A very interesting report on how the big telecommunication companies allow(ed) the government and themselves to identify Tor users for years. If you really wanted to protect yourself for whistleblowing or journalism with a real threat to your life or freedom, you’d really need to look into maybe running your own private bridge entry server that wouldn’t be on their radar, which you can verify you’re actually on. And doing so without it being traceable back to your identity. If you read between the lines, governments and cooperating megacorps are dragging their feet on fixing this attack vector so they can continue to expose whistleblowers and other threats to their system of control. And I’m reminded of the Boeing whistleblowers who committed suicide, or did they
So as a test I installed a Tor Bridge on DigitalOcean ($4/mo Debian server), and DigitalOcean has joined MANRS which sounds like a good solution until network routing equipment is upgraded with more software and processing ability where they can do 100% validation.
You need to have the fingerprint and cert to access the Tor Bridge, so you’ll have a secure connection to the first hop in the three hop Tor circuit. Even if they could implement the BGR attack, they couldn’t do a man in the middle attack and forward your traffic, and each hop is encrypted protecting the other layers of the onion network. Consequently, running my own dedicated bridge is much faster with better performance. I’d often have issues with some sites and guards, having to change circuits on occasion. And I had noticed that there were far too many German servers which is a problematic country given how they’re trying to outlaw a valid political party while also taking away supporters gun rights with no legitimate justification, all because this party wants to reign in the unlimited immigration making their society so unsafe.
Consequently, I just use Tor to access certain news sites around the world and to add noise to the Tor network for people actually trying to have anonymity when exposing political or corporate malfeasance or do real journalism. I’m not sure if diplomats and spooks are really using Tor, or they’d steer the project to lock down these vulnerabilities more fervently. And you’d have to wonder how compromised the board is and who’s giving money, getting board seats?
Also, I’ve come to trust Mullvad VPN because of their documentation and stance on privacy, and they have a multihop feature to go through two servers, with quantum resistance and DAITA, Defense against AI Traffic Analysis, with good clients for Windows, macOS and Debian Linux (AUR for Arch too). And that might be a good option with more control of what countries you route through. And Mullvad VPN accepts Monero cryptocurrency so there is no connection to your identity (use public wifi with Tails). Mullvad VPN also has a locked down Firefox based browser that Tor devs helped them with.
Anyway, if you can find my email address and contact me, I’ll give you my Tor Bridge information if you’d like to use it.
[Update] Having used my own Tor Bridge today, all the websites worked much better even though I have javascript off for security. As using regular guard relays I’d have problems loading certain sites, images, and would have to switch to a new circuit of three servers to get things working properly (still too many Germany servers). I don’t think Tor is doing an adequate job with finding bad actors running guard (entry) servers perhaps beyond the vulnerability to the network routing protocol above. I also use a VPN, so they can’t identify me or my IP, but they did seem to be interfering with traffic. And it seems to rule out a bad exit server operator interfering with traffic. I wouldn’t count on Tor for whistleblowing and leaking information without full trust of the guard (entry) server, and encrypting material I shared to only the recipient.