I'm guessing that Amazon knows who you are. And I'm sure that they keep logs, for accounting and debugging. So being "one of a million EC2 nodes" doesn't hide you, in any way. That EC2 node has an IP address. While you're using it, it's your IP address.
When you "share a single egress point with hundreds of thousands of other people", determining whether some activity at some time was yours takes substantive analysis of logs. And often, those logs will be long-gone by the time anyone wants to crunch them.
But it depends on your goals, really. If you want security from local threats for doing real-name stuff (business, banking, etc) then you're better off with a private VPN. If you want a little casual anonymity, for torrenting or social media or whatever, then a VPN service is better. And if you want stronger anonymity, use Tor through VPN(s).
> I'm guessing that Amazon knows who you are. And I'm sure that they keep logs, for accounting and debugging. So being "one of a million EC2 nodes" doesn't hide you, in any way. That EC2 node has an IP address. While you're using it, it's your IP address.
I'm not as concerned with law enforcement as I am with hackers and surveillance.
> And if you want stronger anonymity, use Tor through VPN(s).
Tor is basically a honey-trap for law enforcement and others. It's trivial to get your own exit node and sniff or modify traffic (proven in practice!), hidden services are a hack that don't adequately protect your privacy, and it's trivial to identify tor users from non-tor users. I like tor the technology, I don't like tor the network.
As with my guidance on VPNs, if you want to use tor right then setup your own network of routing nodes. Don't use the horribly insecure public one.
Saying that Tor is just a LEA honey-trap is just plain FUD.
Evil exit nodes are a risk. And websites are increasingly blocking Tor IPs. So run a VPN server as an onion service. You look like a simple VPS. And the VPN protects your traffic from evil exit nodes. And you're hitting that VPN server through seven-relay circuits.
> Saying that Tor is just a LEA honey-trap is just plain FUD.
Explain why the FBI has been able to unmask nearly every high profile hidden service operator they go after then? Each time it's a different strategy, and they have all been incredibly effective. Some relied on bugs in Tor, others on broken tools used to access it, others on poor UX that encourages operational security failures. Russian intelligence ran their own set of exit nodes for a period and replaced all executable downloads with malware! You are objectively less safe using the public Tor network.
I don't think the concept of "crowding" is a recognized security property of a system. At least, I've never seen it used before. The way that single-hop commercial VPN services "crowd" people together creates a massive liability. The way that Tor allows anyone on their public network creates a free-for-all where you're exposed to more surveillance and more malicious code (entry/exit node manipulation). Each of these offer straightforward targets for a slow, lumbering, resourced attacker to eventually completely compromise with users none the wiser.
Well, it is the FBI. And it get's help from the NSA, for sure. There are public understandings for each of the large takedowns. Maybe some of that was parallel construction. But the point is that the public Tor network is the best that we have for anonymity. Whatever its weaknesses, creating your private Tor network is no better than a private VPN. Or maybe a chain of them. But you can't have an anonymity system without lots of users. That's what I mean by crowding.
If the NSA can help deanonymize Tor hidden services, people shouldn't stand up Tor hidden services. The point of cryptography isn't simply to make it more difficult to attack something; it's to make it intractable.
My intuitions are generally with you, but Tor developers have claimed that low-latency anonymity against a pervasive network adversary may be impossible, and formally excluded it from their threat model back in 2004. In that case, the best that can be done may be to defend successfully against some weaker adversaries (although a better move in many ways is to switch to high-latency anonymity).
Maybe successfully defending against the weaker adversaries is useful to many people, although it raises a serious challenge of how to clearly disclose the risks and limitations, which I see as a very important challenge for Tor on both the browser and hidden service sides.
(Hidden services might have categorically worse problems so that there's almost no realistic threat model in which their current design is safe; maybe that's what you're getting at?)
Yes. I share Dan Guido's take on Tor. It's an interesting and important research project that is in no way appropriate for the problems to which most of its users apply it.
Like everything else in cryptography, users don't care if things are insecure: things must be secure, because users want them to be! Ignore the Tor users getting zorched by governments; they're all outliers!
> My intuitions are generally with you, but Tor developers have claimed that low-latency anonymity against a pervasive network adversary may be impossible, and formally excluded it from their threat model back in 2004.
This is a point that I wish more people were familiar with. Tor has been oversold as the privacy project to protect from everything. The Snowden docs leaked out and privacy activists ruffled around their pockets asking, "what do we have to rally behind?" They found Tor and stuck with it, despite it certainly not being built for that task.
They're all going to be "isolated incidents". That's the nature of a honey trap. It's not much of a trap if it springs just because you look at it funny.
If you're really paranoid, you VPS through the same node that's running a web crawler. It combines obfuscation of where and what you are looking at, along with plausible deniability for some web activity.
Like, this won't save you if you're engaging in evil shenanigans. It will make you much harder to surveil.
I'm guessing that Amazon knows who you are. And I'm sure that they keep logs, for accounting and debugging. So being "one of a million EC2 nodes" doesn't hide you, in any way. That EC2 node has an IP address. While you're using it, it's your IP address.
When you "share a single egress point with hundreds of thousands of other people", determining whether some activity at some time was yours takes substantive analysis of logs. And often, those logs will be long-gone by the time anyone wants to crunch them.
But it depends on your goals, really. If you want security from local threats for doing real-name stuff (business, banking, etc) then you're better off with a private VPN. If you want a little casual anonymity, for torrenting or social media or whatever, then a VPN service is better. And if you want stronger anonymity, use Tor through VPN(s).