My thoughts on Tor appliances

Anonabox is not a magic bullet!

Yesterday, a lot of mainstream media (e.g., WIRED) started reporting about anonabox, an "an open source embedded networking device designed specifically to run Tor.", to quote their Kickstarter campaign.

For those of you who don't know what Tor is: It's a network run by volunteers that anonymizes your internet traffic. With everyone in the network using someone else's address from time to time, it is becoming harder for an observer (e.g. the websites you browse) to find out who is who.

Advertisements & Social Media kill Anonymity

This, of course only works until you go to a website like Facebook where you basically have to prove that you are you - because you have to login. But I don't want to talk about the behavioral constraints you have to consider when using Tor - their official FAQ as well as many other documents have already addressed this. What I want to talk about is Anonabox: I greatly support the idea of supporting the Tor network and adding as many nodes as possible. I agree that this is a great device to make this easier and hope that it will strengthen the Tor network in terms of bandwidth and diversity. I am quite sure that greater uptake will also help fixing some of the usability problems that come with browsing through Tor: A lot of websites block or discriminate against Tor users by disallowing them to register or post content - mostly because they are scared of abuse. Even though a non-anonymized stranger might possibly do as much damage as a Tor user. More Tor users is good! We also need Tor traffic which does recreational browsing (e.g., looking at animated gifs).

What Anonabox can not do

OK, now that I have gotten this disclaimer out, here's what I do want to emphasize most: Anonabox1 is not going to change your browsing behavior. You have to remember that whenever you login with something, it is capable of tracking you along the web. This applies mostly to Social Networks which have wide-spread "share this" buttons (e.g., Twitter, Facebook), but may also apply to Advertising Networks as they also have a great visibility into the list of websites you visit, which gives them a lot of information about yourself.

But what's worse, is that your browser is a highly functional, application platform for running whatever code a websites offers you. This code is heavily restricted from accessing your machine2, but that still gives the website a great deal of control over your browsing context. And the context is enough to generate a fingerprint of your device that allows a marginally skilled techie to recognize you whenever you come back.

Anonabox1 is incapable of modifying your browser or its functionality. It also can and should not look into your web traffic to prevent those bad things. Good internet traffic is encrypted traffic and when nobody should be able to look inside, this includes anonabox.

Do not rely on a false sense of Anonymity

If you have to rely on being anonymous, you can not rely on anonabox alone. If you care about anonymity, you must use a browser that has been patched and tamed towards privacy, not functionality. Read the Tor Warnings and use the Tor Browser. This is the best way to stay anonymous with Tor.


  1. This applies to all future and previous incarnation of Tor appliances. But if you like to tinker (and safe some money), you could run the free PORTAL software on that Raspberry Pi which is lying on your desk and waiting for a meaningful use case. 

  2. Well, a lot of browser exploits have proven this wrong. But let's not get into this for now. 

Please contact me or comment on Mastodon or Twitter. If you find something you wish to change, you may also submit a pull request.

All posts

  1. Origins, Sites and other Terminologies (Sat 14 January 2023)
  2. Finding and Fixing DOM-based XSS with Static Analysis (Mon 02 January 2023)
  3. DOM Clobbering (Mon 12 December 2022)
  4. Neue Methoden für Cross-Origin Isolation: Resource, Opener & Embedding Policies mit COOP, COEP, CORP und CORB (Thu 10 November 2022)
  5. Reference Sheet for Principals in Mozilla Code (Mon 03 August 2020)
  6. Hardening Firefox against Injection Attacks – The Technical Details (Tue 07 July 2020)
  7. Understanding Web Security Checks in Firefox (Part 1) (Wed 10 June 2020)
  8. Help Test Firefox's built-in HTML Sanitizer to protect against UXSS bugs (Fri 06 December 2019)
  9. Remote Code Execution in Firefox beyond memory corruptions (Sun 29 September 2019)
  10. XSS in The Digital #ClimateStrike Widget (Mon 23 September 2019)
  11. Chrome switching the XSSAuditor to filter mode re-enables old attack (Fri 10 May 2019)
  12. Challenge Write-up: Subresource Integrity in Service Workers (Sat 25 March 2017)
  13. Finding the SqueezeBox Radio Default SSH Passwort (Fri 02 September 2016)
  14. New CSP directive to make Subresource Integrity mandatory (`require-sri-for`) (Thu 02 June 2016)
  15. Firefox OS apps and beyond (Tue 12 April 2016)
  16. Teacher's Pinboard Write-up (Wed 02 December 2015)
  17. A CDN that can not XSS you: Using Subresource Integrity (Sun 19 July 2015)
  18. The Twitter Gazebo (Sat 18 July 2015)
  19. German Firefox 1.0 ad (OCR) (Sun 09 November 2014)
  20. My thoughts on Tor appliances (Tue 14 October 2014)
  21. Subresource Integrity (Sun 05 October 2014)
  22. Revoke App Permissions on Firefox OS (Sun 24 August 2014)
  23. (Self) XSS at Mozilla's internal Phonebook (Fri 23 May 2014)
  24. Tales of Python's Encoding (Mon 17 March 2014)
  25. On the X-Frame-Options Security Header (Thu 12 December 2013)
  26. html2dom (Tue 24 September 2013)
  27. Security Review: HTML sanitizer in Thunderbird (Mon 22 July 2013)
  28. Week 29 2013 (Sun 21 July 2013)
  29. The First Post (Tue 16 July 2013)