
Anonymous Browsing On Android Phones Using Tor (109 comments)

Posted by Soulskill on Sunday October 25, @09:43AM
from the privacy-on-the-move dept.
cellphones
privacy
ruphus13 writes "Privacy is becoming a scarce commodity, especially with geo-aware phones. Now, Android phone users can browse anonymously using Tor — a capability, until now, limited to the desktop. From the post: 'We have successfully ported the native C Tor app to Android and built an Android application bundle that installs, runs and provides the glue needed to make it useful to end users. Secure, anonymous access to the web via Tor on Android is now a reality,' writes Guardian Project team member Nathan Freitas. The Tor 0.2.2.6-alpha release uses toolchain wrapper scripts to run Tor without requiring root access."

This discussion has been archived. No new comments can be posted.
  • !secure (Score:5, Informative)

    by sopssa (1498795) * on Sunday October 25, @09:43AM (#29864529)

    Secure, anonymous access to the web via Tor on Android is now a reality

    People should really stop using the word secure with Tor. Anonymous, sure, but you actually forfeit some of your security and privacy when using Tor. Anyone can snoop your outgoing connections from an exit node, or if you're using https or other secure connection, change the certificates. On top of that there's a chance the exit node changes your http pages in addition to stealing or just snooping for information. Implying "secure" in news like this gives a lot of false sense of security to users, like has been seen many times before.

    Eavesdropping by exit nodes

    In September 2007, Dan Egerstad, a Swedish security consultant, revealed that by operating and monitoring Tor exit nodes he had intercepted usernames and passwords for a large number of email accounts.[15] [wired.com] As Tor does not, and by design cannot, encrypt the traffic between an exit node and the target server, any exit node is in a position to capture any traffic passing through it which does not use end-to-end encryption, e.g. SSL. While this does not inherently violate the anonymity of the source, it affords added opportunities for data interception by self-selected third parties, greatly increasing the risk of exposure of sensitive data by users who are careless or who mistake Tor's anonymity for security.[16] [securityfocus.com]

    Another thing is that you are still usually leaking DNS queries to your ISP, which may even return false results if you're being censored in China or something and they still see what sites you're visiting.

    The summary also quickly mentions geo-aware phones. If you happen to be using that bad exit node, now your geo-location updates will be transmitted via it too. And governments should be able to set up a lot of different exit nodes all around the world easily.

    So no, it's not secure. It's maybe anonymous, if you use it correctly and don't log in to your banking, slashdot account or whatever with it.

    • Re: (Score:3, Insightful)

      TL;DR : only use Tor if you know what the hell you are doing.

      • TL;DR : use Tor for what it was meant to do.


        • The Devil's in the details here and the OP provided sufficient details. Your summary doesn't. And furthermore, the "TL;DNR" meme is yet another example of willful ignorance in snarky packaging.

          Relax guy. I was only trying to humorously point out that if you want to use programs like Tor you have to know about the details (like the OP) otherwise you're actually making things worse. Which excludes most of the population, who will probably understand more of my summary than of the OP's post. You can remove the rod from your backside now.

          • I understand the attempt at humor. However, your "summary" doesn't point out that you need to know the details. Someone may think they "know what the hell [they're] doing" simply because they know how to use TOR or even the basics of how TOR works. But without understanding the ramifications that the OP pointed out, they fall into the same danger.

            Yes - your "summary" is nice and easy to digest and I'm sure there's a lot of people who understand it (or at least, THINK they understand it) better than the

            • Re: (Score:2, Informative)

              by Anonymous Coward

              The count attacks got it wrong. Tor works in combination with privoxy and that routes DNS requests over Tor to avoid letting your ISP know what sites you are surfing. Stop spreading this FUD. Certainly users need to be educated about these issues - and not all will understand the implications. The problem is people here don't seem to understand Tor either and make false or misleading statements about it.

    • Re: (Score:3, Informative)

      by tolan-b (230077)

      > or if you're using https or other secure
      > connection, change the certificates.

      Am I missing something here? I know about Tor MITM attacks from exit nodes, but how are they supposed to fake a cert? Seeing as proper certificates 'guarantee' identity as well as encryption.

      Assuming they're not using that null in the name string attack. But let's assume they're using a secure browser to begin with :)

      • by sopssa (1498795) *

        Just create a self-signed certificate in the middle. It probably wouldn't work for people who always check the certificate and its validity, but I can bet there's enough stupid people who just click "OK, continue anyway".

        • by schon (31600)

          So in other words, it's no more or less secure, and you were just blowing smoke?

          • It's about opportunity. Any attack that your ISP can perform on a normal connection, a random Tor exit node operator can perform over Tor. It's up to you to decide whether you can trust your ISP more or less than a Tor exit node operator. If you live, for example, in Iran then you possibly can't, but if you live in most of the western world then you probably can.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      THANK YOU!

      Tor is only secure for doing anonymous things.
      The instant you log in to anything, you are really risking giving up that information and breaking the point of the system in the first place.
      The creator really needs to put this in as a warning in big red letters.

    • Another thing is that you are still usually leaking DNS queries to your ISP, which may even return false results if you're being censored in China or something and they still see what sites you're visiting.

      any traffic passing through it which does not use end-to-end encryption, e.g. SSL.

      Well, like any other security/anonymity tool it only works for users who know their stuff and use it carefully. Don't access sensitive information without end-to-end encryption, and for heaven's sake make sure DNS queries ar

    • Another thing is that you are still usually leaking DNS queries to your ISP, which may even return false results if you're being censored in China or something and they still see what sites you're visiting.

      I believe you don't leak DNS queries if you use tor like a SOCKS proxy (therefore proxying the DNS queries). Although the exit node could mess with your DNS queries if you do so (a hard security trade-off, to be sure).
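Added example, not part of any comment in this thread: whether DNS leaks through a SOCKS proxy depends on what the application puts in its connect request, a hostname (the proxy resolves it) or an already-resolved IP (the lookup happened locally first). The sketch below parses a SOCKS4/4a/5 connect request and reports which case it is; `classify_socks_request` and the sample byte strings are constructed for illustration, and the field layouts follow RFC 1928 and the SOCKS4a convention.

```python
import ipaddress
import struct

# Constructed sample requests (not captured traffic). The SOCKS5 ones are the
# request message only, i.e. what follows the method-negotiation greeting.
SAMPLES = {
    "socks5_domain": b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + b"\x01\xbb",
    "socks5_ipv4": b"\x05\x01\x00\x01" + bytes([192, 0, 2, 10]) + b"\x00\x50",
    "socks5_ip_as_text": b"\x05\x01\x00\x03" + bytes([10]) + b"192.0.2.10" + b"\x00\x50",
    "socks4a": b"\x04\x01\x00\x50\x00\x00\x00\x01" + b"\x00" + b"example.com\x00",
    "socks4": b"\x04\x01\x00\x50" + bytes([192, 0, 2, 10]) + b"user\x00",
}


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_socks_request(data: bytes) -> dict:
    """Parse one SOCKS4/4a/5 connect request and report who resolves the name."""
    if len(data) < 8:
        raise ValueError("truncated request")
    if data[0] == 4:
        # SOCKS4: VER CMD DSTPORT(2) DSTIP(4) USERID NUL [HOSTNAME NUL]
        port = struct.unpack("!H", data[2:4])[0]
        ip, rest = data[4:8], data[8:]
        user_end = rest.index(b"\x00")  # ValueError if the terminator is missing
        # SOCKS4a marks "hostname follows" with the invalid address 0.0.0.x, x != 0.
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            host_end = rest.index(b"\x00", user_end + 1)
            host, proto = rest[user_end + 1:host_end].decode("ascii"), "socks4a"
        else:
            host, proto = str(ipaddress.IPv4Address(ip)), "socks4"
    elif data[0] == 5:
        # SOCKS5: VER CMD RSV ATYP DSTADDR DSTPORT(2)
        atyp, proto = data[3], "socks5"
        if atyp == 0x01:
            host, end = str(ipaddress.IPv4Address(data[4:8])), 8
        elif atyp == 0x04:
            host, end = str(ipaddress.IPv6Address(data[4:20])), 20
        elif atyp == 0x03:  # length-prefixed domain name
            host, end = data[5:5 + data[4]].decode("ascii"), 5 + data[4]
        else:
            raise ValueError("unknown address type")
        if len(data) < end + 2:
            raise ValueError("truncated request")
        port = struct.unpack("!H", data[end:end + 2])[0]
    else:
        raise ValueError("not a SOCKS request")
    # An IP literal, even one sent in the domain field, means the application
    # (or the user) already had an address; no name reaches the proxy.
    return {"protocol": proto, "host": host, "port": port,
            "proxy_resolves": not _is_ip_literal(host)}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_socks_request(raw))
```

A request with `proxy_resolves` false does not prove a leak on its own (the user may have typed an IP), but a client that only ever sends addresses is resolving names outside the proxy.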

    • Re: (Score:3, Informative)

      by 56 (527333)
      The problem for me is that the actual android phone itself is logged into google! Doesn't that make it insecure by their very nature?

      I have an HTC Magic/G2, and I've often been concerned about this when connecting to an open wifi ap. I only use wifi, so the fact that my cell phone company can see my usage over 3g is a non-issue (canceled my data plan when the free trial ran out). But it seems to me that my google password is probably not well protected from whoever owns the ap I'm connecting to.

      I just dow

    • >>Secure, anonymous access to the web via Tor on Android is now a reality
      >
      >People should really stop using the word secure with Tor. Anonymous, sure

      Not even anonymous in some situations!
      Let's think about China: they control the network so they can easily know *who* is using Tor (by monitoring Tor's access gateways) and even though they don't know what you're doing with Tor, they know that you're trying to bypass the filtering..
      Now it depends on the number of Tor users, if they are numerous, you're

      • by sopssa (1498795) *

        In the Tor network the traffic is routed encrypted like you->middle node->middle node->exit node. But since protocols like http, ftp, irc and many IM networks don't support encryption, the exit node will always be able to monitor traffic. And those exit nodes can be set up by anyone.

        • Re: (Score:3, Informative)

          by Arancaytar (966377)

          Right in principle, but it's fortunately not as bad as you think.

          SSL is a transparent layer on top of TCP, which means any protocol can be tunneled through it, including HTTP and IRC. (Though for FTP, you'd tunnel through SSH instead.) Admittedly, few IRC networks support SSL at present, but that will hopefully change. Freenode says they're working on it. Either way, IRC traffic is generally semi-public and the most sensitive stuff is your NickServ password (enabling exit nodes to impersonate random people

      • I run an exit node, as can anyone. If I were sufficiently nosy, I could use Wireshark et al to listen in.

        It would be impossible to target or identify a specific person due to the randomized infrastructure, but phishing for non-SSL access to random online accounts is very possible.

        That's why you don't want to use Tor to log in anywhere that doesn't use SSL.

        • You could just port filter it for IM, sit back and read, how many use encrypted settings?
          Less risk and something new everyday.
      • It's an issue of opportunity. If you want to sniff traffic, you have to put yourself into a position to do so. Either you work for a large enough network that gives you access to the appropriate devices, convince those network owners that they should provide you with information, insert your own devices in someone else's network, or you build your own network large enough for sufficient targets. Setting up an exit node allows you to slip in your own device in a large network with very little cost.

  • The company who figures out how to protect our privacy while using all the cool gadgets and online tools is going to make a boat load of money.
    • by CharlyFoxtrot (1607527) on Sunday October 25, @09:50AM (#29864567)

      The company who figures out how to protect our privacy while using all the cool gadgets and online tools is going to make a boat load of money.

      Because you know these days we need companies to do what the governments should be doing.

        • So government should disallow "all the cool gadgets and online tools" so stupid people who don't know how to use them can maintain their privacy?

          No, they should regulate the companies based in their countries to respect people's privacy. Mind blowing concept, huh ? The EU actually has made some progress [wikipedia.org] towards this but not enough.

          The whole reason we have this representative government thing is to make sure the rights of the many aren't violated for the good of a few. It'd be nice if governments grew a pair and started doing their job.

          • > It'd be nice if governments grew a pair and started doing their job.

            It'd be nice if voters grew some brains and started doing their jobs too.

            Hopefully the US people get lucky with Obama...
    • In most of the "cool gadgets" cases, the problem is a security/convenience trade-off. You wouldn't be using them for entertainment if they were inconvenient enough to guarantee privacy.

      However, in other respects you have a point - political dissenters are still using Facebook and Twitter to organize (eg. in Iran), and these users have to be provided either with a secure if inconvenient way to use them, or with a better (if inconvenient) alternative.

    • Companies are already making too much money abusing our lack of privacy. Why stop now?
      • Re: (Score:3, Funny)

        the more companies that make money by abusing our privacy, the more demand there is for privacy tools. The company which solves this problem will make a boat load of money.
  • You must still assume that the Tor nodes you are using are not hacked NSA or Chinese intelligence agency nodes, with a nice 'log traffic to disk' function added. If you really care, you need something like Opportunistic Encryption.

    • Re: (Score:3, Funny)

      You must still assume that the Tor nodes you are using are not hacked NSA or Chinese intelligence agency nodes, with a nice 'log traffic to disk' function added. If you really care, you need something like Opportunistic Encryption.

      So you shouldn't use it if you don't want to be a Tor-get of investigation? :>

    • If you have data that's so important that you don't want the Chinese or NSA looking at it, send it by snail mail on a disk!
        • by sopssa (1498795) *

          Too easily intercepted. The only way to keep it secure is to whisper it in someone's ear on a lonely beach.

          Until you realize that there's a guy listening to your conversation under you in the sand.

        • If you have data that's so important that you don't want the Chinese or NSA looking at it, send it by snail mail on a disk!

          Too easily intercepted. The only way to keep it secure is to whisper it in someone's ear on a lonely beach. Time was when crowded streets and shopping malls might have been good, but there seem to be cameras everywhere these days...

          When I was a kid, Mr Blair's "1984" seemed a little improbable. Now it's just old hat.

          Why not just encrypt the disk? Are you worried about the two generals problem [wikipedia.org]?

    • No, use end-to-end encryption with either pre-shared keys or keys signed by a mutually trusted party in addition to Tor. Don't just use Tor by itself and expect it all to be happy and magic.
    • by arevos (659374) on Sunday October 25, @03:59PM (#29867101) Homepage

      You must still assume that the Tor nodes you are using are not hacked NSA or Chinese intelligence agency nodes, with a nice 'log traffic to disk' function added.

      Tor is a service for browsing anonymously, not securely. Security is handled by SSL.

    • Re: (Score:3, Interesting)

      by AHuxley (892839)
      not hacked NSA?
      The NSA could set up front companies ie telcos or cut out political rights groups, students, uni profs boxes and just connect the dots in the USA.
      As the NSA is every telco, ips in the USA, getting an entry IP and tracing back to the exit etc. is not hard with their budget.
      As the NSA now faces inward, TOR in the USA is now another fun computer project at best.
      Sneaker net people or meet and greet with an understanding of one-time pads :)
  • I'm sure cell companies will be thrilled to hear this, with Tor and other onion routing systems using several times the bandwidth of a typical direct connection.
    • by sopssa (1498795) *

      I'm pretty sure they don't really care, this isn't going to be in that widespread use anyway.

        • by skeeto (1138903) on Sunday October 25, @02:55PM (#29866691) Homepage
          The phone won't be acting as a node, though. Cell towers wouldn't carry any extra traffic than normal.
        • Re: (Score:3, Informative)

          by Smurf (7981)

          let me clarify: since a given tor node is not just handling its own demands, but is also relaying other nodes' traffic, (...)

          That's where you're wrong. A Tor client isn't required to be a node, i.e., he is not required to relay traffic for others. It is basic etiquette to become a node if you use the client, but no one is forcing you. Why do you think Tor is so slow? Leechers!

          So, if relaying traffic is turned off on the cell phone client (and it IS turned off by default on the desktop clients), the total bandwidth consumed is going to be the one of the direct connection plus the overheads of all the layers of encryption, which is

  • by zoloto (586738) on Sunday October 25, @10:43AM (#29864869)
    I use TOR mostly for browsing .onion sites, inaccessible without it. Also, if you set up your connection/system properly, you *can* browse anonymously. The idea is that your ISP and external website (and exit node) can't identify who you are. This is a VERY good thing. I would, however, not log into any service that could identify me as "me" online through tor. Ever.

    As a personal opinion, many of the .onion services (forums etc) are more interesting than what's on the rest of the public internet anyways. It's amusing and interesting to see what people have to say on forums when they are really able to be anonymous (trolling aside).
  • Wonderful, now we can route our already-pokey 3G connections through a whole bunch of nodes to make them feel like old 2G connections.

    Is retro back in style?

    • Wonderful, now we can route our already-pokey 3G connections through a whole bunch of nodes to make them feel like old 2G connections.

      Is retro back in style?

      I just spoke with kibo; he says yes.

    • Not to mention the localization issues. The one time I used tor, loading up google gave me a brief scare when it appeared in Cyrillic. For a split second I thought I had somehow accessed some secret KGB google.

      Subsequent split seconds were spent laughing at that first thought.

  • Tor is useless. It's a neat idea but doesn't work in practice due to bandwidth problems. Every time I have tried it, connections almost always time out without receiving data. The few times I do receive data it can take minutes for a web page to appear, say nothing of the images which would still need to load.

  • Speed (Score:4, Funny)

    by YourExperiment (1081089) on Sunday October 25, @02:58PM (#29866733)
    Tor is a wonderful piece of software, but browsing with it can be somewhat slow at times. Mobile internet is also a great invention, but can be frustratingly slow. Thank heavens that no-one is proposing using these two technologies in combination!
    • You.. are clueless.

      Don't want your Android phone's data in the cloud? No problem. The gmail account that ties to your phone need not have any personal information in it. Don't want your phone's contacts to sync to the Google account? Turn off contact syncing. It's that simple.

      Don't want Google Latitude to function with your phone? It'll ask when Google wants to know your location. Tell it to fuck off forever more. It does.

      I know.. what an invasion of privacy. Those bastards. If this is the sort of behavior t

        • If a state task force or the feds have a roving warrant, unless you remove the battery, you are fair game.
          As mentioned, talk in the ocean, change phones every week, never use your home computer for anything but games and sport etc.
    • That doesn't do the same thing. It actually does something more useful; preventing the owner of the random WiFi hotspot you're using from snooping on your traffic. Tor, on the other hand, prevents the remote site identifying you. If you connect to Slashdot, for example, through Tor then you will connect to a Tor peer and it may then relay your connection via other Tor peers, and eventually it will be bounced out and Slashdot will think your connection comes from a random Tor exit node. In theory, the To