Open Source Anonymity Networks
Individuals and organizations have pulled resources together to form reliable anonymity networks. It is important that both client and server software are open source. Otherwise, without public scrutiny, it's hard to prove that a network is indeed anonymous, rather than a spy center. There is no guarantee that the server software is not compromised, but at least the client software is not spyware.
Externally, an anonymity network is just an encrypted proxy. The plurality of server nodes provides reliability, capacity, and anonymity.
The Onion Router is a P2P proxy network where a client can also be a relay server. The use of dynamic, random, independently encrypted paths, and the lack of logs make the traffic through the network hard to trace.
TOR has been perceived as slow, and it's popularity limited. But in fact, TOR has been designed to have a practical speed as compared to other more fail safe systems such as I2P and Freenet. Indeed the limiting factor in the TOR network is the availability of an entry node for the end user. The game changer is the availability of low cost (or free) virtual host in the cloud. If users bring on their own private bridge, the TOR speed is comparable to the faster anonymity systems. They are anonymity issues with your own TOR node in the cloud. There are many considerations, but you can always open it up for deniability.
With your private TOR bridge, the typical speed of TOR is 300 Kb/s (if you have a broad band connection). This is already at the low end of DSL modems, a lot faster than 54 Kb/s dial-ups.
For new users, it's almost fool proof to download and install the portable bundle, which includes a pre-configured Firefox browser and filtering software. There are no settings and no other software to run. Experienced users can install the separate TOR bundle, allowing them to use the most update browser version.
Perhaps the biggest weakness of TOR is it's popularity. TOR supports all protocols that use socks, or can be adapted to use socks. It is slow and even unusable for web surfing at some time of the day.
TOR is highly anonymous when the number of nodes is large. However, anyone can join TOR as a server node (relay). The same as any proxy servers, the exit nodes can see unencrypted web and email contents. In the case of TOR, an exit node can claim to have a high capacity to attract users, making it easier to spy on large numbers of users. Similarly, an entry node captures users with known IPs, vulnerable for traffic analysis, though the destinations of the user traffic are encrypted.
Some of the TOR attacks can be eliminated by proxy chaining, for example, running TOR on top of a VPN, and using an encrypted web proxy as the final stage. In this case, no node in the TOR network knows the user IP, destination, or web content. However, each additional stage has it's own vulnerability, which doesn't necessarily make the whole chain more secure.
TOR cannot bypass censorship because it's entry and exit nodes are publicly known, but the blocking of all the IP's is a huge task. Even if all the TOR relays are blocked, there are non-published relays that act as bridges into the TOR network. Relay owners can send their bridge address directly to users, who can also request directly from the TOR authority. The use of VPNs (to get into TOR) and encrypted web proxies (to get to sites that banned TOR) circumvents the problem, but only temporarily, because these servers will also be banned once becoming popular and visible.
Traffic analysis may be obscured by running a relay on your computer. Even if your adversary observes your traffic at your ISP and at our destination websites, the presence of other user traffic at about the same time may reduce the certainty of the timing correlations. On the other hand, you may invite suspicions for activities that you are not involved, and even receive complains if you participate as an exit node. However, the Electronic Frontier Foundation is willing to represent you, or find legal help in your country. So far, no relay owners have run into trouble with the law.
JonDonym provides a pool of proxy chains to choose from, each consisting of at most three stages called mixes, ideally operated by three independent organizations. While the integrity of TOR relies on large numbers and randomness, JonDonym relies on regular inspection and certification of known operators.
To use the JonDonym network, a user needs to install the proxy client called Jondo, and Java, in which the client is written. There is also a portable bundle that includes a reconfigured Firefox variant, the Jondo client, and optionally Java. JonDonym only supports http/https traffic. Typically it is more responsive than TOR.
The first mix in the chain knows the IP of the user, the last mix knows only the destination and unencrypted web traffic, while the middle mix has no information of either. Since most mix operators are based in Germany, under German data retention laws, users can in theory be identified under court orders.
All paid services provide 3-stage mixes, mostly located in different countries. Less secure, but free public services only have two-stages. The experimental service has the two stages running back to back in a university environment, essentially providing a simple proxy server, though a lot more reliable and available.
Again, to mitigate the German data retention laws and other attacks, a VPN and an encrypted web proxy outside of Germany can be added as the first and final stage respectively.
A Jondo user can help other users to circumvent censorship by being a proxy into the otherwise banned JonDonym network. Like TOR, the privacy of these forwarders need to be considered. Also, the easier Jondo users can find these forwarders, the easier are the censors to block.
The relatively fewer number of chains makes JonDonym more susceptible to traffic analysis. For some of the paid services, the number of users for each chain is typically under 100. By observing the traffic into and out of JonDonym with public IP addresses, it is not difficult to narrow down or find out who visited which website. JonDonym computes an anonymity indicator taking into account many factors, including the number of users in the chain. In these cases, we are talking very powerful censors targeting individuals.