Use Tor in Standard tabs?


#1

I am enjoying the support for Tor in private tabs, is there a way this could be expanded upon to support standard tabs as well? For example when I’m on censored networks such as school or public wifi?


#2

Hi @lunorian,
Thanks for the feedback! :slight_smile:

It seems your feedback started the discussions here


#3

It’s something we’ll definitely consider. No promises at the moment, though!


#4

I left a comment on GitHub that goes into how I achieved my current desires with Tor on Firefox and how it’d be awesome if my complicated setup got integrated into Brave Browser without the need for several browser extensions.

I’ve seen some arguments against including Tor in third party web browsers, which I’ll go into detail on why I disagree with those arguments:

  • Only Tor Browser is “safe” from browser-fingerprinting: That may be true but protection againist tracking through browser fingerprinting is only ONE of the many benefits of Tor Browser. Has anyone making that arguement considered the fact that even if you use Tor with no other protections you still gain location privacy + privacy from your ISP spying on you.
  • Cookie Tracking is possible: Of course it is and that still depends on your threat model. The majority of tracking can be blocked off with an ad/tracker blocker and the location privacy benefits of Tor. If you are very paranoid disable third party cookies and/or clear your cookies/caches regularly. Threat modeling is extremely important when deciding what to give up for stronger privacy and security protections.
  • Work/School will get mad at me for using Tor: One don’t install software on computers you don’t own without permission. Two if you are on a work/school network maybe avoid using Tor. I got reprimanded by my high school’s IT Dept a few years ago for storing a copy of Tor Browser on their network drives - they asked that I only use Tor on the public network and not the internal network due to access to printers and other important stuff. It’s hard for IT to detect the usage of Tor to begin with though checks on computers they own is a good way for them to start. Bridges and plugable transports make it more difficult. They generally have good intentions though. If using Tor is against network policy then don’t use Tor.
  • Accounts break anonymity of Tor: That’s very true, accounts made or accessed without Tor are no longer “anonymous” that said using your day to day accounts with Tor provides location privacy

Look forward to seeing more discussion on Tor in Brave Browser :smiley:


#5

I’m rather against it, using TOR everywhere increases the risk that you forget that you use it and then:

One can not emphasize this too much! The exit node of the TOR network merely replaces your PC/Laptop/smartphone towards the internet, which means that the exit node sees all the addresses you access. When the connection is encrypted between you and the site you want to log in, your account ID and password are still not easy to see, but the exit node could run a “man in the middle” attack, decrypt your data stream and encrypt it anew to access the site you want to go to. In doing so, the exit node would see all data in clear text, everything that is transferred, including account name and password.

Last time I checked, a lot of TOR nodes (more than half of all, worldwide) were run by the NSA, even in such a way that they had a high probability (to be able) to follow the whole chain: Exit node (who knows where you want to go) – intermediate node (who knows the entry node and the exit node) – entry node (who knows your real IP address). Go figure…

With an unencrypted connection, that is, every time you use HTTP://… the TOR network hides exactly one thing, from the web servers you access and (provided that not all 3 nodes you use are under control of a single organization e.g. the NSA) from the exit node: Your real IP address. Nothing else. In exchange for that, the exit node can see the whole communication including passwords and can record it.

With an end-to-end encrypted connection between you and the server in the internet (behind the exit node) and no MitM-Attack running on the exit node, the exit node cannot see your account name and password but can still see where you go to. And even then, while the server where you log in doesn’t learn your real IP address it can still uniquely identify you, by the login you just used.

Fingerprinting and tracking:

  • The TOR network itself provides zero protection against that. None at all.
  • If everybody uses the TOR browser, everybody gets a little bit of additional protection just because everybody seems to use the same browser, but (last time I checked, a few years ago) the TOR browser has JavaScript enabled by default and doesn’t allow to install add-ons (for a good reason: The list of add-ons a user uses can be used for fingerprinting), so you have little control over what scripts are running in your browser and JavaScript is under certain circumstances able to “navigate around the TOR network” and thereby expose your real IP address, thus making the TOR network worse than useless. And of course, cookies, HTML5-cookies and whatnot can still be used for recognizing you next time and for tracking.
    I do not know if and to what amount a web server anywhere on the internet can learn about the built in “add-ons” of the brave browser but as long as it’s not more widely in use than the TOR browser (for using TOR), browser-fingerpringing is an issue.

Tl;dr: There are also good reasons to not use TOR and because of that I’d like to have a very clear indication of whether I use it ATM or not.


#6

We are not planning to turn Tor on by default in standard tabs in Brave or trick anyone into using Tor without their consent, nor do I think anyone has asked for that or proposed that.

What we’re discussing is giving users the option of browsing through Tor in standard tabs. This can provide users location privacy from the site and conceal their browsing from their ISP even if they don’t need anonymity from the site, e.g. when logging into social media web site — different users have different threat models, and Tor is helpful for many of them.

Brave already blocks many trackers and protects against many kinds of fingerprinting. It’s not perfect, but we’re always working on improving it, and if you know of ways to fingerprint or track Brave users we’d be happy to hear bug reports.

We at Brave are running our own Tor relays to contribute back to the Tor network, and you can run your own too to keep the network healthy and diverse. But if you would rather not browse through Tor, you will always be able to not browse through Tor.


#7

Just to clarify (no offense taken whatsoever), that’s not what I meant. I have used TOR myself years ago, merely for fun, but you really need to remember to NEVER EVER login into anything while using TOR (back then it was less usual to use HTTPS for everything).

The problem I see is (or would be) that you could easily forget that you use TOR, log in somewhere and - bang, identity exposed. It’s not a problem of consent or getting tricked or switching into TOR mode by accident, it’s a problem of not seeing it and/or forgetting it.
So if you find a way to indicate “this tab uses TOR now” in a way that is easy to see, then all is fine.

Wow, that’s great! Kudos!!


#8

Tor is not a privacy tool, it’s an anonymity tool HTTPS/TLS exist for a reason - don’t use sensitive passwords on websites without it.

Can you cite a source of that statistic? That’s a very serious claim for you to be making.

Again this goes back to Tor being an anonymity network not a privacy tool. For the love of god please use HTTPS.

Tor provides TCP packet source anonymization - nothing more.

The idea of Tor Browser is to make all Tor Users have the same fingerprint so its impossible or difficult to dinguish them.

Check out https://browserleaks.com/features then

To be clear I am asking for the ability to turn it on by default if I choose to do so of course keeping it off by default.

Was just about to say that location privacy is also important!

Are you, or will you consider running Tor Exit Nodes?

I disagree. That determines on your threat model. I might use Tor to access Twitter because I need to hide my location but not my identity from Twitter. I might just be on a censored network and want to bypass a content filter. Anonymity isn’t a priority then.

Security is its weakest link and that’s you :confused:

That’s already done in private tabs it’s clearly labeled with Tor.
37%20AM


Going to add on Tor support in Brave isn’t perfect. We need the ability to use Bridges, OBFS4 Brides and pluggable transports. On many networks Tor is blocked or throttled.


#9

Indeed - But aren’t all passwords sensitive? :stuck_out_tongue:

No, I can’t, I just tried but the info is several years old and didn’t show up in a search. Also, the situation has probably changed, to the disadvantage of large 3-or-4-letter-organizations. But a search for “TOR nodes NSA” may give you a taste anyway. And I remember having read one thing: They set up virtual PCs within one machine, entry node, intermediate node, exit node. Now, when the TOR network tries to find the fastest route from one of these nodes to another node, there is a high probability that it will find all 3 nodes within one physical machine, there can hardly be a faster connection between entry- intermediate- and exit-nodes. I also remember that in the time following such discoveries/revelations, a lot of TOR nodes that were run by the NSA were blacklisted. Then I stopped using TOR and didn’t follow the scene closely anymore.

I do whenever I can, but it’s not my choice if the server doesn’t support it.

Thank you - I just did. Hmm, that’s already a lot and it doesn’t cover the detection of add-ons.

Very true! Thus I want all the aid from the browser I can get. I missed the little “Tor” on the tab but I guess it’s a matter of getting used to look at the point where it is or should be. Otherwise - OK, I understand that I don’t need to use it.


#10

Sure - I use a password manager and have separate credentials for every website. Not everyone does this.

I say this so you’ll be taken seriously, not to insult you. Tor is spelled Tor not TOR the o and r are not capitalized. I blame this largely on media discussing Tor. Spelling it as TOR makes you look like someone who only knows about Tor from whatever the media has published about it.

That said until you have clear evidence backing those claims please do not say Tor is controlled by the NSA - that’s blatantly false and prevents people who might benefit from Tor from using the network. Tor has a few protections from what you are talking about. It won’t allow two nodes from the same /24 from being in the same circuit. A few community leaders have been tracking down nodes run by the same operating and having them adjust for myfamily to prevent them from being in the same circuit. When bad exit operators are found the tor project takes action.

One of two things happen when a website refuses to use HTTPS - first I email the owner on WHOIS my concerns. If it’s not implemented I stop using that website and use an alternative which takes security seriously.

Look around that site - it has multiple tests available :slight_smile:

Security tools are there to guide you not do every little thing for you. Mistakes tend to happen once people start being lazy or try to take shortcuts.


#11

We are discussing it. No promises one way or another right now, though!