[tor-talk] When to use and not to use tor.

Wed Jun 15 03:33:10 UTC 2011

On Wed, Jun 15, 2011 at 10:41 AM, Roger Dingledine <arma at mit.edu> wrote:
> On Wed, Jun 15, 2011 at 08:44:24AM +0800, Fernan Bolando wrote:
>> Please note my original intent with I started this thread was to
>> create a base set of rules for my users to follow to maximimize tor
>> anonymity and not become a tool against anonymity.
>
> Which ones are 'your' users (so I can figure out how to help better)?
>
I think We can target just a set of general users. Like people who are
gun enthusiast or military afficionados
can read about all about those stuff without blipping as dangerous person.

>> 1. if somebody runs bittorrent traffic send a warning
>> 2. if somebody sends an unencrypted web form through tor send a warning
>> 3. set the always warn unencrypted webpage when tor is enabled.
>> etc
>
> What frustrates me is that Firefox *has* that warning enabled at first,
> and everybody knows to just click it away. You'll have to make your
> browser popup windows dire indeed before users will even notice you're
> trying to get their attention.
>

I try to limit myself to educating people, not increase there IQ. If
they chose to
ignore popups and a documented set of guidelines and suddenly a
malicous tor exit
captured there banking password thats up to them.

>> that said, I did found this
>> https://www.torproject.org/download/download.html.en#warning. It forms
>> a general guideline in using tor. It's not as specific as the ones
>> from other forums, but it seems to be inline with that.
>
> The challenge is that good advice differs from user to user. It depends
> on your situation, what you're worried about ("what your threat model
> is"), what's at risk, what online activities you need to do, etc. When
> Tor does trainings for activists in dangerous countries, the conversation
> always starts out the same but it never ends up in the same place.
>
> All that said, I agree that it would be nice to have things spelled out
> in more detail for the users who need that. There are a lot of handbooks
> out there named things like "security in a box" that aim to explain
> it all -- not just Tor but disk encryption, anti-virus, etc etc -- and
> they're always forced to make tradeoffs and leave out important topics.
> And they even have a specific type of user in mind when they start.
>
> That said, here are some specific answers:
>
>> dont use tor in banking or financial transactions
>
> Agreed in general, but not for the reason you might think: a lot of
> banks these days freak out when you log in from a foreign country, and
> end up locking your account until you go through a little dance. So it
> is because of poorly tuned anti-fraud algorithms that you may not want
> to use Tor to connect to your bank.
>
> That said, I used Tor when logging into my bank account on the Defcon
> wireless network. So it depends on your context and what you're worried
> about.

Yeah, a one size fits all guideline is probably not possible so the
warning from
the tor website will suffice for now.

>> dont use tor in non encrypted email
>
> Don't use the Internet for non encrypted email. It's a bad idea no matter
> where you are -- Starbucks, your cablemodem at home which your neighbors
> can sniff, the Tor network, anywhere.
>