[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] How intensely do you use Tor?



On Wed, Jul 03, 2013 at 03:54:13PM -0400, Roger Dingledine wrote:
> On Wed, Jul 03, 2013 at 07:43:47PM +0000, anonymous coward wrote:
> > I think for certain things it does not make much sense to use Tor, for
> > example for online banking. When I connect to my bank I am not anonymous
> > anway. When I use ebay, I am not anonymous either, they have my adress,
> > Paypal knows my adress. So to torify such things does not make much
> > sense, doesn´t it?
> 
> Tor aims for a variety of anonymity properties:
> 
> 1) Nobody watching your local network connection can learn where you're
> going.
> 2) Nobody watching your destination can learn where you're coming from.
> 2b) The destination can't learn where you're coming from.
> 3) No single relay in the path can link your location to your destination.
> 
> I think your phrase above is most like 2b above. But even then, while
> paypal may know your physical address, why do they need to know that
> you're vacationing in Italy this week? And why should somebody watching
> Paypal's network connection get to learn that you're using Paypal right
> now? And why should somebody watching *your* network connection (or the
> company that your ISP sells all your clicklogs to [1]) learn that too?

Just to underscore this point: Your bank hopefully knows it's you when
you sign in, but as Roger noted, there are other entities Tor protects
against. In particular, someone watching you connect to the network
who also sees you connecting regularly to (one of) your bank's IP
address(es) can guess that this is your bank, which they then might
combine with other things they observe to construct spearphishing or
worse attacks against you and your money.  My guess is that the
concern he raises below will be of more immediate concern, but most
credit card vendors will be happy to have you, e.g., contact them and
say you will be in Italy for the next ten days. Similarly, if you want
to use Tor under such circumstances you can restrict to exits in a
given location when connecting to your bank. This then raises other
potential concerns...

Another issue is that if you only use Tor when it's important as
opposed to in general, local observers of your behavior will know they
are seeing important traffic because it's going over Tor (unless you
use bridges...).

For many users these may be outside their threat model, but you asked
why you would bother to use Tor when connecting to a destination that
knows you anyway. Another scenario of securely logging in somewhere
over Tor is if you are physically away from where you usually work,
need to connect to a system of your employer, but you don't want
locals to observe where/who that is.

HTH,
Paul

> 
> That said, there *is* a reason to avoid using Tor for banking: a growing
> number of banking websites use IP address to decide if you're really you,
> and if you suddenly show up from Italy (whether on vacation or because
> you're using Tor), they lock your account.
> 

> --Roger
> 
> [1] http://en.wikipedia.org/wiki/Phorm
> 
> _______________________________________________
> tor-talk mailing list
> tor-talk@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk