Re: Anonymity via Tor?

["Jeffrey F. Bloss" <jbloss () tampabay rr com>]

Krymson () gmail com wrote:

> Tor is pretty nice, although it can be slow. I think using random web proxies open on the Internet (while 
> questionably legal) is a better route (pun unintended). You can go a Google search for "free anonymous web proxies" 
> and eventually find lists of them. Think of Tor as basically the same thing as

NO!

No how, no way, not if you value your privacy/anonymity at all.

Anonymous web proxies are not anonymous in any way, shape, or form. Most
of them are either temporarily misconfigured machines with admins who
will see the extra traffic and respond accordingly, or machines set up
specifically to log and monitor the activities of people who make the
horrible mistake of believing open proxies offer any sort of protection
at all.

Forget the "legality", single hop proxies just don't work *period*. Not
alone, not chained, not any way. In fact chaining these types of
proxies is even worse than using one alone because it adds more
potential points of compromise. Everything you do is exposed to
multiple potential attackers in stead of just one. :(

We were handed definitive proof of these facts over a decade ago when
penet.fi was shut down, and penet.fi implemented the same general type
of anonymizing mechanism that eventually developed into a truly
anonymous remailer network. That network exists as a result of the real
world failures of proxies that were considerably more robust than any
"open proxy" used alone or in chains.

> Theoretically, there are some attacks that other replies may have
> vposted links to that can attack your anonymity. The first involves
> owning the DNS server you send requests to,

Easily solved by using applications with proper SOCKS4a/5 support.
These applications do not "leak" DNS requests, they're routed through
the Tor exit node which knows where you're going anyway.

This, and several other "gotchas" are well documented by Tor's
developers.

> thus knowing where you're going (pretty exotic). The second involves
> owning multiple Tor servers and getting lucky in seeing your traffic
> end-to-end. The last server your connection goes through to hit your
> target server is particularly sensitive as that will be the server
> that, for instance, sends your clear-text data to the web site. If you
> logged into a banking site and I own that Tor server you exited out of,
> I can possibly inspect your data.

Only if your bank doesn't use SSL. I seriously doubt legitimate banking
sites still exist that do not, and if they do, you're a fool to be
using them with or without Tor. Find a proper URL for your bank, or find
another bank. ;)