Dmitri wrote: Even with something like Tor, if you think you're 100% secure and anonymous -- think again. Much more so with something like duckduckgo or similar sites.
The moment your computer connects to anything on the network (not using https), you've potentially given up your privacy.
HTTPS is important for security and a tool like HTTPS Everywhere is an essential add-on for browsers:
https://www.eff.org/https-everywhere
However, as a separate and general comment, it is also important to know what HTTPS does and does not do. Fundamentally it will do two things:
1. Enforce an encryption layer for your data in transit. The encryption layer might not be any good, for example there are still some websites using old versions of SSL, but it will make the effort to get you some level of encryption.
2. Offer you an opportunity to validate the identity/ownership of the website you are connecting to. In practice this is most useful when companies have gone through Extended Validation with a reputable CA.
In both cases it is down to the user to ensure the encryption is sufficient for the purpose, the company on the certificate is as expected, and the CA is reputable. Modern browsers are pretty good at warning users if there is an obvious deficiency. HTTPS is also widely believed to be no obstacle to state-level agencies, if you are already on their radar.
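The two checks just described (is the negotiated protocol modern, and does the certificate name the organisation and CA the user expects), as an added Python example that is not part of the original post. The function names, the accepted-version set and the constructed certificate dictionaries are my own assumptions; the certificate format is the one `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl
import socket
import time

# Assumption: anything below TLS 1.2 counts as "not any good" in the sense of the post.
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def _name_field(rdn_seq, field):
    """Pull one attribute (e.g. organizationName) out of the tuple-of-tuples
    layout that getpeercert() uses for the subject and issuer."""
    for rdn in rdn_seq:
        for key, value in rdn:
            if key == field:
                return value
    return None


def check_peer(cert, version, expected_org, now=None):
    """Return a list of findings; an empty list means both HTTPS promises hold:
    1. a modern protocol was negotiated, and
    2. the certificate names the expected organisation, comes from a named CA,
       and has not expired (hypothetical policy function)."""
    now = time.time() if now is None else now
    findings = []
    if version not in ACCEPTED_VERSIONS:
        findings.append(f"weak protocol negotiated: {version}")
    org = _name_field(cert.get("subject", ()), "organizationName")
    if org is None:
        findings.append("certificate carries no organisation (DV only): identity not validated")
    elif org != expected_org:
        findings.append(f"organisation mismatch: expected {expected_org!r}, got {org!r}")
    if not _name_field(cert.get("issuer", ()), "organizationName"):
        findings.append("issuer has no organisation name")
    not_after = cert.get("notAfter")
    if not_after and ssl.cert_time_to_seconds(not_after) < now:
        findings.append(f"certificate expired on {not_after}")
    return findings


def inspect_site(host, expected_org, port=443):
    """Live check (needs network): the default context validates the chain
    against the system CA store; handshakes below TLS 1.2 are refused outright."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return check_peer(tls.getpeercert(), tls.version(), expected_org)
```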
HTTPS will not obfuscate your IP or protect you from tracking through browser fingerprinting, both of which Tor will attempt to do. Browser fingerprinting is much more prevalent these days than people realise. There are several companies that provide browser fingerprinting services to third parties, for example Iovation (https://www.iovation.com). A website runs Iovation's JavaScript which takes your browser fingerprint and logs your activity with Iovation. The website then pays Iovation for information about you based on your activities on the many other websites that also run Iovation's JavaScript. This information is usually in the form of a "reputation" score, so the website can quietly and immediately identify a potentially good customer, or a potentially fraudulent customer. Some people would be comfortable with this, others less so. Most people will have profiles with these reputation broker companies, whether or not they are aware of it. Of course correct use of browser add-ons like NoScript will help in frustrating this, but if you have a static IP address only a VPN or Tor will help you. If you have a smartphone you probably have very few countermeasures.
With the use of HTTPS on Tor .onion sites there is some debate. Traffic within the Tor network is always encrypted and since accessing a .onion site means you don't use an exit node, the enforced encryption layer provided by HTTPS is redundant. There is the issue of identifying the legitimacy of the site which users will simply have to do their best with.
Regarding the security of Tor, that depends entirely on who you are going up against. It is well known the FBI have some kind of Tor exploit they are refusing to divulge - probably JavaScript-based. Wikileaks seems to have good information that NSA and GCHQ own large numbers of Tor relays and exit nodes, which greatly decreases the security. But if you're doing anything that merits their attention you're screwed anyway.
Steve James wrote: resistance is human, but probably futile.
It is a futile endeavour. For those who are interested in protecting their privacy, the adversaries are authoritarian governments and amoral international megacorps. Not only do they have enormous resources, they actually own the infrastructure. Only a few individuals are going to possess the education and discipline to use the tools and techniques available to them to preserve what little remains of their private lives. Not only will these tools and techniques be gradually outlawed through legislation, the devices we use to access the internet will become increasingly closed and subject to back-doors and constant monitoring. This is already well underway.