Depends on your goals and your threat model. Tails is kinda 80% "I think a TLA will kick down my door or take my computer at the border physically" or you want to use untrusted hardware and 20% "I want to avoid online tracking". If you're worried about online tracking only it might not be the place to start out.
this post was submitted on 07 Dec 2025
43 points (97.8% liked)
Ask Lemmy
35971 readers
1758 users here now
A Fediverse community for open-ended, thought provoking questions
Rules: (interactive)
1) Be nice and; have fun
Doxxing, trolling, sealioning, racism, and toxicity are not welcomed in AskLemmy. Remember what your mother said: if you can't say something nice, don't say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them
2) All posts must end with a '?'
This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?
3) No spam
Please do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.
4) NSFW is okay, within reason
Just remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either !asklemmyafterdark@lemmy.world or !asklemmynsfw@lemmynsfw.com.
NSFW comments should be restricted to posts tagged [NSFW].
5) This is not a support community.
It is not a place for 'how do I?', type questions.
If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email info@lemmy.world. For other questions check our partnered communities list, or use the search function.
6) No US Politics.
Please don't post about current US Politics. If you need to do this, try !politicaldiscussion@lemmy.world or !askusa@discuss.online
Reminder: The terms of service apply here too.
Partnered Communities:
Logo design credit goes to: tubbadu
founded 2 years ago
MODERATORS
If you use it correctly, it's just about as private as you can get.
There are limits to keep in mind. The internet itself is an American military technology (as is TOR). So if you're hiding something more delicate than porn history I would get educated.
Yeah, but it's open source, so so what? When people say this it seems like either cope to justify doing nothing, or some kind of ritual purity thing.
I'm reminded of the backdoor the NSA placed in OpenSSL.
I love open source everything, but open source doesn't just automatically mean "safer".
But most people who looked at the NSA's backdoored encryption noticed it was sus and didn't use it (as I remember it, that was a decade ago). Per your link, at the time of publishing it was unclear if anyone was using the effected version.
Okay, sure. Open source doesn't mean completely safe, but if it's a well-known package it does mean much, much safer. Public public affiliations don't even say much about who authored whatever thing; here's a another near-miss that illustrates that - which is why this can feel more like ritual purity than an actual security argument.
So what should OP use?
The algorithm has been included in the code libraries and software of major vendors and industry bodies, including Microsoft, Cisco Systems, RSA, Juniper, RIM for Blackberry, OpenSSL, McAfee, Samsung, Symantec, and Thales, according to Nist documentation, external.
Whether the software of these organisations was secure depended on how the algorithm had been used, Cambridge University cryptographic expert Richard Clayton told the BBC.
I wouldn't say it didn't affect anyone. And the thing about stuff like this is that this is just what has been found there likely exist many other things like this that won't be found for a long time if it all.
OP should still use open source, to be clear I never said they shouldn't.
But your comment implied that because it is open source it automatically means that it is safe and trustworthy and that isn't true.
Obviously your security is much better on widely used open source software and programs than on proprietary stuff that isn't widely audited but it doesn't guarantee your safety and that's all I was pointing out.
Also to add to this, since the discussion is about TOR I think this line of conversation is even more warranted and not just some "ritualistic" thing like your edit on that original comment says. TOR is 80% funded directly by the State department.
Now, yes many talented software people are out there but the governments of the world have some of the best and it would be in all of their best interests not to disclose a vulnerability in something they could use against someone. You're either the USAs ally or someone that is against it, either of those options would make you not disclosing a vulnerability in your best interests.
So to automatically assume that software from a government that historically is against human and privacy rights is safe simply because it is open source is disingenuous.
That said, I still recommend TOR and I like it a lot. But I do not recommend trusting something simply because it is open source. Since this user wanted an in depth conversation on the topic I don't feel like its "ritualistic purity" to disclose all that I said above.
It isn't bad to be suspicious. If no one was, then open source wouldn't even matter because no one would be wary enough to check.
Post the next paragraph too.
Moreover, the algorithm had been shown to be insecure in 2007 by Microsoft cryptographers Niels Ferguson and Dan Shumow, added Mr Clayton.
"Because the vulnerability was found some time ago, I'm not sure if anybody is using it," he said.
But your comment implied that because it is open source it automatically means that it is safe and trustworthy and that isn’t true.
Well, your comment implied that OP shouldn't trust Tor. OP should trust Tor at least as much as they trust their own device, which almost certainly has closed-source components I'd rather target if I was the NSA. (Or the Chinese, or...)
Since this user wanted an in depth conversation on the topic I don’t feel like its “ritualistic purity” to disclose all that I said above.
Except in-depth isn't what was offered. This reply appears all the time in regards to Tor, and it never comes with alternative suggestions. So yeah, I suspect something irrational is motivating it.
That excerpt still says it was deployed to all the businesses listed above it, though. So yes it was being used however those businesses used it.
And yes closed source components are inescapable (and also a potential threat) unless you use something that is GNU certified and I don't even think a lot of them can even run the current version of Tails but I havent researched it in awhile. Maybe could run Tor browser though but if my memory serves correctly even stuff that is GNU certified has some proprietary hardware in it.
But no, the irrationality here would be saying "because something is open source you should trust it automatically and ask no questions about it" which of course isn't what you said but you implied that because something is open source its automatically to be trusted. And that's not true.
I never said not to use TOR or implied that, I said (and you can look back at my comments and see) that just because something is open source doesn't automatically mean it is safe and trustworthy. And I don't think its irrational to say that.
This was all in response to someone pointing out that depending on what the person is using TOR for they should do more research about it and educate themselves on security of using it which is true.
Never just see open source and assume complete safety or trustworthiness. Which is something people who have never used TOR do all the time and why you see the points I made being brought up around the conversation constantly.
Open source doesn't guarantee complete safety, you should still take other steps in addition to using open source to better enhance your privacy and security. TOR is great and I think OP and others interested should use it, but you should never blindly trust something just because it is open source and used a lot. Vulnerabilities can happen all the time, if they didn't Tails wouldn't ever need updated at all.
Alternatives (that I wouldn't really recommend) do exist and since you mentioned how none were mentioned the two that come to mind first is i2p and Whonix although Whonix uses Tor routing but is an alternative to Tails I guess. Still wouldn't recommend them over Tails though.
That excerpt still says it was deployed to all the businesses listed above it, though. So yes it was being used however those businesses used it.
It was in the OpenSSL (for example) as an option you could manually enable. Who knows if anyone actually did, given that everyone who knew enough to specifically ask also heard it was suspicious.
Very anonymous, it routes all traffic though the tor network and blocks all direct connections except for the unsafe browser.
Of course tor cannot protect you from bad opsec, the user installing malware on it or a powerful enough opponent that can analyse both entry and exit nodes (or just owns 0 day exploits). But for most common people it's pretty damn anonymous I would say.
can analyse both entry and exit nodes
has this ever been demonstrated in practice?
IIRC only for a tiny, non-selective subset of users unlucky enough to pick your two bad nodes. Otherwise Tor would basically be dead.
There's only been like 3 times mainly that have been found out about publicly at least
OnionDuke Malware (2014)
Operation Onymous (2014)
Tor Exit Node Malware Campaign (2020)
So it can happen but doesn't happen often and the people who pull it off usually have virtually unlimited funding to do it. For the common person its still safer than rawdogging the internet
I mean, it's not that expensive to start an exit node, and requires "only" knowhow to mess with someone's unencrypted browsing, which is what the first and third did. I can't remember now if Onymous actually managed to break Tor anonymity - I'm pretty sure good-old-fashioned stings turned out to be a big part of it.
IIRC the two-node timing attack I was thinking of was an academic demonstration. Because it's too non-specific to be very useful.
If you use it as non-persistence thumb drive, it's pretty good. There are still ways you can start to fingerprint it's use but in general as long as you do everything right it's solid.
Could the same be achieved by running it in a VM?
Yes and no.
It's point is to limit identifiable information for any operations done on the os. Using it within a VM only sets it within a box, any use of the OS to connect to the outside world, or create some file with longer term persistence will finger print you as that main OS is the pass-through between the VM and the outside world.
Giving an example of how I might use it would help:
If I'm speaking with an international activist, early career reporter, or high-risk private sector worker, I have a custom tails that I can flash and offer them to use.
For a private sector worker it has a doc on some basic information on requesting whistle-blower protection from a given government, agency contact points, etc.
For a reporter or activist it might have a doc on how to ensure they have a social safety net for informing others of their movements, basic tools for performing field work if local computers might be being monitored, and of course how to connect to the internet in areas where traffic monitoring is routine.
I can have that information persistent on the drive only useful for reference, while the rest of the OS can be used as intended without being easily fingerprinted as intended, but only if that drive is the ONLY thing that's acting as any form of operation on a computer. If it's on a VM, installed onto an onboard drive, it looses some of it's ability to act as a real tool.
So the risk is more about what breadcrumbs I leave on the host OS?
It's more the inverse, the host OS running a VM will fingerprint any information you are sending out.
If your plan is to just run it offline through a VM, then it's unlikely to leave much persistent information.
Tails is meant as a secure non-persistent tool for communication at it's base, and that's what it is best for. I might recommend looking at running a properly containerized environment on your VM for getting similar effects if you're working on software and OS testing, it's how I go. Think rolling vs production environments.
Got it, thanks!
I'm not sure how anonymous it is, but it's really handy for seeing the last n lines of a file.
Tor isn't on postquantum encryption yet, which is less than great.
Besides that, about as good as it gets, and at the cost of being less usable.
Only if you learn how to use it correctly
Follow-up question: is the use case for Tails still relevant? The main premise is that public computers might be bugged, and so you can plug this in and be less worried about it. However, public computers aren't really a thing anymore, and the ones that are left might have secure boot or other BIOS security that might prevent booting from USB.
Also, I am puzzled as to why they picked GNOME, which is a resource hogger. Don't these public computers have little RAM? I'd assume that 4 GB is already generous.
Was XFCE a thing when the project started?
If you don't trust your own hardware or are worried about a session being compromised it also offers some protection - especially if you have a physical read-only switch on your media.
Thought XFCE has been a thing for a long time. Even if it wasn't, neither was resource hogging sugar coated unconfigurable GNOME as we know today.
Hmm, no, you're right. XFCE had it's first release in 1997 vs. 1999 for GNOME. I guess I just didn't hear about it until GNOME started having controversy.
neither was resource hogging sugar coated unconfigurable GNOME as we know today.
Yeah, that might be the real thing. Tails had it's first release in 2009, and it's possible they just haven't moved over yet.