Ask Slashdot: Alternatives To Tor Browser Bundle For Windows?

← Back to Stories (view on slashdot.org)

Ask Slashdot: Alternatives To Tor Browser Bundle For Windows?

Posted by timothy on Sunday May 8, 2011 @05:50AM from the send-your-answer-via-smart-missile-please dept.

SonnyJim writes "I frequently use Tor for my anonymous browsing needs, via the Tor Firefox bundle for Windows. I noticed that there are many other applications out there that use Tor as a proxy as well (Janus VM, ChrisPC, etc.) Are any of them more secure than the original Tor bundles, or am I just wasting my time trying these other applications? Is there anything more secure than Tor, as far as anonymous browsing goes?"

35 of 201 comments (clear)

Min score:

Reason:

Sort:

Tor by x*yy*x · 2011-05-08 05:50 · Score: 5, Insightful

I personally find it funny when people use Tor and then leave behind the same cookies, the same user-agent, LSO and Flash cookies, same system configuration, same screen size, same fonts, same installation and versions of plugins, same MAC address, don't change DNS servers and countless amount of other things that make it very easy to identify your other activity or what you're doing. Especially to Google via Google Analytics.

Nevermind also that half of the TOR network end nodes are monitored and sniff your traffic and can modify your browsing session in various ways. Just imagine the fun when you happen to use an end node that serves you a drive-by download exploit instead of the page you requested.
1. Re:Tor by clang_jangle · 2011-05-08 05:58 · Score: 3, Interesting
  
  I personally find it funny when people use Tor and then leave behind the same cookies, the same user-agent, LSO and Flash cookies, same system configuration, same screen size, same fonts, same installation and versions of plugins, same MAC address, don't change DNS servers and countless amount of other things that make it very easy to identify your other activity or what you're doing. Especially to Google via Google Analytics.
  
  Nevermind also that half of the TOR network end nodes are monitored and sniff your traffic and can modify your browsing session in various ways. Just imagine the fun when you happen to use an end node that serves you a drive-by download exploit instead of the page you requested.
  You have some good points, though some of those concerns are easily addressed in your privoxy config. I use tor regularly BTW, and am impressed with its performance compared to a few years ago. I don't drink the kool-aid, but between privoxy and tor you can certainly avoid being tracked by all but the most devoted bad guys. However, if someone competent is targeting you specifically you're screwed no matter what you use, unless you're an uberhacker with access to some heavy hardware.
  
  --
  Caveat Utilitor
2. Re:Tor by WrongSizeGlass · 2011-05-08 05:58 · Score: 2
  
  Nevermind also that half of the TOR network end nodes are monitored and sniff your traffic and can modify your browsing session in various ways. Just imagine the fun when you happen to use an end node that serves you a drive-by download exploit instead of the page you requested.
  At least it will arrive securely and anonymously - and isn't that what it's really all about? ;-)
3. Re:Tor by Anonymous Coward · 2011-05-08 05:59 · Score: 4, Informative
  
  I personally find it funny when people use Tor and then leave behind [...]same MAC address, don't change DNS servers [...]
  Proof that you know less about this than you think you do. MAC addresses become irrelevant after the first network layer hop or an application layer gateway like TOR. Also TOR acts as a socks 5 proxy and will resolve names for you, again the the DNS settings are irrelevant.
4. Re:Tor by cdp0 · 2011-05-08 06:01 · Score: 5, Informative
  
  Use TorButton then (the Windows bundle includes it IIRC). AFAIK it solves most of the problems you mentioned. If you are using Firefox 4 then you need the alpha version from here.
  Add to that BetterPrivacy, and you should be much harder to track.
5. Re:Tor by 93+Escort+Wagon · 2011-05-08 06:06 · Score: 4, Funny
  
  I personally find it funny when people use Tor and then leave behind the same cookies, the same user-agent, LSO and Flash cookies, same system configuration, same screen size, same fonts, same installation and versions of plugins, same MAC address, don't change DNS servers and countless amount of other things that make it very easy to identify your other activity or what you're doing.
  
  I solved this problem simply by finding out what your user-agent, LSO and Flash cookies, system configuration, screen size, fonts, plugins, MAC address, and default DNS servers were. Now whenever I'm on Tor I pretend to be x*yy*x - so I'm golden.
  
  --
  #DeleteChrome
6. Re:Tor by x*yy*x · 2011-05-08 06:08 · Score: 2
  
  DNS resolving depends on settings. You're correct about MAC addresses, but it's good to remember them too since they are still somewhat relevant if you really want good anonymity.
7. Re:Tor by Hazel+Bergeron · 2011-05-08 06:14 · Score: 3, Insightful
  
  Except, of course, if you're running wireless. Then MAC addresses are recorded by various data gatherers and used, among other things, for that Google location guesser thing.
  Of course, it's OK if you never speak wireless in the clear and always use an encryption protocol which will never be found insecure in the future.
8. Re:Tor by icebraining · 2011-05-08 06:18 · Score: 2
  
  DNS resolving depends on settings.
  
  TorButton - included in the bundle - configures Firefox to use Tor for DNS (using the SOCKS proxy).
  
  --
  Dilbert RSS feed
9. Re:Tor by ibsteve2u · 2011-05-08 06:18 · Score: 2
  
  I don't drink the kool-aid, but between privoxy and tor you can certainly avoid being tracked by all but the most devoted bad guys. However, if someone competent is targeting you specifically you're screwed no matter what you use, unless you're an uberhacker with access to some heavy hardware.
  Didn't you know? Is "the good guys" doing the most tracking these days.
  
  lolll..and as a rule you're paying them to watch you.
  
  --
  Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
10. Re:Tor by burni2 · 2011-05-08 06:26 · Score: 3, Interesting
  
  But mostly you can identify tor-users which are not having all plugins switched off, by a java applet which acts as a beacon* , also if you have switched it off in your Firefox, it get's reactivated by every juscheded update ;)
  But I also want to point the attention to the lately added
  local web storage in the current generation of browsers, like Opera and doing a picture search in opera and just check the link of the thumb nail you will be interested So the question is how long will it take till it get's abused for traking
  "data:image/jpg;base64,/.*CONTENT*."
  *(udp connection, even through DNS/53 port some PSFs don't catch outgoing connection on this port and won't bring the fact to your attention)
11. Re:Tor by lostthoughts54 · 2011-05-08 06:39 · Score: 3, Interesting
  
  what he means is the old good guys are our new bad guys. and good guy doesn't exist anymore, only you vs. them.
12. Re:Tor by ibsteve2u · 2011-05-08 07:55 · Score: 2
  
  Might, perhaps, have been best to leave out the adjective "bad", which implies the existence of "good" and so leads those of us who are foolish enough to take someone literally into hypothesizing the existence of an anode in their cathode-only universe.
  
  --
  Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
13. Re:Tor by Anonymous Coward · 2011-05-08 08:57 · Score: 4, Informative
  
  Easy to fix when you use user agent switcher, ghostery, better privacy, noscript, google sharing, cloned mac addresses and torbutton.
  Check out http://www.decloak.net to see how anonymous you are.
  It's hard to beat Tor for anonymous public web browsing, but i2p is already a better darknet.
14. Re:Tor by smellotron · 2011-05-08 09:09 · Score: 2
  
  Once some one has your mac address (assuming they have the real one) they know the manufacturer of your device. From there they can figure out where it was sold and they tie that to a credit card or bank card if you didn't pay cash.
  
  Are you telling me that if I tell you 00:50:ba:* you can identify where I bought my NIC? And you can tie it to my credit card? You must be a spook in full collusion with D-Link (for the credit card and inventory records), in which case the mac address reveal is probably the least of my worries. If you look in my windows while you're wardriving, you might even see me, too!
15. Re:Tor by blincoln · 2011-05-08 10:35 · Score: 2
  
  "I never saw any good reason why HTTP Referrers and user-agent headers were ever included in the HTTP spec in the first place. The first is extraneous information and the second is contrary to a Web based on open standards (and tends to help malicious sites know which exploits to use)."
  The referrer is useful for a number of reasons. Beyond the obvious one (statistical information), this is helpful for setting up mechanisms to help prevent people hot-linking to images (or other content) on your site. For people who have transfer caps or surcharges, it's really frustrating to have a significant part of that taken up by people who hot-link to your images for use as forum icons or other heavily-used things which don't benefit your site in any way.
  re: the user-agent header - just because the web is supposedly based on open standards doesn't mean users should all get the same content. Ideally they should all be able to *choose* to access the same content, but most people are going to be happier if a website detects that they're using a smartphone and sends them a version of the content optimized for display on a smaller screen.
  
  --
  "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
16. Re:Tor by Jane+Q.+Public · 2011-05-08 11:04 · Score: 2
  
  Which is exactly why, if you REALLY want to be "anonymous", you simply spoof your IP and MAC addresses (ridiculously easy to do in most cases) and use somebody's open wifi.
17. Re:Tor by MrNaz · 2011-05-08 14:14 · Score: 2
  
  Your referrer solution: This solution would overload web servers quickly, as every object request would require a log file parsing. It would also suffer from the problem that the image may be loaded from a different server than the HTML file. Thus, your solution is fraught with difficulty in both efficiency of hardware use as well as implementation. Also, its stupid.
  Your user-agent solution: So you're saying that my smart phone, which is on a slower network connection, with a lower usage quota should receive both the mobile page AND the multimedia heavy regular page, and then choose which to render? That's massively inefficient and will clog low-power, bandwidth restricted devices. Also, it's stupid.
  
  --
  I hate printers.
18. Re:Tor by Miaomiao · 2011-05-08 17:44 · Score: 2
  
  As someone who's worked for years as a web developer: Knowing what browser people are using is 100% needed.
  Mostly, you use it as a priority list as far as what browser bugs you're fixing, it's not as serious now, but I know there's many web developers waiting for IE6 usage to drop below .1% so they can safely ignore it.
  Now, using content headers to "guess" which version of a page to serve up is wrong (you can easily use mobile stylesheets for that) but we're nowhere near that kind of real world application.
19. Re:Tor by MstrFool · 2011-05-08 18:42 · Score: 2
  
  To be honest, I have never really understood that mindset. It only comes into play when you wish to flood the page with all sorts of, glamor. And I mean that word in the sense of distracting effects, sounds and movement. It's only needed for making a big show of it, and IMHO, rather few sites benefit from such things. If your business is selling programs for inserting all kinds of special effects, then your page would likely benefit from using such. But if your site is for disseminating information, then all the bells and whistles rather get in the way. Sites that hide and ap that starts playing audio as soon as you load the page? Come on, your taste in music is not that impressive to the random person stopping in, or loud adds that you can't find to shut them up that interrupt what you are listening to while surfing... It's at best rude. I can only speak for my self, but I closed such pages the instant they started, till I got no-scripts and prevented it that way. I've since found my elf back on some of those sites I remembered dumping before. More then once found that exactly the item I was looking for at a better price then I ended up paying on the site that didn't try to scream in my ear. But if I have to fight the site to get through to what I ant, why should I? If you are more interested in showing off your l33t flash skills then you are in trying to sell your product or service, then I'm likely better off going with a company that feels their product or service information matters more then a flash tag or animation, or vulnerable flash plug in. And before any one takes offense, I am using 'you' in a general term, and not meaning any one personally. Or to sum up my feelings on the subject. I am interested in the contents, not how showy the box looks. And honestly, outside of the catalog or ordering system, how many web sites really need flash or scripts? Many here have typed out full web pages with out tools and fancy plug ins that look every bit as good as the web pages with 30 scripts, 6 java applets and a few flash objects. Don't use a tool simply because you have it, use it only when it's needed and most of those compatibility issues would vanish.
  
  --
  Question reality.
Re:OperaTOR by Anonymous Coward · 2011-05-08 06:08 · Score: 2, Informative

Does it have functionality similar to Firefox with TorButton ? Otherwise I assume it offers weaker privacy.
Btw, according to this link OperaTor is not maintained anymore, and it was replaced by YAPO which does not support Tor.
Re:VPN? by icebraining · 2011-05-08 06:09 · Score: 2

VPN is only one hop between you and any server, so they know both who you are (especially if it's paid), what IPs you connect to and any unencrypted traffic.
If you trust them more than your ISP, sure, but I think it's far from anonymous, even when compared to Tor.

--
Dilbert RSS feed
I don't get Tor by Hazel+Bergeron · 2011-05-08 06:20 · Score: 2, Interesting

Can someone explain to me why someone who is monitoring sufficient backbones and running sufficient Tor nodes himself can't just watch a packet stream being bounced between Tor nodes?
Then there are people using Tor really dumbly such that you don't even need a three-letter acronym to work out who it is.
1. Re:I don't get Tor by betterunixthanunix · 2011-05-08 06:31 · Score: 3, Informative
  
  Can someone explain to me why someone who is monitoring sufficient backbones and running sufficient Tor nodes himself can't just watch a packet stream being bounced between Tor nodes?
  This is one of many known attacks on Tor, and is the reason why as many people as possible should be running Tor relays, entry nodes, and exit nodes. This is also why Tor circuits are periodically changed by the client. In general, though, it is possible for someone who can monitor a large enough fraction of the Tor network to break the anonymity of the system, even if they cannot control the nodes themselves.
  
  --
  Palm trees and 8
2. Re:I don't get Tor by Nimey · 2011-05-08 07:00 · Score: 2
  
  I'd thought about running a Tor entry/exit node, but I really don't want to get dinged for someone else looking at kiddie porn and using me as an exit point. The authorities won't know the difference, and might not even care.
  
  --
  Hail Eris, full of mischief...
  
  E pluribus sanguinem
3. Re:I don't get Tor by Hazel+Bergeron · 2011-05-08 07:42 · Score: 3, Informative
  
  I recall a raid in Germany. Depending on police behaviour and accessibility of records, in some countries that can be as harmful as a conviction (e.g. if you're working in a job with vulnerable people).
4. Re:I don't get Tor by betterunixthanunix · 2011-05-08 09:31 · Score: 2
  
  To date, not a single case has been bought against anyone running a tor exit node.
  ...and yet your life can be ruined just because you were arrested for "downloading child pornography."
  
  --
  Palm trees and 8
LiveCDs - TAILS v0.7.1, Liberté Linux by integral-fellow · 2011-05-08 08:05 · Score: 4, Informative

First, don't bet your life on this technology or OpenSSH or other tech.
Second, rather than run TOR on an everyday personal or work computer (Windows or Mac or Linux) with sensitive data and identifiable traits, I'd recommend booting a LiveCD: TAILS (v0.7.1 is the latest) and Liberté Linux:
http://tails.boum.org/
http://dee.su/liberte
or get Knoppix and harden it:
http://knoppix.com/
Change your MAC and connect at a coffee shop (if paranoid-- on the other side of town, and wear sunglasses in case of surveillance), not from home. Or connect to someone else's open WiFi, or get the key with Backtrack. Less secure is running a LiveCD in a VM (virtualbox or vmware). Another less secure option is running a hardened Linux, or at least running the Bastille script.
What am I missing? The main trouble with the LiveCD/DVDs is the NIC driver/module, but Knoppix is good for that.
integral-fellow
What is the actual purpose of using TOR? by Warma · 2011-05-08 09:12 · Score: 3, Insightful

I understand that what I'm going to ask is almost a logical fallacy in Slashdot, but I'm going to ask anyway.
Why exactly are you making things complicated for yourself and using Tor in the first place? A person as paranoid as you would use only properly secured banking connections and reputable services anyway, so the chance of any identity theft whatsoever is minuscule. I really can't think of any credible motivation for completely endorsing anonymity except the fear of being caught surfing something explicitly illegal. However, the amount of replies in this thread and their tone suggest, that you can't all be 3rd world revolutionists or Chinese students circumventing the Great Firewall.
Is this just a matter of principle, or do you actually have something to hide? If it's the principle, what are you hoping to accomplish and why? If you're into snuff or whatever, I really don't care, but at least one anonymous reply confirming this would be amusing.
This is not a troll. I'm genuinely interested. Technical answers about repercussions I may have not understood, are not only accepted, but appreciated.
1. Re:What is the actual purpose of using TOR? by Larryish · 2011-05-08 09:44 · Score: 2
  
  From what I gather (remember this info is all secondhand) some people in former first-world countries (USA anyone?) use TOR, Privoxy, livecds, etc. to research the sort of things that might throw up a flag.
2. Re:What is the actual purpose of using TOR? by Jane+Q.+Public · 2011-05-08 11:38 · Score: 3, Insightful
  
  "I really can't think of any credible motivation for completely endorsing anonymity except the fear of being caught surfing something explicitly illegal. "
  History has clearly shown that the right to free and anonymous speech is essential to maintaining a free society. That fact alone is sufficient motivation to do it. If you don't practice and enforce your rights, you are likely to lose them. Your attitude is exactly why this is true.
3. Re:What is the actual purpose of using TOR? by Altanar · 2011-05-08 13:07 · Score: 2
  
  Anonymous free speech is a by-product of public free speech and is useless if the society doesn't allow public free speech from a known individual. The uncited source is useless if the government doesn't allow the brave individual to include their reference in a public, non-anonymous article. Without someone, anyone standing up to vouch for a story, publicly, anonymous free speech is easily dismissed, easily forgotten, easily covered up.
  What good would the Deep Throat informant have done if Bob Woodward and Carl Bernstein didn't publicly vouch for his information?
  What are the Federalist Papers without people like Patrick Henry publicly stating "Give me Liberty or give me death?"
  Which affected Iran and the world more? Reading @persiankiwi's tweets or seeing Neda Agha-Soltan, dying on a street with the entire world watching?
4. Re:What is the actual purpose of using TOR? by Jane+Q.+Public · 2011-05-08 17:58 · Score: 2
  
  "Anonymous free speech is a by-product of public free speech and is useless if the society doesn't allow public free speech from a known individual."
  I am quite sure that the authors of the "Federalist Papers" and "Antifederalist Papers" would very strongly disagree with you, Patrick Henry notwithstanding. Thomas Paine is probably a better example, and he was not exactly a friend of the existing government. But here is the most telling point: the very people who were writing the Federalist Papers were our Founding Fathers... they just did not dare do it publicly under their own names. To do so would have called unwanted and perhaps disastrous attention to themselves and their families, at a vulnerable time. THAT is the value of anonymous speech. The government doesn't have shit to do with it.
  
  "The uncited source is useless if the government doesn't allow the brave individual to include their reference in a public, non-anonymous article."
  You make my point for me! Without government sanction, only anonymous speech can truly be free.
  
  "What good would the Deep Throat informant have done if Bob Woodward and Carl Bernstein didn't publicly vouch for his information? "
  It might have actually been believed SOONER if it had come out in Rolling Stone rather than the Washington Post. Seriously, you are making my point for me. You are trying to say that only government-sanctioned sources are reliable, which is precisely the point behind what I originally stated. Woodward and Bernstein had no authority to "publicly vouch" for the information. All they could vouch for was a supposedly "reliable source". Once again, proof of what I say. Deep Throat was an anonymous source. But that source could have used many outlets. Remember, he chose Woodward & Bernstein, not the other way around.
  
  "Which affected Iran and the world more? Reading @persiankiwi's tweets or seeing Neda Agha-Soltan, dying on a street with the entire world watching?"
  That is a straw-man argument. It has nothing to do with the issue at hand, which is: is anonymous speech necessary? Regardless of which is more dramatic, anonymous speech has probably had a much larger impact on history.
i2p by bjs555 · 2011-05-08 10:19 · Score: 2

I was trying out iMule and saw that it uses a network layer called i2p that supports any application that can run using a proxy. You might want to give it a try.
i2p is available at http://www.i2p2.de/
Here's a description of i2p from the introduction:
-----
"I2P is a scalable, self organizing, resilient packet switched anonymous network layer, upon which any number of different anonymity or security conscious applications can operate. Each of these applications may make their own anonymity, latency, and throughput tradeoffs without worrying about the proper implementation of a free route mixnet, allowing them to blend their activity with the larger anonymity set of users already running on top of I2P.
Applications available already provide the full range of typical Internet activities - anonymous web browsing, web hosting, chat, file sharing, e-mail, blogging and content syndication, newsgroups, as well as several other applications under development.
Web browsing: using any existing browser that supports using a proxy.
Chat: IRC, Jabber, I2P-Messenger.
File sharing: I2PSnark, Robert, I2Phex, PyBit, I2P-bt and others.
E-mail: susimail and I2P-Bote.
Newsgroups: using any newsgroup reader that supports using a proxy."
Don't use Torbutton on your everyday Firefox by Anonymous Coward · 2011-05-08 12:08 · Score: 2, Interesting

Torbutton as an addon is a step backwards from Tor Browser Bundle. It was discontinued for a reason. You're not smarter about Torbutton than the developer of Torbutton, and here's what he says:

I realized at that same instant that in hindsight, this decision [to use one browser instance/profile for Tor and vanilla browsing] was monumentally stupid, and that I had been working harder, not smarter. However, I thought then that since we had the toggle model built, we might as well keep it: it allowed people to use their standard issue Firefoxes easily and painlessly with Tor.
I now no longer believe even this much. I think we should completely do away with the toggle model, as well as the entire idea of Torbutton as a separate piece of user-facing software, and rely solely on the Tor Browser Bundles, except perhaps with the addition of standalone Tor+Vidalia binaries for use by experts and relay operators.
The Tor Browser Bundles will include Torbutton, but we will no longer recommend that people use Torbutton without Tor Browser. Torbutton will be removed from addons.mozilla.org, and the Torbutton download page will clearly state that it is for experts only. If serious unfixed security issues begin to accumulate against the toggle model, we will stop providing Torbutton xpis at all.
Makes sense to me.