Can my ISP read & log CONTENT coming back from Tor servers?

I know using Tor & Privoxy keeps your own ISP from knowing WHICH site you are going - just shows you connecting to a Tor server.

And Tor hides your real IP from the site you visit.

But what about the actual data being RETURNED to your computer (say unencrypted email). Yes, my ISP would see that it came from a Tor server address, but can't / couldn't they read & log the content? Thus, having info to turn over in case of a court order (or as we know, even w/o court order)?

This is the part I don't understand. It's fine to keep a site you're visiting from knowing your IP, but what about your own ISP seeing the returning data, even if they don't know the actual website it came from. If it was an email w/ header "From: I'm a big idiot at someemail dot kom", it'd be pretty easy to trace that down.

Thanks.

 

TOR encrypts the data going from and coming back to your computer so your ISP wouldn't be able to read any emails. The data is however in plain text after leaving the final TOR node before hitting the website server so unless you have an encrypted session with your webmail then that could be read and may or may not be able to be traced back to you depending on what is in the email.

 

I just found out three useful threads about this:

ISP question - regarding anonymous browser

How do ISPs keep track of where we visit?

Privacy and your ISP

 

Thanks Diggi (& Jim),
Wow - this is obviously a complicated issue. I've seen & gotten a lot of different answers Re: if when using Tor & Privoxy (or similar), whether YOUR own ISP will be able to see / read / log the actual data coming back FROM Tor TO your ISP TO your computer, or if it IS ENCRYPTED till it hits your PC. It appears most agree your ISP won't know which website the data came from (only from a proxy site, like Tor).

If it's in fact encrypted (UNTIL it hits your PC) & therefore unreadable by the ISP under most normal means, they would STILL have to log ALL that encrypted data.

In avg divorce or simple civil trial cases, it wouldn't be worth anyone's time to have data released under court order & crack the encrypted data (say emails), if the ISP ONLY logs it in ENCRYPTED form.

I read a BUNCH on Tor's site, and Jim's links & others & not really seen much discussion (for the U.S.) about what your ISP sees coming back from the proxy (i.e., Tor), except they only see a proxy address. What form the data comes back to the ISP from a proxy (Tor) is where opinions differ. So that be the question.

If anyone knows of the answer on this from an authority on the subject, please share (not slighting anyone's contribution here).

Did find this useful link about "Generating Hard to trace email accts," using webmail. Page down to "Step 2."
http://advocacy.globalvoicesonline.org/tools/guide/#email

 

Take a look at this diagram from the TOR website

http://www.torproject.org/images/htw2.png

The first green link is the only one your ISP can see, the only info they can get from that is the IP address of the 1st node and if they were to look at the actual packets then just random encrypted data which is of no use to them.

The red link at the end is viewable to anyone, all the data is unencrypted and could be read by anyone but there should be no information identifiable to you in there (no one viewing that link could see that the data is heading back to you). The only problem which could arise is if you were to be sending for example an email in plain text with private info in it as that could be read by the operator of the final node or in between the final node and your destination server.

 

Thanks again Diggi & others,
Yes, I'd seen that diagram, but being a newbie to this, didn't fully understand. Appreciate you pointing it out.

Guess the key (assuming we're talking about keeping an anonymous email acct): 1) from being discovered by a cheating spouse &/or atty, and 2) keep both the email provider & my ISP from getting my IP, or logging where I'm going (i.e., to the secret email acct), is

Create the webmail acct while using Tor/ Privoxy, or other,
Use only fake info when creating the acct,
ALWAYS login to the secret acct using a proxy,
Don't send any personally identifiable info in text or subj
of email or docs,
Instruct others sending info TO me not to use any personally identifiable info & hope they don't.

If anyone has other suggestions / precautions to add, please do. Another idea I've seen is get Firefox or Opera for USB, then just log into some anonymous proxy, so nothing is on my HDD.

But, there seem to be questions on how well some of those other proxies protect anomymity & whether they keep logs, which they'd turn over under a court order (some like Proxify definitely keep logs for a time & WILL turn them over). Thanks again.

 

An easy solution in addition to those you mentioned would be to have an encrypted session with your webmail provider I think most offer this, just try sticking https:// before the address and see if it works. Or you could use PGP to encrypt the message maybe?

 

F-Secure had an interesting article regarding TOR recently.

See: http://www.f-secure.com/weblog/archives/00001321.html

 

Thanks Diggi & Tony,

Please explain how having a secure connection (https) would help keep the acct or what's in it secret, other than keeping someone (? my spouse's atty or hired hacker?) from intercepting email in transit?

Yes, encrypting the messages would accomplish something, but I'd have to ask everyone that sends / receives anything from it to also use PGP. Doubt they all would or could.

The main goal was to keep my ISP from having logs showing I accessed this webmail acct, which could be turned over under a divorce court order. And to keep the webmail provider from identifying my IP, so they don't know who it belongs to. Assuming I & others don't put personally ID'g info in email or docs.

Even if I / they did put personally ID'g info in emails, I'm not sure how cooperative Hotmail, Yahoo, Gmail, etc., would be if lawyers said, "Could you please scan ALL the text in bodies of ALL emails in ALL your accts, looking for these particular names, addresses, etc? Not likely.

 

If you are using Tor, how could they possibly even know that you were using *any* email service? Much less know what account it is. But yahoo and gmail etc aren't just going to give out that info without a warrant.....here in the US anyway.

But here is the thing: If your wife's attorney has hired a "hacker", which is illegal as far as I know, then the hacker could possibly be using a keylogger or screenshots or whatever to see what you are doing. So if you think that is happening, use a different computer for all sensitive stuff. Put Tor (xerobank browser) on a USB stick and take it to a public library. You could also reformat your computer and install a really good firewall and spyware program. If I suspected something like this, I would definitely clean off the comp and reformat......and add a firewall/antispyware.

 

Thanks caspian for helpful post.

Well, I'm guessing (and I'm NO expert here), because of recent posts on Wilder's about numerous ways Tor or your browser or the site you visit or having java, javascript & on & on, there are numerous ways & circumstances that proxies like Tor may be bypassed (intentionally or not) to reveal your true IP. Like here: https://www.wilderssecurity.com/showthread.php?p=1130946#post1130946
It's fairly mind boggling to me, even though I'm a technical person.

True, but IF & HOWEVER the atty discovered such an acct existed, they could get a court order. If (Tor/browser, etc.) leaks my IP to a webmail site, then seems possible it could also leak to my ISP where I'm going (in spite of Tor). If so, they atty could just say they discovered the existance of the "secret" email acct by requesting (thru court order) my ISP's logs (which WOULD be legal). They wouldn't have to admit to hacking, or even RESORT to hacking.

Good advice. Gonna look into the USB. In yours or others opinions, for the USB method & using TOR, would Xerobank be better that Firefox mobile, in terms of anonymity or not leaking IPs?

I've got up to date Zone Alarm Pro FW & Kaspersky AV. Run Spybot S&D, AdAware. I think the biggest concern is other atty requesting my ISP's logs & Tor or other prgms / methods leaked addresses (email) I visited, or the email provider having my true IP, & the atty requesting thru court order (any or all) email providers search for users coming from IP addresses linked from my ISP's logs. Maybe a little paranoid, but there are LOTs of article / posts about "de-anonymizing Tor or proxies.

 

Your IP may possibly be leaked if you are not careful, but that's it. Nothing else would be visible.

Your IP address shows your location and who your ISP is. When you send out a request to go to a website, it is encrypted and sent to tor. Tor reads it and sends it out and not your ISP. Your ISP cannot see any of the websites that you visit and they cannot see any of the content. All they see is a bunch of random, meaningless data.

As far as I know, there is nothing as good as the xerobank browser for security while using tor.

Do you think that maybe you are being a little overly paranoid? An attorney cannot just get records like that unless there is some very serious criminal allegations and with probable cause. And I do not think that an email provider would be able to see your true IP even if they wanted while using tor. You certainly don't need to have scripts enabled to go to an email site anyway.

To my knowledge, the only thing that someone could possibly see is your true IP. And that is only if they have the special knowledge of knowing how, and if you are allowing scripts. But even if a website gets your IP, what does that have to do with your ISP? They are the ones that give you your IP address.

 

I don't know where you live, but it's not unusual for most companies out there to comply with jurisdictions when asked. They cooperates with governments with disclosure of all your data, and there are even laws to retain everything you do (data retention) in some countries. Fishing expeditions are not something from another world. On the contrary.

Privacy is something not respected these days. We don't have a freedom of expression, we can't say something about a person, without a judge asks for your IP to the site where the comments were made. People are being sued for any reasons these days.

So, it's very rare to find a company like XeroBank which resists subpoenas and the decision of hand over informations to law enforcement authorities.

If I were in charge of one company, any data from users should be destroyed any time the users want it (closing their accounts), and nothing being recorded, not a single data about them, or at least deleted after a few days. So, even if they filled a subpoena, no data will ever be found. Now, I defy you to find someone who embraces this privacy policy.

That's not exactly accurate. Most email services out there, and I know lots of them, need you to allow scripts like Java in order for you to start using them. I have disabled Java/Javascript here and most features of email services, like sending a email, were not available.

But, then again, you are entitled to allow scripts. You just have to prevent them from leaking your true IP. And that is only possible if you have a firewall installed, using the correct rules for your browser.

I suggest you start reading this whole thread, in order to understand the dangers of not using a firewall to prevent the leakage of your true IP, while allowing scripts like Java or Flash to be executed.

De-anonymizing Tor and Detecting Proxies

If you don't start using the correct rules on your firewall that I gave on that thread, then your ISP will see, in case of someone uses those two Java/flash codes, that you have send outbound packets back to the site who have used the code in the first place.

And why is that?

Because both tests are bypassing the browser/proxy settings, removing your anonymous cloacking device. And if they are doing that, you're naked in the eyes of your ISP.

Of course this only applies in cases of people not using VPN, or whatever special you have to protect yourself (other than single setups).

 

Jim this is the first time time that I have heard someone suggest that these java tests that reveal your true IP also reveal your DNS requests to your ISP and also decrypt your data, making it readable to your ISP. "you're naked in the eyes of your ISP" as you put it . Are you sure about this? Because I kind of doubt that this is true. I do not know much about computer stuff, but from what I have read about this particular subject, scripts *may* or could *possibly* reveal your true IP, if a website knows how to use them for this purpose and does so intentionally. But how does this decrypt your connection to tor?

 

caspian, why is this so hard to believe (and even understand?). Think again. I will try to elaborate.

When you're connecting through Tor, you're using the proxy settings from your browser. You're connecting though the port 9050, the one and only required for Tor. Tor is built inside Firefox browser (I am talking about XeroBank).

When you disable Tor (Tor button, or even modifying your browser internal options to make direct connections), you're surfing on the web naked in the eyes of your ISP. It's the same thing that you have left it Firefox/XeroBank browser and start using Internet Explorer, making direct connections through the port 80 (used for HTTP).

My firewall rules on that thread (Deanonymizing...) are actually preventing the Firefox.exe file from accessing this remote port 80, used for direct HTTP connections.

And it's also preventing that any plugins like Java or Flash, when allowed on the Noscript whitelist (the first makes direct connections using the port 80 - the last one tries to send outbound packets back to the site of origin, using any port the webmaster wants it).

Actually, my firewall rules are blocking all remote ports for outbound packets. I am only allowing connections through the port 9050, if (attention here) they are going through the remote address localhost/127.0.0.1 which is also the path all Tor data goes through.

This way, nothing can leak here.

If you take time to look into all your DNS/blocked/allowed connections logs, from your firewall, you will see that when a plugin is allowed to be executed, like Java or Flash, only in case of these both evil tests, the site of origin is also making your ISP sees your traffic.

If they can see your true IP, that means you're not anonymous anymore. And if you're not anonymous, you're actually making your ISP sees you.

If they cannot see your true IP, then you're making all of your data invisible to your ISP. Your ISP will know that you're using Tor, but will not be able to see what's inside of your data, because it will be encrypted.
When these plugins modify your browser to ignore proxy/Tor settings, your data is not being sent encrypted. On the contrary.

Remember, these two tests are actually bypassing proxy configurations. And if they are doing that, it means you're not using anymore any means to mask your data (including your IP for them).

The solution for this problem is quite simple - stay using a firewall with my correct set of rules to avoid this leakage, or start using VPN of whatever special you have here (the better XeroBank plan, for instance).

But also remember to make those two tests in order to verify if your true IP is being leaked (when you allow plugins to be executed - if you never allow any site to run Java/Flash, you will not have problems (and we don't want to do this, we need plugins enabled)).

Read that whole Deanonymizing thread for more details (about configuring Java cpanel, for example).

 

Just because, for a split second, Java is capable of getting your true IP does not mean that it can read your traffic.....and it does not mean that your ISP can either. I have seen discussions of this to the contrary.

I am not saying that I am right, but I have no reason to think that it can be done and maybe I am wrong.

I cannot even tell that Java disables tor when it gets your IP. I still show that tor is running just before and just after that test. So even if they could read it for a split second, I doubt that they could get much. But I think you are assuming that your ISP can read your tor traffic.

 

caspian,
I am not assuming my ISP can read my Tor traffic, because it's encrypted, according to all explanations on this board.

When using a browser like XeroBank, your ISP cannot see what websites you visit. Unless you have disabled the use of Tor network inside XeroBank, of course.

Don't you read what I said a dozen times while discussing with Steve on his thread? Firefox is a hybrid. It can make proxy connections, and direct connections. And if it's possible to make direct connections, it can leak your true IP.

You were correct. For a split of second, your ISP will only see the request for the DNS of the site which the Java or Flash exploits are located. So, when you do that test, in my conditions stated above, your ISP will know.

But the outbound packets send back to the site where these exploits are requesting is not going through Tor network. It's going right from your ISP to them. It's not being encrypted.

Java and Flash are both plugins located on your computer and they are bypassing proxy configurations and making your browser behave like you never had used Tor network in the first place.

I suggest you visit my thread again, in order to read about DNS requests made while using Tor.

ISP question - regarding anonymous browser