[tor-talk] To Toggle, or not to Toggle: The End of Torbutton

Moritz Bartl moritz at torservers.net
Mon Apr 18 05:09:35 UTC 2011

On 12.04.2011 16:59, Milton Scritsmier wrote:
> After reading most of the replies to this topic, I'm not sure the
> average user has weighed in. [...]

Thank you. This list is dominated, if not completely focused, on
development and security research. The Torproject as a whole has for the
last 10 years failed to split off a separate section for users (website,
FAQ, mailing list, whatever). I don't think there is a proper way to do
it and not duplicate stuff, however. There are a few other reasons that
stopped Torproject from doing that, the most prominent I think always
was that "devs should not lose contact with actual users".

> And so far I don't think anybody has solved the problem of a user
> who understands relatively little about computers trying to remain
> secure against a regime with vast resources and skills at its disposal.

I don't consider myself a security researcher, but I've been following
the Tor project since its early days. The misconception and
misunderstandings grew over time as the user base expanded, and while
Torbutton is a great and excellent project, in a way it only further
complicated things.

The problem is rooted in the vocabulary. I am not sure if it's the best
thing to cite, and I am in no way educated enough to say it is the
definitive guide, but as far as I know the "Anon Terminology" paper
published by Andreas Pfitzmann since 2000 tried to form a definitive
base for discussion. He collected, if not influenced, different terms
around anonymity.


It's been a while since I've last read it, but if I remember correctly
it fails to separate anonymity into different "types".

Anonymity is a hard term, and simply cannot be achieved when using
electronic communication. Tor, without Torbutton, tries its best to
anonymize *traffic*, ie. make it hard to know who is talking to whom.
Tor does not, and never did, try to fix the problem of identifying
information *inside* the transported data. Tor is completely neutral in
that respect.

The problem is that a lot of applications transmit user identifyable
information. It is not Tor's job to stop that, mostly because there is
no way to know what kind of information is "identifying" in a certain
situation, and if the user wants to transmit that kind of information in
the first place.

Torbutton, despite its name, has nothing to do with Tor. It works great
for any other proxy software, too. Torbutton does what Tor does not:
Block application-specific information that could leak your identity
without you explicitly telling it to do so. For that, it has to know the
protocol and the application. Any other application or protocol could as
well be "screened and cleaned" by something like Torbutton. For example,
one could write a "BittorrentButton" for a torrent client.

In general, I find it hard to explain the difference, because the
community lacks different names for the different properties that, as a
whole, define "anonymity". At least I don't know how to separate these,
but maybe I'm just not educated enough.

Moritz Bartl

More information about the tor-talk mailing list