{{Header}}
{{title|title=
Anonymity Network
}}
{{#seo:
|description=Comparison of anonymizers considered for the implementation of the Anonymous Operating System {{project_name_long}}.
}}
{{intro|
Comparison of anonymizers considered for the implementation of the Anonymous Operating System {{project_name_short}}.
}}
== Introduction ==
This page describes why [[Tor]] was chosen as the anonymity network for the ''{{project_name_short}} Example Implementation'' and discusses the alternatives that were considered. See also [[Why does Whonix use Tor]].

== Tor ==
Tor was chosen for the ''{{project_name_short}} Example Implementation'' because it is the best-researched and most widely used anonymity network. {{project_name_short}} developer Patrick believes Tor is currently the most secure anonymity network legally available to most users. See [https://www.freehaven.net/anonbib/ anonbib] for a collection of research papers about Tor and other anonymity networks.

A large user base matters because a user can only be anonymous within a sufficiently large set of other users (the anonymity set). Networks that are more secure in theory exist, such as the Mixminion high-latency network, but without enough users they are less secure in practice. See [https://www.mail-archive.com/liberationtech@lists.stanford.edu/msg00022.html Roger Dingledine's explanation] for details.

Some shortcomings of Tor are listed on the [[Warning]] page.

== {{project_name_short}} and other Anonymity Networks ==
The ''{{project_name_short}} Framework'' is agnostic regarding the anonymity network being used. In theory, Tor could be completely replaced with any other suitable anonymizing network; see [[Dev/Technical_Introduction#{{project_name_short}}_Framework|Technical Introduction, chapter {{project_name_short}} Framework]]. Development in this area has stalled due to lack of interest from users, upstream developers, and {{project_name_short}} developers.
However, some research and practical work has been done toward such integration; see [[Dev/Inspiration|Inspiration]] if interested.

== Security considerations ==
Any successful attack against Tor also affects {{project_name_short}} and will compromise location/identity.<sup>1</sup> {{project_name_short}} does not attempt to defend against network-level attacks such as a large number of malicious Tor nodes, end-to-end correlation attacks, and so on. The Tor software package from the Debian repository is installed in {{project_name_short}} without modification; defending against such attacks is left to the Tor developers and Debian packagers.

If TransPort, DnsPort, or SocksPort, on which {{project_name_short}} heavily relies, could be exploited, it would also be game over. There is no known bug (or "feature") that reveals the user's real IP address through SocksPort, TransPort, or DnsPort. If such a bug were found in the future, which is possible, it would be a major issue in Tor itself, and we would hope that the Tor developers fix it.

Other conceivable attacks cannot be defended against. For example, an adversary who controls your entry node (or can observe your ISP) and who also has access to the {{project_name_workstation_long}} could generate a distinctive traffic pattern from inside the Workstation (e.g., 5 seconds of heavy traffic, 10 seconds of no traffic, ..., similar to [https://en.wikipedia.org/wiki/Morse_code Morse code]) and then look for the same pattern among the incoming connections observed at the entry node or ISP. That would also result in compromise.

<sup>1</sup> Unless Tor is combined with other means of anonymization (available as an optional feature).

== Other Anonymity Networks reviewed for {{project_name_short}} ==
=== High latency networks ===
In theory, high latency networks would be safer than Tor. Unfortunately, there is no high latency network with enough users that is well-designed, developed, and maintained.

=== AdvOR ===
[https://sourceforge.net/projects/advtor/ AdvOR], the "Advanced" Onion Router, is not suited for {{project_name_short}} at all.
Reasons:

* No interest from the research community.
* No source control (e.g., git).
* Licensing issues (see Nick Mathewson's (Tor's Chief Architect) analysis below).
* Absence from the Tor community.
* No Linux support.
* {{project_name_short}} developer Patrick believes the Tails and Tor developers are modest and genuine. They generally work thoroughly and come to, in Patrick's opinion, clever conclusions. A Tails developer and a Tor developer wrote about AdvOR. Patrick believes it is best not to summarize their writings; please read them yourself if interested.
** [https://web.archive.org/web/20130625055229/https://tails.boum.org/forum/Facebook_doesn__39__t_block_a_profile_if_logged_into_thru_AdvOR/ Answer from a Tails developer about AdvOR].
** [https://archives.seul.org/or/talk/Oct-2010/msg00026.html Nick Mathewson's (Tor's Chief Architect) analysis] recommends against it.
* In Patrick's opinion: less safe than Tor.

=== I2P ===
==== Review ====
It may not be possible to reliably replace the Tor network with the [https://geti2p.net/en/ I2P network] on {{project_name_gateway_long}}. The I2P network is mainly designed to host all services within the I2P network itself. {{project_name_short}} needs to update the {{project_name_workstation_short}} operating system and software packages from clearnet repositories, which is not possible with I2P alone.

Outproxies (http, https, and socks) existed in the past, but were perhaps too few, and in any case too unreliable (often offline) to be suited for use with {{project_name_short}}. As of March 2012, when this I2P chapter was written, there were no working https or socks outproxies usable for apt. (Is this still the case today?) I2P can therefore only be used in addition to {{project_name_short}} (tunneling I2P over Tor); see [[I2P]].

Even if there were enough reliable outproxies, the question remains: is I2P designed to withhold the external IP from a Workstation? For instance, does the I2P web interface expose the external IP, and if so, can it be configured not to?
→ We could configure I2P to listen only on {{project_name_gateway_short}} localhost, and have services such as the outproxy listen only on the internal interface accessible by the {{project_name_workstation_short}}(s).

There was an [[Dev/Inspiration#I2P|I2P development idea]] to install Tor and optionally I2P on {{project_name_gateway_short}}, but this stalled due to lack of interest from {{project_name_short}} developers and the I2P community. That I2P is not in the Debian package sources would further complicate integration.

* [https://i2pgit.org/i2p-hackers/i2p.www/-/issues/5 I2P users can be deanonymized using browser fingerprinting].
* [https://web.archive.org/web/20210418224735/https://lists.randombit.net/pipermail/cryptography/2013-June/004580.html About I2P insecurity].

==== Summary ====
Not suited for {{project_name_short}} for the Default-Download-Version.

* No outproxies at the moment, so no connections to servers outside the I2P network are possible (I2P is very different from Tor in this respect). Clearnet websites could not be reached, APT would not work, etc. (Still up to date as of today?)
* Less interest from the research community.
* No interest from the I2P community.
* In Patrick's opinion: less safe than Tor.

=== VPN ===
Not suited for {{project_name_short}} for the Default-Download-Version. For details, see [[Whonix versus VPNs]].

=== Freenet ===
Not suited for {{project_name_short}} for the Default-Download-Version. Replacing Tor with Freenet is impossible, as Freenet is a separate network not designed to exit to the clearnet; clearnet websites could not be reached, APT would not work, etc.

There was a [[Dev/Inspiration#Freenet|Freenet development idea]] to install Tor and optionally Freenet on {{project_name_gateway_short}}. This raises the same question as for I2P: is Freenet designed to withhold the external IP from a Workstation, i.e., does the Freenet web interface leak the external IP, and if so, can it be configured not to?
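The traffic-confirmation attack sketched under ''Security considerations'' above (an adversary with code running in the Workstation emits an on/off traffic pattern, and the same adversary watching the entry node or the ISP link searches every client connection for that pattern) is easy to underestimate until the matching step is written down. The following Python simulation is an added example and is not {{project_name_short}} code: it builds a constructed entry-node view of four clients as per-second byte counts, injects the page's "5 seconds heavy, 10 seconds silent" pattern into one of them, and then runs a normalised cross-correlation of the pattern against every client at every time offset. The pattern length, the byte rates, the number of clients and the detection threshold are all assumptions chosen for the demonstration; it generalises the text's single pattern to any on/off template.

```python
"""Simulation of the traffic-confirmation attack described under
"Security considerations".  Added example, not Whonix code.

All traffic figures are constructed: four candidate clients seen at the
entry node, 1-second buckets, values in bytes per second.
"""
import random
import statistics

# Pattern from the text: 5 s of heavy traffic, 10 s of silence, repeated.
# Encoded as 1-second slots (1 = heavy, 0 = silent).  Repeating it three
# times is a hypothetical choice; any on/off template works.
PATTERN = ([1] * 5 + [0] * 10) * 3       # 45 seconds long

HEAVY_BPS = 200_000    # bytes/s the injected pattern adds when "on" (assumed)
BASE_BPS = 30_000      # mean background bytes/s of an ordinary client (assumed)
NOISE_BPS = 15_000     # std-dev of background traffic (assumed)


def make_observation(n_clients, victim, offset, seed=7):
    """Constructed entry-node view: {client: [bytes/s per second]}.
    Client `victim` carries PATTERN starting at second `offset`; a
    `victim` index that matches no client yields pure background noise."""
    rng = random.Random(seed)
    n_seconds = offset + len(PATTERN) + 20
    traffic = {}
    for c in range(n_clients):
        series = [max(0, int(rng.gauss(BASE_BPS, NOISE_BPS)))
                  for _ in range(n_seconds)]
        if c == victim:
            for i, bit in enumerate(PATTERN):
                series[offset + i] += bit * HEAVY_BPS
        traffic[c] = series
    return traffic


def zscore(xs):
    """Standardise a series so absolute volume does not matter, only shape."""
    mu = statistics.fmean(xs)
    sd = statistics.pstdev(xs) or 1.0
    return [(x - mu) / sd for x in xs]


def correlate(series, pattern):
    """Normalised cross-correlation (Pearson r) of `pattern` against
    `series` at every lag; returns (best_score, best_lag), score in [-1, 1]."""
    p = zscore(pattern)
    best = (-2.0, None)
    for lag in range(len(series) - len(pattern) + 1):
        window = zscore(series[lag:lag + len(pattern)])
        score = sum(a * b for a, b in zip(p, window)) / len(pattern)
        if score > best[0]:
            best = (score, lag)
    return best


def find_victim(traffic, pattern=PATTERN, threshold=0.7):
    """Rank clients by their best correlation with `pattern`; return
    (client, score, lag) of the strongest match if it clears `threshold`,
    else None.  The threshold is an assumed value for this demonstration."""
    ranked = sorted(((correlate(s, pattern), c) for c, s in traffic.items()),
                    reverse=True)
    (score, lag), client = ranked[0]
    if score < threshold:
        return None
    return client, score, lag


if __name__ == "__main__":
    obs = make_observation(n_clients=4, victim=2, offset=13)
    print(find_victim(obs))          # client 2 is identified at lag 13
    print(find_victim(make_observation(n_clients=4, victim=-1, offset=13)))
```

Because the match is made on the shape of the traffic and not on its content, the fact that everything between the Workstation and the entry node is encrypted by Tor does not help; this is why the text says such attacks cannot be defended against on the {{project_name_short}} side.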
=== RetroShare ===
Not suited for {{project_name_short}} for the Default-Download-Version. In fact, [https://retroshare.cc/index.html RetroShare] is not an [https://en.wikipedia.org/wiki/Anonymous_proxy anonymizing network]; it is a [https://en.wikipedia.org/wiki/Friend-to-friend friend-to-friend] (F2F) network or optionally a [https://en.wikipedia.org/wiki/Dark_web darknet]. RetroShare serves a different audience and threat model. RetroShare does not yet support outproxy usage; thus, it cannot replace Tor on the {{project_name_gateway_short}}.

=== Proxies / Proxy Chains ===
This is a summary of [[Whonix_versus_Proxies|Whonix versus Proxies]]. "(High) Anonymous" proxies or even "Elite" proxy chains are not suited for {{project_name_short}} for the Default-Download-Version. The reasons are as follows:

* Inferior to onion routing (Tor). Just two strong points (many more exist): a plain proxy provides no encryption between the user and the proxy (only whatever end-to-end encryption the application itself uses), and there is no onion routing (i.e., no layered encryption and no changing of circuits).
* It is difficult (or impossible?) to find a free, stable proxy that may legally be used as a proxy and that could handle enough Default-Download-Version users.
* In Patrick's opinion: less safe than Tor.

=== Combinations of Anonymity Networks ===
Not suited for {{project_name_short}} for the Default-Download-Version. There is too much controversy; see [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN Tor Plus VPN or Proxy]. Controversy is avoided as a political project strategy to protect the project. Quoted from the [[FAQ]]:

''"{{project_name_short}} tries to be as little special as possible to ease security auditing of {{project_name_short}}. Any changes to the Tor routing algorithm should be proposed, discussed and eventually implemented upstream in Tor on torproject.org. And if discussion fails, a Tor fork could be created. Tor has already been forked at least once.
Doing such changes directly in {{project_name_short}} would limit discussions about {{project_name_short}} to the security of the modified routing algorithm. To allow further exploration of {{project_name_short}} security, it is required to be as agnostic as possible about all parts of {{project_name_short}}."''

Users can nevertheless tunnel other anonymizing networks over Tor; see [[Other_Anonymizing_Networks|Other Anonymizing Networks]] if interested.

== Tunneling other Anonymizing Networks over Tor ==
This is possible with {{project_name_short}}; see [[Other_Anonymizing_Networks|Other Anonymizing Networks]].

= See Also =
{{tor_mininav}}
{{other_networks_mininav}}

{{Footer}}

[[Category:Design]]