DoNot

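Things You Should Not Do

I want to see what my personal site looks like while I am anonymous

"I want to see what my personal site looks like while I am anonymous" [1]

It is best not to visit your own personal website if it is tied to your real name or to a pseudonym (for which a non-Tor connection/IP has already been logged). Think about it: how many people visit your personal site? More than 90% of Tor users? Only you? Or just a very small number of people? This is weak anonymity. Once you visit such a site, your Tor circuit is tainted. The Tor exit node knows that someone visited your website, and if the site is not very popular, it is a fair guess that this someone is you. It is then not hard to assume that further connections to other websites through that Tor exit node also come from your device.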

Source: [2]

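Logging into your real-life Facebook account and thinking you are anonymous

Do not log into your personal Facebook account, regardless of whether the account uses your real name or a pseudonym. You have probably added your friends, and they know whose account it is. Through your social network, Facebook can guess who you are.

There is no perfect anonymity solution. Online anonymity software may reliably hide your IP/location, but Facebook does not need your IP/location. It already knows who you are, who your friends are, what private messages you have exchanged, and so on. All of this data is at least stored on Facebook's servers, and no software can delete it. Only hackers and Facebook itself can delete this data.

So when you log into your personal Facebook account, you only get location privacy, not anonymity.

Quoted from "To Toggle, or not to Toggle: The End of Torbutton"[3]:

mike, am i completely anonymized if i log onto my facebook account? im using firefox 3.6 with tor and no script on windows 7 machine. thank you.

Never log into accounts that you have ever logged into without Tor

Always assume that each time you log into a website, the site records your IP/location, the login time, and what you did.

Also assume that each time you go online, your ISP (Internet service provider) records your online time, your IP/location, and your traffic data. Your ISP may also record which IPs/locations you connected to, how much traffic you exchanged, and what data you sent and received. (Unless the data is encrypted, in which case they see only meaningless gibberish.) The tables below give a simple overview of roughly what such logs could look like.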

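ISP log:

| Name | Time | IP/location | Traffic |
|---|---|---|---|
| John Doe | 16 pm to 17 pm | 1.1.1.1 | 500 megabytes |

Extended[4] ISP log:

| Name | Time | IP/location | Traffic | Destination | Content |
|---|---|---|---|---|---|
| John Doe | 16 pm to 17 pm | 1.1.1.1 | 1 megabytes | google.com | searched for XXX |
| John Doe | 16 pm to 17 pm | 1.1.1.1 | 490 megabytes | youtube.com | watched video 1, video 2, ... |
| John Doe | 16 pm to 17 pm | 1.1.1.1 | 9 megabytes | facebook.com | encrypted traffic |

Website log:

| Name | Time | IP/location | Traffic | Content |
|---|---|---|---|---|
| - | 16.00 pm to 16.10 pm | 1.1.1.1 | 1 megabytes | searched for XXX |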

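As you can see, if the website and the ISP keep logs, anyone can work out what you did.

A single mistake, using a non-Tor IP/location that can be traced back to you, is enough to expose the identity behind the whole account.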
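
The following Python example is added here and is not part of the original page. It joins a website login log against an ISP log, shaped like the tables above, to show how a single non-Tor login ties every session of a pseudonymous account to a subscriber. The account name, dates, second subscriber, the 203.0.113.x stand-ins for Tor exit addresses and all function names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data shaped like the ISP and website log tables above.
# Account name, dates and subscribers are made up; the 203.0.113.x addresses
# are assumed stand-ins for Tor exit relays.
TOR_EXITS = {"203.0.113.7", "203.0.113.42"}

# ISP log: (subscriber, session start, session end, assigned IP)
ISP_LOG = [
    ("John Doe", "2024-01-05 16:00", "2024-01-05 17:00", "1.1.1.1"),
    ("Jane Roe", "2024-01-05 18:00", "2024-01-05 19:00", "1.1.1.1"),
]

# Website log: (account, login time, source IP); the site knows no real name.
SITE_LOG = [
    ("pseudonym42", "2024-01-03 21:14", "203.0.113.7"),
    ("pseudonym42", "2024-01-04 09:02", "203.0.113.42"),
    ("pseudonym42", "2024-01-05 16:05", "1.1.1.1"),  # the single non-Tor login
    ("pseudonym42", "2024-01-06 22:40", "203.0.113.7"),
]

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def subscriber_for(ip, when):
    """Return the ISP customer who held `ip` at time `when`, if logged."""
    for name, start, end, assigned in ISP_LOG:
        if assigned == ip and ts(start) <= ts(when) <= ts(end):
            return name
    return None

def attribute_accounts(site_log):
    """Map each account to the subscribers revealed by its non-Tor logins."""
    exposed = {}
    for account, when, ip in site_log:
        if ip in TOR_EXITS:
            continue  # an exit relay address says nothing about the user
        name = subscriber_for(ip, when)
        if name:
            exposed.setdefault(account, set()).add(name)
    return exposed

def sessions_attributed(site_log):
    """Count all logins, Tor ones included, of accounts now tied to a name."""
    exposed = attribute_accounts(site_log)
    return sum(1 for account, _, _ in site_log if account in exposed)

if __name__ == "__main__":
    print(attribute_accounts(SITE_LOG))
    print(sessions_attributed(SITE_LOG))
```

With the one non-Tor row removed, nothing in the website log resolves to a subscriber; with it present, all four logins of the account do.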

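Do not log into your bank account, Alipay, Taobao, or any other important personal account, unless...

Logging into your online banking, Alipay, Taobao, or other money-related personal accounts in your name is risky, because the fraud-prevention system may suspend your account for "suspicious activity". This is because hackers sometimes use Tor to commit fraud. And that is probably not what you want.

As explained earlier, doing so does not make you anonymous either. It only gives you pseudonymity, censorship circumvention, and location privacy. The difference between pseudonymity and anonymity is covered further down this page.

In most cases, you can contact customer support to unlock your account, or ask them to relax the fraud-prevention protection on your account.

Whonix developer adrelanos is not against using Tor to circumvent censorship and protect location privacy, but wants you to know that doing so carries a risk of the account being (temporarily) suspended. So if you know what you are doing, feel free.

Do not use public WiFi in place of Tor

You may think that public WiFi is faster and just as safe as Tor, because the IP/location cannot be tied directly to your real name, right?

It is better to use public WiFi "and" Tor, not public WiFi "or" Tor.

The approximate physical location given by an IP address can be narrowed down to a city, a district, or even a street. Even if you have left that place, you have still revealed your city or approximate location, since most people do not travel very far.

You do not know who runs these open WiFi networks or what their policies are. They may store your MAC address and link it to the plaintext data you send through that WiFi.

Even if this does not completely break your anonymity, the circle of suspects has shrunk from the whole world, a continent, or a country to a specific area. This greatly harms your anonymity. Keep the identifying information you reveal to the outside to a minimum.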

Prevent Tor over Tor scenarios.

Whonix specific.

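When using a transparent proxy (Whonix includes one), it is possible to start a Tor session both on the client and on the transparent proxy, which creates a "Tor over Tor" scenario.

This can happen when Tor or the Tor Browser Bundle is installed inside Whonix-Workstation and is not configured to use a SocksPort, but uses the TransPort instead. (This is covered on the Tor Browser page.)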

Doing so produces undefined and potentially unsafe behavior. In theory, however, you can get six hops instead of three, but it is not guaranteed that you'll get three different hops - you could end up with the same hops, maybe in reverse or mixed order. It is not clear if this is safe. It has never been discussed.

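You can choose your entry/exit nodes yourself [5], but you get the best security only when you let the Tor client choose the path itself; changing the entry/exit nodes can mess up your anonymity in ways we do not understand. "Tor over Tor" is therefore strongly discouraged.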

License of "Prevent Tor over Tor scenarios.": [6]

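Do not send sensitive information without end-to-end encryption

As already explained on the Warning page, Tor exit nodes can monitor communications and carry out man-in-the-middle attacks. The only way to get sensitive data from the sender to the recipient without it falling into third-party hands is end-to-end encryption.

Do not reveal identifying information about yourself

De-anonymization can happen not only at the network level (through connections/IP addresses) but also through social threats. Here are some recommendations for staying anonymous, collected by anonymous individuals:

  • Do not include personal information in your nickname.
  • Do not discuss personal information about yourself, such as where you are from.
  • Do not mention your gender, tattoos, piercings, or physical condition.
  • Do not mention your profession, your hobbies, or which groups you are active in.
  • Do not use special characters that exist only in your language.
  • Do not post information to the regular internet while you are anonymous. Do not use social networks such as Twitter or Facebook. This is easy to correlate.
  • Do not post links to Facebook images under your anonymous identity. The image link contains a personal ID.
  • Do not let two identities visit the same destination at the same time.
  • IRC, other group chats, forums, mailing lists, and so on are public. Keep that in mind.
  • Remember that heroes exist only in comics! Here there are only young heroes and dead heroes.

If you absolutely have to reveal identifying information somewhere, treat it as "sensitive information" as described above.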

License: From the JonDonym documentation (Permission).

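If using Tor is dangerous/suspicious in your country, use bridges

Quoted from the Bridges page: "Bridges are important tools that work in many cases but they are not an absolute protection against the technical progress that an adversary could do to identify Tor users."

Do not use different online identities at the same time

These identities can easily be correlated. Whonix doesn't magically separate your different contextual identities.

Please read the following points.

Do not stay logged into Twitter, Facebook, Google, etc. longer than necessary

Limit the time you are logged into Twitter, Facebook, Google, and any other account-based web service (web forums, etc.) to the time you actually need to use them. When you have finished reading, posting, and so on, log out. At a minimum, log out, close Tor Browser, change the Tor circuit using a Tor controller, wait a few seconds until the circuit has changed, and restart Tor Browser. For better security, see Recommendation to use multiple VM Snapshots and/or use multiple Whonix-Workstations.

This is because many websites embed one or more integration widgets, such as "Like" and "Tweet" buttons, Google Analytics, AdSense, and so on. Because you are still logged in, these widgets can tell the originating service that you visited the site.

Also note the section "Do not use different online identities at the same time" above.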

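Do not mix modes of anonymity

Let us start with an overview of the different modes of anonymity:

Mode (1): user is anonymous to all recipients

  • Scenario: posting messages anonymously on a message board/mailing list/comment section
  • Scenario: whistleblowers and the like
  • You are anonymous.
  • Your real IP/location is hidden.
  • Location privacy: your location stays secret.

Mode (2): user knows the recipient; both use Tor

  • Scenario: sender and recipient know each other and both use Tor.
  • No third party learns the content of their communication or the fact that they are communicating.
  • You are not anonymous.
  • Your real IP/location is hidden.
  • Location privacy: your location stays secret.

Mode (3): user is non-anonymous to any recipient, but uses Tor

  • Scenario: logging into any web service under your real name, such as email, Twitter, Facebook, etc.
  • You are obviously not anonymous. Once you log into these services with your real name, the sites know your identity. Tor cannot "make" you anonymous in this kind of scenario.
  • Your real IP/location is hidden.
  • Location privacy: your location stays secret.

Mode (4): user is non-anonymous to any recipient

  • Scenario: everyday web surfing without Tor.
  • You are not anonymous.
  • Your real IP/location is revealed.
  • Your location is revealed.

Conclusion

Mixing mode (1) and mode (2) is unwise. For example, if you have an instant messenger or email account that you use in mode (1), you should not also use it in mode (2). We have already explained above why this is a problem.

It is likewise unwise to mix two or more modes in the same Tor session, because they could share the same exit node (identity correlation attack).

Other combinations of these modes can also be dangerous and lead to leaks of personal information (such as your physical location).

License

License of "Do not mix Modes of Anonymity!": [6]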

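Do not change settings if you do not know the consequences

Generally, changing a program's user-interface settings is safe as long as they do not involve the internet. For example, ticking "do not show the daily tip again" or "hide this menu bar" has no effect on your anonymity.

If you are interested in changing a setting, check the Whonix documentation first. If it advises against the change, stay with the default settings.

When changing a program setting that involves the internet, even if it is only a user-interface setting, think it through thoroughly. For example, removing a menu bar or using full screen in Tor Browser is not recommended. The latter changes the screen size, which is bad for the web fingerprint.

You should change network settings only with care and only if you understand the possible consequences. For example, stay away from any advice relating to "Firefox Tuning". If you really believe the current options are not optimal, report your suggestion upstream, so that they can change it for all users in the next release of Tor Browser.

Do not use clearnet and Tor at the same time

Using a non-Tor browser and Tor Browser at the same time risks confusing one for the other, which can lead to de-anonymization.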

Using clearnet and Tor at the same time also risks that you connect to a server anonymously and non-anonymously at the same time, which is recommended against. The reason for this is explained in the point below. You never know when you visit the same page anonymously and non-anonymously at the same time, because you only see the URL you're visiting, not how many resources are fetched in the background. Many different websites are hosted in the same cloud. Services such as Google Analytics are on the majority of all websites and therefore see a lot of anonymous and non-anonymous connections.

If you really do not want to follow this recommendation, use at least two different desktops to prevent confusing one browser for another.

Do not connect to any server anonymously and non-anonymously at the same time!

It's highly recommended that you do not connect to any remote server in this manner. That is, do not create a Tor link and a non-Tor link to the same remote server at the same time. In the event your internet connection breaks down (and it will eventually), all your connections will break at the same time and it won't be hard for an adversary to put the pieces together and determine what public IP/location belongs to what Tor IP/connection, potentially identifying you directly.

License of "Do not connect to any server anonymously and non-anonymously at the same time!": [6]

Do not confuse pseudonymity with anonymity

This chapter explains the difference between anonymity and pseudonymity. Word definitions are always a difficult topic because a majority of people have to agree on them.

An anonymous connection is defined as a connection to a destination server, where the destination server has no means to find out the origin (IP/location) of that connection nor to associate an identifier [7] with it.

A pseudonymous connection is defined as a connection to a destination server, where the destination server has no means to find out the origin (IP/location) of a connection, but can associate it with an identifier [7].

In an ideal world, the Tor network, Tor Browser (and the underlying operating system, hardware, physical security, etc.) are perfect. For example, the user could fetch a news website and neither the news website nor the website's ISP has any idea if that user has ever contacted the news website before. [8]

In the opposite case, when software is used incorrectly, for example using Firefox instead of the Tor-safe browser Tor Browser, the origin (IP/location) of a connection is still hidden, but an identifier (for example cookies) can be used to make that connection pseudonymous. The destination website could log, for example, "user with id 111222333444 viewed video title a at time b on date c, video title d at time e at date f.". This information can be used for profiling. Over time these profiles become more and more comprehensive, which reduces anonymity, i.e. in the worst case it could lead to de-anonymization.

As soon as someone logs into a website (for example into a forum or e-mail address) with a username, the connection is by definition no longer anonymous, but pseudonymous. The origin of the connection (IP/location) is still hidden, but the connection can be associated with an identifier [7], i.e. in this case, an account name. Identifiers can be used to keep a log of various things: when a user wrote what, date and time of login and logout, what a user wrote, to whom the user wrote, IP address (useless if it's a Tor exit relay), browser fingerprint, etc.

Maxim Kammerer, developer of Liberté Linux [9], has an interesting different opinion [10], which I don't want to withhold from you:

I have not seen a compelling argument for anonymity, as opposed to pseudonymity. Enlarging anonymity sets is something that Tor developers do in order to publish incremental papers and justify funding. Most users only need to be pseudonymous, where their location is hidden. Having a unique browser does not magically uncover user's location, if that user does not use that browser for non-pseudonymous activities. Having good browser header results on anonymity checkers equally does not mean much, because there are many ways to uncover more client details (e.g., via Javascript oddities).

Do not be the first to spread your own link

You created an anonymous blog or hidden service? Great. You have a Twitter account with lots of followers, run a big clearnet news page or similar? Great. Do not be tempted to be one of the first ones to advertise your new anonymous project! The more you separate identities, the better. Of course, at some point you may or even must be "naturally" aware of it, but be very careful at this point.

Do not open random files or links

Someone sent you a PDF by mail or gave you a link to a PDF? That sender/mailbox/account/key could be compromised and the PDF could be prepared to infect your system. Don't open it with the default tool the creator expected you to use. For example, don't open a PDF with a PDF viewer. If the content is public anyway, try using a free online PDF viewer.

Do not do (mobile) phone verification

Websites such as Google, Facebook and others will ask for a (mobile) phone number if you log in over Tor. Unless you are really clever or have an alternative, you shouldn't do it.

Reason: The number you give away will be logged. The SIM card is most likely registered in your name. And even if not, receiving an SMS gives away your location. Even if you anonymously bought a SIM card and do it from a point far away from your home, there is still a risk: the phone itself. Each time the phone logs into the mobile network, the provider will log the SIM card serial number [11] AND the phone serial number [12]. If you bought the SIM card anonymously, but not the phone, it's not anonymous, because these two serials will get linked. If you really want to do mobile verification, you need a spot far away from your home, a fresh phone, and a fresh SIM card. Afterwards, you must turn off the phone, and burn both the phone and the SIM card right after doing it.

You could try to find an online service receiving SMS for you. That would work and would be anonymous. The problem is that it most likely won't work for Google and Facebook, because they actively blacklist such numbers for verification. Or you could try to find someone else receiving the SMS for you, but that would only shift the risk from you to the other person.

Why this page?

You can skip "Why this page?".

This page runs a high risk of stating obvious things. Obvious to whom? Developers, hackers, geeks, etc. may call that common sense.

Those groups tend to lose contact with actual non-techy users. It's good sometimes to read usability papers or feedback from people who do not post on mailing lists or in forums.

For example:

  • Quoted from "To Toggle, or not to Toggle: The End of Torbutton"[13]:

mike, am i completely anonymized if i log onto my facebook account? im using firefox 3.6 with tor and no script on windows 7 machine. thank you.

Footnotes

  1. https://lists.torproject.org/pipermail/tor-dev/2012-April/003472.html
  2. Tor Browser should set SOCKS username for a request based on referer
  3. https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton The Tor Blog
  4. https://en.wikipedia.org/wiki/Deep_packet_inspection
  5. https://www.torproject.org/docs/faq.html.en#ChooseEntryExit
  6. This was originally posted by adrelanos (proper) to the TorifyHOWTO (w) (license) (w). Adrelanos didn't surrender any copyrights and can therefore re-use it here. It is under the same license as this DoNot page.
  7. An identifier could be for example a (Flash) Cookie with an unique number.
  8. Fingerprinting defense isn't perfect yet in any browser. There are still open bugs. See tbb-linkability and tbb-fingerprinting.
  9. http://dee.su/liberte
  10. Quote (w)
  11. IMSI
  12. IMEI
  13. https://blog.torproject.org/blog/toggle-or-not-toggle-end-torbutton The Tor Blog

Attribution

Thanks to intrigeri and anonym, who provided feedback and suggestions for this page on the Tails-dev mailing list.

