Reg. date 2011-04-28
       Organization
       ID ORG-Fe9-RIPE
       Country
       IS, Iceland
       RIR RIPE NCC
       prefix count 5
       unique ip count 4.096
       ipv4 peers 21

       Autonomous System 19905
       AS name NEUSTAR-AS6
       Reg. date 2007-08-24
       Organization NeuStar, Inc.
       ID NEUS
       Country
       US, United States....ups
       City Sterling
       Region/State VA
       RIR ARIN
       prefix count 154
       unique ip count 41.728
       ipv4 peers 32

       good luck with the 100eyes

       [449]Reply
   26. notmyname

       [450]April 25, 2020

       would you say Mozilla Firefox modified for privacy according to your
       guide with a VPN is better than tor browser with a VPN in terms of
       privacy?

       [451]Reply

          * Sven Taylor

            [452]April 25, 2020

            It seems with the latest Tor browser update, they are making it
            more and more difficult to use the Tor browser without the Tor
            network. So yes, at this point, I'd opt for modified Firefox that
            is secure and hardened for privacy, with one of our
            [453]recommended VPN services.

            [454]Reply

   27. Nomen Nescio

       [455]March 29, 2020

       > Tor has garnered a cult-like following in recent years among people
       who pretend it’s infallible. Honest criticism of Tor is often met
       with accusations of “FUD” and ad-hominem attacks, so as not to
       disrupt the collective Groupthink.

       I have experienced this. I was viciously attacked on Reddit a couple
       years ago when I brought up what I thought was a valid point which
       should be investigated, about the first Tor node which was always the
       same. Intuitively this does not feel like a secure situation, but I
       was kind of shouted down by some users. Curiously, I can't find back
       my post now which as I remember I posted on r/Tor.

       [456]Reply
   28. postdoc

       [457]March 27, 2020

       VPN is a centralization of information about you and thus
       centralization of power over you. The perceived safety of Tor comes
       from decentralizing this information and its power. It's analogical to
       autocracy vs democracy debate. You can argue that a country under one
       wise and virtuous ruler works way better and more efficiently than any
       democratic one, but for many such system is just too dangerous. They
       prefer to let idiots vote rather than give all the power to one
       person, whoever he would be.

       [458]Reply
   29. rebel

       [459]February 2, 2020

       vpns arent more secure than tor, tor isnt more anonymous than vpns.
       tor nodes are all registered ip nodes, vpns are all registered, aswell
       as proxies of all kind, therefore vulnerable to spy . fingerprinting
       is gotten more sophisticated than most ppl are aware of. IX nodes ,
       aka internet exange nodes (probably all) are not your friends. bckd0rs
       everywhere, full of fake ssl, fake secure software, fake secure
       hardware, etc.. who has the taxpayers money?..exactly, those who have
       everything. dont forget it , lazy sheeps in tha democracy. you let it
       happen.. the law_warfare against you and your children.

       [460]Reply

 246. https://restoreprivacy.com/tor/
 249. https://en.wikipedia.org/wiki/Groupthink
 250. https://www.engadget.com/2016/01/07/fbi-hacked-the-dark-web-to-bust-1-500-pe...
 251. https://www.nytimes.com/2019/06/11/technology/online-dark-web-drug-markets.h...
 252. https://www.washingtonpost.com/world/national-security/secret-nsa-documents-...
 253. https://apps.washingtonpost.com/g/page/world/nsa-research-report-on-the-tor-...
 254. https://motherboard.vice.com/en_us/article/gv5x4q/court-docs-show-a-universi...
 255. https://www.theregister.co.uk/2014/07/22/legal_wrecking_balls_break_budget_t...
 258. https://arstechnica.com/tech-policy/2016/02/judge-confirms-what-many-suspect...
 259. https://www.documentcloud.org/documents/2719591-Farrell-Weds.html
 260. https://arstechnica.com/tech-policy/2015/01/did-feds-mount-a-sustained-attac...
 261. https://arstechnica.com/tech-policy/2015/01/did-feds-mount-a-sustained-attac...
 262. https://mice.cs.columbia.edu/getTechreport.php?techreportID=1545&format=pdf
 263. https://www.vice.com/en_us/article/4x3qnj/how-the-nsa-or-anyone-else-can-cra...
 266. https://www.techtimes.com/articles/200592/20170307/fbi-drops-child-pornograp...
 269. https://www.documentcloud.org/documents/4379303-Bbg-Tor-Emails-Stack-21.html
 272. https://surveillancevalley.com/blog/claim-tor-does-not-provide-backdoors-to-...
 273. https://www.documentcloud.org/documents/4379303-Bbg-Tor-Emails-Stack-21.html
 274. https://cdn-resprivacy.pressidium.com/wp-content/uploads/2019/09/Bbg-Tor-Ema...
 275. https://surveillancevalley.com/the-tor-files/the-tor-files-transparency-for-...
 278. https://www.wbur.org/news/2013/12/18/pdf-criminal-complaint-harvard-bomb-thr...
 279. https://edition.cnn.com/2013/12/17/justice/massachusetts-harvard-hoax/
 280. https://www.smh.com.au/technology/the-hack-of-the-year-20071113-gdrkxw.html?...
 281. https://www.smh.com.au/technology/the-hack-of-the-year-20071113-gdrkxw.html?...
 282. https://www.wired.com/2010/06/wikileaks-documents/
 283. https://blog.torproject.org/thoughts-and-concerns-about-operation-onymous
 284. https://arstechnica.com/information-technology/2014/11/law-enforcement-seize...
 285. https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-c...
 286. https://gizmodo.com/someone-is-running-hundreds-of-malicious-servers-on-the-...
 287. https://therecord.media/a-mysterious-threat-actor-is-running-hundreds-of-mal...
 288. https://web.archive.org/web/20190807043523/https://www.scmagazineuk.com/tor-...
 289. https://cdn-resprivacy.pressidium.com/wp-content/uploads/2019/02/10_honions-...
 292. https://www.itproportal.com/2014/10/28/ever-used-tor-then-you-need-to-check-...
 295. https://www.securityweek.com/onionduke-apt-malware-distributed-malicious-tor...
 298. https://www.techtimes.com/articles/167002/20160626/the-fbi-can-still-spy-on-...
 299. https://cdn-resprivacy.pressidium.com/wp-content/uploads/2019/02/Opinion-and...
 300. https://archive.org/details/3_fr_t2_15h_4-Dingledine_a
 301. https://en.wikipedia.org/wiki/Roger_Dingledine
 302. https://archive.org/details/3_fr_t2_15h_4-Dingledine_a
 303. https://cdn-resprivacy.pressidium.com/wp-content/uploads/2019/01/3_fr_t2_15h...
 304. https://pando.com/2014/07/16/tor-spooks/
 305. https://www.evernote.com/shard/s1/sh/8065781b-2110-4d01-bda7-a71a0e2b9e42/60...
 306. https://www.evernote.com/shard/s1/sh/23cf697d-2353-4247-815c-b4efa35d8639/3a...
 307. https://pando.com/2015/12/18/tor-project-super-secure-anonymity-network-will...
 308. https://en.wikipedia.org/wiki/U.S._Agency_for_Global_Media
 309. https://surveillancevalley.com/blog/notes-bbg-cia-cutout-funding-of-tor-proj...
 310. https://en.wikipedia.org/wiki/United_States_Department_of_State
 311. https://surveillancevalley.com/blog/state-department-funding-tor-project
 312. https://surveillancevalley.com/blog/notes-on-pentagon-funding-of-the-tor-pro...
 313. https://www.evernote.com/l/AAH7pJeJr95LUZE0rbTG2QeH7EZGBA7gWr4
 314. https://web.archive.org/web/20051126055913/https://tor.freehaven.net/people....
 315. https://archive.org/details/3_fr_t2_15h_4-Dingledine_a
 316. https://pando.com/2014/07/16/tor-spooks/
 317. https://www.torproject.org/about/overview.html.en
 318. https://www.csoonline.com/article/2228873/microsoft-subnet/no-conspiracy-the...
 319. https://archive.is/WR9X1
 320. https://pando.com/2014/11/14/tor-smear/
 323. https://restoreprivacy.com/vpn/
 324. https://www.bleepingcomputer.com/news/security/windows-drm-files-used-to-dec...
 327. https://www.smh.com.au/technology/the-hack-of-the-year-20071113-gdrkxw.html?...
 328. https://restoreprivacy.com/vpn/best/
 329. https://medium.com/@thegrugq/tor-and-its-discontents-ef5164845908
 330. https://restoreprivacy.com/vpn/best/netflix/
 333. https://restoreprivacy.com/vpn/no-logs/
 334. https://restoreprivacy.com/secure-email/
 335. https://restoreprivacy.com/5-eyes-9-eyes-14-eyes/
 336. https://restoreprivacy.com/vpn/multi-hop/
 337. https://archive.fo/IzoMI
 338. https://archive.is/2QWkY
 339. https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN#You-VPNSSH-Tor
 340. https://archive.fo/J9YZV
 341. https://en.wikipedia.org/wiki/PRISM_(surveillance_program)
 342. https://www.pbs.org/video/frontline-room-641a/
 343. https://restoreprivacy.com/vpn/no-logs/
 344. https://restoreprivacy.com/ipvanish-provides-logs-to-authorities/
 345. https://2019.www.torproject.org/docs/faq.html.en#AttacksOnOnionRouting
 346. https://archive.is/15rhK
 347. https://2019.www.torproject.org/docs/faq.html.en#CanExitNodesEavesdrop
 348. https://restoreprivacy.com/vpn-vs-tor/
 349. https://restoreprivacy.com/vpn-logs-lies/
 350. https://restoreprivacy.com/vpn/scams/
 351. https://restoreprivacy.com/vpn/best/free/
 352. https://medium.com/@thegrugq/tor-and-its-discontents-ef5164845908
 353. https://cdn-resprivacy.pressidium.com/wp-content/uploads/2019/10/usersrouted...
 354. https://web.archive.org/web/20190807043523/https://www.scmagazineuk.com/tor-...
 355. https://cdn-resprivacy.pressidium.com/wp-content/uploads/2019/10/cucs-019-13...
 356. https://arstechnica.com/tech-policy/2016/02/judge-confirms-what-many-suspect...
 378. https://thehackernews.com/2021/06/authorities-seize-doublevpn-service.html
 400. https://restoreprivacy.com/ipvanish-provides-logs-to-authorities/
 401. https://restoreprivacy.com/vpn-logs-lies/
 402. https://restoreprivacy.com/how-to-be-anonymous-online/
 412. https://restoreprivacy.com/privacy-tools/
 413. https://restoreprivacy.com/ad-blocker/
 422. https://restoreprivacy.com/vpn/multi-hop/
 448. https://www.bahnhof.net/
 453. https://restoreprivacy.com/vpn/best/

grarpamp

tags

participants (1)