As part of my upcoming Defcon talk on onion services: https://www.defcon.org/html/defcon-25/dc-25-speakers.html#Dingledine I'm thinking of including a section on Tor mythbusting. That is, there are all sorts of Tor misunderstandings and misconceptions floating around, and it seems smart to try to get them organized into one place as a start to resolving them. (Later steps for resolving them should include better and more consistent communication, and actually changing things so Tor is safer/stronger/better. One step at a time.)
Below is an initial list to get us started, along with overly brief summaries of the reality underlying the myth. Please contribute more entries!
To contribute best, please frame your entry from the perspective of a helpful and concerned Tor user or advocate, rather than as a crackpot conspiracy theorist. (Fun as it might be, I have little interest in sock-puppet trolling myself on stage, so phrasing myths in a constructive manner is the best way to move forward.)
And also, don't get too hung up on the quick rebuttal text I've written: the goal here is to brainstorm the myths, not to write the perfect answer to each of them. That can come later.
- "I heard the Navy wrote Tor originally (so how can we trust it)."
(They didn't. I wrote it.)
- "I heard the NSA runs half the exit relays."
(Hard to disprove, but it doesn't make any sense for them to run exits. But that shouldn't make you relax, since they already surveil a lot of the internet, including some of the existing exit relays, so they don't *need* to run their own. Also, the Snowden documents give us some good hints that say no. Btw, use SSL.)
- "I heard Tor is slow."
(You're right, it's not blazing fast. But it's a lot faster than it was in earlier years. Tor's speed has most to do with how much load there is on the network, not on latency between the relays as many people believe. We need more relays.)
- "I heard Tor gets most of its money from the US government."
(Alas, this one is true. We have three categories of funding: basic research like from NSF, R&D like from the Open Technology Fund, and deployment and training like from the State Dept. See the financial documents that we publish for details. Alternatives would sure be swell.)
- "I heard 80% of Tor is bad people."
(There have been a bunch of confusing studies about Tor users and usage, and the numbers vary wildly based on what you're measuring and how you classify bad. But for the above stat, you probably heard it from a US DoJ attorney who misunderstood a journalist's article about one of these studies. Or who knows, maybe she maliciously twisted the results. See also the ongoing research work on measuring the "dark web".)
- "I heard Tor is broken."
(Man, this phrase represents a fundamental misunderstanding of computer security. All the academics go after Tor -- and it's great that they do -- because we're the best thing out there, plus we provide good documentation and help them in analyzing the attacks. You don't hear about breaks in centralized proxy companies because there's nothing interesting about showing flaws in them. Also, security designs adapt and improve, and that's how the field works. I'll try to keep my rant on this one short so it doesn't take over.)
Thanks! --Roger
On 7 Jul 2017, at 10:42, Roger Dingledine arma@mit.edu wrote:
...
"Isn't using Tor illegal?"
(Depends on your country.)
"I heard that using Tor can cost you your security clearance"
(Some people who research and develop on Tor have security clearances.)
"I heard that most Tor relays are run by a few non-profits"
(More like 20? major orgs and individuals)
"I heard that Tor users are mainly activists and dissidents"
(And regular people and police and military and government)
"I heard that Tor is hard to use" "I tried Tor, but it never worked"
"I heard that Tor doesn't work on X" "There are so many Tor apps, which one do I choose?"
T -- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n
On Thu, Jul 06, 2017 at 08:42:59PM -0400, Roger Dingledine wrote:
"I heard the NSA runs half the exit relays."
(Hard to disprove, but it doesn't make any sense for them to run exits. But that shouldn't make you relax, since they already surveil a lot of the internet, including some of the existing exit relays, so they don't *need* to run their own. Also, the Snowden documents give us some good hints that say no. Btw, use SSL.)
Closely related, and I think more interesting is to drop the "exit" proviso:
"I heard the NSA runs half the relays"
Hi,
I collected some of these earlier, including responses from various members of the Tor community. Feel free to cull and de-dupe them.
The flip side is to talk about the many great uses of Tor, including onion services.
Cheers,
-Katie
Some myths about Tor:
The myth that Tor is difficult to use.
The myth that Tor is hopelessly pwned by the FBI or X agency.
The myth that Tor is only for people who need especially intense security.
Answer: In this era of mass surveillance, when Google collects information about users every day—everyone needs Tor.
The myth that Tor is on par with other security tools (decipher what popular ones do and why Tor is different)
The myth that security is hopeless and surveillance is inevitable so you don’t need Tor.
The myth that exit relays are evil and many are controlled by three-letter agencies.
What is the truth?
The problem, while not negligible, is often blown out of proportion. Statistically speaking, you will encounter a bad exit relay every now and then when you use Tor a lot but that doesn't mean that all is lost. Tor Browser protects you from a lot of off-the-shelf attacks and we regularly disable the malicious relays we discover. But of course, Tor is no panacea: make sure to embrace Internet security best practices such as always logging in using HTTPS.
Cheers, Philipp Winter
Myth: Doesn't the use of guard nodes make some users vastly more vulnerable rather than making every user just a little vulnerable? (Aren't streams changed often, so the one compromised stream won't be too useful anyway?) Aren't you basically sacrificing some users for the benefit of everyone?
Myth: Aren't almost all hidden services 'illegitimate'?
I'm a normal person using a normal ISP in a normal country. Doesn't using Tor make me _less_ secure, as the adversary who can tamper with my traffic goes from people like "My ISP"/"My Government"/"Really Sophisticated Hackers" to "Anyone [who runs an exit node]"?
-tom Ritter
Myth: You will become a target if you use Tor, and the internet suddenly gets less safe for you. (China, Iran, etc.)
What is the truth?
_Everyone_ is a target on this internet as we know it. Tor mixes you in a crowd of people where everyone looks the same and it helps you to protect yourself against most of common attacks on the internet.
By using Tor, you and your traffic will become less exposed and vulnerable to those attacks.
-- Nima
Tor is an illegal botnet, operated by shady blackhats, used for extortion and black-market activities.
What is the truth?
Tor is a research project and a network of over 5000 volunteers who create the Tor community. People from all faces of the earth contribute to Tor: University Professors, mad scientists, hard-core activists, thought leaders and ordinary citizens of our "global village".
Tor is the world's largest privacy network on the Internet.
All the best, Sina
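Tom Ritter's guard question above ("aren't you sacrificing some users for the benefit of everyone?") has a simple quantitative core, and the toy simulation below makes it concrete. This is an added example for this write-up, not code from the thread and not Tor's own guard-selection code. It assumes (all constructed for illustration) that an adversary controls a fraction f of entry-relay bandwidth, that the adversary also watches the exit side so any circuit whose entry relay is theirs counts as deanonymized, that circuits are otherwise independent, and that a "guard" user keeps a single entry relay for the whole period while a "no guard" user picks a fresh entry for every circuit. Tor's real guard algorithm (number of guards, rotation period, bandwidth weighting) is more elaborate; the model only shows why the trade-off exists.

```python
# Toy model of entry-relay selection with and without guards.
# Added example, not from the thread or from Tor's own code. Assumptions
# (constructed for illustration): the adversary controls a fraction f of
# entry-relay bandwidth, also observes the exit side, and so can deanonymize
# any circuit whose entry relay is theirs; circuits are otherwise
# independent; a guard user keeps one entry relay for the whole period.
import random


def simulate(n_users, circuits_per_user, f, use_guards, seed=1):
    """Return, per user, how many of their circuits had an adversary entry.

    use_guards=True:  each user picks one entry relay once and reuses it.
    use_guards=False: each circuit picks a fresh random entry relay.
    """
    rng = random.Random(seed)
    per_user = []
    for _ in range(n_users):
        if use_guards:
            # One draw per user: the guard is either bad for every circuit or for none.
            bad_guard = rng.random() < f
            hit = circuits_per_user if bad_guard else 0
        else:
            # One draw per circuit: every circuit is independently at risk.
            hit = sum(1 for _ in range(circuits_per_user) if rng.random() < f)
        per_user.append(hit)
    return per_user


def summarize(per_user, circuits_per_user):
    """Return (fraction of users with >=1 compromised circuit,
               fraction of all circuits that were compromised)."""
    n_users = len(per_user)
    users_hit = sum(1 for h in per_user if h > 0) / n_users
    circuits_hit = sum(per_user) / (n_users * circuits_per_user)
    return users_hit, circuits_hit


def expected_users_hit(f, circuits_per_user, use_guards):
    """Closed form for the fraction of users with at least one compromised circuit."""
    if use_guards:
        return f  # the single guard is bad with probability f
    return 1 - (1 - f) ** circuits_per_user  # at least one bad entry over k circuits


def compare(n_users=10_000, circuits_per_user=50, f=0.10):
    """Run both strategies on the same parameters and return the summary fractions."""
    out = {}
    for use_guards in (True, False):
        per_user = simulate(n_users, circuits_per_user, f, use_guards)
        users_hit, circuits_hit = summarize(per_user, circuits_per_user)
        out["guards" if use_guards else "no_guards"] = {
            "users_hit": users_hit,
            "circuits_hit": circuits_hit,
            "users_hit_expected": expected_users_hit(f, circuits_per_user, use_guards),
        }
    return out


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:10s} users with >=1 compromised circuit: {r['users_hit']:.3f} "
              f"(expected {r['users_hit_expected']:.3f}); "
              f"circuits compromised overall: {r['circuits_hit']:.3f}")
```

The total fraction of compromised circuits is f either way; what changes is who carries the loss. Without guards nearly every user eventually has some compromised circuits (with f = 0.10 and 50 circuits, about 99.5% of users), so given enough time almost everyone gets profiled. With guards roughly 10% of users are fully exposed and the other 90% are never exposed by this adversary at all. That is the "sacrifice some users" shape Tom describes, and it is a deliberate choice, since for most threat models being observed occasionally is as bad as being observed always.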
tor-project mailing list tor-project@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
On 7 Jul 2017, at 10:42, Roger Dingledine arma@mit.edu wrote:
- "I heard the Navy wrote Tor originally (so how can we trust it)."
(They didn't. I wrote it.)
...
- "I heard Tor gets most of its money from the US government."
(Alas, this one is true. We have three categories of funding: basic research like from NSF, R&D like from the Open Technology Fund, and deployment and training like from the State Dept. See the financial documents that we publish for details. Alternatives would sure be swell.)
On these topics, you may find Section 2 of POC||GTFO 0x06 interesting, here's a representative quote:
Tor, as you already know if you read its About page, was originally funded as a US Navy research project, and is still occasionally funded by some clueful parts of the US government that care about people getting news and other info that their governments happen to not approve of. Given that this sermon got to you neighbors by traveling for at least some of its path along a series of tubes ordered by another US military research agency, it is not surprising that such clue still exists; let’s hope that it persists, neighbors, as we sure could use more of it, the way things are generally going in those quarters these days.
Thanks to this clue, and also to the selfless dedication of Tor developers who made this project go the way few government-funded projects ever do, we have the Internet-scale equivalent of a Large Hadron Collider for low-latency onion routing. Unlike the LHC, this experiment is not just open to the public, but also immediately useful. Which is where the “revelations” come in: are “evil scientists” tricking the public?
Luckily, Tor is science, and totally open science at that, the best kind that hides nothing. It requires no permission or special access to be attacked in the only meaningful way that scientific claims are questioned and their subject-matter is improved: by experiment. Indeed, many good neighbors did so and helped improve it, and you should read their papers, because their work is nifty[1].
[1]: Especially because it’s all open-access. Please enjoy the Freehaven Selected Papers in Anonymity. http://www.freehaven.net/anonbib/
Source: https://www.alchemistowl.org/pocorgtfo/pocorgtfo06.pdf (many mirrors exist)
T -- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n
On Thu, Jul 06, 2017 at 08:42:59PM -0400, Roger Dingledine wrote:
...
"I heard the Navy wrote Tor originally (so how can we trust it)."
(They didn't. I wrote it.)
Hmmm. This doesn't really answer the question. People could then immediately ask in response how they can trust you (and maybe even observe that you wrote it in collaboration with Navy employees while you were working under a contract to the Navy). (Plus the first stuff came from Matej, and his stuff was gone fairly quickly but not before Nick was making substantial contributions.) This is all red herrings. It was designed so that they don't have to trust you (or that legendary guy who writes such great code, aka "The Navy", or anybody). To quote "A Peel of Onion"
Anything coming out of, for example, a Navy-only onion routing network would be known to be coming from the Navy and anything entering it would be known to be headed to the Navy: this would not adequately separate identification from routing. But the diverse users needed to provide this protection also have diverse trust values. Thus the entire network infrastructure cannot be provided by or under the control of a single entity. And since those running the network will similarly have diverse trust, they must be able to examine for themselves the code that they run, or at least be sure that independents whom they trust can do so. These points were part of our vision for onion routing from the very beginning, and we obtained our first publication release for onion routing code in 1996, before ’open source’ was a generally adopted concept.
Then of course there's providing documentation and specs, encouraging researchers to pound on it and publicize their results about what Tor does and doesn't provide (as you note a few bullets below), plus deterministic builds, plus probably something else I'm not thinking of.
Again, the number one point is that they _shouldn't_ be trusting it based on whether or not they trust you, and they don't have to.
aloha, Paul
Roger Dingledine:
Below is an initial list to get us started, along with overly brief summaries of the reality underlying the myth. Please contribute more entries!
- "I heard the Navy wrote Tor originally (so how can we trust it)."
- "I heard the NSA runs half the exit relays."
- "I heard Tor is slow."
- "I heard Tor gets most of its money from the US government."
- "I heard 80% of Tor is bad people."
- "I heard Tor is broken."
- "If I use Tor, I'll be put under surveillance."
(This one got amplified by the XKEYSCORE source code leaks some time ago.)
Lunar:
...
"If I use Tor, I'll be put under surveillance."
(This one got amplified by the XKEYSCORE source code leaks some time ago.)
I think this is also a good opportunity to respond to some of the random hate Tor gets from the infosec bros (especially on Twitter).
- "I've heard using Tor makes me more vulnerable on the internet. / I've heard it's not secure to use Tor" - People still ask whether they might get MITM'd by the exit node when they use .onion.
The end-to-end correlation one: Isn't Tor broken because the NSA can see most of the entrance and exit traffic?
(In theory, yes, in practice no one has come close to demonstrating this on anything close to an open world)
-tom