I used Tor as a small part of one of the capabilities of a supply chain integrity startup. I built a fancy scraper/crawler to discreetly monitor a major international marketplace (mainstream, not darknet), including selecting appropriate Tor exit nodes for each regional site, to try to ensure that we were seeing the same site content that people from those regions were seeing.
Tor somehow worked perfectly for those needs. So my only big concern was making sure everyone in the startup knew not to go bragging about this unusually good data we had. Since we were one C&D letter away from not being able to get the data at all.
(Unfortunately, this had to be a little adversarial with the marketplace, not done as a data-sharing partnership, since the marketplace benefited from a cut of all the counterfeit and graymarket sales that we were trying to fight. But I made sure the scraper was gentle yet effective, both to not be a jerk, and also to not attract attention.)
(I can talk about it now, since the startup ran out of runway during Covid investor skittishness.)
The right way to do this would be through a VPN/tor + Residential proxy to hide your intentions from everyone involved.
Spot checks checked out. And it was a perfectly fine way to do it.
You are correct that Tor exit nodes often get special handling (at the moment, including by Cloudflare, and by Google Recaptcha). And the idea of poisoning of data is starting to propagate, due do anti-AI-scraper sentiment.
We found on several occasions that some shady retailers would find the CIDR of the manufacturers corp networks and comply with the MAP policies on pricing if traffic came from them. Then when our bot went through with obviously generic AWS / Proxy ips we would see a much lower price that broke their agreement. That one was a fun realization for the manufacturers as to the level of shadiness some retailers would go through.
On the other side, this is the approach that I'm currently using, without any problem for my particular case.
I'm not sure what trust you need--HTTPS gives you the confidence that your connection hasn't been read or modified as it passed through the VPN provider, and frankly, I trust Mullvad more than I trust AWS.
The difference is that the ratio of abusive to legitimate traffic tends to be much lures with VPNs. Because a VPN isn’t 100% anonymous and just shifts the trust boundary to the VPN provider, most hard-core criminals won’t use them. So your traffic tends to be mixed in with folks who just want to pirate movies, watch Netflix shows that are only available in other countries, avoid geo-pricing surcharges, or who just care about privacy in the abstract. And then they use their VPN for all their web browsing, since they already paid for it. Tor is used by all sorts of folks who are trading kiddie porn, hacking into systems, scraping large quantities of data, buying & selling drugs, and doing other outright criminal things. Most abuse-detection systems care a lot about the legit:malicious ratio. An IP that is 95% legit but 5% malicious traffic will usually go through, as long as the malicious traffic doesn’t crash the system. An IP that is 80% malicious usually won’t.
When I browse through Tor, big websites like Reddit, Google, or anything protected by climate Cloudflare will 429 me, even if I’m just innocuously viewing a page or making a search in a regular browser. In a VPN, it almost always goes through, except for rare transient moments when somebody else is running a scraper through that endpoint.
Counterintuitively, it can often be better to use a system that is less secure, because lots of other people use the system with less security and so your actions get lost in theirs. Systems that are more secure are used by more hardcore criminals, and so they have more eyes on them. In these days of stochastic guilt, it’s often better to be doing naughty things in a law-abiding population than to be a legit user in a criminal population.
For this reason a large part of Mullvad's infrastructure is hosted by M247 Ltd. If you simply block that ASN you will block quite a large part of Mullvad. You can block the ASN by using one of the myriad services that allow you to query all the IP blocks assigned to an ASN.
It's also possible to simply enumerate all their servers. They have an API.
You might not get it all, but you can block a significant percent.
I've done it at work, this is on a blacklist of ASNs that require "extra" authentication
Sites know about them though. If you need to be even sneakier there's residential proxy networks.
So, a proxy? Onion routing doesn't really play a role for this use case.
The onion routing obscured our identity from the "proxy" exit nodes.
Separately, Tor was also a convenient way to get a lot of arbitrary country-specific "proxies", without dealing with the sometimes sketchy businesses that are behind residential IP proxies.
(Counterfeiting/graymarket operations can be organized crime. I'd rather just fire up Tor, and trust math a little, than to try to vet the legitimacy and intentions of a residential IP broker.)
https://www.vice.com/en/article/badonion-honeypot-malicious-...
https://www.princeton.edu/~pmittal/publications/raptor-USENI...
(Strange coincidence: We also had different key tech with the codename of Raptor, but it had nothing to do with Tor nor Web scraping. It was for discreet smartphone-based field auditing of physical product, in global physical retail and other locations. The codename was the result of a great morale-boosting impromptu brainstorming session between engineering and marketing people ("can you help think of a cool codename for this..."), and the resulting name highly apt, at least for the movie velociraptors. I built it, and, until Covid disrupted our F500 customers and investors, I was looking forward to hiring engineers to do further work on something cool-sounding like "Raptor", rather than "internal-app" or whatever first came to mind when creating the Git repo. :)
Where an AS level entity MITMs all outbound connections from a region in automated fashion for collection, before that traffic ever makes it to TOR or its destination.
It works for TOR, TLS, pretty much any protocol out there where key exchange or trust occurs; so long as the protocol is known and has distinct classifiable characteristics allowing computation to automatically do this.
There have been instances where public certs issued by a CA with the same domain names, but are issued from a root CA that is other than the legitimate site's root CA which are used for attacks. CT logs don't stop this either.
There is a lot of ephemeral content, and private information that can be both collected, and injected on a targeted basis if one has access to such junctions which the industry (Telecom) has proven time and again that they can't secure following basic practice; largely because mandates to backwards compatibility at the regulatory level.
Social credit, where invisible factors people don't control force those same people into poverty through targeted denial of service (communications for job hunting/social contacts), zersetzung, etc; that all would be a breeze to set up without any external indicator, or remedy using that attack.
What the target sees vs what everyone else sees would be quite different, and of course there would be people that gaslight and torture on top of it all (as a natural psychological defense mechanism of denial).
Compromised communications under such type of attacks are madness inducing.
I'm letting my imagination fill in the color on the specifics here and I'm working up a little grin.
A hat tip to you
One of the purposes was cold sales outreaches to an exec at a brand, maybe something like, "Here's a report about graymarket/counterfeit of your brand online, using data you probably haven't seen before; we have a solution we'd like to tell you about".
I think you have a valid general question (and you'll note I said "appropriate kind, IMHO" at the top of the original comment, acknowledging others might disagree that it was appropriate), but I'd like to contrast two distinct situations:
* A collegial forum, where people might go to share information, sometimes with discretion about what can and can't be said (or just comfort levels).
* A large corporation that was profiting off of illegal businesses (e.g., contract-violating, IP-violating, defrauding buyers, possibly fencing), and we wanted to gather evidence of that on behalf of some of the harmed parties, to try to stop it. And we did that in a technologically gentle, non-disruptive way. And (as I mentioned in the original comment) we had a conscious policy to immediately cease if we were ever told to.
They amount to the same thing as stating "we don't like if you do X and we'll probably ban you" but written in legalese so people take it more seriously.
Get the advice of an actual lawyer before relying on this of course.
To the parent, please do not try to lure info out of people it is just not cool online or in real life when people obviously are being generic for a reason.
though there are commercial residential-proxy services available
Plus I learned a lot -- it came out of some academic research that pursued a unique angle: finding and talking to the Tor exit node operators about their experiences, rather than just say the developers, the executives, or the funders.
I've met law enforcement people who talked about using Tor for anonymity during investigations, but in context they were looking for anonymity on the exit side rather than the entry side (so, a traditional VPN would have worked too). The original proposal about onion routing is focused on the security provided on the entry side (preventing local telecommunications operators from knowing whom you're communicating with).
Here’s my torrc:
SocksPort 0
ExitRelay 0
ORPort NNNN
DirPort NNNN
Nickname X
ContactInfo X@X.com
RelayBandwidthRate 80 megabits
RelayBandwidthBurst 120 megabits
MaxMemInQueues 384 megabytes
AvoidDiskWrites 1
HardwareAccel 1
NoExec 1
NumCPUs 1
$ sudo systemctl edit tor@default
[Service]
Nice=15
CPUAffinity=0
CPUWeight=60
StartupCPUWeight=6
IOWeight=60
TimerSlackNSec=100us
MemoryMax=896M
MemoryHigh=800M
OOMScoreAdjust=1000
LimitAS=2G
LimitNPROC=512
LimitNOFILE=10240
PrivateDevices=true
ProtectSystem=true
ProtectHome=trueWith the porn block in the UK though, the "New Private Window with Tor" in Brave is very convenient.
Maybe not for long, or maybe not. I guess websites don't need to comply beyond a certain point.
There are tons of "residential proxy" and whatnot type services available, IP being a source of truth doesn't seem to matter much in 2025. The Perplexity 'bot' recent topic being an example of that.
Basically if you want to access any resource on the web for a dollar a GB or so you can use millions of IPs.
Has someone interested in seeing privacy secured into the future, I’ve been happy that governments are accelerating their censorship for this reason.
The way to fight these draconian laws is via democratic means - even if it takes long and arduous. For example, enshrining privacy into constitutional guarantees etc.
TL;DR: Too much focus on laws, too little focus on trustworthy government?
The more consolidated the power, the less I trust. Governments are at the top.
That's what i was trying to get at, rather than any vagueness that is proposed in your comment about 'something floats your boat'.
That's why term limits in constitutions are a must, for example. And rights enshrined in it are immutable and forever.
Of course, you could argue that it's just a piece of paper, and without pre-existing trust, whatever is written there is meaningless. But the bootstrap, and continuation, of this trust, needs to be there, and i argue that it is from this piece of paper that other forms of trust are built.
I'd also say that what the people want should eventually trump any written text. Society changes, the rules that are the foundation need to be able to adapt over time. To me, that serves the people better than adherence to some supposedly forever-immutable scripture which, as a concept, bears too much resemblence to regligious holy text. In my taste.
That's the point. It's a politico-technological arms race. They make their silly laws. We make technology that works around them. With every cycle, we increase the tyranny required to maintain the same level of control over the population.
Either we win and become uncontrollable, uncensorable and free, or they win by becoming tyrannical totalitarian states nobody can escape from. Those are the only possible outcomes.
I assume there's a limit to how tyrannical the government is willing to become in order to control encryption and anonymization technologies. Governments are presumably founded on principles which serve as counterweights against boundless tyranny. It remains to be proven whether such principles will hold over time though.
there are VPNs that are proxied out of local residential IP because these gateways are running off users' machines; these VPNs are "free" (they make money by making you run their gateway, and then sell your IP to botnets for example).
i would want to envision a true p2p vpn network not too dissimilar to bittorrent (but without the spyware/malware).
(The most popular residential endpoint VPN… and botnet).
As an illustration of how bad things are on just the browser extension front: https://sponsor.ajay.app/emails/
For literature on this kind of thing, look into “PETS” (privacy enhancing technology) research. Incidentally, Tor spends a lot of time plugging these holes in their browser…
It doesn't need a highly skilled+funded state actor to avoid those mistakes.
To understand how, you should review the Princeton Report's Raptor attack, and understand how it works (2015).
I have not yet had time to find a suitable replacement machine. But running a bridge is a cheap, safe low network volume method people can help out from home. I had it going to help people in 'bad' countries to get out to the rest of the world.
A lifetime ago, I ran bridges from RAM only distros. But early versions of the Dan list (1st in wide use) killed that.
DL didn't try hard to differentiate between bridge IPs and exit IPs. Server hosts just grabbed the first list they saw and blocked with it.
It was years before the notion of Exit != Bridge became understood but everyone had moved on. We're at the entropic 'No One Cares Anymore' phase now.
Good question. I was probably running Tor-ramdisk. I just looked around can't find any reference that it could serve as a bridge.
From that I infer I was running as a relay.
- https://github.com/mikeperry-tor/vanguards/blob/master/READM...
- https://github.com/mikeperry-tor/vanguards/blob/master/READM...
- https://spec.torproject.org/proposals/344-protocol-info-leak...
Don't install addons in this browser. Don't resize the browser window. All tor browsers instances have the same default window size, which prevents websites from tracking you. Obviously don't login into websites with your regular email or provide websites with your PII.
If you are in a country or on a network that blocks the basic Tor network, the FAQ explains how to get around this by using Tor bridges or other techniques [2].
That's pretty much all you need to know.
A good overview is available at https://www.whonix.org/wiki/Tor_Browser#Unsafe_Tor_Browser_H...
Depends on the level of anonymity the end-user desires. That rabbit hole is deep, but not that deep: https://www.ivpn.net/privacy-guides/advanced-privacy-and-ano... / https://archive.today/9DhtT (by u/mirmir)
Wouldn't that in and of itself be a possible clue that someone was using Tor?
This mitigation helps protect the individual Tor user (e.g. with a unique 1726x907 px window) being fingerprinted across multiple sessions / sites.
> To prevent fingerprinting based on screen dimensions, Tor Browser starts with a content window rounded to a multiple of 200px x 100px. The strategy here is to put all users in a couple of buckets to make it harder to single them out.
Moreover, even if you resize your window, the browser tries to protect you
> by adding margins to a browser window so that the window is as close as possible to the desired size while users are still in a couple of screen size buckets that prevent singling them out with the help of screen dimensions.
[1] https://tb-manual.torproject.org/anti-fingerprinting/#letter...
I haven't kept up with the space much since then, so am unaware if there is more recent work.
In any case, there are valid threat models where you want to mitigate website fingerprinting but aren't necessarily concerned with AS-level adversaries.
In fairness, most of big tech are AS-level adversaries at this point.
Active attack through BGP-hijacking may be partially mitigated, but this isn't really needed for the most pernicious attacks which are interception/injection from a regional entity that's routing to the broader internet (outbound connections).
The same entities can do early transparent encryption termination for outbound connections (to the general web) since they have their own private signing keys tied to root trust CAs (just not the one the valid cert was issued to), and that lets them collect a treasure trove of forensic artifacts to improve their citizen dossier for advertisers/highest-bidder, or inject content that is ephemeral in nature.
Oh I had missed that, thank you btw! Need more of those BGP monitoring systems...
(and they performed an actual live BGP attack (not just simulation), neat)
You have to explicitly switch to "Safest" mode to turn it off completely.
>Why does Tor Browser ship with JavaScript enabled?
We configure NoScript to allow JavaScript by default in Tor Browser because many websites will not work with JavaScript disabled. Most users would give up on Tor entirely if we disabled JavaScript by default because it would cause so many problems for them. Ultimately, we want to make Tor Browser as secure as possible while also making it usable for the majority of people, so for now, that means leaving JavaScript enabled by default.
@media (min-width: 1000px) {
#tester-1000 {
background-image: url("1000.png");
}
}
Is that true?
If there are a million servers, and I control ten of them, and everyone else who has control of servers controls only nine each (so I have the largest number of servers, as you say), surely I will be missing out on almost all the traffic?
Do you suppose all entities able and willing to do this would cooperate with each other?
If you want to avoid global passive adversaries, a mixnet like Nym can work. I'm also working on a related project which takes a different approach of building your own circuit of proxy servers manually with lots of traffic padding: https://github.com/markasoftware/i405-tunnel
Onion endpoint sites use encrypted traffic and the padding strategy, too and are still susceptible to the correlation attack.
There's a security blog that publishes research papers on different attack models. It's a total PITA to find but I'll see if I can locate it.
edit: JFC... finally found it: https://www.freehaven.net/anonbib/
Correlation attack concept: https://www.ndss-symposium.org/wp-content/uploads/2024-337-p...
Attack against Mixnet and Nym: https://petsymposium.org/popets/2024/popets-2024-0050.pdf
Nym/Loopix (and I405, though it's so experimental I feel bad even talking about it) completely defeat end-to-end correlation attacks, where an attacker tries to find statistical similarities between the encrypted traffic on the first hop (from the user's home network to some proxy), and the final hop (from some proxy to the final destination clearnet site).
Tor is trivially vulnerable to end-to-end correlation attacks. In addition to the paper you posted, my favorite is http://petworkshop.org/2007/papers/PET2007_preproc_Sampled_t... , which describes how an adversary monitoring just a small fraction (<0.1%) of traffic at key internet exchanges could deanonymize many Tor users.
Nym/Loopix and I405 defeat end-to-end correlation attacks with the same basic idea: Send fixed-rate traffic on the first hop, regardless of whether the user is actually trying to send any tunneled traffic. Both sample from a statistical distribution to decide when to send the next packet, and they send an empty packet if there is no actual data to send. In this way, the traffic being sent on the first hop does not depend at all on the inner cleartext data the user is sending/receiving.
The Mixmatch paper, which AFAIK is the only published attack against Nym/Loopix, is NOT an end-to-end correlation attack. It relies on the attacker controlling one or more Nym "gateways" (equivalent of guard nodes in Tor) and therefore being able to decrypt traffic from users whose first hop goes through that gateway. Further, I believe that the attack described in this paper becomes increasingly difficult as the number of users increases, and the authors of the paper include Nym developers who are actively making changes to make this attack harder. It's not a fundamental weakness in Nym/Loopix, the way that E2E correlations are for Tor.
That being said, yes, feds can de-anonymize traffic, probably reliably at this point. There are only about 7-8000 active nodes, most in data centers. The less nodes you hop through, the more likely that traffic can be traced back to the entry point (guard node), and combined with timing can be reasonably traced back to the user. Tor works best with many, many nodes, and a minimum of three. There's not as many nodes as there needs to be so quite often it's only 3 you are going through (guard node/entry point, middle node, exit node)
Plus browsing habits can also be revealing. Just because someone is using Tor doesn't mean they also have disabled javascript, blocked cookies, aren't logging into accounts, etc.
There have been some cases where some consider the "other lapses in OpSec" to be parallel construction to disguise a Tor vulnerability/breach, and others where the government has declined to prosecute because they'd have to reveal how they know.
If Tor were compromised, we'd likely not know. It's highly likely that it's fine for "normal people" things.
... now my back hurts and I want the damn kids off my lawn.
I can't find a link, but I think people have done simulations and the privacy benefits of more hops are not as great as one might think. If you control the guard and exit, then traffic confirmation is relatively easy by just looking at timing and volume of traffic no matter how many hops are in between.
The tor project has network stats on their website: https://metrics.torproject.org/networksize.html
Looks like about 8,000 relays, inclusive of entry and exit nodes. Looks like about 2,500 exit nodes, and ~5,000 guard nodes. With that few I'd say it's reasonable to assume that a large number of both entry and exit are controlled by government agencies, at least enough to reliable to conduct timing attacks against a specific target they are interested in.
It's a little ambiguous.
Section 230 (which continues to be under attack) provides some legal immunity, along with the DMCA is a safe harbor against copyright infringement claims for the Tor relay operator. Running a middle relay is generally fine and safe.
But, running an exit relay is risky. Even if you can't be held legally liable for the traffic coming from the exit, you could still get raided, and it has happened before where exit node operators have been raided after the traffic coming out of it was attributed to the node owner.
That being said, it's legal to run an exit node (for now). The problem is more so dealing with the inevitable law enforcement subpoenas or seizures, and having the money and resources to prove you are innocent.
Tor was always a government tool.
Ulbricht wasn't caught because of flaws in Tor, but he made other mistakes. He posted stuff on LinkedIn alluding to his activities, he used a real photo on his fake IDs to rent servers, he used his real name, posting a question on stack over flow about running a Tor service, he posted his personal gmail, looked for couriers on Google+, and lastly paid an undercover cop for a hit.
As for getting his location, once the feds gained acccess to silk road, they matched up activity logs, his posting habits were consistent with being in the pacific time zone, and they matched up his user name between his posts on silk road as altoid and he reused the same screenname, associated with his gmail address and full name, on other websites.
A series of stupid opsec mistakes got him caught, not Tor.
Unless, of course, they want everybody, which even they don't have the resources to handle.
When did he sell drugs?
He facilitated drug sales. If you setup ‘clucks brick and mortar Silk Road’ you’d be just as guilty.
I don’t think that was ever rosses ethical objective though, I’m pretty sure he felt that drugs should be less illegal and safe. I’m under the impression that Silk Road had rules on what could be sold, and that post SR markets do allow those things, but I could be wrong.
Not defending him, but clarifying that it's not proven "he directly did that"
In a world where Tor is not a honeypot of some three letter agency, there are implementations of projects like Jim Bell's Assassination Politics. In a world where Tor is not a honeypot its use would be banned, much like the use of Tornado Cash was banned and shut down until the secret services took control of it.
And we obviously don't live in such world.
There are many places in the world where direct access to Tor is blocked. There are many countries where use of a VPN is illegal, VPNs are required to log by law, etc. I disagree with this premise.
"VPN services may soon become a new target of EU lawmakers after being deemed a "key challenge"" https://www.techradar.com/vpn/vpn-privacy-security/vpn-servi...
There are generally two types of countries, those that seek agency, independence, and freedom of rational thought and action; which requires privacy, and there are those that seek ultimate control, imposing dependence, coercion and corruption of reason; from the top down.
The cultures that seek total control generally fall under totalism and are parasitic in nature. The ones that seek agency, freedom, and independence, Protean.
Many comments talk about exit nodes for surveillance, but there is a totally different vector of use and considerations that dint apply when you aren't trying to access clearnet
And even on darknet it depends on what you’re doing
Reading the NY Times’ darknet site or forum or even nuet browsing darknet markerplace from Tor Browser, whereas I would use a Tor OS like Tails or dual gated VM like Whonix for doing something illicit
Arpanet: How a military project gutted personal privacy, destabilized self esteem and strangled attention spans
Just setup a vpn.