- Limitations of the Tor network
- Tails makes it clear that you are using Tor and probably Tails
- Exit nodes can intercept traffic to the destination server
- Adversaries watching both ends of a Tor circuit could identify users
Tails makes it clear that you are using Tor and probably Tails
Everything you do on the Internet from Tails goes through the Tor network.
Tor and Tails don't protect you by making you look like any random Internet user, but by making all Tor and Tails users look the same. It becomes impossible to know who is who among them.
Your Internet service provider (ISP) and local network can see that you connect to the Tor network. They still cannot know what sites you visit. To hide that you connect to Tor, you can use a Tor bridge.
The sites that you visit can know that you are using Tor, because the list of exit nodes of the Tor network is public.
Parental controls, Internet service providers, and countries with heavy censorship can identify and block connections to the Tor network that don't use Tor bridges.
Many websites ask you to solve a CAPTCHA or block access from the Tor network.
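How a site can tell that a visitor arrives from Tor, as described above: it compares the connecting address against the public list of exit nodes. This is an added example, not part of the Tails documentation; the list layout (`ExitAddress <ip> <timestamp>` lines), the function names, and the sample addresses (documentation-only ranges) are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample in the layout of a public exit-address list
# (assumed format: ExitNode / Published / LastStatus / ExitAddress lines).
# Fingerprints are fake; addresses come from documentation-only ranges.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2024-01-01 00:00:00
LastStatus 2024-01-01 01:00:00
ExitAddress 192.0.2.10 2024-01-01 01:05:00
ExitNode 0000000000000000000000000000000000000002
Published 2024-01-01 00:10:00
LastStatus 2024-01-01 01:00:00
ExitAddress 198.51.100.7 2024-01-01 01:06:00
ExitAddress not-an-address 2024-01-01 01:07:00
"""


def parse_exit_addresses(text):
    """Return the set of exit IP addresses found in an exit-address list."""
    exits = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "ExitAddress":
            try:
                exits.add(ipaddress.ip_address(fields[1]))
            except ValueError:
                continue  # skip malformed entries instead of failing
    return exits


def is_tor_exit(client_ip, exits):
    """True if the connecting address matches a known exit address."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d), as seen on dual-stack sockets.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr in exits


if __name__ == "__main__":
    exits = parse_exit_addresses(SAMPLE_EXIT_LIST)
    for ip in ("192.0.2.10", "::ffff:198.51.100.7", "203.0.113.5"):
        print(ip, "-> Tor exit" if is_tor_exit(ip, exits) else "-> not in list")
```

The same lookup explains why a site sees only the exit node's address, never yours, and why a connection through a bridge still appears to the site as coming from Tor: bridges change how you enter the network, not where you exit.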
Exit nodes can intercept traffic to the destination server
Tor hides your location from destination servers, but it does not encrypt all your communication. The last relay of a Tor circuit, called the exit node, establishes the actual connection to the destination server. This last step can be unencrypted, for example, if you connect to a website using HTTP instead of HTTPS.
The exit node can:
- Observe your traffic. That is why Tor Browser and Tails include tools, like HTTPS Everywhere, to encrypt the connection between the exit node and the destination server, whenever possible.
- Pretend to be the destination server, a technique known as machine-in-the-middle attack (MitM). That is why you should pay even more attention to the security warnings in Tor Browser. If you get such a warning, use the New Identity feature of Tor Browser to change exit node.
To learn more about what information is available to someone observing the different parts of a Tor circuit, see the interactive graphics at Tor FAQ: Can exit nodes eavesdrop on communications?.
Tor exit nodes have been used in the past to collect sensitive information from unencrypted connections. Malicious exit nodes are regularly identified and removed from the Tor network. For an example, see Ars Technica: Security expert used Tor to collect government e-mail passwords.
Adversaries watching both ends of a Tor circuit could identify users
An adversary, who could control the 3 relays in a circuit, could deanonymize Tor users.
Tor chooses 3 relays that belong to 3 different network operators for each circuit.
Tails takes extra measures to use different circuits for different applications.
The Tor network has more than 6 000 relays. Organizations running Tor relays include universities like the MIT, activist groups like Riseup, nonprofits like Derechos Digitales, Internet hosting companies like Private Internet Access, and so on. The huge diversity of people and organizations running Tor relays makes it more secure and more sustainable.
A powerful adversary, who could analyze the timing and shape of the traffic entering and exiting the Tor network, might be able to deanonymize Tor users. These attacks are called end-to-end correlation attacks, because the attacker has to observe both ends of a Tor circuit at the same time.
No anonymity network used for rapid connections, like browsing the web or instant messaging, can protect 100% from end-to-end correlation attacks. In this case, VPNs (Virtual Private Networks) are less secure than Tor, because they do not use 3 independent relays.
End-to-end correlation attacks have been studied in research papers, but we don't know of any actual use to deanonymize Tor users. For an example, see Murdoch and Zieliński: Sampled Traffic Analysis by Internet-Exchange-Level Adversaries.