Does TOR + HTTPS = 100% Anonymity AND Privacy??

Discussion in 'privacy technology' started by KLB5962, Feb 20, 2012.

Thread Status:
Not open for further replies.
  1. KLB5962

    KLB5962 Registered Member

    Joined:
    Feb 19, 2012
    Posts:
    18
    I've read that Tor is very good at keeping you anonymous but that its weakness is at its exit node where your data can be read. However my understanding is that if HTTPS is used on the website your are accessing with Tor browser, your data coming out the Tor exit node is secured, so if I were signing into a website using both Tor browser and HTTPS my username and password data would be secure, and my original IP could not be tracked. Meaning Tor + HTTPS = Anonymity AND Privacy. Is this correct?

    Also is there anyway Tor + HTTPS might not be completely anonymous and private? I heard a site running Java script (and a few other things?) could cause the destination website to see your real IP address??

    Could anyone clarify this please?

    .
     
    Last edited: Feb 21, 2012
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    If a site loads javascript on your computer it could possibly obtain your IP and send it back to the server.

    If you run something like Java or Flash they may not use TOR and may try to access the site unencrypted and directly.

    If a portion of the TOR exit nodes are controlled by the same person they can potentially see who you are but they have to be in the right spots.

    Any data that gets leaked in http can leak your identity.

    If you are blocking scripts and plugins (ScriptNo/NoScript do this) and running with HTTPS and you have a properly configured browser no one can see what you're doing except the server and you and the server will not be able to identify you.
     
  3. KLB5962

    KLB5962 Registered Member

    Joined:
    Feb 19, 2012
    Posts:
    18
    Thanks for the info Hungry Man!

    So just to clarify what you're saying:

    Properly configured Tor Browser + HTTPS - scripts and plugins (like Java & flash) = 100% Anonymity AND Privacy.

    The Tor browser comes pre-configured so I assume that would qualify as a "properly configured browser" in this case? or should I do any additional configuring??

    Also for some sites, like facebook, it seems Javascript is essential for it to work, is there no way to use Javascript in Tor browser without compromising my real IP address? Like sandboxing or VM or something??

    .
     
    Last edited: Feb 25, 2012
  4. hugsy

    hugsy Registered Member

    Joined:
    May 22, 2010
    Posts:
    167
    Properly configured Tor Browser + HTTPS - scripts - plugins = 99% Anonymity AND Privacy. :)


    Java and java script are not the same thing. I am not a facebook user but to my knowing you don't need java to use it, perhaps java script.

    Well, Tor browser comes with noscript (scripts globally allowed), maybe you should configure noscript a bit (if you know what you are doing, if not, don't). Perhaps disable "allow pages to choose font" and disable all cookies in Firefox options (don't change anything if you are not sure what it does).
    It is true that alot of people use cookies and javascript by default and if you block them, you might be unique among them, but javascript "could" be a big mess if it is exploitet. Test it with ip-check.info.

    Tor developers don't recommend java.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Java and Javascript are two separate programming languages.

    Java is not necessary for almost any site and should be disabled in your TOR browser.

    Javascript is necessary for many sites (such as Facebook) and you can use it on a whitelist basis.
     
  6. DOSawaits

    DOSawaits Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    415
    Location:
    Belgium
    Too bad 99% of its cumstomers use it for not so proper things.
     
  7. guest

    guest Guest

    I would use a good VPN service (like Ipredator) together with the Tor Browser Bundle if I really wanted the most next thing to 100% anonymity.
     
  8. Tychon

    Tychon Registered Member

    Joined:
    Feb 2, 2012
    Posts:
    4
    That borders on overkill, but it's about the closest thing to "true" anonymity that anyone'll find.
     
  9. KLB5962

    KLB5962 Registered Member

    Joined:
    Feb 19, 2012
    Posts:
    18
    On this Javascript issue, it seems many sites do need it, so if i turn it off I assume I might not be able to use sites like facebook? However if I leave it on, it might reveal my real IP address even if using Tor browser? It "might" or "it definitely will"? Any way to know? And Any way to logon and use such sites running javascript (like facebook) without exposing my real IP and losing my anonymity? Or is that simply impossible due to the nature of javascript?


    Regarding VPN use, i dont understand why a VPN would be needed if im using Tor which is already hiding my real IP address. Could someone explain what extra benifit that would bring, if any? Also something i really dont like about paid VPN's is that while paying them i would be revealing my identity which I see as an unacceptable step if im trying to remain 100% anonymous. If they get hacked by someone, their customer info will be revealed. and even if they dont get hacked, they could have someone currupt working on the inside etc. Theres a lot of possibilities. So I really dont think paying for a VPN and revealing my identity is a logical step if trying to be 100% anonymous.
     
    Last edited: Feb 25, 2012
  10. marktor

    marktor Registered Member

    Joined:
    Dec 4, 2011
    Posts:
    143
    Tor provides great ANONYMITY. Personally I do not trust it for SECURITY. I personally do not like to log into websites etc when using Tor even if they are https. Why you may ask? Because There are probably ways for the exit node to hijack SSL sessions. See here for an older example: http://hackaday.com/2009/02/23/sslstrip-hijacking-ssl-in-network/ Not sure if this exploit has been fixed or not. Even if it has Im sure there are probably other ways for an exit node to hijack your https session. There also other reports of ways to hijack tor network traffic see here: https://threatpost.com/en_us/blogs/researchers-demonstrate-tor-network-hijack-method-102411
    As I said use Tor to browse websites but I would not login to anything important.

    What you hear about running flash,java and other plugins is true. They can leak your real IP. Only ways to protect against this is to either disable plugins in your browser.
     
  11. marktor

    marktor Registered Member

    Joined:
    Dec 4, 2011
    Posts:
    143
    You could use something like JanusVM: http://janusvm.com/ which you run a in virtual machine and then connect to it like you would a VPN and it routes ALL traffic to the internet from your computer through Tor. This includes Java and Flash. Everything on your computer that connects to the internet will be routed through Tor. Only problem is JanusVM has not been updated since 2010 so there maybe some exploits for it. I just found something called Torbox which seems to be the samething and is up to date. See here: https://trac.torproject.org/projects/tor/wiki/doc/TorBOX

    The benefit of using Tor on top of a VPN would be if your IP is leaked then the website still would not see your real IP it would see the IP of the VPN instead. Thats the advantage that I see. Im reference to your comments about VPNs having your personal information. Many VPNs do not require any personal information other than an email address. That is it. You can pay some in cash even through the mail. The ones that you can pay online many accept bit coins (read about it) and others that take payments online do the payments through a third party and they themselves do not keep your address etc on file.
    There is a level of trust you must have with a VPN provider to deliver on there service promises. It is up to you to decide.
     
  12. KLB5962

    KLB5962 Registered Member

    Joined:
    Feb 19, 2012
    Posts:
    18
    Thanks marktor for the info!

    Ok I found out that I will definitely need to use Javascript to get done the things I want to do, 1 of which does involve Facebook which wont let me access certain features without Javascript! Theres no way to avoid it. So now its about how can I do this without leaking my real IP! My understanding is, even if im using Tor browser, if I enable Javascript even for just 1 moment to just click on 1 thing, it will reveal my real IP to the server! Is that Right?? If so, then got to find some other way to protect the real IP.

    So now the question is, how can I use Javascript for a few features on sites like facebook, while keeping my real IP hidden??

    Let me go through a few of the options you mentioned and a few others:


    JanusVM: While it does say "Protects you from Javascript" im not sure if it will protect me if I enable and use Javascript, which is what I need. Is there any way to test that? plus it hasn't been updated in over 2 years! That might be a security risk in itself? Maybe that can be tested to, to see if its still safe?


    Torbox: It only mentions "Java / flash / browser plugins cannot leak your real external IP" but nothing about javascript. and not sure if this project is even finished or reliable??


    Tor browser:If I enable javascript temporarily, click on 1 thing which requires javascript to work, then disable again, is that enough to have revealed my real IP?? Is there any setting/configuration/add-on i can use to prevent my real IP being exposed through javascript use in Tor browser??


    VPN: If I were to use a VPN, either with Tor or without, would that protect my real IP if I use Javascript for a few moments?? how would Tor and VPN even work? and which would be a reliable VPN i could use without revealing my identity to them, maybe just with an email address? any recommendations?


    JonDonym / JonDoFox: I heard about these but im not sure what the difference is between these two and between them and Tor or VPN's. could they help??


    Virtual machine: Is there no way to create a VM with its own "virtual IP" and run everything in there including Tor browser and Javascripts, thus protecting my real IP??


    Firewall Settings: Is there any setting I can configure in my computer firewall to prevent javascript from sending my IP to the server?


    Any hardware solutions?? -

    Router/broadband modem: Anything i can change in its settings or plug any "privacy device" into it??


    Public Wifi connections: Could I just not connect to a free public wifi connection, using its IP address as my "real IP" when of course its not? and using Tor browser of course. If javascript causes the real IP to be revealed it would just see the wifi routers IP, right?? not my computers info??


    Can any of these above options work? Surely theres got to be a way!?!?

    .
     
    Last edited: Feb 25, 2012
  13. marktor

    marktor Registered Member

    Joined:
    Dec 4, 2011
    Posts:
    143
    You are correct having Java and other plugins enabled is a definite no no while using the Tor browser bundle that can not be emphasized enough.

    A VPN will protect your connection fully from your real IP being leaked. All internet traffic from your computer is sent through the VPN. This includes Java,Flash any Instant Messenger program. Anything that connects to the internet from your computer will be routed through the VPN. If you want to learn more about VPN. I recommend reading this thread: https://www.wilderssecurity.com/showthread.php?t=285780


    The only other things you mentioned that will protect you while having Java and Flash enabled are JanusVM and Torbox.

    I notice you keep mentioning that you are wanting to use facebook. It seems you are wanting to use facebook anonymously. Well if you are using your real name or have posted pictures of yourself on this facebook account. They already know who you are so you can use Tor or a VPN or anything else for that matter and they already know who you are. Also if you have already logged into this account without using a VPN or Tor then they already have your real IP and know who you are.
     
  14. hugsy

    hugsy Registered Member

    Joined:
    May 22, 2010
    Posts:
    167
    Javascript, when is run within browser, won't reveal your IP by itself, but it will provide awesome fingerprinting, like fonts (very "unique", tab history, clock (it used to in past versions of tor browser), mime types .....
    Even if you use Noscript to whitelist javascript, site can figure out your browsing habits, by checking what sites are allowed to run javascript on your browser and what not. So.... :/
    When you login/register with your real IP and later use TOR, it is useless, your ip is allready registered with that user name, TOR doesn't protect against stupidity. If you wan't to have a complete anony ID then register and login (allways) with TOR browser, and https (for snoopy exit nodes).

    VPN. :( I am going against the flow here, but don't use VPN, TOR should be just fine, plus if you use it on public WIFI. When you buy VPN service, you pay for it and so reveal your identity via money flow. There are some who provide prepaid service, but this too ain't waterproof.
    In the recent past some "respectable " VPN turned out to be collaborating with "good guys"

    TOR provides anonymity , https privacy, they don't provide comfort for a "common" net user. Nothing protects you if you give out your identity by googling your name and login to your accounts.
     
  15. marktor

    marktor Registered Member

    Joined:
    Dec 4, 2011
    Posts:
    143
    Evidence of websites being able to see what websites you have Allowed and Disallowed in Noscript? Do you know of a known working exploit of this? I am not aware of this personally. I understand that a website can see if you have javascript enabled or disabled for the particular website you are visiting. As far as a website seeing the whitelist and blacklist of Noscript. I have seen no evidence of this.
     
  16. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    I'm sure Tor will tell you there's no such thing as 100% Anonymity & Privacy, it's still
    experimental in design and concept, but stable as far as software goes and they'll tell you not to rely on it for strong Anonymity.

    Add layers to suit your tastes, VPNs, Tor, proxies and not those supposed free lists of proxies, those are illegal... etc...


    Please don't recommend to people a VPN that only offers PPTP, this is not good... :thumbd:
     
  17. KLB5962

    KLB5962 Registered Member

    Joined:
    Feb 19, 2012
    Posts:
    18
    Would it also protect if I use specifically Javascript in my browser??


    Would these also protect my IP if a use Javascript in my browser?? any way to test this??


    lol of course i haven't done any of those things, i havent even created an account! and it seems i cant make a page there unless i use javascript which is what the problem is. got to find a way i can use javascript in my browser for just a very short time and still remain 100% anonymous by not revealing my real IP. (ps. there is a legitimate cause behind this, to do with starting a campaign/protest page about a certain important cause, but im a private person and dont wish to be famous or anything so thats why i want to protect my IP, its not because i want to play games on facebook anonymously lol)


    REALLYo_O?? I thought this was the problem! are you sure?? can anyone clarify?? is there a way to test??


    Is that all?? doesnt sound like a problem at all then to me for protecting my Anonymity/IP , i have an almost unused version of Tor browser, newly downloaded and installed a few days ago and just used it on a few random sites to test it out. How could anything on there from my very brief use reveal my identity/IP?? and if there is anything on there im sure we can wipe it with like CCleaner or something?? Seriously if Javascript isnt a problem, these "fingerprinting" stuff in browser doesnt sound like a major problem either? or is it??


    edit: oops never mind on the "cracking wep wifi" idea, just read thats actually illegal lol! I dont want to break the law! I just want to protect my anonymity while doing legal things! and as far as im aware the methods discussed in this thread are legal right? I hope so, if not please do point it out so i can avoid those. Thanks :)

    .
     
    Last edited: Feb 22, 2012
  18. guest

    guest Guest

    Although they offer some tips to securely use PPTP, I can concede that not offering support to OpenVPN and bitcoins are major drawbacks on Ipredator, but both of these issues are going to be fixed soon according to their blog.

    Anyways, we must not forget that Ipredator still has much better policies and legal protection than pretty much every other paid (and serious) VPN services. Ipredator is a pre-paid flat-rate service based on Sweden and is owned by The Pirate Bay which has a pretty good record of resiliency.

    Some links:
    https://blog.ipredator.se/
    https://www.ipredator.se/faq/qna/
    https://www.ipredator.se/faq/legal/
    https://www.ipredator.se/faq/security/
    https://www.ipredator.se/faq/about/
     
  19. hugsy

    hugsy Registered Member

    Joined:
    May 22, 2010
    Posts:
    167
    go on from here
    -http://www.w2spconf.com/2011/papers/jspriv.pdf-
     
  20. hugsy

    hugsy Registered Member

    Joined:
    May 22, 2010
    Posts:
    167

    Ask TOR people :)

    regarding wifi...... don't need to crack it, find unencrypted one, like coffee shop, library, pub, etc....... buy a drink, take out your pc and ask for a password (if needed).



    I hope this is not about some type of "revenge on ex-girl friend/boyfriend" using facebook.
     
  21. KLB5962

    KLB5962 Registered Member

    Joined:
    Feb 19, 2012
    Posts:
    18
    Ok I'll try that, but I cant do that regularly, so need to find a way to make connection from my own broadband line completely anonymous/private.


    HAHA! Of course not! Why would I waste my time with an ex lol what I want with Facebook is to anonymously create a page in support of a cause which then people can "like" and support it. I can already create pages for this cause on other sites, the only reason i've mentioned Facebook several times here is because thats the site causing the problems with its requirement of Javascript! Other sites are working fine for me with Tor + HTTPS. Just this damn Facebook doesn't lol which is annoying because they have the most users and it would really help the cause. and i really dont want to create a page for it with my personal facebook because i want to remain a private citizen.


    I've been looking into JanusVM some more, i think it might possibly be the solution if it can allow me to run javascript in Tor browser and still hide my real IP, but im not sure. Can anyone who knows about JanusVM help on this issue please?


    Another option that has come up during my research is to use a sandbox. and run Tor browser in the sanbox. Would that help? and which sanbox is good, i heard Sandboxie is good. any info on this sandbox stuff??
     
    Last edited: Feb 23, 2012
  22. hugsy

    hugsy Registered Member

    Joined:
    May 22, 2010
    Posts:
    167
    If you are not sure about javascript, use tails from torproject.org, its live cd / OS that uses TOR for every connection.
     
  23. marktor

    marktor Registered Member

    Joined:
    Dec 4, 2011
    Posts:
    143
    Interesting stuff.. going to research more on this. It seems that this exploit is a bit limited. First you have to have allowed javascript on the particular domain for it to work. Second it does not actually pull up your entire whitelist. It only checks specific websites that the javacript specifies.... Interesting stuff though will be reading more about this. Thanks!
     
  24. marktor

    marktor Registered Member

    Joined:
    Dec 4, 2011
    Posts:
    143
    Yes the mentioned will protect your real IP from being revealed. As for testing this: While connected to a VPN or using Torbox go to these websites and see if it reveals your real IP or your VPN or Tor IP. Here is the list: https://www.wilderssecurity.com/showpost.php?p=2008106&postcount=14
     
  25. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    Yes the Swedish part is good, I'm not so sure about the Pirate Bay part, to much of a target, better to go with a smaller, under the radar Swedish VPN then these guys...
     
Loading...
Thread Status:
Not open for further replies.