Dmitri wrote: Even with something like Tor, if you think you're 100% secure and anonymous -- think again. Much more so with something like DuckDuckGo or similar sites.
The moment your computer connects to anything on the network (not using https), you've potentially given up your privacy.
HTTPS is important for security and a tool like HTTPS Everywhere is an essential add-on for browsers: https://www.eff.org/https-everywhere
However, as a separate and general comment, it is also important to know what HTTPS does and does not do. Fundamentally it will do two things:
1. Enforce an encryption layer for your data in transit. The encryption layer might not be any good; for example, there are still some websites using old versions of SSL, but it will make the effort to get you some level of encryption.
2. Offer you an opportunity to validate the identity/ownership of the website you are connecting to. In practice this is most useful when companies have gone through Extended Validation with a reputable CA.
In both cases it is down to the user to ensure the encryption is sufficient for the purpose, the company on the certificate is as expected, and the CA is reputable. Modern browsers are pretty good at warning users if there is an obvious deficiency. HTTPS is also widely believed to be no obstacle to state-level agencies, if you are already on their radar.
HTTPS will not obfuscate your IP or protect you from tracking through browser fingerprinting, both of which Tor will attempt to do. Browser fingerprinting is much more prevalent these days than people realise. There are several companies that provide browser fingerprinting services to third parties, for example Iovation (https://www.iovation.com).
With the use of HTTPS on Tor .onion sites there is some debate. Traffic within the Tor network is always encrypted and since accessing a .onion site means you don't use an exit node, the enforced encryption layer provided by HTTPS is redundant. There is the issue of identifying the legitimacy of the site which users will simply have to do their best with.
Steve James wrote: resistance is human, but probably futile.
It is a futile endeavour. For those who are interested in protecting their privacy, the adversaries are authoritarian governments and amoral international megacorps. Not only do they have enormous resources, they actually own the infrastructure. Only a few individuals are going to possess the education and discipline to use the tools and techniques available to them to preserve what little remains of their private lives. Not only will these tools and techniques be gradually outlawed through legislation, the devices we use to access the internet will become increasingly closed and subject to back-doors and constant monitoring. This is already well underway.