Scott Hanselman

Secure and Private Browsing

September 6, '06 Comments [10] Posted in Tools
Sponsored By

TorparkSo, after the Browzar fiasco, I went looking for a simple, secure, private Portable Browser that I could use to surf the net in strange places with.

What I found is TorPark. It's a modification of Portable Firefox (a version of Firefox for running portably on USB sticks) with Tor built in. TorPark takes Portable Firefox and preconfigures a number of Privacy-related Extensions.

The more people who are using Tor at any one time, the more anonymous it is. It's basically a giant, distributed Proxy Server. Everyone gets pages for everyone else.

I tried it, and while it's slower of course than going directly, I saw that my traffic was routed through a number of countries, just by repeatedly visiting WhatIsMyIPAddress.com.

This seems like a much safer and reasonable alternative to Browzar if you're in the market for a portable, private browser.

Here's TCPView running while I run TorPark. Notice Firefox only talking to localhost while Tor.exe connects to random Tor proxies.

Tornetwork

I also run my installation of TorPark on a TrueCrypt encrypted Traveller Disk on my USB device. I talk about TrueCrypt in this post.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by ORCS Web
Wednesday, September 06, 2006 11:10:30 PM UTC
Yeah, TOR is nifty. You can configure FoxyProxy to work with it. In fact, the first time you run FoxyProxy after installing it, it asks you if you'd like to configure it to work with TOR.

So using TOR with Privoxy gets you about as close to invisible on the internet as you can get. I've also heard of people tunneling SSH to their home proxy using TOR and using Squid at home to pre-fetch pages and download their email if they are using a public hot spot. I can't think of anything more secure than that other than using a Sneakernet to transport the packets.
Wednesday, September 06, 2006 11:17:18 PM UTC
As I understand TOR, it's not exactly an "everyone gets pages for everyone else" setup. Everyone using TOR is part of the routing chain, but the unencrypted access to the actual content happens on edge (gateway) servers. I think that's a better setup anyways - I might want to use TOR to protect my own privacy, but not at the cost of donating having my internet connection used to access illegal content. I wouldn't want my IP showing up on a server log as part of some terrorist plot, kiddie porn ring, etc.
Wednesday, September 06, 2006 11:30:52 PM UTC
Yep, I looked into it a bit more. TOR Clients just route traffic, TOR Servers acquire the content. It looks like they allow you to enforce policies to limit your abuse and exposure if you run a TOR Server, but I don't think I'd want to mess with it. http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#RunAServerBut
Wednesday, September 06, 2006 11:52:39 PM UTC
I went whatismyIPaddress.com and got plastered with 3 popups one after another. back to IPCONFIG
John A. Davis
Thursday, September 07, 2006 12:26:36 AM UTC
@John A. Davis: IPCONFIG will only show your computers IP address - not the public Internet IP address being used to get traffic from servers for you.

[)amien
Thursday, September 07, 2006 1:19:28 AM UTC
If you don't like the popups on WHATISMYIP, you can use http://www.dnsstuff.com/ - it shows your public IP in the upper right hand corner. Sorry for the comment barrage - I'll shut up now.
Thursday, September 07, 2006 2:20:32 AM UTC
Also try http://checkip.dyndns.org - This is what a lot of the various automatic DynDNS updaters use.
Thursday, September 07, 2006 2:36:55 AM UTC
The big problem I see with Tor is that they rely on volunteers to donate bandwidth. If I want to contribute to the network, I can run a server. I run μTorrent 24/7 so I can help pass along the Hanselminutes and DotNetNuke goodness. I totally support and agree with the ideals of the EFF, so why shouldn't I want to run a Tor server?

This is all well and good, until, as chance would have it, my connection is used for some pervert to deal in child porn. Or plot a terrorist attack. Now, I don't rightly care what you use my connection for in theory. That's why I'm donating the bandwidth to Tor. But, as we've seen in a lot of DMCA/RIAA John Doe cases, I might actually be held responsible for the content accessed from my IP address.

IANAL, but I worry about the liability of operating a Tor server. At the very least, it gives the fuzz a good excuse to kick your door down and confiscate all of your hardware (thank you, Patriot Act).

People should not fear their government. Their government should fear them. This is my ideal, and I'm sticking to it. That said, I really have no desire to stand tall before the man. Am I totally wrong in my thinking here? Is there any case precedent to help me feel safer about hosting a Tor server in the US? Or is this something for which I will have to rely on my freedom-loving overseas brethren?
Thursday, September 07, 2006 2:51:19 AM UTC
Looks like it's my turn to spam Scott's blog tonight.

Of course, I posted my last comment before I read what Jon Galloway recommended:

<quote>
5.2. I'd run a server, but I don't want to deal with abuse issues.

Great. That's exactly why we implemented exit policies.

Each Tor server has an exit policy that specifies what sort of outbound connections he will allow from his server, and what sort he will refuse. The exit policies are propagated to the client in the directory, so clients will avoid picking exit nodes that would refuse to exit to their intended destination.

By default, your server allows access to many popular services, but restricts some (such as port 25) due to abuse potential. You can edit your torrc to make your exit policy more or less restrictive. If you want to avoid most if not all abuse potential, set it to "reject *:*". This setting forces a "non-exit" operation. Nobody exits through your node, only direct connections to other nodes will be established.
</quote>

Okay... So I can block individual ports. That's helpful, since it keeps spammers out. Still doesn't explain how I might prevent being used for behavior that could make me criminally liable short of setting a non-exit policy. Truthfully, I realize that it's not really a realistic expectation, and certainly is not in the spirit of Tor. Guess my options are:

1) Run a server and run a risk of showing up in subpoenaed IP logs for something I didn't do

2) Run a server and set it a non-exit policy

3) Don't run a server and just leech bandwidth from the Tor network
Thursday, September 07, 2006 4:32:54 PM UTC
Looks like Tor requieres a public IP address in my computer :-(
Comments are closed.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.