Tor-Enabled Browser For the iPad, and Easy Tor Nodes on EC2

An anonymous reader writes "While there has been a port of Tor for jailbroken iOS devices for a long time, there was no way to use it if you did not want to lose your warranty. Now it looks like Apple has approved a Web browser for the iPad called Covert Browser, which includes a Tor client. If you look at the first screenshot on the author's page it looks like you can even select the Exit node. According to App Shopper it already hit place 64 in the iPad/Utilites category." And from another (of course) anonymous reader comes a link to CmdrTaco's take on another instance of Tor breaking into the world of "real users." As he notes, the Tor Cloud Project has posted simple instructions for installing EC2 Tor nodes using free-tier VMs (or paid nodes for roughly $30/month).

Many Tor nodes on one service - good idea?

[GameboyRMH]

Is it just me or does clustering a large number of Tor nodes in a small handful of commercial data centers sort of defeat the purpose when it comes to packet sniffing, anonymity (commercial service has physical + RAM access) and bypassing regional censorship?

If user A goes through Tor node B and exits at node C, and B and C are both hosted on EC2 where everything that happens on B and C could be secretly logged for all we know...A isn't very anonymous is he?

Re:Many Tor nodes on one service - good idea?

[mfreed]

There *is* real privacy concern if many Tor nodes move to one cloud provider, and particularly if the Tor nodes are the first and last hop of the chain. In fact, we have a project called "Cloud-based Onion Routing" (COR) that looks at this problem.

COR discusses some policy approaches to make deployment on *multiple* cloud providers safer, as well as introducing another layer of indirection that makes Tor/COR market-friendly: We can sell (or give away) access to this higher-performance COR network, while still protecting end-user anonymity.

            http://sns.cs.princeton.edu/projects/cor/

The nice thing is that our implementation mostly just uses the local tor controller to enforce access to the tor proxy based on the presence of anonymity-preserving tokens sent during connection setup, while "Anonymity Service Providers" running Tor nodes on cloud providers (EC2, Rackspace, etc.) is just starting a VM and running a node.

Re:Can you choose the exit node?

[GameboyRMH]

Oh yes:

http://slashdot.org/journal/269014/how-to-bring-the-cops-to-tor-exit-node-operators-doors-using-the-exit-feature

I2P doesn't allow this, and changes exit points more often.

Is Tor even viable anymore?

[kheldan]

I seriously question whether Tor is even a useful service anymore. Any government spook agency can start up a whole fleet of exit nodes, and mine the data they get through them, as can anyone else, really.

Re:Is Tor even viable anymore?

[GameboyRMH]

That's true for plaintext traffic, but if you use HTTPS with an anti-MITM plugin like Perspectives/Convergence, and assuming the government in question can't get free and easy access to the site's private key (big assumption, I know), then traffic sniffing isn't possible.

More importantly, it can make connections untraceable, and if you don't send any identifiable information through the connection, then it doesn't matter if the contents can be seen.

That said I think I2P is better both for darknet hosting and anonymization, it has a number of technical advantages over Tor.

Re:Is Tor even viable anymore?

[bonch]

Well, nothing on the internet is truly anonymous. At best, you can just throw up roadblocks.

Re:Is Tor even viable anymore?

[GameboyRMH]

Even if that were true (which it's not), an open wifi AP within driving distance of you is the mother of all roadblocks.

Re:Is Tor even viable anymore?

[CastrTroy]

Not only that, but I find that there's a lot of nefarious traffic going on over TOR. Last few times I've tried it, visited 4Chan, and found that the particular IP of my exit node had been banned for uploading child porn. Now i realize that every technology like this will have bad uses and good uses. but I'd think twice about hosting an exit node, unless you enjoy the SWAT team knocking down your door at 3 AM.

Re:Is Tor even viable anymore?

[spazdor]

Why would anyone access 4chan through Tor except to upload child porn?

Re:Is Tor even viable anymore?

[mmcuh]

That has always been possible. The only thing Tor tries to provide is anonymity, not protection against eavesdropping.

Re:has TOR addressed this yet?

[GameboyRMH]

Resident, no, that doesn't happen, it will pass through your system (fully encrypted) but not be stored on it. On Freenet it's a different matter.

And no, there's no way to run a darknet without facilitating the exchange of child porn. If you think the negatives of enabling child porn are worse than the positives of enabling free speech, then don't participate, It's an understandable and respectable decision.

Re:has TOR addressed this yet?

[CastrTroy]

Why does free speech have to be anonymous? The freedoms we have today are because people have stood up publicly and announced that they are not happy with the status quo. When all the people protesting are faceless anonymous people hiding behind computers, it doesn't really count as free speech. People should be free from prosecution from what they say not because they are good at hiding, but because it is a fundamental right. The people shouldn't require technological measures to protect themselves. Granted, there are some countries where people are truly denied free speech, but communicating over a covert private network will not get the laws changed.

Re:A small issue

[GameboyRMH]

Sounds like you had your browser pointed directly at the Tor proxy. You're supposed to point it at a caching proxy server which then goes through the Tor proxy, acting like a "download accelerator" by aggressively fetching data to produce a reliable output. Still not perfect, but hitting Refresh never killed anyone.

Re:great idea, useless execution

[GameboyRMH]

That's not so much a problem with Tor specifically as it is with the user's browser (although as I've said before, I2P addresses many of Tor's weaknesses).

It takes an expert to set up a truly untraceable browser (you think a fresh-booted LiveCD's standard Firefox install is untraceable? LOL!). Any one little slip up could ruin it all. Your average user is going to connect to Tor using a wide-open cache-laden stock browser, complete with Facebook cookie. Or if we're real lucky, they'll enable Private Browsing, and only have auxiliary cookie mechanisms (Flash cookies, HTML5 storage, Evercookies that use cache), HTTPS MITM attacks and the geolocation API to worry about.

Without the right browser, the means of connecting is meaningless.

Re:has TOR addressed this yet?

[icebraining]

I cite the SCOTUS:

Protections for anonymous speech are vital to democratic discourse. Allowing dissenters to shield their identities frees them to express critical minority views . . . Anonymity is a shield from the tyranny of the majority. . . . It thus exemplifies the purpose behind the Bill of Rights and of the First Amendment in particular: to protect unpopular individuals from retaliation . . . at the hand of an intolerant society.

Re:$2.99 price is a major FAIL

[666999]

Correct, you simply have to do a relatively quick factory restore before you hand it over, and even that is rarely enforced.