You are correct that Orbot mitigates the risk of the intermediate servers snooping on your browsing activity. It is also free, while most trustworthy VPNs cost money. However, Orbot is also much slower and often blocked. I also struggle to think of a threat model where you are concerned about a VPN provider snooping on you, but are not concerned about browser fingerprinting and your traffic being correlated using your IP address. Yes, Tor does mitigate this by blending you into a crowd (much like VPNs) but as soon as you log into an account (which you almost certainly will since all your traffic is being routed through Tor, as opposed to just your activity within the Tor Browser) that account is tied to that IP and browser fingerprint and your traffic can be correlated by an adversary with the resources for it.
You can pay with crypto, standard payment methods, gift card, send money by mail. Did you make a mistake somewhere with your payments?
Then just have another account number generated and you can work anonymously again.
Hello, I'm very new to this and I'm sorry if this has already been posted, but I looked around and all I could find were very diplomatic and dry replies, without very clear directions... I hope my post can bring some clarity about the usage of Tor on GrapheneOS, at least for myself.
-Question 1: I have set up Graphene as a WiFi-only phone. Which means usually if I want to use it when I'm around, I'll have to use my daily driver phone as a hotspot, which has a VPN. Now the question is: can I use Tor on GrapheneOS, even if the hotspot is redirecting traffic to a VPN? I know there is absolutely no added benefit from doing so, it's just a matter of convenience, I wouldn't like to have to shut the VPN down each time and re-enable it after I'm done browsing with the Graphene phone. It just isn't convenient, but I'll be happy to do it if there was no other way and actually pairing Tor traffic going through a mobile hotspot with a VPN would pose a threat to my anonymity on the web.
-Question 2: I'm very new to this again, so I'm not really that much aware of the history of these two apps: Orbot and Tor Browser. I just read the gist of it, so none are endorsed by the Tor Project and so on. But it's not clear to me if I should or should not use them both, or at least have them both installed, since I read in past posts on Reddit that at one time it was necessary, nowadays the Tor Browser has Orbot incorporated. So what is the state of things regarding these apps? Is it necessary to have them both installed, and if not, how would I ensure that my whole traffic from my apps goes through Tor if Orbot is not installed (and using Vanadium as a browser to navigate the Tor net)? And in reverse, how would I go online with the Tor Browser if I already had Orbot running as a VPN, already redirecting everything to Tor, and over that I would have a Tor Browser attempting a connection to Tor again... it doesn't feel right and I fear it would fall into a loop.
Thanks in advance for any clarifying reply to my noobish conundrums!
Have a nice day
1) Your main phone probably should be on grapheneos for improved privacy. You're kind of throwing everything away with that arrangement. Generally, if you're running a VPN on a phone, the tethered phone's traffic will NOT be directed through that VPN.
2) Tor browser and orbot (VPN) should not be used together, they will create an infinite loop and blow up the world. Orbot is for directing ALL traffic on the device through TOR, and TOR Browser is for directing just that browser's traffic through TOR. You can have them both installed, but should only activate one at a time.
abcZ 1) Yeah, maybe I'll do the complete switch to GrapheneOS, I wanted to try it and see what I can do on a daily basis on it first and how big a slice of things I would have to change first.
Anyway, what if my main device used as a hotspot was running Orbot instead of a VPN? Which are actually very similar as in how they are treated in Android... I tried doing it and I did a Tor check with my GrapheneOS phone and it was detected as connected to Tor.
How so?
abcZ Regarding answers to point 1) Can you cite any sources to that statement- that generally a secondary tethered device won't inherit the VPN status of its hosting hotspot? That seems like something people should speak about more often. Tell us everything you can please. Obvious solution, encryption on all devices.
abcZ For your 2nd point, What if you simply enable all apps except for Tor Browser in Orbot settings? Would that fix the loop issue? And would this cause any leakage if wanting to use Orbot system wide to hide your ip from everything?
[deleted] You can run a simple test to confirm if your phone functions per this generality; do a duckduckgo search on the tethered device for "my ip" and you'll see your public IP address listed near the top of the screen. Check if that matches the VPN or not.
The history of tethering may explain it. Back when cellular providers would want to charge extra for every MB/GB of tethering data, they didn't want users to hide their tethering activity through a VPN. They were still trying to steer customers to air cards for that. PDAnet+ became a popular alternative.
[deleted] "How" is just a matter of the network routing table. "Why" is something you would have to ask to those who implemented it that way, but as @Graphite suggests, the history might imply a motive.
Orbot is a free proxy app that provides anonymity on the Internet for users of the Android and iOS operating systems. It allows traffic from apps such as web browsers, email clients, map programs, and others to be routed via the Tor network.[3]
Additionally, Orbot has "Kindness mode", which can make it act as a proxy server that others can use to circumvent censorship and access the Tor network. Specifically, it runs a Snowflake proxy on the user's device.[6][7]
In 2014 Orbot was discussed in detail in an article on "reporting securely from an Android device".[8] In January 2016, Lisa Vaas of NakedSecurity by Sophos described how to use Tor, including with Orbot on Android, to connect to Facebook.[9]
In July 2021, Tech Radar named Orbot one of 8 "Best privacy apps for Android in 2021" but warned of slower speeds.[10] In July 2021 Android Authority discussed Tor Browser and Orbot in brief reviews of "15 best Android browsers".[11]
In November 2021, John Leyden of The Daily Swig described collaboration between the Tor Project and the Guardian Project to develop Orbot for censorship circumvention for any application on a device, but warned Orbot does not remove identifying information from app traffic.[12] In July 2022, Laiba Mohsin of PhoneWorld.com described Orbot as a simple way to access the Dark Web on mobile.[13]
In October 2022, Damir Mujezinovic of MakeUseOf described Orbot as a "flagship" product for both iOS and Android to use the Tor network, and said it "will not make you completely anonymous, but it can certainly help bypass certain geographical restrictions."[14] In November 2022, Mujezinovic wrote a detailed guide to using Orbot on iOS or Android.[15]
My question now is: Is it safe to use Orbot on Android? What if I happen to use plain HTTP traffic, either by accident or if a website automatically side-loads elements via HTTP, over Orbot? If there is risk, are there mechanisms to make its usage more secure?
The most common exception would be for web browsers, but usually in that case your browser will have an HTTPS Only Mode you can enable, most do nowadays. Additionally, all modern browsers block mixed content automatically now, so if you are on an HTTPS page it should not be able to load any elements via HTTP.
You really need to investigate on a per-app basis whether cleartext traffic/plain HTTP is allowed or not. As a rule of thumb, only HTTPS traffic should be passed through Orbot. Thanks again for the hint on the Android API!
How might an app be verified to only use HTTPS?
You can inspect its AndroidManifest.xml for a flag called android:usesCleartextTraffic. If it exists and is set to "true", the app allows plain HTTP (not good). HTTP whitelisting can also be done via the alternative Network security config API, hence also look these entries up in the XML file. By using the above procedure, I indeed could verify my RSS reader app on F-Droid does permit plain HTTP.
I wish there existed a proxy app in Always-on VPN mode for Android which filtered non-HTTPS traffic and only passed HTTPS further through Orbot. This probably is way easier than checking each app - any hints on existing solutions appreciated.
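The manifest check described above can be scripted; the following is an added example, not part of the original posts. It assumes the APK has already been decoded to text XML (for instance with apktool), that the caller supplies the app's target SDK level, and that `cleartext_findings` and the sample documents are hypothetical names and constructed inputs.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

def cleartext_findings(manifest_xml, nsc_xml=None, target_sdk=28):
    """List the ways a decoded app config permits plain HTTP (empty list = none)."""
    default = target_sdk <= 27          # platform default: cleartext allowed up to API 27
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return ["manifest has no <application> element"]
    flag = app.get(ANDROID + "usesCleartextTraffic")
    nsc_ref = app.get(ANDROID + "networkSecurityConfig")
    if nsc_ref is None:
        allowed = default if flag is None else flag.lower() == "true"
        return ["HTTP permitted to any host (flag or platform default)"] if allowed else []
    if nsc_xml is None:
        return [f"manifest points to {nsc_ref}; supply that file to decide"]
    # On Android 7.0+ a Network security config, when present, overrides the flag.
    findings = []
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    base_val = None if base is None else base.get("cleartextTrafficPermitted")
    base_allowed = default if base_val is None else base_val.lower() == "true"
    if base_allowed:
        findings.append("base-config permits HTTP to any host")
    def walk(node, inherited):          # nested domain-config inherits from its parent
        for dc in node.findall("domain-config"):
            val = dc.get("cleartextTrafficPermitted")
            allowed = inherited if val is None else val.lower() == "true"
            if allowed and not inherited:
                hosts = [d.text.strip() for d in dc.findall("domain") if d.text]
                findings.append("HTTP permitted for: " + ", ".join(hosts))
            walk(dc, allowed)
    walk(root, base_allowed)
    return findings

# Constructed samples, not taken from any real app.
RSS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:usesCleartextTraffic="true"/></manifest>"""
NSC_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:networkSecurityConfig="@xml/nsc"/></manifest>"""
NSC_FILE = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">feeds.example.org</domain>
  </domain-config></network-security-config>"""

if __name__ == "__main__":
    print(cleartext_findings(RSS_MANIFEST))
    print(cleartext_findings(NSC_MANIFEST, NSC_FILE))
```

An empty result only means the declared policy forbids cleartext; apps that use their own network stack may not honour it, so the per-app caution above still applies.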
I noticed that when using Orbot's "VPN Mode" my normal Firefox browser works fine, and when I visit check.torproject.org it says I'm connected even though I'm not using the Tor Browser specifically. If I install the HTTPS Everywhere and NoScript extensions, are there any compromises to using Tor this way?
Tor is a group of volunteer-operated servers that allows you to connect for free and improve your privacy and security on the Internet. Individuals and organizations can also share information over the Tor network with ".onion hidden services" without compromising their privacy. Because Tor traffic is difficult to block and trace, Tor is an effective censorship circumvention tool.
Before connecting to Tor, please ensure you've read our overview on what Tor is and how to connect to it safely. We often recommend connecting to Tor through a trusted VPN provider, but you have to do so properly to avoid decreasing your anonymity.
There are a variety of ways to connect to the Tor network from your device, the most commonly used being the Tor Browser, a fork of Firefox designed for anonymous browsing for desktop computers and Android.
Some of these apps are better than others, and again making a determination comes down to your threat model. If you are a casual Tor user who is not worried about your ISP collecting evidence against you, using apps like Orbot or mobile browser apps to access the Tor network is probably fine. Increasing the number of people who use Tor on an everyday basis helps reduce the bad stigma of Tor, and lowers the quality of "lists of Tor users" that ISPs and governments may compile.