Added three FAQ entries; fixed a typo.
Matt Pagan

Matt Pagan commited on 2013-12-20 01:42:12
Zeige 1 geänderte Dateien mit 140 Einfügungen und 6 Löschungen.

... ...
@@ -90,6 +90,11 @@ tells
90 90
     been compromised.</a></li>
91 91
     <li><a href="#NeedToUseAProxy">My internet connection requires an HTTP 
92 92
     or SOCKS Proxy</a></li>
93
+    <li><a href="#CantSetProxy">What should I do if I can't set a proxy 
94
+    with my application?</a></li>
95
+    <li><a href="#WarningsAboutSOCKSandDNSInformationLeaks">I keep seeing 
96
+    these warnings about SOCKS and DNS information leaks. Should I 
97
+    worry?</a></li>
93 98
     </ul>
94 99
 
95 100
     <p>Advanced Tor usage:</p>
... ...
@@ -180,6 +185,8 @@ relay.</a></li>
180 185
     provide?</a></li>
181 186
     <li><a href="#CanExitNodesEavesdrop">Can exit nodes eavesdrop on 
182 187
     communications? Isn't that bad? </a></li>
188
+    <li><a href="#AmITotallyAnonymous">So I'm totally anonymous if I use 
189
+    Tor?</a></li>
183 190
     <li><a href="#ExitEnclaving">What is Exit Enclaving?</a></li>
184 191
     <li><a href="#KeyManagement">Tell me about all the keys Tor
185 192
 uses.</a></li>
... ...
@@ -1402,8 +1409,8 @@ recent logins and wondering if you actually logged in at those times.
1402 1409
 <hr>
1403 1410
 
1404 1411
 <a id="NeedToUseAProxy"></a>
1405
-<h3><a class="anchor" href="#NeedToUseAProxy">My internet connection requires an HTTP 
1406
-    or SOCKS Proxy</a></h3>
1412
+<h3><a class="anchor" href="#NeedToUseAProxy">My internet connection 
1413
+requires an HTTP or SOCKS Proxy</a></h3>
1407 1414
 
1408 1415
 <p>
1409 1416
 You can set Proxy IP address, port, and authentication information in 
... ...
@@ -1417,9 +1424,9 @@ if they're the same proxy.) Tor also recognizes the torrc options
1417 1424
 Socks4Proxy and Socks5Proxy. 
1418 1425
 </p>
1419 1426
 <p>
1420
-Also check out HTTPProxyAuthenticator and HTTPSProxyAuthenticator if your 
1421
-proxy requires auth. We only support basic auth currently, but if you need 
1422
-NTLM authentication, you find <a 
1427
+Also read up on the HTTPProxyAuthenticator and HTTPSProxyAuthenticator 
1428
+options if your proxy requires auth. We only support basic auth currently, 
1429
+but if you need NTLM authentication, you may find <a 
1423 1430
 href="http://archives.seul.org/or/talk/Jun-2005/msg00223.html">this post 
1424 1431
 in the archives</a> useful. 
1425 1432
 </p>
... ...
@@ -1431,6 +1438,70 @@ to restrict what ports your Tor will try to access.
1431 1438
 
1432 1439
 <hr>
1433 1440
 
1441
+<a id="CantSetProxy"></a>
1442
+<h3><a class="anchor" href="#CantSetProxy">What should I do if I can't 
1443
+set a proxy with my application?</a></h3>
1444
+
1445
+<p>
1446
+On Unix, we recommend you give <a 
1447
+href="https://github.com/dgoulet/torsocks/">torsocks</a> a try. 
1448
+Alternative proxifying tools like <a 
1449
+href="http://www.dest-unreach.org/socat/">socat</a> and <a 
1450
+href="http://proxychains.sourceforge.net/">proxychains</a> are also 
1451
+available.</p>
1452
+<p> 
1453
+The Windows way to force applications through Tor is less clear. <a 
1454
+href="http://freecap.ru/eng/">Some</a> <a 
1455
+href="http://www.freehaven.net/~aphex/torcap/">tools</a> have been <a 
1456
+href="http://www.crowdstrike.com/community-tools/index.html#tool-79">proposed
1457
+</a>, but we'd also like to see further testing done here. 
1458
+</p>
1459
+
1460
+<hr>
1461
+
1462
+<a id="WarningsAboutSOCKSandDNSInformationLeaks"></a>
1463
+<h3><a class="anchor" href="#WarningsAboutSOCKSandDNSInformationLeaks">I 
1464
+keep seeing these warnings about SOCKS and DNS information leaks. 
1465
+Should I worry?</a></h3>
1466
+<p>
1467
+The warning is: 
1468
+</p>
1469
+<p>
1470
+Your application (using socks5 on port %d) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via Polipo or socat) instead. 
1471
+</p>
1472
+<p>
1473
+If you are running Tor to get anonymity, and you are worried about an attacker who is even slightly clever, then yes, you should worry. Here's why. 
1474
+</p>
1475
+<p>
1476
+<b>The Problem.</b> When your applications connect to servers on the Internet, they need to resolve hostnames that you can read (like www.torproject.org) into IP addresses that the Internet can use (like 209.237.230.66). To do this, your application sends a request to a DNS server, telling it the hostname it wants to resolve. The DNS server replies by telling your application the IP address. 
1477
+</p>
1478
+<p>
1479
+Clearly, this is a bad idea if you plan to connect to the remote host anonymously: when your application sends the request to the DNS server, the DNS server (and anybody else who might be watching) can see what hostname you are asking for. Even if your application then uses Tor to connect to the IP anonymously, it will be pretty obvious that the user making the anonymous connection is probably the same person who made the DNS request. 
1480
+</p>
1481
+<p>
1482
+<b>Where SOCKS comes in.</b> Your application uses the SOCKS protocol to connect to your local Tor client. There are 3 versions of SOCKS you are likely to run into: SOCKS 4 (which only uses IP addresses), SOCKS 5 (which usually uses IP addresses in practice), and SOCKS 4a (which uses hostnames). 
1483
+</p>
1484
+<p>
1485
+When your application uses SOCKS 4 or SOCKS 5 to give Tor an IP address, Tor guesses that it 'probably' got the IP address non-anonymously from a DNS server. That's why it gives you a warning message: you probably aren't as anonymous as you think. 
1486
+</p>
1487
+<p>
1488
+<b>So what can I do?</b> We describe a few solutions below. 
1489
+</p>
1490
+<ul>
1491
+<li>If your application speaks SOCKS 4a, use it. </li>
1492
+<li>If you only need one or two hosts, or you are good at programming, you may be able to get a socks-based port-forwarder like socat to work for you; see <a href="https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO">the Torify HOWTO</a> for examples. </li>
1493
+<li>Tor ships with a program called tor-resolve that can use the Tor network to look up hostnames remotely; if you resolve hostnames to IPs with tor-resolve, then pass the IPs to your applications, you'll be fine. (Tor will still give the warning, but now you know what it means.) </li>
1494
+<!-- I'm not sure if this project is still maintained or not
1495
+
1496
+<li>You can use TorDNS as a local DNS server to rectify the DNS leakage. See the Torify HOWTO for info on how to run particular applications anonymously. </li>
1497
+!-->
1498
+</ul>
1499
+<p>
1500
+ If you think that you applied one of the solutions properly but still experience DNS leaks please verify there is no third-party application using DNS independently of Tor. Please see <a href="#AmITotallyAnonymous">the FAQ entry on whether you're really absolutely anonymous using Tor</a> for some examples. 
1501
+</p>
1502
+
1503
+<hr>
1504
+
1434 1505
 <a id="torrc"></a>
1435 1506
 <h3><a class="anchor" href="#torrc">I'm supposed to "edit my torrc".
1436 1507
 What does that mean?</a></h3>
... ...
@@ -3085,8 +3156,71 @@ diversity,
3085 3156
             
3086 3157
     <hr>
3087 3158
     
3159
+    <a id="AmITotallyAnonymous"></a>
3160
+    <h3><a class="anchor" href="#AmITotallyAnonymous">So I'm totally anonymous 
3161
+    if I use Tor?</a></h3>
3162
+
3163
+    <p>
3164
+    <b>No.</b>
3165
+    </p>
3166
+    <p>
3167
+    First, Tor protects the network communications. It separates where you 
3168
+    are from where you are going on the Internet. What content and data you 
3169
+    transmit over Tor is controlled by you. If you login to Google or 
3170
+    Facebook via Tor, the local ISP or network provider doesn't know you 
3171
+    are visiting Google or Facebook. Google and Facebook don't know where 
3172
+    you are in the world. However, since you have logged into their sites, 
3173
+    they know who you are. If you don't want to share information, you are 
3174
+    in control. 
3175
+    </p>
3176
+
3177
+    <p>
3178
+    Second, active content, such as Java, Javascript, Adobe Flash, Adobe 
3179
+    Shockwave, QuickTime, RealAudio, ActiveX controls, and VBScript, are 
3180
+    binary applications. These binary applications run as your user account 
3181
+    with your permissions in your operating system. This means these 
3182
+    applications can access anything that your user account can access. Some 
3183
+    of these technologies, such as Java and Adobe Flash for instance, run in 
3184
+    what is known as a virtual machine. This virtual machine may have the 
3185
+    ability to ignore your configured proxy settings, and therefore bypass 
3186
+    Tor and share information directly to other sites on the Internet. The 
3187
+    virtual machine may be able to store data, such as cookies, completely 
3188
+    separate from your browser or operating system data stores. Therefore, 
3189
+    these technologies must be disabled in your browser to use Tor safely.
3190
+    </p>
3191
+    <p>
3192
+    That's where the <a 
3193
+    href="https://torproject.org/projects/torbrowser.html.en">Tor Browser 
3194
+    Bundle</a> comes in. We produce a web browser that is preconfigured to 
3195
+    help you control the risks to your privacy and anonymity while browsing 
3196
+    the Internet. Not only are the above technologies disabled to prevent 
3197
+    identity leaks, the Tor Browser also includes browser extensions like 
3198
+    NoScript and Torbutton, as well as patches to the Firefox source
3199
+    code. The full design of the Tor Browser can be read <a 
3200
+    href="https://www.torproject.org/projects/torbrowser/design/">here</a>. 
3201
+    In designing a safe, secure solution for browsing the web with Tor, 
3202
+    we've discovered that configuring any other browser for use with Tor <a 
3203
+    href="#TBBOtherBrowser">is not safe</a>.
3204
+    </p>
3205
+
3206
+    <p>
3207
+    Alternatively, you may find a Live CD or USB operating system more to 
3208
+    your liking. The Tails team has created an <a 
3209
+    href="https://tails.boum.org/">entire bootable operating system</a> 
3210
+    configured for anonymity and privacy on the Internet. 
3211
+    </p>
3212
+
3213
+    <p>
3214
+    Tor is a work in progress. There is still <a 
3215
+    href="https://www.torproject.org/getinvolved/volunteer">plenty of work 
3216
+    left to do</a> for a strong, secure, and complete solution. 
3217
+    </p>
3218
+
3219
+    <hr>
3220
+
3088 3221
     <a id="ExitEnclaving"></a>
3089
-    <h3><a class="anchor" href="#ExitEnclaving">What is Exit Enclaving?</a></h3>
3222
+    <h3><a class="anchor" href="#ExitEnclaving">What is Exit Enclaving?</a>
3223
+    </h3>
3090 3224
 
3091 3225
     <p>
3092 3226
     When a machine that runs a Tor relay also runs a public service, such as 
3093 3227