[tor-talk] When to use and not to use tor.

Roger Dingledine arma at mit.edu
Wed Jun 15 02:41:36 UTC 2011


On Wed, Jun 15, 2011 at 08:44:24AM +0800, Fernan Bolando wrote:
> Please note my original intent when I started this thread was to
> create a base set of rules for my users to follow to maximize tor
> anonymity and not become a tool against anonymity.

Which ones are 'your' users (so I can figure out how to help better)?

> 1. if somebody runs bittorrent traffic send a warning
> 2. if somebody sends an unencrypted web form through tor send a warning
> 3. set the always warn unencrypted webpage when tor is enabled.
> etc

What frustrates me is that Firefox *has* that warning enabled at first,
and everybody knows to just click it away. You'll have to make your
browser popup windows dire indeed before users will even notice you're
trying to get their attention.

> That said, I did find this
> https://www.torproject.org/download/download.html.en#warning. It forms
> a general guideline in using tor. It's not as specific as the ones
> from other forums, but it seems to be in line with that.

The challenge is that good advice differs from user to user. It depends
on your situation, what you're worried about ("what your threat model
is"), what's at risk, what online activities you need to do, etc. When
Tor does trainings for activists in dangerous countries, the conversation
always starts out the same but it never ends up in the same place.

All that said, I agree that it would be nice to have things spelled out
in more detail for the users who need that. There are a lot of handbooks
out there named things like "security in a box" that aim to explain
it all -- not just Tor but disk encryption, anti-virus, etc etc -- and
they're always forced to make tradeoffs and leave out important topics.
And they even have a specific type of user in mind when they start.

That said, here are some specific answers:

> don't use tor in banking or financial transactions

Agreed in general, but not for the reason you might think: a lot of
banks these days freak out when you log in from a foreign country, and
end up locking your account until you go through a little dance. So it
is because of poorly tuned anti-fraud algorithms that you may not want
to use Tor to connect to your bank.

That said, I used Tor when logging into my bank account on the Defcon
wireless network. So it depends on your context and what you're worried
about.

> don't use tor in non-encrypted email

Don't use the Internet for non-encrypted email. It's a bad idea no matter
where you are -- Starbucks, your cable modem at home which your neighbors
can sniff, the Tor network, anywhere.

--Roger


