The Present and Future of Tor in a Healthy Internet

From DevSummit
Jump to: navigation, search

Facilitated by The Tor Project Team

Session Description

Tor supports a range of users who depend on anonymity to be effective in their online activism, from human rights practitioners to privacy advocates. This session will explore how Tor complements and supports other online activism resources, and invite discussion on how to better support and sustain the Tor Project moving forward.

Tor represents a challenge to common assumptions of information control, security through strong identity, privacy by policy, and the need to trust the infrastructure. Answering this challenge demands a realistic appraisal of the status quo in terms of IP-address-as-identifier, IP-address-as-scarce-resource, and IP-address-as-authenticator, as well as the efficacy and practicality of dragnet surveillance, and the feasibility of Internet censorship.

Depending on interest, the end of the session will be devoted to Q&A, or a brief installation training, or both.

Session Notes

Tor is:

  1. software (written in C, router and the client)
  2. network, 2000- 2500 volunteer relays
  3. TorProject non-profit directs development, funded by number of grants. 15 paid developers, and a number of volunteers beyond that.

Tor Browser Bundle is how it can get used. Can install it, put on a USB key, uses modified Firefox (TorButton firefox extension).

Works by tunneling traffic through 3 random relays, all encrypted. 1st relay doesn't know who last relay easy, last relay doesn't know who 1st relay is. So no one knows where you're coming from.

Other anonymizers are single hop system, so you have to trust them. With Tor, no one party is able to fully deanonymize you.

Can install TorButton plugin in your normal Firefox so you can toggle between using Tor and not using it.

It's both a tool to get around censorship and a tool to be anonymous. Since Tor relays are in a public list, Tor has "bridges" which are not publicized, so it's harder for governments to block. Friends can set up bridges for you.

How does Tor Project do advocacy in China? Tor has people in Hong Kong who do trainings regularly, and other advocacy groups educate people about Tor in China.

All of the Tor network relays are run by volunteers. Tor Project itself doesn't run any of the network, EFF advised against it.

Tor hasn't been blocked by fingerprint yet (as far as they know) because the protocol makes it look like Firefox connecting to random host name via SSL.

Estimated ~500,000 daily Tor users around the world. But only 2500 routers.

One of the problems with performance issues is congestion at specific routers, using BitTorrent over Tor causes this, making the network slower. Working on using UDP instead of TCP to improve performance.

Running a relay you have different levels of exposure (least to most risk):

  1. private bridge, just give it to a friend. only encrypted traffic coming in, going out, not getting reported
  2. running a bridge, your IP/port get distributed via gmail autoresponder
  3. non-exit relay. you're in the public list of tor relays, but you don't exit traffic. encrypted in/encrypted out.
  4. exit relay. you are an exit node, so people on the tor network leave in plaintext through your ip

Exit relays require special setup to run safely: https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment

QoS Scripts exist for Linux to prioritize Tor traffic below normal traffic, allowing you to devote spare capacity to Tor: https://gitweb.torproject.org/tor.git/blob/HEAD:/contrib/linux-tor-prio.sh (also in contrib directory in source tarball).


The more different groups that use an anonymity system, the more secure it is, so it's good if these people use it: human rights activists, governments, private citizens, businesses.