Nam Su writes: > 2012. 11. 8. AM 1:31 adrelanos <adrela...@riseup.net> wrote: > > > Nam Su: > >> Hello. I saw a blog post in Internet. It says the government > > > > Not only government. > Does ISP can track Tor users?
ISPs can tell which users are using Tor (unless the users use particular technologies that prevent this). They can't usually tell easily what the users are doing with Tor. If an ISP or government forbids the use of Tor, there is a risk that Tor users could be recognized as Tor users and punished, although I don't know of any particular case where this has happened. The reason that ISPs can identify Tor users in the basic Tor usage situation is that Tor users must connect to Tor entry nodes, and a list of all the public entry nodes' IP addresses is easily available from the directory servers. The same way that your Tor client chooses relays to connect to would allow someone else (like an ISP) to learn that those IP addresses are operating as Tor relays. This is one reason that the Tor project is interested in making sure that Tor is interesting and useful for many different kinds of users in many different situations, so that lots of people will use Tor for lots of different purposes. If this continues to happen, an ISP that notices that a user is using Tor won't be able to know for sure _why_ the user wanted to use Tor. However, the Tor project is also working on ways to let people connect to Tor without making it obvious to an ISP or government that the service being used is Tor. This is mostly being done for blocking-resistance purposes, because determining which network connections are related to Tor is a necessary step for blocking Tor (and makes blocking Tor quite easy). > >> can track Tor user with plugin like active-x and javascript. Is it true? > > > > Active-X / Flash: > > - Unless special setups are used, yes. It can establish direct > > connections and circumvent the proxy. > So, shouldn't I use active-x and flash? There is a risk when using them that a web site (or someone who can take over a web site) can figure out a Tor user's real IP address. Normally this is not supposed to be possible, but using ActiveX or Flash creates opportunities for sites to do so. > > Javascript: > > - Can not be directly used for deanonymization. Can be used for browser > > fingerprinting, linking all sessions to the same pseudonym and to > > collect loads of other data, see ip-check.info for example. > > - Risk for browser exploits and therefore leak the IP. > > Sorry. I have a poor English so I understand this JavaScript can't track my > ip but can track other information like timezone, macaddress, and windows > user name. I think there are some misunderstanding. Am I understand right? I don't think Javascript running inside the browser is supposed to be able to access MAC address or Windows user name. (This isn't a limitation of the Javascript language itself, but just a detail of the security sandbox policies that are supposed to be applied by browsers to restrict what web pages can do.) The time zone is normally available, although the Tor Browser in particular might apply extra restrictions to prevent sites from accessing information like this. > >> And what should I do not to be tracked? > > > > Use The Tor Browser Bundle and never stop learning. > > And I have one more question. Sometimes, I can't load Torcheck page *with > tor*. Can my government and my ISP can block torcheck page if I use Tor? They might be able to block Tor completely, but they should not be able to block particular pages or sites while allowing others. If you're able to use Tor at all, you should be able to access every web site via Tor. I'd like to recommend again a resource that I worked on with some of my colleagues: https://www.eff.org/pages/tor-and-https The original goal of this page is to help people understand why using both Tor and HTTPS is important (each one protects you against some things that the other doesn't). In particular, the graphic shows what information eavesdroppers at different locations within the network could see. The diagram might also help with some questions that have to do with the structure of the Internet or the design of Tor. One example is that our diagram shows that in all the cases we examine, the user's ISP recognizes that the user is using Tor, and the web site that the user connects to also recognizes that the user is using Tor. The particular value of Tor in this case is that the ISP doesn't know where the user is going, and the site doesn't know where the user is coming from. Instead of learning specific locations, both of these parties basically end up learning only "this person is using Tor"! Our diagram doesn't really address client-side tracking threats, like some of the threats you mentioned above in which a web site attempts to get your browser to turn over identifying information. In this diagram, we basically assume that your browser cannot be made to disclose information about your identity or location. A big concern for the Tor developers is that sometimes real browsers might be made to do this. Most of the work that has been done to address this kind of threat is described in the very detailed document by Mike Perry https://www.torproject.org/torbutton/en/design/ where he talks about particular details about ways that Firefox might reveal identifying or unique information about users or their locations, and ways that TorButton (now the Tor Browser) prevents those information flows. Since that document is a year and a half old, there might be several other information flows that Mike has managed to squash since then. :-) -- Seth Schoen <sch...@eff.org> Senior Staff Technologist https://www.eff.org/ Electronic Frontier Foundation https://www.eff.org/join 454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107 _______________________________________________ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
