Added more FAQ entries

Matt Pagan authored on 31/08/2013 14:41:22
Showing 1 changed files
... ...
@@ -60,6 +60,7 @@ includes Tor?</a></li>
60 60
 
61 61
     <li><a href="#TBBFlash">Why can't I view videos on YouTube and other
62 62
     Flash-based sites?</a></li>
63
+    <li><a href="#Ubuntu">I'm using Ubuntu and I can't start Tor Browser</a></li>
63 64
     <li><a href="#TBBSocksPort">I want to
64 65
     run another application through the Tor launched by Tor Browser
65 66
     Bundle.</a></li>
... ...
@@ -103,10 +104,12 @@ country)
103 104
     <li><a href="#SocksAndDNS">How do I check if my application that uses SOCKS is leaking DNS requests?</a></li>
104 105
     <li><a href="#DifferentComputer">I want to run my Tor client on a different computer than my applications.</a></li>
105 106
     <li><a href="#ServerClient">Can I install Tor on a central server, and have my clients connect to it?</a></li>
107
+    <li><a href="#JoinTheNetwork">So I can just configure a nickname and ORPort and join the network?</a></li>
106 108
     </ul>
107 109
 
108 110
     <p>Running a Tor relay:</p>
109 111
     <ul>
112
+    
110 113
     <li><a href="#RelayFlexible">How stable does my relay need to
111 114
 be?</a></li>
112 115
     <li><a href="#ExitPolicies">I'd run a relay, but I don't want to
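Review bot: The new #JoinTheNetwork entry at new line 107 sits at the end of the list that closes just before "Running a Tor relay:", but the question is about relays and its body is inserted right before #RelayOrBridge (hunk at 1817); move the entry into the relay list below. The added line 112 is whitespace only and can be dropped.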
... ...
@@ -114,11 +117,15 @@ deal
114 117
     with abuse issues.</a></li>
115 118
     <li><a href="#RelayOrBridge">Should I be a normal relay or bridge
116 119
     relay?</a></li>
120
+    <li><a href="#UpgradeOrMove">I want to upgrade/move my relay. How do I keep the same key?</a></li>
117 121
     <li><a href="#MultipleRelays">I want to run more than one
118 122
 relay.</a></li>
119
-    <li><a href="#RelayMemory">Why is my Tor relay using so much
120
-memory?</a></li>
121
-    <li><a href="#WhyNotNamed">Why is my Tor relay not named?</a></li>
123
+    <li><a href="#NTService">How do I run my Tor relay as an NT service?</a></li>
124
+    <li><a href="#VirtualServer">Can I run a Tor relay from my virtual server account?</a></li>
125
+    <li><a href="#WrongIP">My relay is picking the wrong IP address.</a></li>
126
+    <li><a href="#BehindANAT">I'm behind a NAT/Firewall</a></li>
127
+    <li><a href="#RelayMemory">Why is my Tor relay using so much memory?</a></li>
128
+    <li><a href="#BetterAnonymity">Do I get better anonymity if I run a relay?</a></li>
122 129
     <li><a href="#RelayDonations">Can I donate for a relay rather than
123 130
     run my own?</a></li>
124 131
     </ul>
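Review bot: The entry order added at new lines 120-128 does not match the order of the sections this commit adds to the body: here #MultipleRelays comes before #NTService and #VirtualServer, while the body hunk at 1857 inserts #UpgradeOrMove, #NTService and #VirtualServer ahead of #MultipleRelays. Reorder one side so the index and the page agree. The #BehindANAT entry at 126 also lacks the trailing period that its heading at 2132 has.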
... ...
@@ -133,6 +140,9 @@ uses.</a></li>
133 140
     <li><a href="#ChangePaths">How often does Tor change its paths?</a></li>
134 141
     <li><a href="#CellSize">Tor uses hundreds of bytes for every IRC line. I can't afford that!</a></li>
135 142
     <li><a href="#OutboundConnections">Why does netstat show these outbound connections?</a></li>
143
+    <li><a href="#PowerfulBlockers">What about powerful blocking mechanisms</a></li>
144
+    <li><a href="#RemotePhysicalDeviceFingerprinting">Does Tor resist "remote physical device fingerprinting"?</a></li>
145
+    <li><a href="#AttacksOnOnionRouting">What attcks remain against onion routing?</a></li>
136 146
     </ul>
137 147
 
138 148
     <p>Alternate designs that we don't do (yet):</p>
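Review bot: "attcks" at new line 145 is a typo for "attacks"; the section heading added at 2474 spells it correctly. The #PowerfulBlockers entry at 143 is also missing the question mark that its heading at 2447 carries.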
... ...
@@ -997,6 +1007,20 @@ find HTML5 videos.
997 1007
 
998 1008
 <hr>
999 1009
 
1010
+<a id="Ubuntu"></a>
1011
+<h3><a class="anchor" href="#Ubuntu">
1012
+I'm using Ubuntu and I can't start Tor Browser</a></h3>
1013
+<p>
1014
+Ubuntu prevents its users from executing shell scripts by click-clicking them, even when the file permissions are set correctly. For now you need to start the Tor Browser from the command line by running </p>
1015
+<pre>
1016
+./start-tor-browser
1017
+</pre>
1018
+<p>
1019
+from inside the Tor Browser directory.
1020
+</p>
1021
+
1022
+<hr>
1023
+
1000 1024
 <a id="TBBSocksPort"></a>
1001 1025
 <h3><a class="anchor" href="#TBBSocksPort">
1002 1026
 I want to run another application through the Tor launched by Tor
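Review bot: "click-clicking" at new line 1014 should read "double-clicking". The sentence is also split across a closed paragraph, the pre block and a second paragraph ("by running" at 1014, "from inside the Tor Browser directory." at 1019), which renders as three separate blocks; consider ending the first paragraph with "from inside the Tor Browser directory:" and dropping the trailing paragraph.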
... ...
@@ -1051,28 +1075,10 @@ configuration</a> of Tor and Privoxy.
1051 1075
 Firefox extensions?</a></h3>
1052 1076
 
1053 1077
 <p>
1054
-Yes. Just install them like normal. But be sure to avoid extensions like
1055
-Foxyproxy that screw up your proxy settings. Also, avoid
1056
-privacy-invasive
1057
-extensions (for example, pretty much anything with the word Toolbar in
1058
-its name).
1078
+The Tor Browser is free software, so there is nothing preventing you from modifying it any way you like. However, we do not recommend installing any additional Firefox add-ons with the Tor Browser Bundle. Add-ons can break your anonymity in a number of ways, including browser fingerprinting and bypassing proxy settings.
1059 1079
 </p>
1060
-
1061
-<p>
1062
-Generally, extensions that require registration, and/or provide
1063
-additional information about websites you are visiting, should be
1064
-suspect.
1065
-</p>
1066
-
1067 1080
 <p>
1068
-Extensions you might like include
1069
- <a href="https://addons.mozilla.org/firefox/addon/953">RefControl</a> (referer spoofing),
1070
- <a href="https://addons.mozilla.org/firefox/addon/1474">SafeCache</a>,
1071
- <a href="https://addons.mozilla.org/en-US/firefox/addon/6623">Better Privacy</a>,
1072
- <a href="https://addons.mozilla.org/firefox/addon/1865">AdBlock Plus</a> (EasyPrivacy+EasyList),
1073
- <a href="https://addons.mozilla.org/firefox/addon/82">Cookie Culler</a>,
1074
- <a href="https://addons.mozilla.org/en-US/firefox/addon/9727/">Request Policy</a> and
1075
- <a href="https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/">Certificate Patrol</a>.
1081
+Some people have suggested we include ad-blocking software or anti-tracking software with the Tor Browser Bundle. Right now, we do not think that's such a good idea. The Tor Browser Bundle aims to provide sufficient privacy that additional add-ons to stop ads and trackers are not necessary. Using add-ons like these may cause some sites to break, which <a href="https://www.torproject.org/projects/torbrowser/design/#philosophy">we don't want to do</a>. Additionally, maintaining a list of "bad" sites that should be black-listed provides another opportunity to uniquely fingerprint users. 
1076 1082
 </p>
1077 1083
 
1078 1084
 <hr>
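Review bot: New lines 1078 and 1081 are each a single unwrapped line, and 1081 ends in a trailing space, while the paragraphs they replace (old lines 1054-1075) were wrapped at about 72 columns; rewrap the new text to match the rest of the file and strip the trailing space.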
... ...
@@ -1220,9 +1226,6 @@ If you really want to see Google in English you can click the link that provides
1220 1226
 Note that Google search URLs take name/value pairs as arguments and one of those names is "hl". If you set "hl" to "en" then Google will return search results in English regardless of what Google server you have been sent to. On a query this looks like: http://google.com/search?q=...&amp;hl=en&amp;..g
1221 1227
 </p>
1222 1228
 <p>
1223
-In Firefox you can search for the google.src file and add the line &lt;input name="hl" value="en"&gt;g to it. Then restart Firefox and it will automatically add the "hl=en" name/value pair to all queries made from the search bar so you will get English results regardless of which Google server you have been sent to. Note that this file is actually 'hidden' as part of the application container on Macs. To get to this file on a Mac you have to right click on the Firefox application icon and select "Show Package Contents" then navigate to Contents/MacOS/searchplugins.
1224
-</p>
1225
-<p>
1226 1229
 Another method is to simply use your  country code for accessing Google. This can be google.be, google.de, google.us and so on. You can also set your language by first selecting it in the Language Tools section, search for something simple. Then extract the language from the URL. In this example, we'll choose Hebrew:  <a>http://www.google.com/search?lr=lang_g'''iw</a>. Next, use that string in the url:  <a>http://google.com/intl/iw/</a>. This can obviously be set as your homepage or bookmarked if necessary. 
1227 1230
 </pb>
1228 1231
 
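Review bot: With the google.src paragraph removed, the paragraph left in this entry still carries damage worth fixing in the same commit: the closing tag at new line 1230 is "</pb>" rather than "</p>", the example URL at 1229 contains wiki bold markup (lang_g'''iw), and both example links at 1229 are bare <a> elements with no href.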
... ...
@@ -1536,7 +1539,7 @@ talk to the already running Tor. Vidalia generates a random password,
1536 1539
 but it is different than the saved password in the Tor service.
1537 1540
 <br />
1538 1541
 You need to reconfigure Tor to not be a service. See the FAQ entry on
1539
-<a href="<wikifaq>#HowdoIrunmyTorrelayasanNTservice">running Tor as a
1542
+<a href="#NTservice">running Tor as a
1540 1543
 Windows NT service</a>
1541 1544
 for more information on how to remove the Tor service.
1542 1545
 </li>
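Review bot: The new href at line 1542 is "#NTservice", but the anchor this commit adds at 1910 has the id NTService, with a capital S. Fragment identifiers are matched case-sensitively, so the link will not jump to the entry; change the href to "#NTService".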
... ...
@@ -1814,6 +1817,41 @@ If you are interested in forcing all outgoing data through the central Tor clien
1814 1817
 
1815 1818
     <hr>
1816 1819
 
1820
+    <a id="JoinTheNetwork"></a>
1821
+    <h3><a class="anchor" href="#JoinTheNetwork">So I can just configure a nickname and ORPort and join the network?</a></h3>
1822
+
1823
+    <p>
1824
+     Yes. You can join the network and be a useful relay just by configuring your Tor to be a relay and making sure it's reachable from the outside.
1825
+    </p>
1826
+    <p>
1827
+30 Seconds to a Tor Relay:
1828
+    </p>
1829
+    <ul><li>
1830
+    Configure a Nickname: 
1831
+    </li></ul>
1832
+    <pre>
1833
+Nickname ididnteditheconfig
1834
+    </pre>
1835
+    <p>
1836
+    Configure !ORPort: 
1837
+    </p>
1838
+    <pre>
1839
+ORPort 9001
1840
+    </pre>
1841
+    <p>
1842
+    Configure Contact Info: 
1843
+    </p>
1844
+
1845
+    <pre>
1846
+ContactInfo human@…
1847
+    <pre>
1848
+    <p>
1849
+    Start Tor. Watch the log file for a log entry that states: 
1850
+    </p>
1851
+    <pre>
1852
+[notice] router_orport_found_reachable(): Self-testing indicates your !ORPort is reachable from the outside. Excellent. Publishing server descriptor.
1853
+    </pre>
1854
+
1817 1855
     <a id="RelayOrBridge"></a>
1818 1856
     <h3><a class="anchor" href="#RelayOrBridge">Should I be a normal
1819 1857
 relay or bridge relay?</a></h3>
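Review bot: The pre block opened at new line 1845 is never closed: line 1847 is a second <pre> where </pre> is needed, so the rest of the entry renders as preformatted text. "!ORPort" at 1836 and 1852 still has the wiki's link-escape "!" and should read "ORPort"; in the log line at 1852 it also makes the quoted text differ from what an operator will find when searching the log. Only the Nickname step at 1829-1831 is a list item while the other steps are paragraphs, and the entry ends at 1854 without the <hr> that separates the neighbouring entries.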
... ...
@@ -1857,6 +1895,187 @@ lots
1857 1895
 
1858 1896
     <hr>
1859 1897
 
1898
+<a id="UpgradeOrMove"></a>
1899
+<h3><a class="anchor" href="#UpgradeOrMove">I want to upgrade/move my relay. How do I keep the same key?</a></h3>
1900
+
1901
+<p>
1902
+ When upgrading your Tor relay, or running it on a different computer, the important part is to keep the same nickname (defined in your torrc file) and the same identity key (stored in "keys/secret_BetterAnonymityid_key" in your DataDirectory).
1903
+</p>
1904
+<p>
1905
+This means that if you're upgrading your Tor relay and you keep the same torrc and the same DataDirectory, then the upgrade should just work and your relay will keep using the same key. If you need to pick a new DataDirectory, be sure to copy your old keys/secret_id_key over. 
1906
+</p>
1907
+
1908
+    <hr>
1909
+
1910
+<a id="NTService"></a>
1911
+<h3><a class="anchor" href="#NTService">How do I run my Tor relay as an NT service?</a></h3>
1912
+
1913
+<p>
1914
+ You can run Tor as a service on all versions of Windows except Windows 95/98/ME. This way you can run a Tor relay without needing to always have Vidalia running.
1915
+</p>
1916
+<p>
1917
+If you've already configured your Tor to be a relay, please note that when you enable Tor as a service, it will use a different DatagDirectory, and thus will generate a different key. If you want to keep using the old key, see the Upgrading your Tor relay FAQ entry for how to restore the old identity key.
1918
+</p>
1919
+<p>
1920
+To install Tor as a service, you can simply run:
1921
+</p>
1922
+<pre>
1923
+tor --service install
1924
+</pre>
1925
+<p>
1926
+A service called Tor Win32 Service will be installed and started. This service will also automatically start every time Windows boots, unless you change the Start-up type. An easy way to check the status of Tor, start or stop the service, and change the start-up type is by running services.msc and finding the Tor service in the list of currently installed services.
1927
+</p>
1928
+<p>
1929
+Optionally, you can specify additional options for the Tor service using the -options argument. For example, if you want Tor to use C:\tor\torrc, instead of the default torrc, and open a control port on port 9151, you would run:
1930
+</p>
1931
+<pre>
1932
+tor --service install -options -f C:\tor\torrc ControlPort 9151
1933
+</pre>
1934
+<p>
1935
+You can also start or stop the Tor service from the command line by typing:
1936
+</p>
1937
+<pre>
1938
+ tor --service start
1939
+</pre>
1940
+<p>
1941
+or
1942
+</p>
1943
+<pre>
1944
+ tor --service stop
1945
+</pre>
1946
+<p>
1947
+To remove the Tor service, you can run the following command:
1948
+</p>
1949
+<pre>
1950
+tor --service remove
1951
+</pre>
1952
+<p>
1953
+If you are running Tor as a service and you want to uninstall Tor entirely, be sure to run the service removal command (shown above) first before running the uninstaller from "Add/Remove Programs". The uninstaller is currently not capable of removing the active service.
1954
+</p>
1955
+
1956
+<hr>
1957
+
1958
+<a id="VirtualServer"></a>
1959
+<h3><a class="anchor" href="#VirtualServer">Can I run a Tor relay from my virtual server account?</a></h3>
1960
+
1961
+<p>
1962
+Some ISPs are selling "vserver" accounts that provide what they call a virtual server -- you can't actually interact with the hardware, and they can artificially limit certain resources such as the number of file descriptors you can open at once. Competent vserver admins are able to configure your server to not hit these limits. For example, in SWSoft's Virtuozzo, investigate /proc/user_beancounters. Look for "failcnt" in tcpsndbuf, tcprecvbuf, numothersock, and othersockbuf. Ask for these to be increased accordingly. Some users have seen settings work well as follows: 
1963
+<p>
1964
+<table border>
1965
+<tr>
1966
+<td>
1967
+<i>resource</i>
1968
+</td>
1969
+<td>
1970
+<i>held</i>
1971
+</td>
1972
+<td>
1973
+<i>maxheld</i>
1974
+</td>
1975
+<td>
1976
+<i>barrier</i>
1977
+</td>
1978
+<td>
1979
+<i>limit</i>
1980
+</td>
1981
+<td>
1982
+<i>failcnt</i>
1983
+</td>
1984
+</tr>
1985
+<tr>
1986
+<td>
1987
+tcpsndbuf
1988
+</td>
1989
+<td>
1990
+46620
1991
+</td>
1992
+<td>
1993
+48840
1994
+</td>
1995
+<td>
1996
+3440640
1997
+</td>
1998
+<td>
1999
+5406720
2000
+</td>
2001
+<td>
2002
+0
2003
+</td>
2004
+</tr>
2005
+<tr>
2006
+<td>
2007
+tcprcvbuf
2008
+</td>
2009
+<td>
2010
+0
2011
+</td>
2012
+<td>
2013
+2220
2014
+</td>
2015
+<td>
2016
+3440640
2017
+</td>
2018
+<td>
2019
+5406720
2020
+</td>
2021
+<td>
2022
+0
2023
+</td>
2024
+</tr>
2025
+<tr>
2026
+<td>
2027
+othersockbuf
2028
+</td>
2029
+<td>
2030
+243516
2031
+</td>
2032
+<td>
2033
+260072
2034
+</td>
2035
+<td>
2036
+2252160
2037
+</td>
2038
+<td>
2039
+4194304
2040
+</td>
2041
+<td>
2042
+0
2043
+</td>
2044
+</tr>
2045
+<tr>
2046
+<td>
2047
+numothersock
2048
+</td>
2049
+<td>
2050
+151
2051
+</td>
2052
+<td>
2053
+153
2054
+</td>
2055
+<td>
2056
+720
2057
+</td>
2058
+<td>
2059
+720
2060
+</td>
2061
+<td>
2062
+0
2063
+</td>
2064
+</tr>
2065
+</table>
2066
+<p>
2067
+ Xen, Virtual Box and VMware virtual servers have no such limits normally.
2068
+</p>
2069
+<p>
2070
+If the vserver admin will not increase system limits another option is to reduce the memory allocated to the send and receive buffers on TCP connections Tor uses. An experimental feature to constrain socket buffers has recently been added. If your version of Tor supports it, set "ConstrainedSockets 1" in your configuration. See the tor man page for additional details about this option.
2071
+</p>
2072
+<p>
2073
+Unfortunately, since Tor currently requires you to be able to connect to all the other Tor relays, we need you to be able to use at least 1024 file descriptors. This means we can't make use of Tor relays that are crippled in this way.
2074
+</p>
2075
+<p>
2076
+We hope to fix this in the future, once we know how to build a Tor network with restricted topologies -- that is, where each node connects to only a few other nodes. But this is still a long way off.
2077
+</p>
2078
+
1860 2079
 <a id="MultipleRelays"></a>
1861 2080
 <h3><a class="anchor" href="#MultipleRelays">I want to run more than one
1862 2081
 relay.</a></h3>
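Review bot: The identity key path at new line 1902 reads "keys/secret_BetterAnonymityid_key", which looks like a paste accident; line 1905 gives it as keys/secret_id_key, and an operator following 1902 will not find the file to copy. Also in this hunk: "DatagDirectory" at 1917 should be "DataDirectory"; line 1963 opens a <p> where the paragraph started at 1961 needs closing with </p>; the prose at 1962 names "tcprecvbuf" while the table row at 2007 has "tcprcvbuf"; and the VirtualServer entry ends at 2077 without an <hr> before #MultipleRelays.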
... ...
@@ -1895,6 +2114,40 @@ the same geographic location.
1895 2114
 
1896 2115
     <hr>
1897 2116
 
2117
+    <a id="WrongIP"></a>
2118
+    <h3><a class="anchor" href="#WrongIP">My relay is picking the wrong IP address.</a></h3>
2119
+    <p>
2120
+ Tor guesses its IP address by asking the computer for its hostname, and then resolving that hostname. Often people have old entries in their /etc/hosts file that point to old IP addresses.
2121
+    </p>
2122
+    <p>
2123
+If that doesn't fix it, you should use the "Address" config option to specify the IP you want it to pick. If your computer is behind a NAT and it only has an internal IP address, see the following FAQ entry on <a href="https://www.torproject.org/docs/faq.html.en#RelayFlexible">dynamic IP addresses</a>.
2124
+    </p>
2125
+    <p>
2126
+Also, if you have many addresses, you might also want to set "OutboundBindAddress" so external connections come from the IP you intend to present to the world. 
2127
+    </p>
2128
+
2129
+    <hr>
2130
+
2131
+    <a id="BehindANAT"></a>
2132
+    <h3><a class="anchor" href="#BehindANAT">I'm behind a NAT/Firewall.</a></h3>
2133
+
2134
+    <p>
2135
+See <a>​http://portforward.com/</a> for directions on how to port forward with your NAT/router device.
2136
+</p>
2137
+<p>
2138
+If your relay is running on a internal net you need to setup port forwarding. Forwarding TCP connections is system dependent but the firewalled-clients FAQ entry offers some examples on how to do this.
2139
+</p>
2140
+<p>
2141
+Also, here's an example of how you would do this on GNU/Linux if you're using iptables:
2142
+</p>
2143
+<pre>
2144
+/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 9001 -j ACCEPT
2145
+</pre>
2146
+<p>
2147
+You may have to change "eth0" if you have a different external interface (the one connected to the Internet). Chances are you have only one (except the loopback) so it shouldn't be too hard to figure out. 
2148
+    </p>
2149
+    <hr>
2150
+
1898 2151
     <a id="RelayMemory"></a>
1899 2152
     <h3><a class="anchor" href="#RelayMemory">Why is my Tor relay using
1900 2153
 so much memory?</a></h3>
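Review bot: The iptables rule at new line 2144 is introduced at 2141 as an example of "how you would do this", where "this" is port forwarding, but the rule only accepts inbound TCP 9001 on the relay host's own INPUT chain and forwards nothing; say that it opens the host firewall for the ORPort, and note that -A appends, so the rule has no effect if an earlier rule already drops the traffic. The link at 2135 is a bare <a> with no href and has an invisible character before the URL, and "If that doesn't fix it" at 2123 refers to a fix that 2120 never states (removing the stale /etc/hosts entry).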
... ...
@@ -1953,22 +2206,24 @@ unusual
1953 2206
 
1954 2207
     <hr>
1955 2208
 
1956
-    <a id="WhyNotNamed"></a>
1957
-    <h3><a class="anchor" href="#WhyNotNamed">Why is my Tor relay not
1958
-named?</a></h3>
2209
+    <a id="BetterAnonymity"></a>
2210
+    <h3><a class="anchor" href="#BetterAnonymity">Do I get better anonymity if I run a relay?</a></h3>
1959 2211
 
1960 2212
     <p>
1961
-    We currently use these metrics to determine if your relay should be
1962
-named:<br>
2213
+Yes, you do get better anonymity against some attacks.
2214
+    </p>
2215
+    <p>
2216
+The simplest example is an attacker who owns a small number of Tor relays. He will see a connection from you, but he won't be able to know whether the connection originated at your computer or was relayed from somebody else.
2217
+    </p>
2218
+    <p>
2219
+There are some cases where it doesn't seem to help: if an attacker can watch all of your incoming and outgoing traffic, then it's easy for him to learn which connections were relayed and which started at you. (In this case he still doesn't know your destinations unless he is watching them too, but you're no better off than if you were an ordinary client.)
2220
+    </p>
2221
+    <p>
2222
+There are also some downsides to running a Tor relay. First, while we only have a few hundred relays, the fact that you're running one might signal to an attacker that you place a high value on your anonymity. Second, there are some more esoteric attacks that are not as well-understood or well-tested that involve making use of the knowledge that you're running a relay -- for example, an attacker may be able to "observe" whether you're sending traffic even if he can't actually watch your network, by relaying traffic through your Tor relay and noticing changes in traffic timing.
2223
+    </p>
2224
+    <p>
2225
+It is an open research question whether the benefits outweigh the risks. A lot of that depends on the attacks you are most worried about. For most users, we think it's a smart move. 
1963 2226
     </p>
1964
-    <ul>
1965
-    <li>The name is not currently mapped to a different key. Existing
1966
-mappings
1967
-    are removed after 6 months of inactivity from a relay.</li>
1968
-    <li>The relay must have been around for at least two weeks.</li>
1969
-    <li>No other router may have wanted the same name in the past
1970
-month.</li>
1971
-    </ul>
1972 2227
 
1973 2228
     <hr>
1974 2229
 
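Review bot: Removing the WhyNotNamed anchor at old line 1956, together with its index entry, breaks any existing link to #WhyNotNamed, and the commit message only mentions added entries; confirm nothing else links to it and say in the message why the entry was dropped. In the new text, "while we only have a few hundred relays" at 2222 is a figure that will date; consider wording the point without a count.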
... ...
@@ -2188,6 +2443,47 @@ But note that a single TCP stream (e.g. a long IRC connection) will stay on the
2188 2443
 
2189 2444
     <hr>
2190 2445
 
2446
+    <a id="PowerfulBlockers"></a>
2447
+    <h3><a class="anchor" href="#PowerfulBlockers">What about powerful blocking mechanisms?</a></h3>
2448
+    <p>
2449
+ An adversary with a great deal of manpower and money, and severe real-world penalties to discourage people from trying to evade detection, is a difficult test for an anonymity and anti-censorship system.
2450
+    </p>
2451
+    <p>
2452
+The original Tor design was easy to block if the attacker controls Alice's connection to the Tor network --- by blocking the directory authorities, by blocking all the relay IP addresses in the directory, or by filtering based on the fingerprint of the Tor TLS handshake. After seeing these attacks and others first-hand, more effort was put into researching new circumvention techniques. Pluggable transports are protocols designed to allow users behind government firewalls to access the Tor network.
2453
+    </p>
2454
+    <p>
2455
+We've made quite a bit of progress on this problem lately. You can read more details on the <a href="https://www.torproject.org/docs/pluggable-transports.html.en">pluggable transports page</a>. You may also be interested in <a href="https://www.youtube.com/watch?v=GwMr8Xl7JMQ">Roger and Jake's ​talk at 28C3</a>, or <a href="https://www.youtube.com/watch?v=JZg1nqs793M">​Runa's talk at 44con</a>.
2456
+    </p>
2457
+
2458
+    <hr>
2459
+ 
2460
+    <a id="RemotePhysicalDeviceFingerprinting"></a>
2461
+    <h3><a class="anchor" href="#RemotePhysicalDeviceFingerprinting">Does Tor resist "remote physical device fingerprinting"?</a></h3>
2462
+    <p>
2463
+ Yes, we resist all of these attacks as far as we know.
2464
+    </p>
2465
+    <p>
2466
+These attacks come from examining characteristics of the IP headers or TCP headers and looking for information leaks based on individual hardware signatures. One example is the ​<a href="http://www.caida.org/outreach/papers/2005/fingerprinting/">Oakland 2005 paper</a> that lets you learn if two packet streams originated from the same hardware, but only if you can see the original TCP timestamps.
2467
+</p>
2468
+<p>
2469
+Tor transports TCP streams, not IP packets, so we end up automatically scrubbing a lot of the potential information leaks. Because Tor relays use their own (new) IP and TCP headers at each hop, this information isn't relayed from hop to hop. Of course, this also means that we're limited in the protocols we can transport (only correctly-formed TCP, not all IP like ZKS's Freedom network could) -- but maybe that's a good thing at this stage. </p>
2470
+
2471
+    <hr>
2472
+
2473
+<a id="AttacksOnOnionRouting"></a>
2474
+    <h3><a class="anchor" href="#AttacksOnOnionRouting">What attacks remain against onion routing?</a></h3>
2475
+    <p>
2476
+As mentioned above, it is possible for an observer who can view both you and either the destination website or your Tor exit node to correlate timings of your traffic as it enters the Tor network and also as it exits. Tor does not defend against such a threat model.
2477
+    </p>
2478
+    <p>
2479
+In a more limited sense, note that if a censor or law enforcement agency has the ability to obtain specific observation of parts of the network, it is possible for them to verify a suspicion that you talk regularly to your friend by observing traffic at both ends and correlating the timing of only that traffic. Again, this is only useful to verify that parties already suspected of communicating with one another are doing so. In most countries, the suspicion required to obtain a warrant already carries more weight than timing correlation would provide.
2480
+    </p>
2481
+    <p>
2482
+Furthermore, since Tor reuses circuits for multiple TCP connections, it is possible to ​associate non anonymous and anonymous traffic at a given exit node, so be careful about what applications you run concurrently over Tor. Perhaps even run separate Tor clients for these applications. 
2483
+    </p>
2484
+
2485
+    <hr>
2486
+
2191 2487
     <a id="CellSize"></a>
2192 2488
     <h3><a class="anchor" href="#CellSize">Tor uses hundreds of bytes for every IRC line. I can't afford that!</a></h3>
2193 2489
     <p>
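Review bot: Several added lines carry invisible zero-width characters left over from the wiki copy: before "talk at 28C3" and "Runa's talk" at new line 2455, before the <a> at 2466, and before "associate" at 2482; strip them so that searching and link text behave as expected. "As mentioned above" at 2476 should link to the entry it refers to, since FAQ entries are reached directly by anchor. Indentation of the added block alternates between four spaces and none.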