Circumvention and Anonymity

We've always argued that safe circumvention requires anonymity, even from the circumvention service itself. There are many people wanting to record your Internet traffic and browsing patterns; from governments to commercial advertising networks. There are many ways to defeat the threat of traffic analysis; from simple proxy providers, virtual private networks, and distributed peer to peer solutions. Only some of these offer anonymity along with circumvention. Tor's open design and anonymity properties provide protections for the user from those watching the traffic and from us as an organization.

Our architecture and design don't force the user to assume trust in us. Our code is accessible and licensed under an open license. Our specifications are clearly detailed and published. Our packages follow a defined build process so the user can create the same binaries we do. Independent researchers can and do test the properties Tor provides [and help us to improve]. Moreover, The Tor software runs on a distributed network, where a single operator cannot capture or be forced to capture all users' traffic information, even under legal or coercive threat.

All of these should allow the user to trust The Tor Project as a not-for-profit company and to trust that Tor isn't surreptitiously watching the very information you're trying to protect and isn't gathering information we could be forced to disclose.

We're always willing to work with other organizations who understand that anonymity provides stronger circumvention protections than the alternatives.…

"Three of the circumvention tools — DynaWeb FreeGate, GPass, and FirePhoenix — used most widely to get around China’s Great Firewall are tracking and selling the individual web browsing histories of their users."

Even if they're not selling, and only tracking, that still seems to be a problematic
design. It would be great to have some details on exactly what they track, where
they track it, how they make sure to keep it safe, etc.


January 13, 2009


Why do we not need to trust you? If you want to use tor (not theoretically with an own net, but in a way that enables me NOW to surf anonymous), i have to trust the keys of your directory server. If you give your keys out, somebody can fake the server and publish only malicious tor-nodes. if done properly nobody will suspect.

That's why the directory design is distributed. There are currently
six directory authorities, and a majority of them (four) need to agree
about what nodes are in the network before your Tor client believes
it. Specifically, the six are run by me (moria1), a cypherpunk in
Amsterdam (dizum), the German CCC (dannenberg), our Debian packager
who lives in Austria (tor26), a Tor developer in Germany (gabelmoo), and a
Tor developer in San Francisco (ides).

You do have to trust this group as a whole not to work together to try
to trick you, but I think that's a better situation than having a central
place that could trick you but promises not to.

Another big aspect of trust that we feel is important is transparency. We
try to tell you all the details of how Tor works, and be up-front about
pros and cons. You can read more about the v3 directory protocol here:
and a more general explanation of Tor's various layers of keys here:

there's an option in gmail to force all connections over ssl. if you haven't enabled this option, perhaps that's why. Another option is to start the Tamper Data plugin and see what is going plaintext to gmail.

I know with the option in gmail set to all ssl, firefox doesn't warn about mixed content.


November 25, 2009


Really nice blog, very informative.Looking forward to more stuff


October 07, 2010


If I download a file such as a pdf using tor will my ip address be exposed? Maybe a dumb question I just want to be sure.