You don’t necessarily need to use it to visit obscure onion services, you can also just use it to post on Lemmy, i.e. like a VPN, except without a VPN provider that can know which domains you connect to.
But if you’ve logged in to an account before on the regular web, then you can still be tracked because there’s that connection between clearnet you and Tor you, right? Or am I making stuff up?
For that particular site.
But the big thing about using Tor for normal things is that doing so helps to obfuscate traffic that governments want to track by surrounding it with “legitimate” traffic.
Yes, you’re correct. If you want to be hidden you need to only log into accounts that you’ve only accessed through TOR. IIRC, TOR actually tells you this when you open it for the first time, or at least it used to. It also tells you things like to not resize the window, because window size is a fingerprint that can be used to identify you. You shouldn’t full-screen or resize it. There’s a lot of ways to identify people that they don’t even think about.
Hmm alright, thanks
Sort of, as in, the site you’re logging into will know that you’re the same person. Obviously if it’s something like Lemmy, if you post public comments then everybody else will see that it’s the same person posting them. It used to be the case that your exit node could also see quite a bit of what you were viewing, which can indeed often be linked to things you did outside of Tor, unless the website you’re connecting to was using HTTPS. Nowadays, practically every website does that, so you should be good.
That said, I am not a security person, so if you’re a journalist protecting their sources or otherwise have a serious threat model, seek expert advice.
Hmm. So I’d have to limit it to stuff that I don’t have logins for?
Presumably, if you log in to a site, you want it to know who you are, so I think that’s fine. (Where “who you are” means “that whatever you do while logged in is being done by the same person as who did other things when logged in outside of Tor”.) So no, I don’t think you need to limit it to stuff you don’t have logins for. I’d only make sure to not login/visit a site if Tor browser actively tells you that it’s insecure (which it does when a site doesn’t use HTTPS), which is pretty obvious.
And for free!
I’ve read that there are more effective ways to deanonymize Tor traffic that goes through exit nodes, as opposed to accessing onion services, which is more secure.
Yeah it’s a spectrum, which basically runs from regular browsing -> VPN -> Tor browser for regular sites -> Tor browser for .onion sites. (And note that even .onion sites don’t need to be obscure Silk Road type sites - for example, this is DuckDuckGo. That’s still a legal privacy use case.)