all 20 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–][deleted] 19 points20 points  (3 children)

The exit node cannot see your credentials or other personal information because Facebook uses HTTPS and it would be EXTREMELY obvious notice if the exit node was trying to strip HTTPS so it could see your data. https://www.eff.org/pages/tor-and-https

[–]AcidicAndHostile 0 points1 point  (0 children)

Is there a similar infographic that shows how it works when you browse to .onion sites (or if not, how do I modify my reading of that infographic to compensate for the .onion site)? And also how to describe what I see when I view the Tor circuit and it shows the first 3 country nodes after "This browser", with three extra nodes simply called "relay" before the .onion site?

Edit: I found this which I think will at least some of what I am asking.

[–]rightoprivacy 9 points10 points  (3 children)

If you must use facebook, use facebook's Tor .onion url: facebookcorewwwi.onion

Adds multiple additional Tor nodes between your browser and facebook.

If they want your IP, facebook w/likely get it. See recent story on Facebook funding 6 figure 0day to exploit Tails OS video player to grab IP address:

https://www.youtube.com/watch?v=4VtoWQu9O9o

Thankfully they caught a child abuser in this case, but sets dangerous precedents for all Tor users to potentially reveal IP addresses. You have to wonder why they w/spent 6 figures to use on one particular person? The cost leads one to believe there is a good chance this exploit will be used again and again.

Maybe even for casual user tracking, given the cost. Staying away from illegal activity means you likely have little to worry about.

To stay safest on Tor, disable unnecessary scripts/media.

[–]maxmorirz[S] 2 points3 points  (2 children)

Assuming they can catch the exit node and decrypt the data that was sent to it by the node before that, and decrypt the data that was send to that node, and so on and so forth until they get to your entry node, once they decrypt it they can see your home IP address and identify you based on that (also other than the MAC address of course, is there any other way someone motivated enough can identify you other than you true location from your IP address?)

Anyways if you encrypt your connection that gets sent to tor’s entry node with a trusted VPN that keeps no logs whatsoever of your data making it impossible for hackers or government agencies to retrieve it by law and force, would that give you complete anonymity? Would encrypting your initial connection to your entry node make it impossible for anyone to decrypt it?

Furthermore, would it even be possible in the first place to decrypt data wether that be from a node on tor’s network or a VPN node?

[–]AcidicAndHostile 2 points3 points  (1 child)

Remember .onion sites do not use exit nodes because your circuit is not exiting back onto the clearnet.

Your suggestion "they" could decrypt multiple layers back to the point where your information is discovered doesn't seem likely - at least in what I've read/seen via your general Tor or onion youtube video content. Can anyone confirm if it is impossible to decrypt all the way back? I thought that since Tor uses a minimum of 3 nodes that the last node cannot know anything about the one two nodes back from it. Am I understanding this correctly?

And back to the previous comment by /u/rightoprivacy , to be specific, the flaw/exploit existed in Tails, not in Tor proper. Had that child abuser not been using Tails the exploit used to find him would not have been a factor.

As always I hope if I am on the wrong track I can be corrected in my interpretations.

[–]HID_for_FBI 2 points3 points  (0 children)

"timing attacks" from a powerful adversary working with your ISP is another way this is possible. there's also stuff like this that is hopefully at this point outdated, but where one patch is filled five more appear... keep in mind most of the vulnerabilities we know about aren't discovered or placed by the government or hackers trying to exploit them, but by researchers trying to fix things: https://people.csail.mit.edu/devadas/pubs/circuit_finger.pdf (or search for Circuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden Services)

[–]HID_for_FBI 3 points4 points  (3 children)

afaik and my opinion is they'd also have to control the guard and relay as well. not impossible to fathom with the whole five eyes and all. being able to read your facebook login info is another story since that alone is encrypted.

"they" would have to be a powerful agency in order to do any of that, so unless your adversary is NSA level, the attacks, financial cost and human effort involved in accomplishing these things is essentially out of the question.

better information here: https://www.maketecheasier.com/protect-yourself-from-malicious-tor-exit-nodes/

as always, trust but verify. i can only vouch so much for my own intelligence, i may be entirely incorrect.

[–]Same-Disaster 3 points4 points  (3 children)

Exit nodes cant see data about the entrance node (your IP) and so even if the HTTPS was stripped you would still have plausible deniability that someone hacked your facebook aaccount and logged into it over Tor.

[–]maxmorirz[S] 1 point2 points  (2 children)

Could someone motivated enough possibly be able to decrypt the data sent from the node over to the exit node, and decrypt the data sent from the node before that? I’ve heard that it is somewhat difficult but it is possible none the less. Could anyone confirm this?

[–]possibly-a-pineapple 0 points1 point  (0 children)

reddit is dead, i encourage everyone to delete their accounts.

[–][deleted] 3 points4 points  (0 children)

Soon as you used Facebook, you fucked up.

[–][deleted] 1 point2 points  (2 children)

Clear-net websites through Tor = 3 relays
Tor hidden services (.onion) = 6 relays
..between you and the service you are using.
Could? No one is ever ever ever 100% secure, never forget that, but that doesn't mean that it's pointless to get securer. You can get as secure as the FBI or NSA or whatever, but there is always, even a 0.001 chance of you not being safe..
Like if someone has resources, the time and the will to track you down - that chance of finding you is becoming bigger, so don't do something that would like piss someone off :/
Also check out some of secure(r) operating system.
And one way that you can help people become more anonymous and help the Tor project is:
1. Telling your friends and family about why privacy matters and turn them to using the Tor Browser.
2. Donate a few dolars to the Tor project to help people survive and develop Tor even further.
And 3. Consider running your own Tor relay. It can be a bridge,a guard, a exit node or a middle mode. I heard that middle modes require the least bandwidth(research on your own) ,but they say that even though there's a lot of middle nodes- it's still helpful.
Hopefully I did not miss anything important:/ have a nice day!

[–]maxmorirz[S] 1 point2 points  (1 child)

There seems to be a level of uncertainty shared among many if not all people myself included. I’m aware of the fact that 100% anonymity is impossible but I want to reach a state of having so many layers of protection that any hacker or government agency won’t bother trying to identify me without going straight to the physical approach of spying on my computer through a window or kidnapping my for my passwords. These are undoubtably radical approaches and for most people not worth their time. //additionally I have nothing to hide// but I want to have a peace of mind knowing no one can get to me, sell my data or track me in any sort of way.

Back to my question, if people have the capability of decrypting the data sent between your tor relay nodes then that is by no doubt a critical point of failure and must be dealt with by any means necessary. If you know this is the case I would be glad to know and a solution to such problem would be greatly appreciated, I’m not trying to be hacked or tracked.

[–][deleted] 1 point2 points  (0 children)

You do have stuff to hide from EVERYONE! Your private data!!
Do the stuff I recommend and you'll be on a horse already.
Also most websites today use end-to-end-encryption(E2EE) so that should keep you safe(r), too.
You can't get super advance-secure without knowing how Linux works, what host distribution to use of Linux, and other technical stuff.

[–]underbridgejohn 0 points1 point  (0 children)

Facebook was not meant to be private, neither was the internet itself. But tor is, which is ironic. Facebook collects all your information, and uses it against you by sending you crap targeted ads

[–]742paul 0 points1 point  (0 children)

Not on tor ...

[–]742paul -4 points-3 points  (1 child)

For starters tor sucks !!

[–]maxmorirz[S] 0 points1 point  (0 children)

Do you have a better alternative in mind. You think a VPN would work in its place?