unofficial mirror of help-guix@gnu.org 
From: Mike Gerwitz <mtg@gnu.org>
To: Alex Vong <alexvong1995@gmail.com>
Cc: help-guix@gnu.org
Subject: Re: Do not use tor with browsers other than tor browser
Date: Sat, 25 May 2019 22:39:22 -0400
Message-ID: <87a7fa9bxh.fsf@gnu.org>
In-Reply-To: <861s0m21eb.fsf@gmail.com> (Alex Vong's message of "Sat, 25 May 2019 19:56:28 +0800")

Alex:

On Sat, May 25, 2019 at 19:56:28 +0800, Alex Vong wrote:
> I've seen recommendations on this list of using tor with browsers other
> than tor browser,
> e.g. <https://lists.gnu.org/archive/html/help-guix/2019-04/msg00063.html>,
> <https://lists.gnu.org/archive/html/help-guix/2019-05/msg00024.html> and
> <https://lists.gnu.org/archive/html/help-guix/2019-05/msg00046.html>.
>
> It is a really bad idea, the tor project faq recommends against it:
> <https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser>.
>
> The reason is as follows: Tor allows you to browse the internet
> anonymously. It works by making users using the same version of tor
> browser indistinguishable (i.e. in the same anonymity set[0]). This only
> works if all the browsers have the same fingerprint. Using browsers
> other than tor browser makes you distinguishable from that anonymity
> set.
>
> Another reason is that modern browsers allow loads of ways for
> fingerprinting: user agent string, screen resolution, canvas
> fingerprinting, webgl fingerprinting...

Using Tor Browser is a good idea.  But this isn't a binary
decision---it's far more nuanced than that.

First: Tor is used for more than web browsing.  Some people use it to
do one-off things like download files, e.g. using `torify wget`, or via
their package managers.  Some people use it for setting up onion
services for private use.  Some people use it to hide their location
when SSHing into a server.  Others use it to hide their internet traffic
from e.g. hotspot providers, hotel rooms, their ISP, and so on.  Etc.

There's also the issue of defining your threat model (which is the case
for both web browsing and all of the above).  Do I just want to stop my
hotel's Wifi provider from snooping on me?  Do I just want to hide my
location when SSHing or pushing code to a Git host?  Am I using it in
place of a VPN to prevent metadata collection from my ISP?  Am I
trying to prevent tracking from advertisers and other malicious
companies?  Am I a dissident under an oppressive regime, risking my life
to leak information?

On top of all of that, you have to actually change your habits; using
Tor alone is not enough.[0]  Using Tor Browser alone may not be enough.

I personally use Tor for all of my Internet traffic, using Icecat with
NoScript, Privacy Badger, uBlock Origin, HTTPS Everywhere, Cookie
AutoDelete, Third-Party Request Blocker, and FoxyProxy (to easily allow
me to disable Tor for my home webserver).  My browsing is generally
burdensome, though I am able to work around most issues, sometimes with
substantial effort (I'm a professional web developer).  For some sites,
I'll visit via the Internet Archive or other caches (still over Tor).  I
run Icecat within a container to control what it can see on the
filesystem, ensure caches are wiped out, and to help defend against
exploits.  I don't log into any websites, and if I do, then I understand
the consequences of doing so and how to mitigate that.  And so on.

If I want a higher level of privacy, maybe I'll boot Tails and use Tor
Browser on entirely different hardware.  Maybe I wouldn't be comfortable just
using Tor Browser on my normal OS because a browser bug could still
allow it to access my operating system or persist data.

The point I'm trying to make here is: Tor Browser is good, but you still
need to have some level of understanding of the problem and what Tor
Browser does and does not solve.  And once you have a certain level of
understanding, you can decide whether you want to use Tor Browser.  For
most users, yes, it's easier to tell them to stick with Tails and Tor
Browser.  If your life depends on it, then you want a hardened,
ephemeral system.

But if you're just an average person fed up with corporate surveillance,
you're not going to jump through a lot of hoops.  You're going to stop
using a system when it's inconvenient for you.  So telling someone to
use Tor with their existing browser and a handful of addons may be good
enough, as long as that person understands that they may not be fully
anonymous in that scenario.

This is a complex topic, and I've just thrown some thoughts together in
what little time I have.  I would still like to see it packaged for
Guix at some point.  Also note that Tor has been working with Firefox to
upstream many of their changes.[1]


[0]: I don't have time to dig up links right now, but for example:
     https://www.whonix.org/wiki/DoNot

[1]: https://wiki.mozilla.org/Security/Fusion


>
> This page:
> <https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-fingerprinting>
> should give you an idea how many fingerprinting issues exist in modern
> browsers.
>
> This page:
> <https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs>
> shows bugs specific to chromium-based browsers.
>
> My recommendation for now is to download tor browser from the tor
> project website. AFAIK, tor browser for GNU/Linux is built with free
> software only. In the future, we may want to build it ourselves, but of
> course we need to be careful not to introduce fingerprinting bugs.
>
> [0]: https://privacypatterns.org/patterns/Anonymity-set
>
> Thanks,
> Alex
>

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
