-2

I have had Tor for a bit, I do not use it that often. But I am wondering if anyone knows if it is secure. How safe are onion connections?

brrrrrrrt
  • 5
    Secure against what? –  May 04 '21 at 11:54
  • "Is X secure?" is largely unanswerable. And we could answer both "yes" and "no". You need to explain what risks you are concerned about. – schroeder May 04 '21 at 11:58
  • @MechMK1 I am protecting myself against ISP, trackers, and other people such as hackers. – brrrrrrrt May 04 '21 at 12:00
  • @schroeder I want to know if my data is secure. – brrrrrrrt May 04 '21 at 12:00
  • 3
    what data? secure from what? "I want to protect myself from hackers" is like saying "I never want a health problem". You need to be more specific. Nothing will "secure" you from what you've described. – schroeder May 04 '21 at 12:01
  • It seems to me like you need to show us your [Threat Model](https://security.stackexchange.com/questions/225012/what-is-a-threat-model-and-how-do-i-make-one) before we can give any meaningful answers. –  May 04 '21 at 12:02
  • @schroeder Sorry, passwords, my cookies, and private data. – brrrrrrrt May 04 '21 at 12:03
  • 2
    Tor doesn't protect you against threats against those things. TLS and your browser do. – schroeder May 04 '21 at 12:03
  • So, was your question simply "how does Tor work?"? I'm not seeing how the answer you accepted answers what you asked... – schroeder May 04 '21 at 19:20

2 Answers

1

There are different tools for different threats.

If you just want neither your ISP nor any network admin along the flow to be able to read the data exchanged between your client machine and a server, HTTPS is enough.

If you want neither your ISP nor any network admin (except TOR itself) to be able to know which servers you are connecting to, then TOR (or any VPN) makes sense.

If you want the server admins to be unable to identify you even through a legal action involving your ISP (said differently, if what you do can be forbidden by law either in your country or in the server's country), then TOR is the thing - this is just its initial and main goal.

You just have to be aware of the underlying trust question. If you have any good reason to trust TOR (or any other VPN) more than your ISP, then using them makes sense (provided you are in one of the above use cases). Otherwise you have just exchanged one possible spying center for another one...

Serge Ballesta
1

A big question in a short sentence.

What Tor offers is a very high level of Privacy, which necessarily requires significant Security, during Transport.

Note the fact you are using Tor is easily determined. In some locations, that alone may be a problem.

First of all, unless you really know what you're doing, you should use the Tor Browser Bundle (TBB). In addition to using the Tor network, the Browser is already configured by default for high levels of privacy protection.

Tor works by wrapping your communication packets in multiple levels of encryption where even the IP addresses are hidden in deeper layers of encryption. It's rather like writing a message in a sealed envelope that can only be opened by the recipient (encryption) and placing the address (IP) of the recipient on the envelope, then stuffing that envelope in another sealed envelope with a different address (IP), then doing it yet again.

The default Tor socket (number of envelopes) is 3. The logic is that the first node (envelope recipient) knows who you are (your IP) and can open the first envelope to determine the next node or Hop (IP) in order to send it on to the relay.

The second node knows the IP address of the first node but not your address as that was lost in the forward. The second node opens the envelope and forwards the third envelope to the IP address of the third node. So the second node only knows the first node and the third node. It does not know your IP, nor the destination IP (Web URL) you are going to.

The third node is typically the Exit Node out of Tor for connecting to a normal web page. I know you said onion, we'll get to that in a moment. The exit node establishes the final connection to the destination URL. The exit node knows where you connected (all standard URL protocols and risks apply), but not who or where you are, only the second hop relay.

The Tor network is the current best privacy security option available, but nothing is perfect. Could the individual Tor nodes collude to supply out-of-band tracking? Could Nation States track all the nodes? Yes, it's technically possible, but typically the nodes are different providers in different countries. Not impossible, but a very high bar.

It's important to note: Tor provides Transport Privacy/Security. If at the end of your Tor socket chain you log into a web site, you've just told them who you are, negating Tor privacy. Similarly, if you set up a VPN through Tor, you are authenticating with your VPN, negating Tor anonymity. Tor provides an anonymity transport service; it does not keep you from making mistakes.

.onion

When connecting to an onion site, the third node is not an exit node. Onions are within the Tor network so there is no exit.

Onions (leaving out much detail) also set up their own 3 Hop Tor socket. Both your third hop and their third hop connect to a middle Rendezvous node. This in turn connects both of you to each other. You don't know where they are, and they don't know where you are.

So is it safe?

It's not absolute, but it's used by many high-profile, high-risk entities as the best available.

user10216038
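
The envelope analogy in the answer above, as an added example that is not part of the original post: a Python simulation of a three-hop path that records what each relay can observe. The cipher is a toy HMAC-based construction standing in for Tor's real circuit cryptography, and the relay names, client address and destination are constructed values.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # Toy keystream from HMAC-SHA256 in counter mode (illustration only, not Tor's cipher).
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _tag(key, nonce, ct):
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def seal(key, plaintext):
    """Encrypt-then-MAC one 'envelope' under the key shared with a single relay."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, nonce, ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("layer not addressed to this relay, or modified in transit")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def wrap(route, keys, destination, payload):
    """Client side: build the envelopes inside-out, so the first relay's layer is outermost."""
    blob, nxt = payload, destination
    for relay in reversed(route):
        blob = seal(keys[relay], json.dumps({"next": nxt, "data": blob.hex()}).encode())
        nxt = relay
    return blob

def send(client_ip, route, keys, destination, payload):
    """Pass the onion along the route; record what each relay can observe."""
    blob, prev, views = wrap(route, keys, destination, payload), client_ip, []
    for relay in route:
        layer = json.loads(unseal(keys[relay], blob))
        views.append({"relay": relay, "prev": prev, "next": layer["next"]})
        blob, prev = bytes.fromhex(layer["data"]), relay
    return views, blob  # blob is what the exit hands to the destination

# Constructed sample values (documentation address range, made-up relay names).
ROUTE = ["guard", "middle", "exit"]
KEYS = {name: os.urandom(32) for name in ROUTE}

if __name__ == "__main__":
    views, delivered = send("198.51.100.7", ROUTE, KEYS, "example.org:443", b"GET / HTTP/1.1")
    for v in views:
        print(v)
    print("exit delivers:", delivered)
```

Only the first relay's view contains the client address and only the last relay's view contains the destination; the payload the exit delivers is readable by the exit unless it is itself protected, for example by TLS.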