I've never felt like I knew how to use Tor correctly, or trusted anyone to be able to guide me on that.
sherr · 8m ago
I sympathise with a bit of paranoia about this. Personally, I'd use a platform like "Tails" (do your own research) which wraps Tor up in a USB bootable Linux OS.
I personally can't see how it can be secure without dummy messages.
bevr1337 · 11m ago
It's been assumed that three-letter agencies operate many exit nodes for a hot minute. I don't know if this is a special case of infiltration because it's TOR SOP.
8organicbits · 25m ago
What makes you believe that?
zwnow · 22m ago
Read some story about some authority having set up tons of servers within the Tor network to bust some criminal activity, effectively making it not anonymous anymore. Was a while back on HN.
The feds and other equivalent agencies in other countries have been running exit nodes for years, but it's still better than most solutions even if not perfect. Anyone who has gotten caught though likely wasn't because of any flaws in Tor (or said exit nodes) but because of other lapses in OpSec.
That being said, yes, feds can de-anonymize traffic, probably reliably at this point. There are only about 7-8000 active nodes, most in data centers. The fewer nodes you hop through, the more likely that traffic can be traced back to the entry point (guard node), and combined with timing can be reasonably traced back to the user. Tor works best with many, many nodes, and a minimum of three. There aren't as many nodes as there need to be, so quite often it's only 3 you are going through (guard node/entry point, middle node, exit node).
Plus browsing habits can also be revealing. Just because someone is using Tor doesn't mean they also have disabled JavaScript, blocked cookies, aren't logging into accounts, etc.
bombcar · 13s ago
> Anyone who has gotten caught though likely wasn't because of any flaws in Tor (or said exit nodes) but because of other lapses in OpSec.
There have been some cases where some consider the "other lapses in OpSec" to be parallel construction to disguise a Tor vulnerability/breach, and others where the government has declined to prosecute because they'd have to reveal how they know.
If Tor were compromised, we'd likely not know. It's highly likely that it's fine for "normal people" things.
https://tails.net/