# Polipo/TOR speed and testing

## audiodef

I've been using Polipo piped through TOR on my localhost, with Firefox set to use Polipo as a proxy. 

1. Is browsing always going to be slower this way? Can I speed it up?

2. How can I test the privacy of my browsing?

----------

## avx

 *Quote:*   

> 1. Is browsing always going to be slower this way? Can I speed it up?

 Yes. Depending on your config and your paranoia, routing through Tor means at least (IIRC) 3 hops more to reach the target than a direct connection(direct meaning without Tor). Depending on where the exit node for a connection is and how it is connected, the slowdown is significant.

There are some tweaks, ie. having a local DNS-resolver, so that this traffic is faster, setting up Tor only for sites/ressources really 'needing' them, etc.

As long as there are way to few exit nodes with good connections, there's not much you can do about it.

For 2, just google, there are a lot of pages out there telling you something about your connection. But always remember, that certain things can reveal your real identity(Java and Flash for example).

----------

## Marlo

1) Here ar nice Tips to tuning  Vidalia, Tor, Polipo and Firefox.

http://www.nsaneforums.com/topic/42042-tor-vidalia-bundle-tips-and-tricks/

 2) switch on tor and go to->  https://check.torproject.org/

----------

## audiodef

Thanks, guys. After reading your advice and the links, things seem to be running tolerably well with privoxy->polipo->tor. 

I think that's the order I've chained them in - is that the best chain?

----------

## avx

Depends. What exactly are you using privoxy for? If it's only for basic filtering, remember that polipo can do basic things in this regard, too.

One word of advice, maybe you didn't know it, yet, so just to be sure: Tor doesn't encrypt, so it's more than possible, that an exit node with malicious intentions can gather private data of yours, if you're not using end-to-end encryption, so you should be sure to force (ie.) SSL on things like webmail, online-shopping, etc.

Depending on what you are planning to achieve - if you want, elaborate - there may be some other solutions, which are faster and equally safe.

----------

## audiodef

I always use SSL for mail and transactions (buying stuff, and I limit that to only when I can't pay cash in person). All I really want is as much anonymity as possible from "traffic analysis". I just want to visit whatever site and not have them say "AAAHHH! You're IP 12345 using browser X and reading the thread about how to bake a chocolate cake!". 

Using polipo and tor, I've visited at least one site that could still read my originating IP (I have friends there who told me privacy ain't workin'). How do I force encryption? What would some other solutions be?

----------

## avx

There are a few ways, you can be tracked while using Tor, as I mentioned Flash/Java before. I'm not certain about JS, but I guess that's possible, too. Not to mention things like reading out your history via CSS and other tricks.

As for useragents and language-ids, you could fake them via privoxy (look for 'hide-accept-language' & 'hide-user-agent') to be somewhat generic, ie. Windows XP, IE7, en_US or something like that. But that may give not-used-to behaviour for some sites using the ua to present the contents in certain ways. Don't know if it's possible (guess so, but don't know how) to spoof other identifying things like resolution/fonts installed/...

Total and untraceable anonymity is very hard to achieve, if possible at all and even if it gets achieved, it will hit your browsing experience in speed and functionality, while some sites won't even let you connect when you visit via Tor.

Forcing encryption is only possible, if the site on the other end allows it, but doesn't use it by default. So you could setup rewrite-rules in privoxy or use extensions like SSL-Everywhere (IIRC it's called something like that). But that's still not 100% save, if the page in questions loads stuff (images) via normal http into the https-site.

Basically, using a textbrowser which doesn't handle all the stuff mentioned above would be a good start, if you could live with that. If that isn't good enough, you'd need to turn off anything in your normal browser.

----------

## audiodef

Thanks, avx. I appreciate your advice.   :Cool: 

Btw, I've tried this in tor, but I get an error:

```

ExitNodes {US,UK}

StrictExitNodes 1

```

Error:

```

Feb 17 08:38:49.862 [warn] Skipping obsolete configuration option 'Group'

Feb 17 08:38:49.862 [warn] Entry '{US' in ExitNodes is misformed.

Feb 17 08:38:49.862 [warn] Entry 'UK}' in ExitNodes is misformed.

Feb 17 08:38:49.862 [warn] Failed to parse/validate config: Invalid exit list '{US,UK}' for option 'ExitNodes'

```

----------

## avx

IIRC, the correct format would be '{UK},{US}'.

Edit, be aware though, that using such limitations can be risky, as a lot of countries (including for example China, US, Cuba and some others) have set up exit nodes under government control and using the country limitation adds to the chances to come out on a bad exit node. I'd do some online research on that and check which countries are known to have many nodes under their control. IIRC western europe (Fr,De,Esp,It) used to be quite safe - don't know if that has changed in the mean time, though.

----------

