Hottest take of the week right there.
Why do they seem to imply that Tor was somehow created explicitly with this purpose in mind? That's like saying only criminals use the Internet, just because it can be used to commit crimes.
I think they are taking Tor's words and applying them to a much broader scope than they originally intended.
> Tor Browser prevents someone watching your connection from knowing what websites you visit.
If someone is watching only your connection as it exits your local ISP and nothing else, then yes, this is in fact true. It's just not articulated that plainly.
But if the author actually went as far as they are trying to, they might as well tell people to just give up because there's a chance your attacker already controls the destination server you're talking to in the first place.
If you're going to the trouble of trying to calculate the chances that nodes in the middle are compromised, why not include the destination itself too?
> The small set of people that centrally control Tor software and centrally manage the Tor network have the power to act to stop this abuse without lessening their (weak) protections.
Source: trust me bro
> The world's standards for encrypting data are so secure that no one has enough money or time to brute force their way into properly encrypted data, not even governments. They are better off waiting for a scientific breakthrough that may never come.
This completely disregards the possibility that any one of a number of root CAs aren't already compromised or cannot be coerced by your attacker.
If you're going to claim Tor is insecure, you might as well go all the way and say it's pointless to use anything at all, ever.
CSAM is still distributed on the clearnet too... why isn't there a "solution" for that too?
So far the only solution people seem to have come up with is mass surveillance, and that's not an option.
Did you know that the Tor Project allows exit nodes to filter based on the clear internet IP? So filtering is OK.
However, if a relay refuses to service an onion site directory lookup, it will be banned by the Directory Authority. They could allow this today. But they don’t. That’s the simple solution. No surveillance. No back door. No less privacy for everyone else.
edit: This is easy to confirm. I’m not asking anyone to trust me.
> For the Tor network, Onion Services can alleviate the load on exit nodes, since its connections don't need to reach the exits.
Also:
> Directory Authority.
"These authorities are operated by trusted organizations or individuals with a strong commitment to the principles of privacy, security, and network neutrality."
Emphasis on neutrality... it's not the job of network operators to police the sites people can and can't access, this is exactly why many people use Tor in the first place.
> They could allow this today. But they don’t.
Speaking for onion services... no, they cannot, because the entire design of the Tor network prevents this in the first place. No relay in the circuit knows the final destination because it is encrypted multiple times (like an onion) and each hop can only see where it needs to go next, not what the destination is.
Because the network was explicitly designed to not allow this... otherwise it becomes subject to censorship, which is one of the main goals they try to prevent.
The (onion) address itself is never transmitted in plaintext through the Tor network... when you access an onion site, your Tor client encrypts the traffic multiple times, literally like an onion. No relay in the circuit knows the final destination.
But the calculator states that if the investigating party has $150,000 a month budget for all targets they have a 100% certainty of getting your IP address... obviously this is false, so what else has the author claimed that is also not true?
The formula is wrong and it all falls apart.
BUT the author asked a different (but valid) question: assuming the adversary controls x out of N existing nodes, what is the success rate? I am unclear: is the assertion that everyone’s relay is honest today? From a privacy standpoint, that’s not a great assumption.
Lol, are we using the regular internet as an example of preventing all CSAM?
We've known for years that owning enough nodes results in the compromise of privacy and that it's likely the NSA has achieved this. Although there is some question around how that plays out if adversaries like China are also competing for similar node share percentage.
https://99firms.com/research/tor-stats
Says there seem to be about 65k onion sites.
This site:
https://protectchildren.ca/en/press-and-media/blog/2025/tor-...
Has some varying numbers depending on the observation time, but in the final month listed saw 30k sites that they had identified as having CSAM.
I’m not sure how accurate either number is or if they are directly comparable but that would be a 50% of all onion sites ballpark.
Not sure how to measure general sites vs dedicated abuse sites.
It's definitely better than regular browsing for security, but it's not perfect.
That the author has received funding from the DOJ makes me wonder what their proposed solution is.
I see in the comments that the author is an academic; my cursory look at the site makes me disappointed to see such weak rigor applied here. This looks like a hit piece dressed up to sound scary. Not going to waste my time further on its claims when on the surface it's given me this impression. Strikes me as yelling and not listening type of personality.
emeryberger•1h ago