[CONTENT-CHANGE] Remove/Edit recommendations of Tor

[sourcefrog]

Justification

Tor has complex security tradeoffs, and isn't a good recommendation for everyone.

On the up side, it hides your traffic from your wifi operator or ISP. On the downside, traffic eventually exits through an exit node who is completely unknown and unaccountable to you, and this exit node can both inspect and modify the traffic.

So as a baseline, Tor is a good choice for people who would rather roll the dice in trusting anyone in the world than trust their local network. That might be the case for criminals, political dissidents or people suffering domestic abuse, but it doesn't seem like the right tradeoff for the majority of users, who have a not-actively-hostile commercial ISP.

You say, and I would agree, that you should be careful in connecting to public wifi, because it may conduct active or passive attacks. But very similar problems apply to using Tor, with perhaps less obvious benefit.

As well as the performance impact, one should also consider:

• a possible false sense of security if information leaks through DNS or other programs
• Tor-supporting browsers might lag behind the upstream Firefox or Chromium in fixing security bugs
• whether using a browser with Tor built in or a separate proxy, you have a larger trusted software base

[Lissy93]

This is all very true

The thing I've found hardest about maintaining this list is documenting all trade-offs, and addressing users of different levels in a single list- what is good for an advanced user probably isn't appropriate for someone just getting started, and visa-versa.

I don't mean to give anyone a false sense of security- with Tor being a good example. It's sometimes hard to get across the point that just using the software won't make someone instantly anonymous and secure. Sometimes it could actually degrade security if not used correctly. And that each item has trade-offs: bugs, undiscovered vulnerabilities, questionable origins etc

I've now added a note about this, here. And for Tor specifically I made a small update: 7218abd to address the issue. Thanks for raising this 🙌

[Lissy93]

But for the other software on the list, it probably doesn't go far enough - there could be a whole list of issues and warnings related to almost every item in the list, and although I've documented the most serious of those (like PGP, VPN etc in the #word-of-warning sections), there is a lot missing. I'm not sure if it would be viable right now to include all the drawbacks of all the software, since most issues either overlap, or are being discovered and fixed all the time. I would hope that people have a threat model, or at least do bit of research, before heavily relying on anything

[sourcefrog]

Yes, I see what you mean about the trade-offs.

You took the time to write this so you can decide what the policy is. In my view it would be more helpful to structure it as:

1. Here is good advice for everybody: don't reuse passwords, apply updates promptly, encrypt your devices, turn on 2fa, use Gmail with enhanced protection. This list ought to be pretty short and not suggest doing anything, like Tor, that's likely to make things worse or introduce new risks or be too complicated to sustain.

2. Advice for people who are more technical or expect to be at higher risk.

3. Advice for people who expect to be targeted by governments and who're willing to make difficult trade-offs. Maybe Tor etc is here.

[Lissy93]

Yeah- that makes sense, and was what I was trying to do with the middle column here, do you think it isn't clear enough?
I couldn't think of any better words than Recommended, Optional and Advanced - which when I look at it again, maybe doesn't really make sense.

So you think if I ranked it as Everybody, Technical and Advanced that'd be clearer?

[Lissy93]

I wish there was a bit more flexibility with Markdown, I would add Tags to each item with Level, License, Language and IsMaintained. That would make things so much clearer to the reader. Am thinking of ditching this and creating a website instead, so that I can highlight important info in a much clearer way.

[0x192]

I wish there was a bit more flexibility with Markdown, [...]. That would make things so much clearer to the reader. Am thinking of ditching this and creating a website instead, so that I can highlight important info in a much clearer way.

This is exactly what I was thinking when editing the list.

Personally I'd go with the Hugo open-source framework to build a very lightweight static website. Plus, it's really easy to deploy the site on Github pages with Hugo.

So you think if I ranked it as Everybody, Technical and Advanced that'd be clearer?

Only using Everybody and Advanced seems clearer too me.

[atomGit]

late to the party, but i have a couple comments here...

[Tor] doesn't seem like the right tradeoff for the majority of users, who have a not-actively-hostile commercial ISP.

i would passionately argue that point - most people DO have hostile ISP's that spy, inject data into the stream and/or are more than happy to comply with requests by law enforcement

i agree that Tor is likely not a great choice for most people (i wrote about that here if interested), but i personally think one should absolutely be using either a VPN and/or Tor and protecting themselves against ISP threats which are very real

You say, and I would agree, that you should be careful in connecting to public wifi, because it may conduct active or passive attacks.

this is mitigated with a VPN so far as i'm aware

But very similar problems apply to using Tor, with perhaps less obvious benefit.

how so?

a possible false sense of security if information leaks through DNS or other programs

a real problem indeed - on the VPN side, any decent VPN will offer DNS as well - with Tor, i'm not sure there are any normal DNS lookups, are there?

Tor-supporting browsers might lag behind the upstream Firefox or Chromium in fixing security bugs

i would posit that the only browser one should use with the Tor network is the one built by Tor which is a Firefox fork that is pretty well hardened and, though i'm not positive, i would certainly expect that any security bugs found are probably patched immediately

[sourcefrog]

Hey @atomGit

I think your blog post is more balanced than this checklist was in March. I go a bit further in seeing more risks, and fewer benefits, in VPNs, for most users. I think https://gist.github.com/joepie91/5a9909939e6ce7d09e29 is a pretty good argument against them.

For the sake of simplicity let's talk about users in first world mostly-free countries, which seems to be the primary audience of this English language FAQ. The situation is so different in China or North Korea, where the government does very aggressive filtering on both the network and endpoint.

First of all, we have to set a baseline that users are running everything important over TLS from a modern implementation, and preferably secure DNS, otherwise none of these approaches have much safety.

late to the party, but i have a couple comments here...

[Tor] doesn't seem like the right tradeoff for the majority of users, who have a not-actively-hostile commercial ISP.

i would passionately argue that point - most people DO have hostile ISP's that spy, inject data into the stream and/or are more than happy to comply with requests by law enforcement

I have seen some stories about ISPs manipulating http or DNS, but I am not aware of data showing this is happening to most people. The highest-profile pattern I know of is turning DNS NXDOMAIN into a redirect to an ad "Redirecting DNS for Ads and Profit", Weaver, but this is pretty trivially avoided by using DNS-over-HTTPS which security-sensitive users will want to do anyhow.

I'm not aware of any ISPs successfully injecting into, or blocking, HTTPS traffic, on a wide scale.

ISPs will comply with requests from law enforcement. Whether they are "more than happy" is hard to tell - some assert they will comply only as much as is required, and push back on over-broad requests. VPN providers will also need to comply with law enforcement requests and they cannot opt out. Possibly you can arbitrage or raise the bar by using a VPN headquartered in a different, or more privacy-respecting, country.

Users also need to make a personal assessment whether law enforcement action is in their top risks, and if it is, whether network traffic is a likely vector. There are some for whom this is true but the majority of people are not the subject of an investigation, and are much more likely to suffer from untargeted cybercrime.

I think it's very difficult for end users to ascertain with confidence whether X VPN provider is more or less likely to protect their privacy than Y ISP. Some ISPs have behaved badly and some VPNs have behaved badly.

ISPs primarily sell network connectivity, which is what I want to buy. Although they may be tempted to extract marginal profit by playing tricks, they also have large capital bases, are local companies subject to regulation, and have reputations to worry about. VPNs are capital-light, often in niche jurisdictions, and much of their pitch is snake oil.

i agree that Tor is likely not a great choice for most people (i wrote about that here if interested), but i personally think one should absolutely be using either a VPN and/or Tor and protecting themselves against ISP threats which are very real

The majority of hits there are about copyright infringement notices due to torrenting. For the specific case of users that want to torrent pirated content, a VPN might be an improvement. (Although it also gives an obvious place to attack.)

You say, and I would agree, that you should be careful in connecting to public wifi, because it may conduct active or passive attacks.

this is mitigated with a VPN so far as i'm aware

Yep, that's a reasonable use for it. I would primarily trust in my application TLS implementation. If I wanted additional protection I would run my own VPN, or use noe from a very credible company.

But very similar problems apply to using Tor, with perhaps less obvious benefit.

how so?

The similarity is that you can:

1. Trust a random coffee shop's network provider not to record or alter your data (and hope the AP is not spoofed), or
2. Trust a random Tor exit node not to record or alter your data.

Seems like a toss up to me.

a possible false sense of security if information leaks through DNS or other programs

a real problem indeed - on the VPN side, any decent VPN will offer DNS as well - with Tor, i'm not sure there are any normal DNS lookups, are there?

In theory all DNS can be sent over the VPN too. In practice it may be easy for lookups to leak if the user has turned the VPN off, or before the VPN is established. If the user strictly only ever uses the VPN and the computer is configured never to send un-encapsulated traffic, maybe it's OK. What happens when you encounter a captive portal or need to debug network problems?

If I was serious about this, then perhaps I'd have a separate Linux router strictly enforcing the VPN policy and dropping all other traffic, and a separate client connected only to that router and only used for whatever is the VPN's purpose. I wonder how many people will get that right.

It seems to demand a lot of opsec from the user and leakage is highly unlikely to be noticed by the user but noticed by a serious attacker. This sort of slip up contributed to the incarceration of Ross Ulbricht.

For any prophylactic measure that requires a careful user you have to think about the theoretical protection versus the actual protection when used by a typical user with all the normal distractions in life and human falibility.

Tor-supporting browsers might lag behind the upstream Firefox or Chromium in fixing security bugs

i would posit that the only browser one should use with the Tor network is the one built by Tor which is a Firefox fork that is pretty well hardened and, though i'm not positive, i would certainly expect that any security bugs found are probably patched immediately

Yeah, actually, this does not seem to be a problem. It seems like the Tor Browser releases are nearly simultaneous with Firefox ESR releases. Good for them.

So to sum up:

• I agree, Tor's generally a worse bet than VPNs.
• VPNs also aren't a good recommendation for most users, most of the time.
• There are more useful things to spend cybersecurity time and money on. For example getting everything to a WebAuthn 2fa key, or turning on Google Advanced Protection.
• https://gist.github.com/joepie91/5a9909939e6ce7d09e29 and https://schub.wtf/blog/2019/04/08/very-precarious-narrative.html seem pretty accurate and balanced to me
• This has been debated many times elsewhere so I'll stop now and comment only on the remaining FAQ text.

[sourcefrog]

Just to stay on topic with the actual checklist:

• There is a word of warning about Tor, which is good, but it doesn't mention hostile exit nodes, which have been shown to exist (https://nakedsecurity.sophos.com/2015/06/25/can-you-trust-tors-exit-nodes/), and which seem to be a much easier attack than observing the whole network.
• The warnings about VPNs are pretty good.

[atomGit]

i think we'd agree that digital trust is a pipe dream, so whether it's a vpn, tor, etc., nothing can be trusted

that said...

I go a bit further in seeing more risks, and fewer benefits, in VPNs, for most users. I think https://gist.github.com/joepie91/5a9909939e6ce7d09e29 is a pretty good argument against them.

swap 'vpn' for 'tor' in that article and at least several of the arguments are still applicable, also the article isn't entirely against vpn's...

So when should I use a VPN?
There are roughly two usecases where you might want to use a VPN:

1. You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.

a vpn is going to provide far better transparency (ease of use) for users than tor

I'm not aware of any ISPs successfully injecting into, or blocking, HTTPS traffic, on a wide scale.

comcast caught injecting at DuckDuckGo
isp caught injecting at DuckDuckGo
at&t caught injecting at DuckDuckGo

ISPs will comply with requests from law enforcement. Whether they are "more than happy" is hard to tell - some assert they will comply only as much as is required, and push back on over-broad requests. VPN providers will also need to comply with law enforcement requests and they cannot opt out.

assuming the vpn doesn't log, there is massive difference between the 2 - sure they can cooperate, but there should be little or nothing to share whereas any and all isp's are legally required to log a great deal of network data

also a vpn is bound by its privacy policy which, for any decent vpn, is gonna be a hell of a lot stronger than any mainstream isp

granted, a vpn is a roll of the dice, but so is everything else and unless the privacy issues are overwhelmingly one-sided, i think a vpn makes sense for the majority given the average threat model (i.e. not an investigative journalist, whistleblower, etc.)

[Lissy93]

With Tor, malicious exit nodes are very limited in the damage they can do when the user is visiting any HTTPS site.

A couple of years ago, this was a big problem, as it was easily possible to do this - as Dan Egerstad did, when he setup a malicious exit node, and successfully sniffed mail server credentials, allowing him to intercept 1000's of private emails between foreign embassy officials.

If a user is only browsing, and not entering any information- or only enters pre-encrypted data, then malicious exit nodes become much less of an issue. And of course this issue disappears while using .onion sites, because they don't require you to leave the Tor network.

But I agree that the risk of bad exit nodes, especially when visiting improperly secured websites should still be mentioned, I will add a note about this in the checklist

[sourcefrog]

i think we'd agree that digital trust is a pipe dream, so whether it's a vpn, tor, etc., nothing can be trusted

We do. It's all a question of tradeoffs and managing the risks, and it inherently depends on the user's threat model and capabilities.

that said...

I go a bit further in seeing more risks, and fewer benefits, in VPNs, for most users. I think https://gist.github.com/joepie91/5a9909939e6ce7d09e29 is a pretty good argument against them.

swap 'vpn' for 'tor' in that article and at least several of the arguments are still applicable,

I agree.

also the article isn't entirely against vpn's...

Neither am I. I just think for many users, in many situations, they are not a good use of time or money. (Specifically: person in an at least mostly-free country, not doing any crimes, on a reputable ISP.)

So when should I use a VPN?
There are roughly two usecases where you might want to use a VPN:

1. You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.

a vpn is going to provide far better transparency (ease of use) for users than tor

probably agree

I'm not aware of any ISPs successfully injecting into, or blocking, HTTPS traffic, on a wide scale.

comcast caught injecting at DuckDuckGo
isp caught injecting at DuckDuckGo
at&t caught injecting at DuckDuckGo

None of these seem to be about injection into HTTPS.

Although there is a good report by Citizen Lab about those countries forcing downgrades to HTTP and then injecting crypto mining malware. I think this is probably too overt to happen in the west because ISPs, unlike Tor nodes, can be held accountable.

ISPs will comply with requests from law enforcement. Whether they are "more than happy" is hard to tell - some assert they will comply only as much as is required, and push back on over-broad requests. VPN providers will also need to comply with law enforcement requests and they cannot opt out.

assuming the vpn doesn't log, there is massive difference between the 2 - sure they can cooperate, but there should be little or nothing to share whereas any and all isp's are legally required to log a great deal of network data

I think the real heart of the matter here is that you can use an offshore VPN, whereas you must use a local ISP. It brings a different set of tradeoffs: they may not be easily reachable by your local law enforcement, but they are also not subject to your home country's privacy regulator. You're basically taking their word that they don't and can't log anything.