Tor Myths and Misconceptions page

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/w/index.php?title=Tor_Myths_and_Misconceptions&stable=0&redirect=no

@Patrick I gathered you don’t like these two small edits on the Tor Myths and Misconceptions page. I don’t think the first one is contentious:

Tor is the best solution for people in oppressive regimes. [7]

It is certainly debatable whether people living in oppressive regimes should utilize Tor. Aggressive censors and state authorities are highly likely to monitor connections to the Tor network and target those people for more intensive investigation since they are assessed as actively evading state authorities. Therefore, despite the many risks, this may be one situation where it is safer to utilize a VPN in isolation, or first connect to a VPN before Tor (although this provides very weak protection against advanced adversaries).

That is, those of us who don’t risk having the door kicked in just because we’re using Tor are probably okay, but if you live in sketchy countries in Asia, South America, Eastern Europe etc., Tor is not your friend. I think that is borne out by evidence.

This second one you may not like, but it is backed up by a couple of people who seem to know what they’re talking about: 1. grugq & 2. @madaidan, who knows a thing or two :wink: They both make a strong case, i.e. since Tor Browser is based on Firefox and it lags the competitor browsers in a number of security features, it is not the uber-strong browser a lot of people think it is (although good with respect to privacy features), e.g. I see they’re still working on ‘Project Fission’ which Chrome has had for some time, and a million other things.

Tell me what you don’t like or we can cut anything particularly contentious.

Tor Browser is highly secure. [7] [8]

Some security experts have opined that it is a risky proposition to run Tor Browser because state-level targets are reduced to a relatively small set of Firefox versions. While Tor Browser is good for anonymity – since it creates a large group of homogeneous users – this is also a security risk, since any critical bugs will affect the entire population.

It is notable that Tor Browser is a modified version of the “extended support release” (ESR) browser. In contrast to release builds that are available approximately every month which patch all identified and resolvable bugs, ESR versions are usually earlier release builds that only patch critical and high security bugs. This means the code base may have publicly patched critical/high bugs that are months old, and medium/low bugs are never patched at all (“forever bugs”; that is until ESR is rebased on a later Firefox build every year or so).

Although The Tor Project is considering basing Tor Browser on the latest Firefox release in the future, the wait might be lengthy. In the meantime, state-level adversaries are highly likely to attack Tor Browser by:

  • Monitoring critical/high patched vulnerabilities in less stable channels (Nightly, Beta etc.) and checking whether they are still exploitable in Tor Browser; this exposure might last many weeks.
  • Chaining medium/low vulnerabilities together to achieve an exploit like remote code execution; this provides a permanent window of opportunity.
  • Attacking other unknown or unpatched Firefox vulnerabilities (since it relies on a huge number of libraries) which may exist for an extended period.

Whonix ™ developer madaidan has also noted that Firefox lacks many security features that are available in other browsers like Chromium. Firstly, the sandbox is relatively weak, for example:

  • The seccomp filter is weaker.
  • The sandbox lacks site isolation.
  • Dangerous system calls are available in Windows.
  • X11 sandbox escapes in Linux are relatively easy and there is no GPU process sandboxing.

In addition, many exploit mitigations are missing in Firefox:

  • There is no hardened memory allocator.
  • Control-Flow Integrity (CFI) has not yet been implemented to prevent code reuse attacks like ROP or JOP.
  • JIT hardening techniques have far fewer mitigations than in other browsers.
  • Arbitrary Code Guard (ACG) and Code Integrity Guard (CIG) are not yet available to prevent execution of malicious code.

I guess you mean this:

https://medium.com/@thegrugq/tor-and-its-discontents-ef5164845908

Arguments made on Combining Tunnels with Tor aren’t addressed.

Currently (I edited this once again):

Tor is the best solution for people in oppressive regimes. [7]

It is certainly debatable whether people living in oppressive regimes should utilize Tor. Aggressive censors and state authorities are highly likely to monitor connections to the Tor network and target those people for more intensive investigation since they are assessed as actively evading state authorities. Therefore, despite the many risks this may be one situation where it may be safer to utilize a VPN in isolation, or first connect to a VPN before Tor (although this provides very weak protection against advanced adversaries).


, or first connect to a VPN before Tor (although this provides very weak protection against advanced adversaries).

Is it realistic that more than a handful of users worldwide would manage to set up a VPN before Tor with a fail-closed mechanism before ending up on a watch list or worse?

and target those people for more intensive investigation

This could use some citations / references.

I am not aware of related statements. Reference please.

Actually seems like the opposite opinion to me. See:
VPNs | Madaidan's Insecurities

Ignoring above two bullet points:
How realistic is it that users set up that VPN using a fail-closed mechanism?


This is later somewhat contradicted…?

While it is true that encrypted, VPN, and Tor-related traffic are particularly interesting to the IC,


  1. a user residing in an oppressive regime
  2. visited an oppressive regime website
  3. learned about VPNs
  4. set up a VPN
  5. re-visits the oppressive regime website

The user can still be tracked due to trivial cookie-based tracking.


  1. a user residing in an oppressive regime using a VPN
  2. an ISP-level adversary can see the IP of the VPN the user is connecting to
  3. the user visits a website where the oppressive regime is logging

If the oppressive regime can correlate the IP logged on the website with ISP logs knowing which VPN IP was used, then there’s no anonymity at all.


Advice couldn’t really be “use a VPN”. That’s making huge implicit assumptions. Undocumented further steps required.

Under various assumptions…

  1. user clears cookies, supercookies, and whatnot
  2. installs a VPN
  3. uses a fail-closed mechanism
  4. adversary doesn’t use VPN fingerprinting
  5. picked a trustworthy VPN provider sharing data with adversary which is difficult ( Combining Tunnels with Tor )
  6. not sure what I’ve forgotten, what else
  7. VPN either doesn’t lead to being added to watch list or less severe watch list if that exists
  8. at the same time not advanced enough to perform above rather simple correlation attacks

…then yes, I can see a VPN might make sense. The problem is, I don’t think these assumptions are realistic.

Good points - not going to argue with any of that. Instead of this:

Therefore, despite the many risks this may be one situation where it may be safer to utilize a VPN in isolation, or first connect to a VPN before Tor (although this provides very weak protection against advanced adversaries).

Maybe replace with:

Therefore, this may be one situation where it is safer to use Tails on a USB and never from a home/work address or any other familiar location that can be linked to the user. This would require Tails being downloaded, installed and used from suitably random and distant locations; this is itself a difficult proposition beyond the scope of this entry. [ref] For instance, if PC cafes or public libraries were used for this purpose, risks include the method of payment, possible CCTV monitoring, website monitoring, and detection of (attempted) connections to the Tor network by the local network administrator.[/ref]


On second thought - let’s just delete this section completely. Too speculative.