[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Building tracking system to nab Tor pedophiles

As suggested on IRC, I think
the Tor documentation strategy needs to be rethought. Most people
barely read the download page, let alone the reems of FAQ questions.

We've had two "attacks" now on Tor that rely on unmasking users who
use Tor incorrectly. One of them actually published a paper and had
decent results at unmasking this way (mostly Asian users who probably
can't read our english mailinglist or english FAQ), and the media
still doesn't seem to understand that these attacks are well

The Tor download page should have a concice "Things to know before
downloading" section that lists a few key points about the most easy
ways your identity can be revealed through Tor. Something like
Things to know before you download Tor:
- Browser plugins can be made to reveal your IP. - This includes Flash, Java, ActiveX and others. - It is recommended that you use FireFox and install the extensions NoScript, QuickJava, and FlashBlock to control this behavior if
you must have these plugins installed for non-Tor usage.
- Make sure your browser settings have a proxy listed for ALL
protocols (including Gopher and FTP).
- For further details, please consult the Tor FAQ.

I had advocated something similar some time ago. Actually what I proposed was that some sort of test server be set up. I know there are already many of them, but I was thinking that there could be testing stages in an install wizard (or a post-install testing wizard) that takes the user through various tests and what to do in response to results. I know a lot of work, maybe another suggestion to be listed on the volunteer page or a candidate for summer of code?

As a new user (about a week now) and without much of a background, hopefully I can offer some insight. The installation and documentation to get up and started is very helpful, especially the screen shots. However I am lost with Privoxy configuration, e-mail config (especially about the smtp port 465 in Thunderbird), and if.. how.. and when I need to modify modify the torrc file. I have subscribed to all the lists and am doing my best to absorb the info.

I usually learn new programs by futzing with them until I have learned the ins and outs. However, this is different because the learning curve could do some damage (stories of how Tor users were not protected).

My suggestions/responses to help protect green users like me from those who can take advantage of our lack of information are:

- A hold your hand walk through of add ons to Firefox and Thunderbird to be installed before attempting to use the programs ( just like the set info instructions, they were great)

- A few predefined configurations of Privoxy, Noscript etc. with a WALK THROUGH on how to access them, what they mean and how to tweak them in the future.

- The test server sounds like a great idea. I keep reading about things which break pages and reveal your identity but I have no idea if it is actually happening. Is there a way to set an alert which notifies the user that his/her anonymity has been compromised?

- Again, a list of IMPORTANT things you should not do is a great idea. I don't know if I can use another browser without privoxy etc installed after I have disconnected from Tor and wish to surf as I did previously. Is that bad? I am also pretty sure that I should not use any other programs which don't go through Tor while I am connected to Tor. Is it ok to use them after I disconnect?

The takeaway from my rambling is that compromises to security and the networks reputation are going to come from users like me, not from a developer or experienced user. To maintain integrity it is a good idea to devote time to developing better walk throughs regarding use after initial setup and to help new users from hurting themselves or the reputation of the network.