"...makes it much harder for bad guys to"

I prefer the term "evildoers" myself.

Using TOR it is possible to also access content which is only available in certain countries such Pandora, and maybe even BBC iPlayer (Pandora definitely works, haven't tried iPlayer yet).

Unless the "bad guys" are operating the exit nodes...

http://arstechnica.com/news.ars/post/20070910-security-expert-used-tor-to-collect-government-e-mail-passwords.html

ok, that exit node issue is enough to turn me off from using this. thanks for posting.

#3: "Unless the "bad guys" are operating the exit nodes..."

Yikes, that's pretty huge! I mean, I guess it should be obvious to anyone who really thinks about it, that since anyone can operate a Tor node, your data could be sniffed by anyone from a government agent to a corporate front to some black-hat hacker.
This idea makes Tor a definite no-go for me.

Does anyone know anything about Steganos' anonymizer? It's $15 a month which sucks. (Free is good! But, I guess in some cases you do get what you pay for,)
https://www.steganos.com/us/products/home-office/internet-anonym-vpn/overview/

#4: I don't think you really understood the exit node problem. What was disclosed was information that can be sniffed anyway by your ISP or any other intervening node (in the case of email because your password is sent in plaintext unless you connect using SSL or tunnel the connection via another secure protocol).

The problem that was exposed in TOR is that due to the traffic being routed via other, arbitrary hosts an eavesdropper can serendipitously (for them) be between you and your email server (for example).

#5: If you were worried about being sniffed that product from steganos has the same problem. Your connection to them is encrypted, but from there them to the website it would not be, so steganos (more importantly some amoral employee) could spy on the same data you were worried about with TOR.

Also, their website is slightly misleading and scaremongering. Most tracking is done with cookies which their service would forward to you anyway and you are still tracked as eventually you have to identify yourself to buy anything. They state you should protect yourself when shopping online, but you would be an idiot to buy something from a non-SSL enabled website so their service adds no value there either (and I know SSL does not provide as solid a guarantee as one would like). As for "private email" if you are not using SSL along the whole path then you have to encrypt yourself anyway.

Steganos sound just like the "man-in-the-middle" that you are trying to avoid.

The primary problem is that people confuse 'security' with a number of other things. In this case for Internet communications, there are three things that people are assuming a 'secure' connection affords them:

1) Encryption : No one can read my words.

2) Anonymity : No one knows who sent my words.

3) In-traceability : No one can trace my words back to me.

TOR was never meant to do anything other than #3. #1 is done through SSL, SSH, or some other encrypting tool. #2 is done through remailers, or configuration of the messaging.

TOR works great for what it was meant for. But calling it a 'secure' connection is misleading.

I know not of these packets or nodes or what have you... what i do know is that tor slowed my connection to that of cold molasses...

nuff said

rosso: Thanks for the reality check. Good advice!

But I also agree with Candules: Tor does make the connection crawl to the point unusability.

...Can anyone clarify how this works with regards to Wikipedia? I can actually see this breaking the tyranny of several power-tripping underage admins(*) who're more interested in bullying Wikians than making sure articles are accurate, up-to-date, and above all else complete. Add to this the chance to constantly override the bullshit about "no trivia sections", and Wikipedia will begin to be useful once again.

(*) Will "Sceptre" Noble and his ilk, for starters!

I was expecting something a lot more informative than this.

For one thing, nobody should be encouraged to use Tor without being told that an exit node can inject hostile code into their browser. You must make (proper) use of SSL and/or script-blocking in order to prevent this from happening.

Also, your anonymity will be limited anyway if you use a unique/unpopular browser, or if you don't clear private data (such as cache and cookies) rather frequently.

Om, I'm not sure if I understood this correctly, basically you're asking if Tor can be used to spoof your IP, so on Wikipedia people won't connect your edits with other edits that you previously made with a different IP? If that's the question: Yes, Tor can be used to achieve this.

About the exit node problem ... to me the largest issue there is that when the identity of the server isn't authenticated (and who really makes proper use of certificates on the web?), using Tor could potentially dramatically increase the likelyhood of a MITM attack. Tor is not at all meant to help with authentication, of course, but it's somewhat important to be aware of this issue.

@13: Actually, Wikipedia blocks pretty much all TOR nodes, specifically because of the abuse potential by vandals. A lot of popular spam-targets do this - for example Slashdot won't let you post from a TOR node either.

@the paranoid crowd at large: TOR is a solution for anonymizing a particular aspect of internet communication: TCP connections.

There are many tools available to anonymize other aspects of computer security, for example "cookie cleaners", SSL certificates, GPG keys, spyware scanners, browser spoofers, etc. Most anonymity leaks are ultimately under the control of the user, and can be secured by a user who is diligent and values their privacy enough. All the security threats that have been described here were solved before TOR even existed, and a diligent user can avoid them.

Anonymity in TCP communications, however, cannot be anonymized by an individual user no matter how much they need or value anonymity. It requires a large group of "co-conspirators", which wasn't easy to come by in the past. This is what the TOR network does - it coordinates a large network of people who agree to anonymize each other's TCP connections. That's about all it does, but it does it very well.

@13: Why the remark about SSL certificates? The user will be either sloppy or careful with the tools they have. If they don't heed cert warnings or check the domain name next to the lock, then they're probably going to misuse Tor as well.

I think the reason why newer tools like Tor are so problematic is that so many people haven't grasped the rudiments of Internet and computer use. What we need is a body like the W3C to publish a distilled two or three-page guide as part of a campaign for Internet literacy; push it through schools, libraries, corporations, public service announcements, and tech bloggers. You may think the last one is odd, but I find even most enthusiasts and trained pros are keyed to industry fads while lacking basic knowledge.

No anonymizer in the world will help you if you just use it to go to your usual haunts and behave in your usual patterns.