HTTPS and Tor: Working Together to Protect Your Privacy and Security Online
This week EFF released a new version its HTTPS Everywhere extension for the Firefox browser and debuted a beta version of the extension for Chrome. EFF frequently recommends that Internet users who are concerned about protecting their anonymity and security online use HTTPS Everywhere, which encrypts your communications with many websites, in conjunction with Tor, which helps to protect your anonymity online. But the best security comes from being an informed user who understands how these tools work together to protect your privacy against potential eavesdroppers.
Whenever you read your email, or update your Facebook page, or check your bank statement, there are dozens of points at which potential adversaries can intercept your Internet traffic. By using Tor to anonymize your traffic and HTTPS to encrypt it, you gain considerable protection, most notably against eavesdroppers on your wifi network and eavesdroppers on the network between you and the site you are accessing. But these tools have important limitations: your ISP and the website you are visiting still see some identifying information about you, which could be made available to a lawyer with a subpoena or a policeman with a warrant.
Protecting your security and anonymity against real-time government wiretapping is considerably more difficult. In a country where ISPs are controlled by the government or vulnerable to government bullying, Internet users should be especially aware of what kinds of information is still visible to ISPs and may be subject to government surveillance. To a lesser degree, websites may be subject to the same kinds of government bullying and may be compelled to give up information about their customers.
Finally, government agencies with particularly vast resources, such as the NSA, may be able to circumvent the protection provided by Tor through what is known as the “Global Network Adversary” attack. If the Global Network Adversary (GNA) controls the relay through which you enter the Tor network and the relay through which you exit, the GNA can correlate the size and timing of your traffic to identify you on the Tor network. In this scenario, the GNA will have the origin and destination of your traffic, but if you are using HTTPS, they will not be able to read the content. You can help combat the GNA by running a Tor relay, adding to the strength and diversity of the Tor network.
EFF has put together an interactive graphic to explain the ways in which HTTPS and Tor work together to provide you with certain kinds of protection against a variety of potential adversaries. Click on the image to try it out.