My doubts about Orbot

So when using Tor, logging into some personal account with real name is usually considered a useless move which it is, but then I don’t understand anything about how Orbot works.

WiFi traffic intercepted using a WiFi Pineapple lets an adversary see everything unencrypted, cookies that weren’t secured properly, etc. Wouldn’t the end node of Orbot hopping your phone traffic reveal everything as well, since the data from the exit node to the destination is unencrypted? And there’s no way everything you do on your phone is under an alias.

I just don’t understand Orbot. I don’t understand how it is a privacy tool.

So Orbot routes all of your device’s traffic through the Tor network, so your IP address is anonymous for all of your phone’s internet traffic (other fingerprinting features can still be used)

Your traffic is routed through 3 randomly selected nodes worldwide. Therefore, no single node knows who you are, and what you’re browsing, at the same time.

If your wifi traffic is intercepted locally, the attacker knows who you are, but doesn’t know what you’re browsing. If the exit node is compromised, it knows what you’re browsing, but it doesn’t know who you are (your real IP address).

1 Like

There are good tutorials online explaining what TOR is and how it works. I recommend watching them to avoid shooting yourself in the foot.

It really depends.
For example, I only log into this account from TOR. You will understand it once you understand how the whole thing works, don’t worry.

I wrote personal, as in something like your Instagram with your actual name. Since it’s very hard aliasing your entire phone traffic, won’t the exit node be able to know everything about you if you’re routing traffic through it? That was my doubt.

And I have watched multiple explanations where it’s clearly said the exit node’s connection to your destination is unencrypted.

Exactly my problem with Orbot! If I route my entire traffic through it without any alias, they might not have my real IP but the exit node still knows my identity right?
Aliasing your whole phone is just not possible completely, so why and how is Orbot a good privacy tool?

@ewEfA2jy @win
I edited my post to make my doubts with Orbot clear. It is much more clear now, solutions?

Well, first of all TOR provides anonymity.

If you have a bad actor inside your LAN I can assure you that TOR is the least important thing in that case.

All traffic inside of the TOR network is encrypted.

First of all, it’s a tor node. Not an Orbot node, Orbot is the name of the mobile app to access it.

And the traffic that goes from the exit node to the server is encrypted. (Obviously, as long as you use HTTPS, which you should be doing)

You must be aware of that. All of the anonymity that TOR provides is rendered useless if you end up being fingerprinted by another thing.

E.g.: the way you type, your timezone, crossing information, JS, etc…

I would advise against using The Tor Browser on Android. Use a whonix VM.
And regarding app traffic, well, routing things like Instagram is useless since they already know a looooot about you and can easily deanonymize you.

Although it can still be useful for bypassing firewalls and restrictions.

I’m not an expert and I could be wrong about what I’ve said. Also, sorry for the grammatical errors.

I saw multiple tutorials that said otherwise.

I don’t use it, it was merely an example. I am more worried about the traffic of all my secure apps being intercepted or traced back to me.

right.

ahh amateur mistake, sorry.

Right, a lot of what you said clarified some doubts, but I uninstalled it from my phone since it’s too confusing. The place I live in is planning laws to become more Orwellian so I was looking at other ways, but I gotta find something else.

If you’re connecting to a server via HTTPS all traffic is encrypted. Obviously if it’s not HTTPS it’s not encrypted. But it works the same way on the normal internet.

The best tool is the one that works for you. Hope your situation does not get too bad regarding privacy.

1 Like

The exit node knows what you’re browsing, but doesn’t know who you are. If you’re using HTTPS encryption on sites you visit, the exit node won’t be able to pick up on other fingerprinting measures used by the site you are visiting.

It is a good privacy tool because it hides your real IP address, and hides your browsing traffic from your ISP.
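A toy model of the three-hop path described in the replies above, added here as an example and not taken from any poster or from Tor/Orbot code: it records what the local WiFi observer and each relay can see, with and without HTTPS. The relay names, IP address, destination, keys and the SHA-256 XOR cipher are constructed stand-ins, not Tor's real cell format or cryptography.

```python
import hashlib

CLIENT_IP = "203.0.113.7"        # constructed (documentation address range)
DEST = "example.org"             # constructed destination
RELAYS = ["guard", "middle", "exit"]
KEYS = {r: hashlib.sha256(r.encode()).digest() for r in RELAYS}  # toy per-hop keys
TLS_KEY = b"client<->site session key"  # stands in for the HTTPS session

def toy_cipher(key, data):
    """SHA-256 keystream XOR: a stand-in for real encryption, illustration only."""
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def build_onion(dest, payload):
    """Wrap dest|payload in one layer per relay, innermost layer for the exit."""
    cell = dest.encode() + b"|" + payload
    for i in reversed(range(len(RELAYS))):
        cell = toy_cipher(KEYS[RELAYS[i]], cell)
        if i > 0:                       # tell the previous hop where to forward
            cell = RELAYS[i].encode() + b"|" + cell
    return cell

def observe(request, https):
    """Return what each party learns: (peer it sees, next hop, bytes it holds)."""
    payload = toy_cipher(TLS_KEY, request) if https else request
    cell = build_onion(DEST, payload)
    views = {"local wifi": (CLIENT_IP, RELAYS[0], cell)}
    prev = CLIENT_IP
    for relay in RELAYS:
        nxt, _, cell = toy_cipher(KEYS[relay], cell).partition(b"|")
        views[relay] = (prev, nxt.decode(), cell)
        prev = relay
    return views

def knows_who(view):
    return view[0] == CLIENT_IP        # sees the client's real address

def knows_what(view, request):
    return request in view[2]          # can read the request content

if __name__ == "__main__":
    req = b"GET /inbox?user=alice HTTP/1.1"   # constructed request
    for https in (False, True):
        print("HTTPS" if https else "plain HTTP")
        for name, view in observe(req, https).items():
            print(f"  {name:10} who={knows_who(view)} what={knows_what(view, req)} next={view[1]}")
```

In both runs the exit still learns the destination name; HTTPS only removes its view of the request content, which is where an account name or cookie would otherwise appear.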

Just to chime in, Orbot is a very interesting piece to the puzzle since it doesn’t generally have a huge use-case in many people’s threat models. It’s incredibly inconvenient of a tool to run system-wide, without properly being able to guarantee anonymity. So it ends up being just a trustless VPN. (Trustless as in there’s no central party for you to trust)

Because of this, I always go back to Orbot being a trusted, free ‘VPN’ that just swaps in as your VPN. This may be only worth considering for people who are very strapped for cash and can’t afford a quality VPN provider. That’s the only real use-case I come back to for the tool outside very specific situations - like maybe a certain browser you use communicates with Orbot and allows you to onion-route that browser’s traffic via Tor. Even then though, there’s now an official Tor Browser for Android, so :person_shrugging:

1 Like

Incidentally, Orbot lead developer Nathan Freitas spoke at yesterday’s State of the Onion livestream. His remarks may be of interest to readers of this thread: State of the Onion 2022 | Tor Community - YouTube

2 Likes

I did some testing a week or so ago, using Orbot and visiting https://check.torproject.org

1 Like

Using Orbot on CalyxOS, Android 13:

Orbot on with VPN mode off, checking the above TOR website, I am not using TOR.

Orbot on with VPN mode on, I am using TOR.

Orbot on with Proton VPN on or off, I am not using TOR.

So, going off this one test, with Orbot on but without VPN mode on, this website tells me I am not using TOR. Or am I just using a known TOR exit node?