Updated: July 1st at 6:30PM to add information about traffic correlation attacks.
We posted last week about the Tor Challenge and why everyone should use Tor. Since we started our Tor Challenge two weeks ago we have signed up over 1000 new Tor relays. But it appears that there are still some popular misconceptions about Tor. We would like to take this opportunity to dispel some of these common myths and misconceptions.
1. Tor Still Works
One of the many things that we learned from the NSA leaks is that Tor still works. According to the NSA "Tor Stinks" slides revealed by the Guardian last year, the NSA is still not able to completely circumvent the anonymity provided by Tor. They have been able to compromise certain Tor users in specific situations. Historically this has been done by finding an exploit for the Tor Browser Bundle or by exploiting a user who has misconfigured Tor. The FBI—possibly in conjunction with the NSA—was able to find one serious exploit for Firefox that led to the takedown of Freedom Hosting and the exploitation of its users. Firefox was patched quickly, and no major exploits for Firefox affecting Tor users appear to have been found since.
As the Tor developers noted in 2004, if someone is actively monitoring both your network traffic and the network traffic of the Internet service you're communicating with, Tor can't prevent them from deducing that you're talking to that service. Its design does assume that at least one side of the connection isn't being monitored by whomever you're trying to stay private from.
We can conclude from this that Tor has probably not been broken at a cryptographic level. The best attacks on Tor are side-channel attacks that rely on browser bugs or user misconfiguration, and traffic correlation attacks.
2. Tor is Not Only Used by Criminals
One of the most common misconceptions we hear is that Tor is only used by criminals and pedophiles. This is simply not true! There are many types of people that use Tor. Activists use it to circumvent censorship and provide anonymity. The military uses it for secure communications and planning. Families use Tor to protect their children and preserve their privacy. Journalists use it to do research on stories and communicate securely with sources. The Tor Project website has an excellent explanation of why Tor doesn't help criminals very much. To paraphrase: criminals can already do bad things. Since they are willing to break laws, they have much better tools at their disposal than what Tor offers, such as botnets made with malware, stolen devices, identity theft, etc. In fact, using Tor may help you protect yourself against some of the tactics that criminals use, such as identity theft or online stalking.
You are not helping criminals by using Tor any more than you are helping criminals by using the Internet.
3. Tor Does Not Have a Military Backdoor
Another common opinion that we hear is that Tor was created by the military and so it must have a military backdoor. There is no backdoor in the Tor software. It is true that initial development of Tor was funded by the US Navy. However, it has been audited by several very smart cryptographers and security professionals who have confirmed that there is no backdoor. Tor is open source, so any programmer can take a look at the code and verify that there is nothing fishy going on. It is worked on by a team of activists who are extremely dedicated to privacy and anonymity.
4. No One in the US Has Been Prosecuted For Running a Tor Relay
As far as EFF is aware, no one in the US has been sued or prosecuted for running a Tor relay. Furthermore, we do not believe that running a Tor relay is illegal under US law. This is, of course, no guarantee that you won't be contacted by law enforcement, especially if you are running an exit relay. However, EFF believes this fact so strongly that we are running our own Tor relay. You can find out more about the legalities of running a Tor relay at the Tor Challenge Legal FAQ. However, if you are going to use Tor for criminal activity (which the Tor Project asks that you not do), you can create more problems for yourself if you get prosecuted. Criminal activity also brings more scrutiny onto Tor, making it worse for the public as a whole.
5. Tor is Easy to Use
You might think that because it is privacy software Tor must be hard to use. This is simply not true. The easiest way to get started with Tor is to download the Tor Browser Bundle. This is a browser that comes pre-configured to use Tor in a secure manner. It is easy to use and is all you need to start browsing with Tor. Another easy way to use Tor is with Tails. Tails is a live operating system that runs on a DVD or thumb drive. Tails routes your entire Internet connection through Tor. And when you shut it down, Tails “forgets” everything that was done while it was running.
6. Tor is Not as Slow as You Think
It is true that Tor is slower than a regular Internet connection. However, the Tor developers have been doing a lot of hard work to make the Tor network faster, and it is faster today than ever before. One of the best things that can be done to speed up the Tor network is to create more relays. If you would like to contribute to making the Tor network faster, you can check out our Tor Challenge.
7. Tor is Not Foolproof
Tor is not perfect; you can destroy your own anonymity with Tor if you use it incorrectly. That's why it is important to always use the Tor Browser Bundle or Tails and make sure that you keep your software up to date. It is also important to remember that if you log into services like Google and Facebook over Tor, those services will still be able to see your communications within their systems. Additionally, Tor users should be mindful of the fact that an adversary who can see both sides of their connection may be able to perform a statistical analysis to confirm that the traffic belongs to them.
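To make the traffic correlation limit described above and under "Tor Still Works" concrete, here is an added illustration (not from the Tor Project or the original post) of why timing patterns survive encryption and relaying. The packet counts, flow names and the two-second delay are constructed for the example, and a simple Pearson correlation stands in for whatever statistical analysis a real observer would use.

```python
from math import sqrt

# Constructed packet counts per one-second window; not real captures.
# ENTRY is what an observer on the user's side of the connection sees.
ENTRY = [0, 12, 3, 0, 0, 25, 7, 0, 1, 18, 0, 0, 9, 2, 0, 14]
# Flows seen on the service's side of the connection (hypothetical names).
EXIT_FLOWS = {
    "flow_a": [5, 6, 5, 4, 6, 5, 5, 6, 4, 5, 6, 5, 5, 4, 6, 5],      # steady stream
    "flow_b": [1, 0, 0, 11, 4, 0, 1, 24, 6, 1, 0, 17, 1, 0, 10, 2],  # ENTRY, 2 s later, with jitter
    "flow_c": [20, 0, 0, 3, 15, 0, 0, 0, 8, 0, 22, 1, 0, 0, 5, 0],   # bursty but unrelated
}

def pearson(x, y):
    """Pearson correlation of two equal-length series (0.0 if either is constant)."""
    n = len(x)
    mean_x, mean_y = sum(x) / n, sum(y) / n
    cov = sum((a - mean_x) * (b - mean_y) for a, b in zip(x, y))
    var_x = sum((a - mean_x) ** 2 for a in x)
    var_y = sum((b - mean_y) ** 2 for b in y)
    if var_x == 0 or var_y == 0:
        return 0.0
    return cov / sqrt(var_x * var_y)

def best_lag_score(entry, exit_side, max_lag=3):
    """Highest correlation over assumed relay delays of 0..max_lag windows."""
    return max(
        pearson(entry[: len(entry) - lag], exit_side[lag:])
        for lag in range(max_lag + 1)
    )

def rank_flows(entry, exit_flows, max_lag=3):
    """Return (flow name, score) pairs, most similar timing pattern first."""
    scored = [
        (name, round(best_lag_score(entry, flow, max_lag), 3))
        for name, flow in exit_flows.items()
    ]
    return sorted(scored, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for name, score in rank_flows(ENTRY, EXIT_FLOWS):
        print(f"{name}: {score:+.3f}")
```

Encryption hides what the packets contain, not when they move, which is why Tor's design assumes that at least one side of the connection is not being watched.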
Tor is some of the strongest anonymity software that exists. We think that it is important to dispel misconceptions about it so that the public can be more informed and confident in its usefulness. There are many great reasons to use Tor and very few reasons not to. So get started with Tor, and take back your privacy online.