TorBrowser becomes less and less usable for me, and for likely most normal users

RTFM :wink:

and…

3 Likes

Generally speaking, we don’t recommend using a VPN with Tor unless you’re an advanced user who knows how to configure both in a way that doesn’t compromise your privacy.

However, you can’t readily do this without using virtual machines. And you’ll need to use TCP mode for the VPNs (to route through Tor). In our experience, establishing VPN connections through Tor is chancy, and requires much tweaking.

So, I think using virtual machines like Whonix which route all the traffic through Tor is safer than using Tor Browser Bundle on top of a host physical machine. There are more anonymity threats when you use Tor Browser on a host machine rather than you use virtual machine.

The main problem is that using

ISP → Tor → OpenVPN (TCP)/Proxy (Socks) → Website

scheme is very inconvenient and moreover it is very difficult to find a free of charge VPN/Proxy server which supports “double routing” technology. It is better to implement Tor “exit bridges” approach as I suggested before. Anyway, these “exit bridges” should not be set up on hosting providers. Instead of it, they should be located within autonomous systems of municipal ISPs.

1 Like

It can’t. At least not given the current policy on publishing exit lists. That was my point. The technical part is already solved.

Yes. Even if we did away with the exit lists, and every exit had a separate exit address which was hidden from the consensus, many exits very well may still be discovered and blocked by other means. We just don’t know for sure because we haven’t tried it (and can’t, because Tor Project doesn’t allow it).

Using hidden services to replace exit nodes (aka. “exit bridges”) could potentially allow us to test the concept of unlisted exit addresses and see if it makes Tor more usable in the real world.

1 Like

But this is the main problem which is being discussed in this thread.

That’s great! I have read the scientific paper about Tor exit bridges. Sounds nice.

I doubt it. Most of website administrators use DNSBL blocklists + Tor exit nodes list in order to block IP addresses which belong to hosting providers or VPN services or Tor. You can check https://dronebl.org/activity_log and you will see that 90% of all IP blocks belong to class 8, 9 or 19 (Open SOCKS proxy, Open HTTP Proxy and Abused VPN service). So, if the IP addresses are hidden from the consensus and have not been published yet, there will be no reason to put them into IP blocklists. Only published IP addresses are being blocked.

So, I guess this is the REAL reason why we still don’t have Tor exit bridges.

2 Likes

No, it’s why regular exits can’t prevent their exit addresses from being published in the exit list. Which is what you proposed originally.

Exit bridges are a whole different thing. Exit bridges aren’t regular exits. From the Tor network’s perspective, they’re not exits at all, they’re hidden services. Since they’re not technically exits, their addresses aren’t required to be published in the exit list.

It doesn’t matter though. HebTor (the implementation described in the paper) seems to be abandoned. The domain is for sale and the browser extension is nowhere to be found.

1 Like

We can use the same announcement scheme like bridges. Bridges are announced using their fingerprint hashes and nicknames but the IP addresses are still hidden from public. We can perform an announcement of Tor exit bridges the same way. Why not?

1 Like

I suspect that the implementation of this would be tricky. Cataloging exit bridges would be fairly easy, unlike cataloging entry bridges since there would very few who operate as an exit bride. Their IP addresses would become known fairly quickly. How would you prevent this?

1 Like

I suppose you could if you patched Tor and BridgeDB. Depending on the specifics, your patch may or may not have a chance of being accepted. Remember, Tor Project made the decision to publish exit addresses in the first place.

I think the premise here is that most site admins are importing the exits list into their block list and calling it a day. We’re assuming most of them won’t actually go to the effort of requesting lots of exit bridges and harvesting their addresses unless they have a strong reason to.