@7:00 "...if there were ever a situation where a group of bad actors controlled all three nodes..." I thought that Tor nodes are designed to detect when their counterparts have been compromised, and such compromised nodes are flagged to be taken out of the available pool of nodes? When the Tor browser starts, and chooses an entry guard, does your Tor browser perform some type of check to ensure that the connection to the guard has not been comprimised? Does the Tor browser or other Tor nodes check for modified code on other nodes before trusting the other node? Even if one person controlled all three of the nodes you happen to be using, everything is encrypted. And each node is getting data from multiple sources. So how would they see what you are doing?
> I thought that Tor nodes are designed to detect when their counterparts have been compromised, Not to my knowledge > and such compromised nodes are flagged to be taken out of the available pool of nodes? There are other things done to check for bad nodes, and yes they are removed. blog.torproject.org/how-report-bad-relays > does your Tor browser perform some type of check to ensure that the connection to the guard has not been comprimised? I'm not sure what could be done. If the node has been compromised, there isn't anything to do, but hope that it get's caught. If someone can break the encryption, well, you got bigger problems. > Does the Tor browser or other Tor nodes check for modified code on other nodes before trusting the other node? That is also a rather hard thing to do. How should it be done? You can't exactly ask "hey are you good", and if the source code functions perfectly as any other, you can't use that either. You would also loose any other implementation of tor, probably none right now, but you never know, maybe there is a good rust implementation coming along in the future. > Even if one person controlled all three of the nodes you happen to be using, everything is encrypted. Yes, but you would know that (this is not a real world example) at 00:00:01 entry node X got Y bytes from Z and at 00:00:02 exit node A got B bytes that was sent to C. And probably more information that could be used to link it up.
This might be a stupid question, but is it okay to use Tor for things like yt videos (without an active account) and such things or is it just a huge waste of traffic for the servers?
I'd guess. Though there are always down sides, yes, Tor is not always the fastest and sometimes youtube will block you. But otherwise you should be free to use it. There is quite a bit of traffic not used, and Tor needs normal users doing normal thing to work. metrics.torproject.org/bandwidth-flags.html
It would be better to have a set of standard packet sizes that incrementally increase in size. 1kb 10kb 1mb 10mb etc. All traffic would have to pad the packets to match one of the sizes whatever is closest to make it more difficult to track. Adding random data doesn't make it any safer since it is still a distinct size from other traffic. It's all about anonymization.
this video explains clearnet servers, not onion servers. in terms of what was explained in the video, the response is bassed back using the same relays
As far as I know, the problem with javascript isn't that it's javascript. Rather that it's used within the webpage that is mounted on your browser (ie. on your machine), as such scripts have direct access to run within it. Anything server-side that uses javascript doesn't have this problem.
I have not gotten the process of stripping some machines down and installing a Linux based system. Microsoft owns a lot of my stuff. Google has lots and lots of my stuff on their servers. Apple too! I know all three of these system pretty well. Ever since the nineties anyway. TOR has limitations. It even denied that certain websites I visit existed. How do you live your life on the internet? What machines and Operating Systems and Browsers do you use frequently? Thank you!
OS: Any FOSS OS is fine. I don't know much about non-Linux OSs, but the best Linux distro about this I know that doesn't use TOR for everything is Qubes OS. However, it's quite a pain to install and isn't available for many hardware. Browser: If you don't want TOR I personally think the best is Ungoogled Chromium. If you prefer Firefox, you can use it with the tips Mental Outlaw has in its channel, but Mozilla has had some “mistakes” in the past and it isn't the best out of the box. There're also privacy forks of Firefox, but I don't know them very well. Many people now talk about Brave, but it's a very new browser and it already has had a privacy related polemic. And Brave doesn't block cookies by default, tough they always say that they follow the philosophy of “Everything already configured around privacy, so you don't have to worry”.
@@Jorge-xf9gs Thank you Jorge. As you might know, TOR was just discovered to have security issues by CISA of the U.S. I have had Brave at several points of seeking privacy. It is a pesty browser in that he tries to get people to engage and participate in giving companies rewards for being respectful to the online community. Just too much work. The results are not the best either. DDG comes up with terrible results. Webcrawler offers some good results sometimes. I had Authentic8, a protecting gateway of a sort. There is an annual feel. Not a problem with a feel. It just a bit more work than TOR. So I had Ubuntu preloaded on a machine I bought from a pawn shop. There were password issues because I did not know all the pre-setup information. I am tempted to try Linux Mint just to get familiar with the tools in Linux based equipment. My bigger problem is that all the guys that have been using Linux for years leaves my head spinning when I try to follow directions. Are you aware of anyone that has the ability to slow it down and make the installation very simple to understand? Thanks, if you have time Jorge!
How does the reply from the destination server correctly reach the client? As in, how do the relays know the route back to the client from the destination, given the exit and middle relays know nothing of the clients IP?
They're all acting like one layer proxies id assume. They don't know the clients IP, but they know the last locations IP, so it just goes in reverse id assume. All the nodes work like proxies.
How would the tor browser send the server the user's IP using javascript? I've been trying to look it up and it seems like that isn't possible. Couldn't the tor browser just unset the relevant http headers?
This is confusing to me. How do you get the keys to decrypt all 3 layers? And if you generate the key locally how do you send it to the relays without anyone finding out what the key is? Unless you decrypt the key too but then you have another key that needs to be encrypted going to infinity
Your client encrypts the traffic with all three public keys (I'm not sure how the client gets all three keys). And the traffic is decrypted at each step using the nodes private key. The exit node has the original traffic but does not have enough information to know where the source of the traffic comes from.
Dude i was using it today and I didn’t know how it works, and I didn’t know they could see that, so i think im uninstalling it. If anyone else has feedback please do reply, i need to know more about how networking works on tor
At one point I had an app that TOR Project recommended I get to help confuse the tracking. Is that what you are getting at? Could they have hundreds of these relays. TOR uses DDG. I like them better than Brave, Firefox and Vivaldi. Thank you.
So you can hide some of the info leaked through Java script by running Tor through a virtual machine. This should then hide the true type of device you're using, the true OS you are actually using and the true peripherals you use. As of browser it should say something like: "some weird old firefox with some weird plugins called 'no script'". IP should be hidable if you use tor on a VM running on a VPS, which is getting remote controlled through your VM, which is connecting to your neighbors WiFi or so. Make sure to not use Tor in full screen so you dont leak your true resolution (or disable JS in the first place).
At first glance I thought this was “How The Onion Works”
please make this a future video.
7:00 "If there was ever a situation where a group of bad actors controlled all three nodes in a Tor communication" KAX17 has entered the chat
imagine all the NSFW furry stuff that they got bombarded with
The real question is how do get such clear audio?
Yes, please explain!
thats the power of gentoo
install gentoo
Good mic
With the power of noise reduction with funny yeti snowball microphone.
Tor was the most useful tool that I could browse Japanese porn website safely, which banned the IP address of where I'm living.
Degenerate.
@@folksurvival cultured
@@horushours9443 t. coomer
@@twl148 t. based
link?
Great explaination, you know your stuff.
One question: how do you prevent being exposed, while negotiating/ creating the keys with the relay nodes?
@Dio Brando thanks 👍
@@tubbalcain what was he’s response ?
@@Bruh-hd4rj This is like going on a tech forum and someone DMed the explanation...
Lookup hidden service directory and introduction points
@@Bruh-hd4rj what a dickhead bro dropped a gem and picked it back up
TH-cam automatically unsubed from your channel bro. Keep up w the good work!
Watching this video on TOR feels like trying to explain a magic trick to a magician!
@7:00
"...if there were ever a situation where a group of bad actors controlled all three nodes..."
I thought that Tor nodes are designed to detect when their counterparts have been compromised, and such compromised nodes are flagged to be taken out of the available pool of nodes?
When the Tor browser starts, and chooses an entry guard, does your Tor browser perform some type of check to ensure that the connection to the guard has not been comprimised?
Does the Tor browser or other Tor nodes check for modified code on other nodes before trusting the other node?
Even if one person controlled all three of the nodes you happen to be using, everything is encrypted.
And each node is getting data from multiple sources. So how would they see what you are doing?
> I thought that Tor nodes are designed to detect when their counterparts have been compromised,
Not to my knowledge
> and such compromised nodes are flagged to be taken out of the available pool of nodes?
There are other things done to check for bad nodes, and yes they are removed. blog.torproject.org/how-report-bad-relays
> does your Tor browser perform some type of check to ensure that the connection to the guard has not been comprimised?
I'm not sure what could be done. If the node has been compromised, there isn't anything to do, but hope that it get's caught. If someone can break the encryption, well, you got bigger problems.
> Does the Tor browser or other Tor nodes check for modified code on other nodes before trusting the other node?
That is also a rather hard thing to do. How should it be done? You can't exactly ask "hey are you good", and if the source code functions perfectly as any other, you can't use that either. You would also loose any other implementation of tor, probably none right now, but you never know, maybe there is a good rust implementation coming along in the future.
> Even if one person controlled all three of the nodes you happen to be using, everything is encrypted.
Yes, but you would know that (this is not a real world example) at 00:00:01 entry node X got Y bytes from Z and at 00:00:02 exit node A got B bytes that was sent to C. And probably more information that could be used to link it up.
This deserves way more views.
Always wondered this
This video is not as popular as the other ones you have... does TH-cam censor Tor related content?
thank you for the easy to understand presentation
This might be a stupid question, but is it okay to use Tor for things like yt videos (without an active account) and such things or is it just a huge waste of traffic for the servers?
You could do that, but streaming through tor is incredibly slow so it would be a pretty bad experience
@@uwuifyingransomware thank you. That is a good point.
I'd guess. Though there are always down sides, yes, Tor is not always the fastest and sometimes youtube will block you. But otherwise you should be free to use it. There is quite a bit of traffic not used, and Tor needs normal users doing normal thing to work. metrics.torproject.org/bandwidth-flags.html
Live your work!
Okay so there is an attack based on packet size BUT couldn’t that be defended by padding with a random amount of redundant data?
And then sending some packets that are just self terminating at one of the proxies?
It would be better to have a set of standard packet sizes that incrementally increase in size. 1kb 10kb 1mb 10mb etc. All traffic would have to pad the packets to match one of the sizes whatever is closest to make it more difficult to track.
Adding random data doesn't make it any safer since it is still a distinct size from other traffic. It's all about anonymization.
@@ImperiumLibertas this is a good idea.
When the onion website server responds to the request sent by the client, does the response traverse via same relays or different?
this video explains clearnet servers, not onion servers. in terms of what was explained in the video, the response is bassed back using the same relays
idk exactly much about this, but what about server side javascript? Would that be safe?
As far as I know, the problem with javascript isn't that it's javascript. Rather that it's used within the webpage that is mounted on your browser (ie. on your machine), as such scripts have direct access to run within it. Anything server-side that uses javascript doesn't have this problem.
How does the middle relay and exit relay get their keys?
I have not gotten the process of stripping some machines down and installing a Linux based system. Microsoft owns a lot of my stuff. Google has lots and lots of my stuff on their servers. Apple too! I know all three of these system pretty well. Ever since the nineties anyway. TOR has limitations. It even denied that certain websites I visit existed. How do you live your life on the internet? What machines and Operating Systems and Browsers do you use frequently? Thank you!
OS: Any FOSS OS is fine. I don't know much about non-Linux OSs, but the best Linux distro about this I know that doesn't use TOR for everything is Qubes OS. However, it's quite a pain to install and isn't available for many hardware.
Browser: If you don't want TOR I personally think the best is Ungoogled Chromium. If you prefer Firefox, you can use it with the tips Mental Outlaw has in its channel, but Mozilla has had some “mistakes” in the past and it isn't the best out of the box. There're also privacy forks of Firefox, but I don't know them very well. Many people now talk about Brave, but it's a very new browser and it already has had a privacy related polemic. And Brave doesn't block cookies by default, tough they always say that they follow the philosophy of “Everything already configured around privacy, so you don't have to worry”.
@@Jorge-xf9gs Thank you Jorge. As you might know, TOR was just discovered to have security issues by CISA of the U.S. I have had Brave at several points of seeking privacy. It is a pesty browser in that he tries to get people to engage and participate in giving companies rewards for being respectful to the online community. Just too much work. The results are not the best either. DDG comes up with terrible results. Webcrawler offers some good results sometimes. I had Authentic8, a protecting gateway of a sort. There is an annual feel. Not a problem with a feel. It just a bit more work than TOR. So I had Ubuntu preloaded on a machine I bought from a pawn shop. There were password issues because I did not know all the pre-setup information. I am tempted to try Linux Mint just to get familiar with the tools in Linux based equipment. My bigger problem is that all the guys that have been using Linux for years leaves my head spinning when I try to follow directions. Are you aware of anyone that has the ability to slow it down and make the installation very simple to understand? Thanks, if you have time Jorge!
@@ArtOfHealth I don't know the perfect one, but I think the Chris Titus Tech's Switching to Linux Mint from Windows TH-cam series could help.
You also want to setup Libreboot or Coreboot or your own firmware, as firmware can be backdoored. Eg. Intel ME & amd PSP.
How does the reply from the destination server correctly reach the client? As in, how do the relays know the route back to the client from the destination, given the exit and middle relays know nothing of the clients IP?
They're all acting like one layer proxies id assume. They don't know the clients IP, but they know the last locations IP, so it just goes in reverse id assume. All the nodes work like proxies.
@@travistarp7466 That makes sense. Thanks for the explanation.
You glowie you glow you are glowing you are a glowie
Commenting for the algorithm.
Use full disk encryption on your computer's operating system (OS) just to be extremely safe, if you happen to use Tor.
4:20. Over 9,000 connections!
How would the tor browser send the server the user's IP using javascript? I've been trying to look it up and it seems like that isn't possible. Couldn't the tor browser just unset the relevant http headers?
This is confusing to me. How do you get the keys to decrypt all 3 layers? And if you generate the key locally how do you send it to the relays without anyone finding out what the key is? Unless you decrypt the key too but then you have another key that needs to be encrypted going to infinity
Your client encrypts the traffic with all three public keys (I'm not sure how the client gets all three keys). And the traffic is decrypted at each step using the nodes private key. The exit node has the original traffic but does not have enough information to know where the source of the traffic comes from.
But if you are smart like me you use a Extra proxy your basically invisible to the tor proxys as well
And how does that make you anymore anonymous? lol
@@kynanverwimp847 In the extremely unlikely case that all three relays are compromised (although this has never happened as far as I know)
He explains this in the video, no? This is the bridge.
VPN?
Kinda yes. But a random proxy does not exactly work like a tor bridge
commenting for the alg
I wonder what you guys are using Tor for?
Talking with your mom
People use it to access news, uncensored news, and freedom of speech and some bad guys use it for bad activities
1k likes against 6 dislikes. Now you know ratio.
Dude i was using it today and I didn’t know how it works, and I didn’t know they could see that, so i think im uninstalling it. If anyone else has feedback please do reply, i need to know more about how networking works on tor
At one point I had an app that TOR Project recommended I get to help confuse the tracking. Is that what you are getting at? Could they have hundreds of these relays. TOR uses DDG. I like them better than Brave, Firefox and Vivaldi. Thank you.
So you can hide some of the info leaked through Java script by running Tor through a virtual machine. This should then hide the true type of device you're using, the true OS you are actually using and the true peripherals you use. As of browser it should say something like: "some weird old firefox with some weird plugins called 'no script'". IP should be hidable if you use tor on a VM running on a VPS, which is getting remote controlled through your VM, which is connecting to your neighbors WiFi or so. Make sure to not use Tor in full screen so you dont leak your true resolution (or disable JS in the first place).
how would ip be able to be leaked with javascript in the 1st place? I've been looking into it and haven't found anything.
Nice
🔥
👏 🙂
Very little views on this. Kinda sus if you ask me.
It's actually **Tor
What you’re referring to as Tor is actually GNU/Tor or as I have taken to calling it GNU+Tor
4:20 😏
nice
Tor not TOR. Evidence you did not read the Tor FAQ even once!
lol
I can already suspect what alot of dumbasses are using Tor for. I think they should expect a visit from you-know-whom.
LOL good luck with that, I’m very armed