privacyguides/privacyguides.org
1
0
Fork 0
mirror of https://github.com/privacyguides/privacyguides.org.git synced 2025-07-31 15:51:08 +00:00
Code Issues Activity

New Crowdin Translations (#2110)

Browse Source 
Co-authored-by: Crowdin Bot <support+bot@crowdin.com>
This commit is contained in:
Privacy Guides [bot]
2023-04-04 21:38:20 -05:00
committed by GitHub
parent 6582156917
commit 4847c25066
624 changed files with 36410 additions and 5747 deletions
Download Patch File Download Diff File Expand all files Collapse all files

126
i18n/zh-Hant/advanced/communication-network-types.md
View File

@@ -1,103 +1,103 @@
---
title: "Types of Communication Networks"
title: "通訊網路的類型"
icon: 'material/transit-connection-variant'
description: An overview of several network architectures commonly used by instant messaging applications.
description: 簡介常見的即時通訊應用程式網路架構。
---
There are several network architectures commonly used to relay messages between people. These networks can provide different privacy guarantees, which is why it's worth considering your [threat model](../basics/threat-modeling.md) when deciding which app to use.
有幾種網絡架構常運用於在人與人之間傳遞消息。 這些網路提供不同的隱私保證,這就是為什麼在決定使用哪個應用程式時,最好能考慮您的[威脅模型](../basics/threat-modeling.md)
[Recommended Instant Messengers](../real-time-communication.md ""){.md-button}
[推薦的即時通訊工具](../real-time-communication.md ""){.md-button}
## Centralized Networks
## 集中式網絡
![Centralized networks diagram](../assets/img/layout/network-centralized.svg){ align=left }
![集中網絡圖](../assets/img/layout/network-centralized.svg){ align=left }
Centralized messengers are those where all participants are on the same server or network of servers controlled by the same organization.
集中式信使是指所有參與者都在同一伺服器或同一組織所控制的伺服器網絡。
Some self-hosted messengers allow you to set up your own server. Self-hosting can provide additional privacy guarantees, such as no usage logs or limited access to metadata (data about who is talking to whom). Self-hosted centralized messengers are isolated and everyone must be on the same server to communicate.
有些自託管信使允許設置自己的伺服器。 自託管可以提供額外的隱私保證,例如不用記錄或限制讀取元數據(關於誰與誰交談的資料)。 自託管的集中式信使是隔離的,每個人都必須在同一個伺服器上進行通信。
**Advantages:**
**優點**
- New features and changes can be implemented more quickly.
- Easier to get started with and to find contacts.
- Most mature and stable features ecosystems, as they are easier to program in a centralized software.
- Privacy issues may be reduced when you trust a server that you're self-hosting.
- 新功能和變更可以更快地實施。
- 更容易使用和查找聯系人。
- 近乎成熟和穩定的生態系統,因為集中式軟件更容易編程。
- 當您信任自我託管的伺服器時,隱私問題可能會減少。
**Disadvantages:**
**缺點**
- Can include [restricted control or access](https://drewdevault.com/2018/08/08/Signal.html). This can include things like:
- Being [forbidden from connecting third-party clients](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165) to the centralized network that might provide for greater customization or a better experience. Often defined in Terms and Conditions of usage.
- Poor or no documentation for third-party developers.
- The [ownership](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/), privacy policy, and operations of the service can change easily when a single entity controls it, potentially compromising the service later on.
- Self-hosting requires effort and knowledge of how to set up a service.
- [限制控制或存取](https://drewdevault.com/2018/08/08/Signal.html)。 可能包括以下內容:
- 集中型網路 [禁封了](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165)可以提供更靈活自定與更佳使用體驗的第三方客戶端。 通常定義在使用條款和條件。
- 對於第三方開發人員來說,文件記錄很糟。
- 由單一實體控制服務時,其 [所有權](https://web.archive.org/web/20210729191953/https://blog.privacytools.io/delisting-wire/)、隱私政策和服務操作可輕易改變,甚致危及服務。
- 自我託管需要精力和設置服務的知識。
## Federated Networks
## 聯邦式網絡
![Federated networks diagram](../assets/img/layout/network-decentralized.svg){ align=left }
![聯邦式網絡圖](../assets/img/layout/network-decentralized.svg){ align=left }
Federated messengers use multiple, independent, decentralized servers that are able to talk to each other (email is one example of a federated service). Federation allows system administrators to control their own server and still be a part of the larger communications network.
聯合信使使用多個獨立的分散式伺服器,這些伺服器能夠彼此通訊(電子郵件是聯合服務的一個例子)。 聯邦讓系統管理員控制自己的伺服器,成為更大通訊網絡中的一員。
When self-hosted, members of a federated server can discover and communicate with members of other servers, although some servers may choose to remain private by being non-federated (e.g., work team server).
當自行託管時,聯邦伺服器的成員可以發現並與其他伺服器的成員進行通信,而有些伺服器可能會選擇保持私密而不加入聯邦(例如工作團隊伺服器)。
**Advantages:**
**優點**
- Allows for greater control over your own data when running your own server.
- Allows you to choose whom to trust your data with by choosing between multiple "public" servers.
- Often allows for third-party clients which can provide a more native, customized, or accessible experience.
- Server software can be verified that it matches public source code, assuming you have access to the server or you trust the person who does (e.g., a family member).
- 運行自己的伺服器可以更加控制自己的資料。
- 可從多個“公共”伺服器之中選擇信任的資料託付者。
- 可讓第三方客戶端提供更原生、定制或親和的體驗。
- 假設您有存取伺服器的權限或信任有此權限的人(例如,家庭成員),可以驗證伺服器軟體是否與公開原始碼相符。
**Disadvantages:**
**缺點**
- Adding new features is more complex because these features need to be standardized and tested to ensure they work with all servers on the network.
- Due to the previous point, features can be lacking, or incomplete or working in unexpected ways compared to centralized platforms, such as message relay when offline or message deletion.
- Some metadata may be available (e.g., information like "who is talking to whom," but not actual message content if E2EE is used).
- Federated servers generally require trusting your server's administrator. They may be a hobbyist or otherwise not a "security professional," and may not serve standard documents like a privacy policy or terms of service detailing how your data is used.
- Server administrators sometimes choose to block other servers, which are a source of unmoderated abuse or break general rules of accepted behavior. This will hinder your ability to communicate with members of those servers.
- 添加新功能較複雜,因為這些功能需要標準化和測試,以確保可與網絡上的所有伺服器配合使用。
- 根據前一點,與集中式平臺相比,聯邦式網絡欠缺完整功能或容易出現意外,例如離線時的訊息中繼或訊息刪除。
- 可能會產生某些元數據(例如使用 E2EE 時, “誰在與誰交談”但不知其實際內容的資料)。
- 聯邦式伺服器通常需要信任伺服器管理員。 他們可能是業餘愛好者,也不是“安全專業人士” ,欠缺標準文件,如隱私政策或服務條款,來詳細說明資料如何被使用。
- 伺服器管理員有時會封鎖其他伺服器,因為它們無節制地濫用的或違反公認行為的一般規則。 這會阻礙您與這些伺服器成員溝通的能力。
## Peer-to-Peer Networks
## 對等網絡
![P2P diagram](../assets/img/layout/network-distributed.svg){ align=left }
![P2P示意圖](../assets/img/layout/network-distributed.svg){ align=left }
P2P messengers connect to a [distributed network](https://en.wikipedia.org/wiki/Distributed_networking) of nodes to relay a message to the recipient without a third-party server.
P2P 軟體連接到 [分佈式網路](https://en.wikipedia.org/wiki/Distributed_networking) 中的節點,在沒有第三方伺服器的情況下將訊息傳遞給收件人。
Clients (peers) usually find each other through the use of a [distributed computing](https://en.wikipedia.org/wiki/Distributed_computing) network. Examples of this include [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT), used by [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) and [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) for example. Another approach is proximity based networks, where a connection is established over WiFi or Bluetooth (for example, Briar or the [Scuttlebutt](https://www.scuttlebutt.nz) social network protocol).
客戶端(對等軟體)通常通過 [分布式計算](https://en.wikipedia.org/wiki/Distributed_computing) 網絡找到彼此。 例如, [Distributed Hash Tables](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT) [torrents](https://en.wikipedia.org/wiki/BitTorrent_(protocol)) [IPFS](https://en.wikipedia.org/wiki/InterPlanetary_File_System) 使用。 另一種方法是鄰近的網絡通過WiFi或藍牙建立連接例如 Briar [Scuttlebutt](https://www.scuttlebutt.nz) 社交網絡協議)。
Once a peer has found a route to its contact via any of these methods, a direct connection between them is made. Although messages are usually encrypted, an observer can still deduce the location and identity of the sender and recipient.
一旦對等體通過任何這些方法找到通往其聯繫的路徑,它們之間就會建立直接連接。 通常訊息內容會加密,但觀察者仍然可以推斷發件人和收件人的位置和身份。
P2P networks do not use servers, as peers communicate directly between each other and hence cannot be self-hosted. However, some additional services may rely on centralized servers, such as user discovery or relaying offline messages, which can benefit from self-hosting.
P2P 網絡不使用伺服器,對等方彼此之間直接通信,因此不能自我託管。 但是,一些額外的服務可能要靠集中式伺服器,例如用戶看到或轉發離線消息,這些需要自託管伺服器的協助。
**Advantages:**
**優點**
- Minimal information is exposed to third-parties.
- Modern P2P platforms implement E2EE by default. There are no servers that could potentially intercept and decrypt your transmissions, unlike centralized and federated models.
- 最少的信息暴露給第三方。
- 現代 P2P 平臺皆已預設為 E2EE。 不像集中和聯邦式網絡,沒有伺服器會攔截和解密您的傳輸。
**Disadvantages:**
**缺點**
- Reduced feature set:
- Messages can only be sent when both peers are online, however, your client may store messages locally to wait for the contact to return online.
- Generally increases battery usage on mobile devices, because the client must stay connected to the distributed network to learn about who is online.
- Some common messenger features may not be implemented or incompletely, such as message deletion.
- Your IP address and that of the contacts you're communicating with may be exposed if you do not use the software in conjunction with a [VPN](../vpn.md) or [Tor](../tor.md). Many countries have some form of mass surveillance and/or metadata retention.
- 精簡功能集:
- 訊息只能在兩個對等方都在線時發送,但是,客戶端可能會在本地儲存訊息以等待聯絡人在線時送出。
- 增加移動設備的電池使用量,因為客戶端必須保持與分佈式網絡的連接,以了解誰在線。
- 缺少某些傳訊功能或不完整,例如訊息刪除。
- 如果您未將軟體與 [VPN](../vpn.md) [Tor](../tor.md)配合使用,則很可能暴露了自己和通訊聯絡人的 IP 位址。 許多國家都有某種形式的大規模監控和/或元數據保留。
## Anonymous Routing
## 匿名路由
![Anonymous routing diagram](../assets/img/layout/network-anonymous-routing.svg){ align=left }
![匿名路由示意圖](../assets/img/layout/network-anonymous-routing.svg){ align=left }
A messenger using [anonymous routing](https://doi.org/10.1007/978-1-4419-5906-5_628) hides either the identity of the sender, the receiver, or evidence that they have been communicating. Ideally, a messenger should hide all three.
使用 [匿名路由](https://doi.org/10.1007/978-1-4419-5906-5_628) 的傳訊方式會隱藏發送者、接收者的身份或他們一直在溝通的證據。 理想情況下,這三種東西都該被隱藏。
There are [many](https://doi.org/10.1145/3182658) different ways to implement anonymous routing. One of the most famous is [onion routing](https://en.wikipedia.org/wiki/Onion_routing) (i.e. [Tor](tor-overview.md)), which communicates encrypted messages through a virtual [overlay network](https://en.wikipedia.org/wiki/Overlay_network) that hides the location of each node as well as the recipient and sender of each message. The sender and recipient never interact directly and only meet through a secret rendezvous node so that there is no leak of IP addresses nor physical location. Nodes cannot decrypt messages, nor the final destination; only the recipient can. Each intermediary node can only decrypt a part that indicates where to send the still encrypted message next, until it arrives at the recipient who can fully decrypt it, hence the "onion layers."
匿名路由[有多種](https://doi.org/10.1145/3182658) 實現方式。 其中最著名 [洋蔥路由](https://en.wikipedia.org/wiki/Onion_routing) (即 [Tor](tor-overview.md) ,該虛擬 [覆蓋網絡](https://en.wikipedia.org/wiki/Overlay_network) 隱藏節點位置以及收件人和發件人之間的加密訊息。 發送者和接收者不會直接互動,而是通過祕密會合節點,這樣就不會洩漏 IP 位址或物理位置。 節點無法解密訊息,也無法解密最終目的地;只有收件人可以。 中間節點只能解密下一步送到哪裡的指示,消息本體仍保持加密直到送達最終有權限解密的收件人,因此是“洋蔥層”。
Self-hosting a node in an anonymous routing network does not provide the hoster with additional privacy benefits, but rather contributes to the whole network's resilience against identification attacks for everyone's benefit.
在匿名路由網絡中自我託管節點無法增加額外隱私優勢,但有助於整個網絡軔性抵禦識別攻擊。
**Advantages:**
**優點**
- Minimal to no information is exposed to other parties.
- Messages can be relayed in a decentralized manner even if one of the parties is offline.
- 很少甚至無資訊暴露給其他方。
- 消息可以以分散的方式接力傳遞,即使其中一方離線。
**Disadvantages:**
**缺點**
- Slow message propagation.
- Often limited to fewer media types, mostly text, since the network is slow.
- Less reliable if nodes are selected by randomized routing, some nodes may be very far from the sender and receiver, adding latency or even failing to transmit messages if one of the nodes goes offline.
- More complex to get started, as the creation and secured backup of a cryptographic private key is required.
- Just like other decentralized platforms, adding features is more complex for developers than on a centralized platform. Hence, features may be lacking or incompletely implemented, such as offline message relaying or message deletion.
- 消息傳播速度慢。
- 通常僅支援少數媒體類型,因為網絡速度慢主要為文字傳輸。
- 隨機路由選擇節點,某些節點可能遠離發送者和接收者,增加延遲,甚至因某個節點離線而無法傳輸消息。
- 入手更複雜,因為需要創建和備份加密私鑰。
- 如同其他分散式平臺,對開發人員而言,添加功能比集中式平臺更複雜。 因此,功能欠缺或未完全執行,例如離線消息中繼或消息刪除。

194
i18n/zh-Hant/advanced/dns-overview.md
View File

@@ -1,50 +1,50 @@
---
title: "DNS 簡介"
icon: material/dns
description: The Domain Name System is the "phonebook of the internet," helping your browser find the website it's looking for.
description: 網域名稱系統是“網際網路電話簿” ,可幫助瀏覽器找到它正在尋找的網站。
---
The [Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS 將網域名稱轉換為 IP 位址,以便瀏覽器和其他服務可以通過分散的伺服器網路載入網路資源。
[網域名稱系統](https://en.wikipedia.org/wiki/Domain_Name_System) 是「網際網路的電話簿」。 DNS 將網域名稱轉換為 IP 位址,以便瀏覽器和其他服務可以通過分散的伺服器網路載入網路資源。
## 什麼是 DNS
當您訪問一個網站時,會傳回一個數字地址。 For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned.
當您訪問一個網站時,會傳回一個數字地址。 以訪問 `privacyguides.org`網站為例,它傳回的地址為 `192.98.54.105`
DNS 從網際網路的 [早期](https://en.wikipedia.org/wiki/Domain_Name_System#History) 就存在了。 來往 DNS 伺服器的 DNS 請求通常 **不是** 加密的。 一般家用的網路中,客戶的伺服器通常是由 ISP 透過 [DHCP](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol)給予的。
Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world, ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). 當您要求被封鎖網域的IP位址時伺服器可能不會回應或可能會使用其他IP位址回應。 由於DNS通訊協定沒有加密 ISP (或任何網路營運商)可以使用 [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) 來監控請求。 網路服務供應商也可以根據共同特徵封鎖請求,無論你使用哪種 DNS 伺服器。 未加密的 DNS 總是使用 53 號[端口](https://en.wikipedia.org/wiki/Port_(computer_networking)) 並且總是使用UDP。
未經加密的 DNS 請求很容易**被監視** 或在傳輸過程中**遭到修改modified**。 在某些地區, ISP 被要求做初級的 [DNS 過濾](https://en.wikipedia.org/wiki/DNS_blocking) 當您要求被封鎖網域的IP位址時伺服器可能不會回應或可能會使用其他IP位址回應。 由於DNS通訊協定沒有加密 ISP (或任何網路營運商)可以使用 [DPI](https://en.wikipedia.org/wiki/Deep_packet_inspection) 來監控請求。 網路服務供應商也可以根據共同特徵封鎖請求,無論你使用哪種 DNS 伺服器。 未加密的 DNS 總是使用 53 號[端口](https://en.wikipedia.org/wiki/Port_(computer_networking)) 並且總是使用UDP。
接下來,我們將討論並提供一個教程來證明外部觀察者可以使用普通的未加密 DNS 和 [加密 DNS ](#what-is-encrypted-dns)看到什麼。
### 未加密的 DNS
1. 使用 [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) [Wireshark](https://en.wikipedia.org/wiki/Wireshark) 項目的一部分) ,我們可以監控和記錄網路封包的傳輸。 This command records packets that meet the rules specified:
1. 使用 [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) [Wireshark](https://en.wikipedia.org/wiki/Wireshark) 項目的一部分) ,我們可以監控和記錄網路封包的傳輸。 此命令記錄符合指定規則的封包:
```bash
tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8
```
2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) (Linux, MacOS etc) or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) (Windows) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically, unless they are configured to use encrypted DNS.
2. 我們可以使用 [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) Linux MacOS 等)或 [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) Windows 將DNS 查詢發送到伺服器。 Web 瀏覽器等軟體會自動執行這些查詢,除非它們被配置為使用加密的DNS
=== "Linux, macOS"
= = = "Linux macOS"
```
dig +noall +answer privacyguides.org @1.1.1.1
dig +noall +answer privacyguides.org @8.8.8.8
```
=== "Windows"
= = = "Windows"
```
nslookup privacyguides.org 1.1.1.1
nslookup privacyguides.org 8.8.8.8
```
3. Next, we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results:
3. 接下來我們要[分析](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) 結果:
=== "Wireshark"
```
wireshark -r /tmp/dns.pcap
wireshark -r/tmp/dns.pcap
```
=== "tshark"
@@ -55,14 +55,14 @@ Unencrypted DNS requests are able to be easily **surveilled** and **modified** i
如果執行上面的 Wireshark 命令,頂部窗格會顯示「[frame](https://en.wikipedia.org/wiki/Ethernet_frame)」,底部窗格會顯示所選框架的所有資料。 企業過濾和監控解決方案(例如政府購買的解決方案)可以自動執行此過程,而無需人工交互,並且可以聚合這些框架以產生對網路觀察者有用的統計數據。
| No. | Time | Source | Destination | Protocol | Length | Info |
| --- | -------- | --------- | ----------- | -------- | ------ | ---------------------------------------------------------------------- |
| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | Standard query 0x58ba A privacyguides.org OPT |
| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT |
| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | Standard query 0xf1a9 A privacyguides.org OPT |
| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT |
| 不。 | 時間 | 來源 | 目的地 | 協議 | 長度 | 資訊 |
| -- | -------- | --------- | --------- | --- | --- | ----------------------------------------------------- |
| 1 | 0.000000 | 192.0.2.1 | 1.1.1.1 | DNS | 104 | 標準查詢 0x58ba A privacyguides.org OPT |
| 2 | 0.293395 | 1.1.1.1 | 192.0.2.1 | DNS | 108 | 標準查詢回應 0x58ba A privacyguides.org A 198.98.54.105 OPT |
| 3 | 1.682109 | 192.0.2.1 | 8.8.8.8 | DNS | 104 | 標準查詢 0x58ba A privacyguides.org OPT |
| 4 | 2.154698 | 8.8.8.8 | 192.0.2.1 | DNS | 108 | 標準查詢回應0xf1a9 A privacyguides.org A 198.98.54.105 OPT |
An observer could modify any of these packets.
觀察者可以修改這些封包。
## 什麼是「加密後的 DNS」
@@ -70,47 +70,47 @@ An observer could modify any of these packets.
### DNSCrypt
[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) 是第一種查詢加密 DNS 的方法之一。 DNSCrypt operates on port 443 and works with both the TCP or UDP transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS](#dns-over-https-doh).
[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) 是第一種查詢加密 DNS 的方法之一。 DNSCrypt 在 443 端口上運作,與 TCP UDP 傳輸協議一起使用。 DNSCrypt 從未向 [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force)提交文件 ,也未通過 [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) 流程,因此 [實用少](https://dnscrypt.info/implementations)並未被廣泛使用。 因此,它大量被更受歡迎的 [DNS over HTTPS](#dns-over-https-doh) 取代。
### DNS over TLS (DoT)
### 通過 TLS 的 DNS)
[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in Android 9, iOS 14, and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to DoH in recent years, as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 which can be blocked easily by restrictive firewalls.
[**DNS over TLS**](https://en.wikipedia.org/wiki/DNS_over_TLS) 是另一種加密 DNS 通訊方式,其定義於 [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858)。 支持首先在Android 9 iOS 14Linux [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) 版本237中實現。 近年來,業界偏好已經從 DoT 轉移到 DoH ,因為 DoT 協議[複雜](https://dnscrypt.info/faq/) 並且在實現中對RFC 的遵照狀況各不相同。 DoT 還在專用端口 853 上運行,但很容易被限制性防火牆阻止。
### DNS over HTTPS (DoH)
### 通過 HTTPS 的 DNS)
[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with HTTPS. Support was first added in web browsers such as Firefox 60 and Chrome 83.
[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) 定義在 [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) 文件,封包查詢透過[HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) 協議,以 HTTPS 提供安全性。 最初使用於 Firefox 60 Chrome 83 等網頁瀏覽器。
Native implementation of DoH showed up in iOS 14, macOS 11, Microsoft Windows, and Android 13 (however, it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so [installing third-party software is still required](../dns.md#encrypted-dns-proxies).
DoH 原生執行出現在 iOS 14, macOS 11, Microsoft Windows, Android 13 (不過其並未[預設啟動 ](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144))。 一般 Linux 桌面支援仍待 systemd [實現](https://github.com/systemd/systemd/issues/8639) 所以 [還是得安裝第三方軟體](../dns.md#encrypted-dns-proxies)
## 外部人士可以看到什麼?
在此範例中,我們將記錄當我們提出 DoH 請求時發生的事情:
1. First, start `tshark`:
1. 首先,打開 `tshark`
```bash
tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1"
```
2. Second, make a request with `curl`:
2. 其次,使用 `curl`提出請求:
```bash
curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org
```
3. After making the request, we can stop the packet capture with <kbd>CTRL</kbd> + <kbd>C</kbd>.
3. 提出請求後,快速鍵 <kbd>CTRL</kbd> + <kbd>C</kbd>可停止封包捉取。
4. Analyse the results in Wireshark:
4. Wireshark 中分析結果:
```bash
wireshark -r /tmp/dns_doh.pcap
```
We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned.
[連接建立](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) 在加密連接時會進行 [TLS 握手](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) 。 當查看隨後的“應用程序數據”封包時,都不包含所請求的域名或它的 IP 地址。
## 什麼時候 **不該** 使用加密的 DNS
在有網路過濾(或審查)的地方,訪問被禁止的資源可能會產生某些後果,您應該在 [威脅模型](../basics/threat-modeling.md)中考慮這些後果。 We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org) or a [VPN](../vpn.md) instead. 如果您使用的是VPN ,則應使用 VPN 的 DNS 伺服器。 使用 VPN 時,您已經信任它們與您的所有網路活動。
在有網路過濾(或審查)的地方,訪問被禁止的資源可能會產生某些後果,您應該在 [威脅模型](../basics/threat-modeling.md)中考慮這些後果。 非常 **不建議**把加密 DNS 用在此目的上。 使用 [Tor](https://torproject.org) [VPN](../vpn.md) 代替。 如果您使用的是VPN ,則應使用 VPN 的 DNS 伺服器。 使用 VPN 時,您已經信任它們與您的所有網路活動。
當我們進行 DNS 查詢時,通常是因為我們想要存取資源。 接下來,我們將討論一些即使在使用加密 DNS 時也可能會披露您的瀏覽活動的情況:
@@ -122,27 +122,27 @@ We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmis
### 伺服器名指示(SNI)
伺服器名稱指示通常用於IP位址託管多個網站時。 This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection.
伺服器名稱指示通常用於IP位址託管多個網站時。 這可能是像 Cloudflare 的服務,或者其他 [阻斷服務攻擊](https://en.wikipedia.org/wiki/Denial-of-service_attack) 保護。
1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets:
1. 再次開始捕捉 `tshark`。 我們添加了一個自身IP 地址的過濾器,因此您不會捕獲過多封包:
```bash
tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105
```
2. Then we visit [https://privacyguides.org](https://privacyguides.org).
2. 然後訪問 [https://privacyguides.org](https://privacyguides.org)
3. After visiting the website, we want to stop the packet capture with <kbd>CTRL</kbd> + <kbd>C</kbd>.
3. 在訪問網站後,以 <kbd>CTRL</kbd> + <kbd>C</kbd>停止封包捕捉。
4. Next we want to analyze the results:
4. 接下來分析結果:
```bash
wireshark -r /tmp/pg.pcap
wireshark -r/tmp/pg.pcap
```
We will see the connection establishment, followed by the TLS handshake for the Privacy Guides website. Around frame 5. you'll see a "Client Hello".
連接建立後與 privacyguides 網站的TLS 握手。 大約在第5 幀附近。 你會看到一個“客戶你好”。
5. Expand the triangle &#9656; next to each field:
5. 展開每個字段旁邊的三角形 &#9656;
```text
▸ Transport Layer Security
@@ -152,64 +152,88 @@ We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmis
▸ Server Name Indication extension
```
6. We can see the SNI value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value:
6. 我們可以看到我們正在訪問的網站的SNI值。 `tshark` 命令可以直接爲所有包含 SNI 封包提供值:
```bash
tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name
```
This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/), which prevents this kind of leak.
即便使用「加密 DNS」伺服器網域也可能會透過 SNI 披露。 [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) 協議帶來了 [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/),可以防止這種洩漏。
Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently, Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. 這是因為作為HTTP/3的一部分的 [QUIC](https://en.wikipedia.org/wiki/QUIC) 協議要求 `ClientHello` 也被加密。
政府,特別是 [中國](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) 和 [俄羅斯](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/),已經[開始封鎖](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) ,或者有些表示將這樣做。 近來俄羅斯
### Online Certificate Status Protocol (OCSP)
開始屏蔽使用 [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3)的外國網站。 這是因為作為HTTP/3的一部分的 [QUIC](https://en.wikipedia.org/wiki/QUIC) 協議要求 `ClientHello` 也被加密。</p>
Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting an HTTPS website, the browser might check to see if the website's [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been revoked. This is generally done through the HTTP protocol, meaning it is **not** encrypted.
The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status.
We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command.
### 線上憑邆狀態協議 (OCSP)
1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file:
瀏覽器會披露瀏覽活動的另一種方式是使用 [線上憑證狀態協議 (Online Certificate Status Protocol)](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol)。 訪問有 HTTPS 網站時,瀏覽器會檢查網站的 [憑證](https://en.wikipedia.org/wiki/Public_key_certificate) 是否已被撤銷。 這是透過 HTTP 協議完成的,這意味著它**不是** 加密的。
OCSP 請求包含憑證,其帶有獨特的"[序列號](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)"。 它被發送到 “OCSP 回應器”去檢查其狀態。
利用 [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) 命令模擬瀏覽器會做什麼。
1. 取得伺服器憑證並使用 [`sed`](https://en.wikipedia.org/wiki/Sed) 來保留重要部分並將其寫入檔案:
```bash
openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 |
sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert
```
2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate.
2. 取得中間憑證。 [憑證授權機構(CA)](https://en.wikipedia.org/wiki/Certificate_authority) 通常不會直接簽署憑證;他們使用所謂的「中間」憑證。
```bash
openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 |
sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert
```
3. The first certificate in `pg_and_intermediate.cert` is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END:
3. `pg_and_intermediate.cert` 中的第一個憑證實際上是步驟1 的伺服器憑證。 我們可以再次使用 `sed` 來刪除直到 END 第一個實例:
```bash
sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \
/tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert
```
4. Get the OCSP responder for the server certificate:
4. 取得伺服器憑證的OCSP 回應器:
```bash
openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert
```
Our certificate shows the Lets Encrypt certificate responder. If we want to see all the details of the certificate we can use:
我們的憑證顯示 Lets Encrypt 憑證回應器。 如果我們想查看憑證的所有細節,我們可以使用:
```bash
openssl x509 -text -noout -in /tmp/pg_server.cert
```
5. Start the packet capture:
5. 開始捕取封包:
```bash
tshark -w /tmp/pg_ocsp.pcap -f "tcp port http"
```
6. Make the OCSP request:
6. 提出 OCSP 要求:
```bash
openssl ocsp -issuer /tmp/intermediate_chain.cert \
@@ -218,13 +242,19 @@ We can simulate what a browser would do using the [`openssl`](https://en.wikiped
-url http://r3.o.lencr.org
```
7. Open the capture:
7. 打開捕捉資料:
```bash
wireshark -r /tmp/pg_ocsp.pcap
```
There will be two packets with the "OCSP" protocol: a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle &#9656; next to each field:
將會有兩個帶有「OCSP」通訊協定的封包「Request」和「Response」。 對於“Request” ,可以通過擴展每個字段旁邊的三角形 &#9656; 來看到“序列號”
```bash
▸ Online Certificate Status Protocol
@@ -235,7 +265,10 @@ We can simulate what a browser would do using the [`openssl`](https://en.wikiped
serialNumber
```
For the "Response" we can also see the "serial number":
對於“回應” ,我們也可以看到“序列號”
```bash
▸ Online Certificate Status Protocol
@@ -248,17 +281,25 @@ We can simulate what a browser would do using the [`openssl`](https://en.wikiped
serialNumber
```
8. Or use `tshark` to filter the packets for the Serial Number:
8. 或者使用 `tshark` 來過濾序列號的封包:
```bash
tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber
```
If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number.
## Should I use encrypted DNS?
如果網路觀察者拿到可公開取得的公共憑證,就可將序列號與該憑證作匹配,從而確定您正在訪問的網站。 這個過程可以自動化並且可以將IP地址與序列號相關聯。 也可檢查 [憑證透明度](https://en.wikipedia.org/wiki/Certificate_Transparency) 日誌的序列號。
## 我應該用加密 DNS 嗎?
這個流程圖描述了何時 *應該使用* 加密 DNS:
We made this flow chart to describe when you *should* use encrypted DNS:
``` mermaid
graph TB
@@ -275,32 +316,39 @@ graph TB
ispDNS --> | No | nothing(Do nothing)
```
Encrypted DNS with a third-party should only be used to get around redirects and basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences or you're interested in a provider that does some rudimentary filtering.
[List of recommended DNS servers](../dns.md ""){.md-button}
與第三方合作的加密 DNS 應限於避開重定向和基本的 [DNS 封鎖](https://en.wikipedia.org/wiki/DNS_blocking) ,也就是確定無後顧或對供應商的基本過濾感興趣時才用第三方。
## What is DNSSEC?
[推薦的 DNS 伺服器列表](../dns.md ""){.md-button}
[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC) is a feature of DNS that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but rather prevents attackers from manipulating or poisoning the responses to DNS requests.
In other words, DNSSEC digitally signs data to help ensure its validity. In order to ensure a secure lookup, the signing occurs at every level in the DNS lookup process. As a result, all answers from DNS can be trusted.
The DNSSEC signing process is similar to someone signing a legal document with a pen; that person signs with a unique signature that no one else can create, and a court expert can look at that signature and verify that the document was signed by that person. These digital signatures ensure that data has not been tampered with.
## 什麼是 DNSSEC
DNSSEC implements a hierarchical digital signing policy across all layers of DNS. For example, in the case of a `privacyguides.org` lookup, a root DNS server would sign a key for the `.org` nameserver, and the `.org` nameserver would then sign a key for `privacyguides.org`s authoritative nameserver.
[Domain Name System Security Extensions](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) (DNSSEC)是 DNS 的一項功能,域名查找的回應予以驗證。 它無法為查詢者提供隱私保護而是防止攻擊者操縱或毒害對DNS 請求的回應。
<small>Adapted from [DNS Security Extensions (DNSSEC) overview](https://cloud.google.com/dns/docs/dnssec) by Google and [DNSSEC: An Introduction](https://blog.cloudflare.com/dnssec-an-introduction/) by Cloudflare, both licensed under [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/).</small>
換句話說, DNSSEC 對資料進行數位簽名,幫助確保其有效性。 為了確保安全查找,過程中的每個層級都會簽名。 因此DNS 全部的回答都可以被信任。
## What is QNAME minimization?
DNSSEC 簽署過程類似於無法仿製的個人獨特簽名於法律文件,法院專家透過簽名驗證該文件效力須依據簽名的真假判定。 這些數位簽名確保資料不會被篡改。
A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server).
DNSSEC 在所有 DNS 層中實施分級數位簽名政策。 例如,查詢 `privacyguides.org` ,根 DNS 伺服器將簽署尾綴 `.org` 伺服器密鑰,然後 `.org` 伺服器再簽署 `privacyguides.org`的授權名稱伺服器的密鑰。
Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
<small>改編自 Google [DNS Security Extensions (DNSSEC) overview] (https://cloud.google.com/dns/docs/dnssec)和 Cloudflare [DNSSEC: An Introduction] (https://blog.cloudflare.com/dnssec-an-introduction/) ,兩者均根據[CC BY 4.0] (https://creativecommons.org/licenses/by/4 .0/)授權。</small>
## What is EDNS Client Subnet (ECS)?
The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query.
It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps.
## 什麼是QNAME最小化
This feature does come at a privacy cost, as it tells the DNS server some information about the client's location.
QNAME是“限定名稱” ,例如 `privacyguides.org`。 QNAME 最小化可減少從 DNS 伺服器傳送到 [授權名稱伺服器](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server)的資訊量。
與其傳送完整域名 `privacyguides.org` QNAME最小化意味著 DNS 伺服器會請求所有 `.org`尾綴 的記錄。 進一步的技術描述在 [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816)。
## 什麼是 EDNS 客戶端子網(ECS )
[EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) 是遞歸DNS 解析器為DNS 查詢的 [主機或客戶端](https://en.wikipedia.org/wiki/Client_(computing)),指定 [子網絡](https://en.wikipedia.org/wiki/Subnetwork) 的方法。
它的目的是回答客戶端距離最靠近的伺服器以“加快”資料的傳遞,類似[內容傳遞網絡](https://en.wikipedia.org/wiki/Content_delivery_network),後者通常用於視頻串流和 JavaScript Web 應用程序。
此功能確實以隱私為代價,因為它會告訴 DNS伺服器一些有關客戶端位置的資訊。

82
i18n/zh-Hant/advanced/payments.md
View File

@@ -1,84 +1,84 @@
---
title: Private Payments
title: 私密支付
icon: material/hand-coin
---
There's a reason data about your buying habits is considered the holy grail of ad targeting: your purchases can leak a veritable treasure trove of data about you. Unfortunately, the current financial system is anti-privacy by design, enabling banks, other companies, and governments to easily trace transactions. Nevertheless, you have plenty of options when it comes to making payments privately.
購買習慣的資料視為廣告定位聖杯是有原因的:購買行為會洩漏有關當事人的許多寶貴資訊。 不幸的是,目前的金融體系在設計上不利隱私,使銀行、其他公司和政府能夠輕鬆追蹤交易。 然而,在私下付款方面,您有很多選擇。
## Cash
## 現金
For centuries, **cash** has functioned as the primary form of private payment. Cash has excellent privacy properties in most cases, is widely accepted in most countries, and is **fungible**, meaning it is non-unique and completely interchangable.
幾個世紀以來, **現金** 一直是私人支付的主要形式。 在大多數情況下,現金具有優秀的隱私性,在大多數國家被廣泛接受,並且是 **可替代的**,這意味著它是非唯一的,完全可互換。
Cash payment laws vary by country. In the United States, special disclosure is required for cash payments over $10,000 to the IRS on [Form 8300](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000). The receiving business is required to ID verify the payees name, address, occupation, date of birth, and Social Security Number or other TIN (with some exceptions). Lower limits without ID such as $3,000 or less exist for exchanges and money transmission. Cash also contains serial numbers. These are almost never tracked by merchants, but they can be used by law enforcement in targeted investigations.
現金支付法因國家而異。 在美國10,000美元以上交易需在 [8300表格中](https://www.irs.gov/businesses/small-businesses-self-employed/form-8300-and-reporting-cash-payments-of-over-10000)對美國國稅局披露。 收款業必須驗證收款人的姓名、地址、職業、出生日期、社會安全號碼或其他TIN (部分例外)。 少於 3,000 美元交換和匯款,就無須身份證明。 現金鈔票有序號。 商家很少追蹤序號,但執法部門可以在針對性調查中用到它們。
Despite this, its typically the best option.
儘管如此,現金仍是最好的選擇。
## Prepaid Cards & Gift Cards
## 預付卡 & 禮品卡
Its relatively simple to purchase gift cards and prepaid cards at most grocery stores and convenience stores with cash. Gift cards usually dont have a fee, though prepaid cards often do, so pay close attention to these fees and expiry dates. Some stores may ask to see your ID at checkout to reduce fraud.
在大多數雜貨店和便利店用現金購買禮品卡和預付卡相對簡單。 禮品卡通常不收取費用,但預付卡通常會收取費用,因此請留意其費用和到期日期。 為了減少欺詐行為,部分商店可能會在結帳時要求查看身分證件。
Gift cards usually have limits of up to $200 per card, but some offer limits of up to $2,000 per card. Prepaid cards (eg: from Visa or Mastercard) usually have limits of up to $1,000 per card.
禮品卡通常每張上限為 200美元有些禮品卡上限到 2,000 美元。 預付卡(例如:來自 Visa Mastercard )通常卡片額度為 1,000 美元。
Gift cards have the downside of being subject to merchant policies, which can have terrible terms and restrictions. For example, some merchants dont accept payment in gift cards exclusively, or they may cancel the value of the card if they consider you to be a high-risk user. Once you have merchant credit, the merchant has a strong degree of control over this credit.
禮品卡的缺點是受商家政策的約束,這些政策可能有糟糕的條款和限制。 例如,有些商家不接受禮品卡付款,或者對高風險用戶取消禮品卡的價值。 一旦您拿了由商家信用擔保的禮品卡,商家就會對這筆金額有強烈的控制權。
Prepaid cards dont allow cash withdrawals from ATMs or “peer-to-peer” payments in Venmo and similar apps.
預付卡無法從 ATM 提取現金或在 Venmo 以應用程序中進行“點對點”付款。
Cash remains the best option for in-person purchases for most people. Gift cards can be useful for the savings they bring. Prepaid cards can be useful for places that dont accept cash. Gift cards and prepaid cards are easier to use online than cash, and they are easier to acquire with cryptocurrencies than cash.
對於大多數人來說,現金仍然是現場購物的最佳選擇。 禮品卡用處在於節省。 預付卡適用於不接受現金的地方。 網路中禮品卡和預付卡比現金更容易使用,也更容易透過加密貨幣獲得。
### Online Marketplaces
### 網上交易平臺
If you have [cryptocurrency](../cryptocurrency.md), you can purchase gift cards with an online gift card marketplace. Some of these services offer ID verification options for higher limits, but they also allow accounts with just an email address. Basic limits start at $5,000-10,000 a day for basic accounts, and significantly higher limits for ID verified accounts (if offered).
如果您有 [加密貨幣](../cryptocurrency.md),可在線禮品卡市場購買禮品卡。 有服務在更高額度時有提供身份驗證選項,它們也允許帳戶只需提供電子郵件地址。 基本帳戶限額為每天 5,000-10,000 美元,身份驗證帳戶(如果有)的限額則更高。
When buying gift cards online, there is usually a slight discount. Prepaid cards are usually sold online at face value or with a fee. If you buy prepaid cards and gift cards with cryptocurrencies, you should strongly prefer to pay with Monero which provides strong privacy, more on this below. Paying for a gift card with a traceable payment method negates the benefits a gift card can provide when purchased with cash or Monero.
在網上購買禮品卡時,通常會有小折扣。 預付卡通常以面值或收取服務費在網上銷售。 如果您使用加密貨幣購買預付卡和禮品卡,您最好使用強大隱私的 Monero 付款,下面將進一步說明。 使用可追溯的付款方式支付禮物卡,取消了用現金或 Monero 購買禮品卡的隱私優點。
- [Online Gift Card Marketplaces :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces)
- [網上禮品卡市場 :material-arrow-right-drop-circle:](../financial-services.md#gift-card-marketplaces)
## Virtual Cards
## 虛擬卡
Another way to protect your information from merchants online is to use virtual, single-use cards which mask your actual banking or billing information. This is primarily useful for protecting you from merchant data breaches, less sophisticated tracking or purchase correlation by marketing agencies, and online data theft. They do **not** assist you in making a purchase completely anonymously, nor do they hide any information from the banking institution themselves. Regular financial institutions which offer virtual cards are subject to "Know Your Customer" (KYC) laws, meaning they may require your ID or other identifying information.
另一種保護個資免受線上商家侵害的方法是使用虛擬的一次性卡片,以掩蓋您的實際銀行或帳單資訊。 這可對付商家數據洩露,營銷機構粗糙的跟蹤或購買聯結以及線上資料盜竊。 **無法完全匿名**您的購買行為,也不能對金融機構隱瞞自身的資訊。 發行虛擬卡的常規金融機構受「瞭解您的客戶」( KYC )法律約束,這意味著您需要提供身份證明文件或其他識別信息。
- [Recommended Payment Masking Services :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services)
- [推薦付款掩蔽服務 :material-arrow-right-drop-circle:](../financial-services.md#payment-masking-services)
These tend to be good options for recurring/subscription payments online, while prepaid gift cards are preferred for one-time transactions.
這些往往是線上定期/訂閱付款的好選擇,而預付禮品卡則更適合一次性交易。
## Cryptocurrency
## 加密貨幣
Cryptocurrencies are a digital form of currency designed to work without central authorities such as a government or bank. While *some* cryptocurrency projects can allow you to make private transactions online, many use a public blockchain which does not provide any transaction privacy. Cryptocurrencies also tend to be very volatile assets, meaning their value can change rapidly and significantly at any time. As such, we generally don't recommend using cryptocurrency as a long-term store of value. If you decide to use cryptocurrency online, make sure you have a full understanding of its privacy aspects beforehand, and only invest amounts which would not be disastrous to lose.
加密貨幣是一種數位形式的貨幣,其設計上沒有中央機構如政府或銀行即自行運作。 *有些* 加密貨幣可以在線上私密交易,但許多使用公開區塊錬則無法保障交易隱私。 加密貨幣是非常不穩定的資產,這它們的價值可能隨時發生急速顯著變化。 因此,不建議加密貨幣作為長期價值儲存。 如果決定使用加密貨幣,請確保已充分了解其隱私,且投資金額不會變成災難性損失。
!!! danger
!!! 危險
The vast majority of cryptocurrencies operate on a **public** blockchain, meaning that every transaction is public knowledge. This includes even most well-known cryptocurrencies like Bitcoin and Ethereum. Transactions with these cryptocurrencies should not be considered private and will not protect your anonymity.
絕大多數加密貨幣都在* *公共* *區塊鏈上運作,這意味著每筆交易都可公開知道。 這包括最知名的加密貨幣,如比特幣和以太坊。 加密貨幣的交易不應被視為私密,也不會保護您的匿名性。
Additionally, many if not most cryptocurrencies are scams. Make transactions carefully with only projects you trust.
此外,許多(如果不是大多數)加密貨幣都是騙局。 只用你信任的項目小心進行交易。
### Privacy Coins
### 隱私幣
There are a number of cryptocurrency projects which purport to provide privacy by making transactions anonymous. We recommend using one which provides transaction anonymity **by default** to avoid operational errors.
有許多加密貨幣聲稱通過匿名交易來提供隱私。 建議探用** 預設**為匿名交易的工具,以避免操作時發生錯誤。
- [Recommended Cryptocurrency :material-arrow-right-drop-circle:](../cryptocurrency.md#coins)
- [推薦的加密貨幣 :material-arrow-right-drop-circle:](../cryptocurrency.md#coins)
Privacy coins have been subject to increasing scrutiny by government agencies. In 2020, [the IRS published a $625,000 bounty](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc) for tools which can break Bitcoin Lightning Network and/or Monero's transaction privacy. They ultimately [paid two companies](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) a combined $1.25 million for tools which purport to do so (it is unknown which cryptocurrency network these tools target). Due to the secrecy surrounding tools like these, ==none of these methods of tracing cryptocurrencies have been independently confirmed.== However, it is quite likely that tools which assist targeted investigations into private coin transactions exist, and that privacy coins only succeed in thwarting mass surveillance.
隱私硬幣受到政府機構日益嚴格的監管。 2020年[美國稅務局 IRS 發表 $625,000 賞金](https://www.forbes.com/sites/kellyphillipserb/2020/09/14/irs-will-pay-up-to-625000-if-you-can-crack-monero-other-privacy-coins/?sh=2e9808a085cc),來徵求工具破解 Bitcoin Lightning Network Monero 交易隱私。 最後由 [二家公司](https://sam.gov/opp/5ab94eae1a8d422e88945b64181c6018/view) (Chainalysis and Integra Fec) 共同獲得 $1250000 美元,但外界並不知道所開發的工具是用在哪一種加密貨幣網路。 由於這些工具的保密性,追蹤加密貨幣的方法都未得到獨立的證實。隱私硬幣交易很可能被運用在針對性地調查,而大規模監控則無法阻止。
### Other Coins (Bitcoin, Ethereum, etc.)
### 其他貨幣(比特幣、以太坊等)
The vast majority of cryptocurrency projects use a public blockchain, meaning that all transactions are both easily traceable and permanent. As such, we strongly discourage the use of most cryptocurrency for privacy-related reasons.
絕大多數加密貨幣項目使用公共區塊鏈,這意味著所有交易記錄都很容易追溯和永久保存。 因此,我們強烈不鼓勵把加密貨幣用和隱私相關的事物上。
Anonymous transactions on a public blockchain are *theoretically* possible, and the Bitcoin wiki [gives one example of a "completely anonymous" transaction](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation). However, doing so requires a complicated setup involving Tor and "solo-mining" a block to generate completely independent cryptocurrency, a practice which has not been practical for nearly any enthusiast for many years.
公開區塊錬上的匿名交易*理論上* 可行,比特幣維基就 [提出如何"完全匿名"交易的案例](https://en.bitcoin.it/wiki/Privacy#Example_-_A_perfectly_private_donation)。 然而這樣需要複雜的設置涉及Tor和“獨自挖掘”一個區塊來產生完全獨立的加密貨幣多年來幾乎沒有任何愛好者實踐過。
==Your best option is to avoid these cryptocurrencies entirely and stick with one which provides privacy by default.== Attempting to use other cryptocurrency is outside the scope of this site and strongly discouraged.
= =您最好還是完全避免這些加密貨幣,並堅持使用預設隱私的加密貨幣。嘗試使用其他加密貨幣超出了本網站的範圍,非常不建議。
### Wallet Custody
### 錢包保管
With cryptocurrency there are two forms of wallets: custodial wallets and noncustodial wallets. Custodial wallets are operated by centralized companies/exchanges, where the private key for your wallet is held by that company, and you can access them anywhere typically with a regular username and password. Noncustodial wallets are wallets where you control and manage the private keys to access it. Assuming you keep your wallet's private keys secured and backed up, noncustodial wallets provide greater security and censorship-resistance over custodial wallets, because your cryptocurrency can't be stolen or frozen by a company with custody over your private keys. Key custody is especially important when it comes to privacy coins: Custodial wallets grant the operating company the ability to view your transactions, negating the privacy benefits of those cryptocurrencies.
加密貨幣有兩種形式的錢包:託管錢包和非託管錢包。 託管錢包由集中式公司/交易所運營,錢包的私鑰由該公司持有,您可以使用用戶名和密碼從任何地方存取。 非託管錢包是您自己控制和管理錢包的私鑰。 假如可以保管好錢包的私鑰安全並備份,非保管錢包比保管錢包具有更大的安全性和審查抵抗力,因為您的加密貨幣不會被保管的公司竊取或凍結。 密鑰保管在隱私貨幣上尤其重要:保管錢包使運營公司能夠查看您的交易,否定了這些加密貨幣的隱私優勢。
### Acquisition
### 取得
Acquiring [cryptocurrencies](../cryptocurrency.md) like Monero privately can be difficult. P2P marketplaces like [LocalMonero](https://localmonero.co/), a platform which facilitates trades between people, are one option that can be used. If using an exchange which requires KYC is an acceptable risk for you as long as subsequent transactions can't be traced, a much easier option is to purchase Monero on an exchange like [Kraken](https://kraken.com/), or purchase Bitcoin/Litecoin from a KYC exchange which can then be swapped for Monero. Then, you can withdraw the purchased Monero to your own noncustodial wallet to use privately from that point forward.
私下購買 [加密貨幣](../cryptocurrency.md) ,如Monero 可能很困難。 P2P 市場如 [LocalMonero](https://localmonero.co/),為促進人群交易的平台,也是個可考慮的選擇。 如果使用需要 KYC的交易所是您可接受的風險(只要隨後的交易無法追蹤)。一個更容易的方式是從 [Kraken](https://kraken.com/)等交易所購買 Monero ,或者從 KYC 交易所購買比特幣/萊特幣,然後兌換為 Monero。 然後,您可以將購入的 Monero 提取到自己的非保管錢包,以便 日後私下使用。
If you go this route, make sure to purchase Monero at different times and in different amounts than where you will spend it. If you purchase $5000 of Monero at an exchange and make a $5000 purchase in Monero an hour later, those actions could potentially be correlated by an outside observer regardless of which path the Monero took. Staggering purchases and purchasing larger amounts of Monero in advance to later spend on multiple smaller transactions can avoid this pitfall.
如果您選擇這條路線請確保以不同的時間和額度購買與用掉Monero 。 如果你在交易所購買 5000 美元的 Monero ,並在一個小時後花掉這筆錢,外部觀察者會將這些行為作關聯,無關 Monero 走的是通道。 驚人的購買和提前購買大量的Monero 以支應之後小額交易,可以避免這種陷阱。
## Additional Considerations
## 其他注意事項
When you're making a payment in-person with cash, make sure to keep your in-person privacy in mind. Security cameras are ubiquitous. Consider wearing non-distinct clothing and a face mask (such as a surgical mask or N95). Dont sign up for rewards programs or provide any other information about yourself.
使用現金現場付款時,請務必謹記現場隱私。 安全攝影機無處不在。 不妨考慮穿著不顯眼的衣服和口罩如外科口罩或N95 )。 請勿註冊獎勵計劃或提供自己的相關資訊。
When purchasing online, ideally you should do so over [Tor](tor-overview.md). However, many merchants dont allow purchases with Tor. You can consider using a [recommended VPN](../vpn.md) (paid for with cash, gift card, or Monero), or making the purchase from a coffee shop or library with free Wi-Fi. If you are ordering a physical item that needs to be delivered, you will need to provide a delivery address. You should consider using a PO box, private mailbox, or work address.
在網上購買時,理想情況下應該透過 [Tor](tor-overview.md)進行。 但是,許多商家不允許使用 Tor 購買。 可以考慮使用 [推薦的 VPN](../vpn.md) (使用現金、禮品卡或 Monero 支付),或利用咖啡店或圖書館免費 Wi-Fi 購買。 如果你訂購的是實體物品,則需要提供送遞地址。 您應該考慮使用郵政信箱、私人郵箱或工作地址。

78
i18n/zh-Hant/advanced/tor-overview.md
View File

@@ -1,80 +1,94 @@
---
title: "Tor 簡介"
icon: 'simple/torproject'
description: Tor 是一個免費使用的去中心化網路,專為盡可能多地使用互聯網而設計
description: Tor 是一個免費使用的去中心化網路,其讓用戶在使用網際網路之際盡可能地保護自己的隱私
---
Tor 是一個免費使用的去中心化網路,專為盡可能多地使用互聯網而設計。 如果使用得當,該網路可以實現私人和匿名瀏覽和通
Tor 是一個免費使用的去中心化網路,其讓用戶在使用網際網路之際盡可能地保護自己的隱私。 如果使用得當,該網路可以實現私人和匿名瀏覽和通
## 工作原理
## 連接明網服務的路徑建立
Tor 的工作原理是通過一個由數千個志願者運行的服器組成的網絡路由您的流量,稱為節點(或中繼)。
「明網服務」是用任何瀏覽器都可訪問的網站,例如 [privacyguides.org](https://www.privacyguides.org)。 Tor 允許您匿名連接到某些網站,由數千個志願者運行的服器組成的網絡引導您的流量,這些伺服器稱為節點(或中繼)。
每當您連接到 Tor 時,它都會選擇三個節點來構建通往網際網路的路徑,這種路徑稱為「路」。 每個節點都有自己的功能:
每當您連接到 Tor 時,它都會選擇三個節點來構建通往網際網路的路徑,這種路徑稱為「路」。
<figure markdown>
! [Tor 路徑顯示您的設備到達目的地網站之前所連接的入口節點,中間節點和出口節點] (../assets/img/how-tor-works/tor-path.svg#only-light)
! Tor 路徑顯示您的設備到達目的地網站之前所連接的入口節點,中間節點和出口節點] (../assets/img/how-tor-works/tor-path-dark.svg#only-dark)
<figcaption>Tor 迴路路徑</figcaption>
</figure>
每個節點都有自己的功能:
### 入口節點
入口節點通常稱為守護節點是Tor客戶端連接的第一個節點。 入口節點能夠看到您的 IP 位址,但無法看到您正在連接的內容。
入口節點,通常稱為守護節點,是 Tor 客戶端連接的第一個節點。 入口節點能夠看到您的 IP 位址,但無法看到您正在連接的內容。
Unlike the other nodes, the Tor client will randomly select an entry node and stick with it for two to three months to protect you from certain attacks.[^1]
不像其它節點 Tor 客戶端會隨機地選取入口節點後持續使用二~三個月以防護某些外部攻擊 [^1]
### 中間節點
中間節點是 Tor 客戶端連接的第二個節點。 它可以看到流量來自哪個節點(入口節點)以及它下一步要去哪個節點。 中間節點無法看到您的 IP 位址或您連接的網域。
對於每個新路,中間節點從所有可用的 Tor 節點中隨機選擇
對於每個新路,中間節點是隨機從所有可用的 Tor 節點中選出
### 出口節點
出口節點是您的 Web 流量離開 Tor 網路並轉發到所需目的地的點。 The exit node is unable to see your IP address, but it does know what site it's connecting to.
出口節點是您的 Web 流量離開 Tor 網路並轉發到所需目的地的點。 出口節點無法看到您的 IP 位址,但它知道將連接到哪個網站。
出口節點將從所有可用的 Tor 節點中隨機選擇,並使用退出中繼標記。[^ 2]
<figure markdown>
![Tor path](../assets/img/how-tor-works/tor-path.svg#only-light)
![Tor path](../assets/img/how-tor-works/tor-path-dark.svg#only-dark)
<figcaption>Tor circuit pathway</figcaption>
## Onion 服務的路徑建立
“Onion 服務” (也通常被稱為“隱藏服務” )是只能由 Tor 瀏覽器訪問的網站。 這些網站有一個長串隨機生成的域名,結尾為 `.onion`
在Tor中連接到 Onion服務的工作原理與連接到明網服務非常相似但您的流量在到達目的地伺服器之前會通過 **6 個** 節點。 不過就如之前所言,其中只有三個節點會有助 *您的*匿名性,而另外三個節點則是為了保護 * Onion 服務* 匿名性,隱藏該網站的真正 IP 和位置,就如同 Tor 瀏覽器如何隱蔽您的 IP 一樣。
<figure style="width:100%" markdown>
! [Tor路徑顯示您的流量通過您的三個Tor節點加上三個額外的Tor節點隱藏網站的身份] (../assets/img/how-tor-works/tor-path-hidden-service.svg#only-light)
! [Tor路徑顯示您的流量被路由通過您的三個Tor節點加上三個額外的Tor節點隱藏網站的身份] (../assets/img/how-tor-works/tor-path-hidden-service-dark.svg#only-dark)
<figcaption>Tor電路路徑與洋蔥服務。 <span class="pg-blue">藍色</span> 圍欄中的節點屬於您的瀏覽器,而 <span class="pg-red">紅色</span> 圍欄中的節點屬於伺服器,因此它們的身份對您是隱藏的。</figcaption>
</figure>
## 加密
Tor 使用來自出口,中間和入口節點的密鑰對每個數據包(傳輸數據區塊)進行三次加密,依此順序
Tor 使用來自出口,中間和入口節點的密鑰對每個包(傳輸數據區塊)依序進行三次加密。
一旦 Tor 構建了電路,數據傳輸將按照以下方式進行:
1. 首先:當數據包到達入口節點時,第一層加密被移除。 在這個加密數據包中,入口節點將找到另一個具有中間節點地址的加密數據包。 然後,入口節點將將數據包轉發到中間節點。
1. 首先:當數據包到達入口節點時,第一層加密被移除。 在這個加密包中,入口節點將找到另一個具有中間節點地址的加密包。 然後,入口節點將將包轉發到中間節點。
2. Secondly: when the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and this time finds an encrypted packet with the exit node's address. The middle node will then forward the packet to the exit node.
2. 其次:當中間節點從入口節點接收到封包時,它也會利用其密鑰刪除一層加密,找到具有出口節點地址的加密數據包。 然後中間節點將數據包轉發到出口節點。
3. Lastly: when the exit node receives its packet, it will remove the last layer of encryption with its key. The exit node will see the destination address and forward the packet to that address.
3. 最後:當退出節點收到其數據包時,它將使用其密鑰移除最後一層加密。 出口節點將看到目的地地址,並將封包轉發到該地址。
下面是一個替代圖表,顯示了這個過程。 每個節點都會移除自己的加密層,當目標服務器返回數據時,同樣過程完全相反。 例如,退出節點不知道你是誰,但它確實知道來自哪個節點,因此添加了自己的加密層並將其發送回來。
下面是顯示此過程的圖表。 每個節點都會移除自己的加密層,當目的地伺服器傳回數據時,同樣過程會再反向發生。 例如,出節點不知道你是誰,但它確實知道封包來自哪個節點,因此添加了自己的加密層並將其發送回來。
<figure markdown>
![Tor encryption](../assets/img/how-tor-works/tor-encryption.svg#only-light)
![Tor encryption](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark)
<figcaption>Sending and receiving data through the Tor Network</figcaption>
![Tor 加密](../assets/img/how-tor-works/tor-encryption.svg#only-light)
![Tor 加密](../assets/img/how-tor-works/tor-encryption-dark.svg#only-dark)
<figcaption>通過 Tor 網路發送與接數資料</figcaption>
</figure>
Tor 允許我們連接到服器,而不需要任何一方知道整路徑。 入口節點知道你是誰,但不知道你要去哪裡;中間節點不知道你是誰或你要去哪裡;出口節點知道你要去哪裡,但不知道你是誰。 由於出口節點負責了最終連線,目伺服器永遠不會知道您的 IP 位址。
Tor 允許我們連接到服器,而不任何一方知道整路徑。 入口節點知道你是誰,但不知道你要去哪裡;中間節點不知道你是誰或你要去哪裡;出口節點知道你要去哪裡,但不知道你是誰。 由於出口節點負責了最終連線,目的地伺服器永遠不會知道您的 IP 位址。
## 注意事項
雖然 Tor 確實提供了強大的隱私保證,但必須意識到 Tor 並不完美:
雖然 Tor 確實提供了強大的隱私保證,但必須意識到並不完美:
- 資金充足的對手有能力被動地觀察全球大多數網絡流量,他們有機會通過先進的流量分析來解除 Tor 用戶的匿名化。 Tor 也不能保護你免於錯誤地暴露自己,例如如果你分享了太多關於你真實身份的信息。
- Tor 出口節點還可以監控通過它們的流量。 這意味著可以記錄和監控未加密的流量,例如純 HTTP 流量。 如果此類流量包含個人身份識別信息,則可以將您去匿名化到該出口節點。 因此,我們建議在可能的情況下使用 HTTPS。
- 資金充足的對手有能力被動地觀察全球大多數網絡流量,他們有機會通過先進的流量分析來解除 Tor 用戶的匿名化。 Tor 也不能保護你免於不當地暴露自己,例如你分享了太多關於你真實身份的信息。
- Tor 出口節點還可以監控通過它們的流量。 這意味著可以記錄和監控未加密的流量,例如純 HTTP 流量。 如果此類流量包含個人身份識別信息,則該出口節點可以將會消除匿名性。 因此,我們建議在可能的情況下使用 HTTPS。
如果您希望使用 Tor 瀏覽網頁,我們只建議使用 **官方** Tor 瀏覽器:它旨在防止指紋。
- [Tor Browser :material-arrow-right-drop-circle:](../tor.md#tor-browser)
- [Tor 瀏覽器 :material-arrow-right-drop-circle:](../tor.md#tor-browser)
## Additional Resources
## 其他資源
- [Tor Browser User Manual](https://tb-manual.torproject.org)
- [How Tor Works - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) <small>(YouTube)</small>
- [Tor Onion Services - Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) <small>(YouTube)</small>
- [Tor 瀏覽器用戶手冊](https://tb-manual.torproject.org)
- [ Tor 如何運作 - Computerphile](https://invidious.privacyguides.net/embed/QRYzre4bf7I?local=true) <small>(YouTube)</small>
- [Tor O洋蔥服務- Computerphile](https://invidious.privacyguides.net/embed/lVcbq_a5N9I?local=true) <small>(YouTube)</small>
[^1]: The first relay in your circuit is called an "entry guard" or "guard". It is a fast and stable relay that remains the first one in your circuit for 2-3 months in order to protect against a known anonymity-breaking attack. The rest of your circuit changes with every new website you visit, and all together these relays provide the full privacy protections of Tor. For more information on how guard relays work, see this [blog post](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) and [paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) on entry guards. ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
[^1]: 迴路中的第一個節點被稱為“入口守衛”或“守衛”。 它是一個快速和穩定的中繼站,作迴路中的第一個入口通常會維持 2~3個月以防止已知的匿名破壞攻擊。 其餘的迴路則會依每次訪問網站而變化這些中繼節點共同提供Tor 完整隱私保護。 了解更多關於守衛中繼的運作,請參考 [部落格文章](https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters) 和 [入口守衛論文paper](https://www-users.cs.umn.edu/~hoppernj/single_guard.pdf) ([https://support.torproject.org/tbb/tbb-2/](https://support.torproject.org/tbb/tbb-2/))
[^2]: Relay flag: a special (dis-)qualification of relays for circuit positions (for example, "Guard", "Exit", "BadExit"), circuit properties (for example, "Fast", "Stable"), or roles (for example, "Authority", "HSDir"), as assigned by the directory authorities and further defined in the directory protocol specification. ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))
[^2]: 中繼標記:迴路位置(例如, “Guard” “Exit” “BadExit” ,迴路屬性(例如, “Fast” “Stable” )或角色(例如, “Authority” “HSDir” )這些中繼節點的特殊( dis- )資格,是由目錄機構分配並在目錄協議規範中進一步定義。 ([https://metrics.torproject.org/glossary.html](https://metrics.torproject.org/glossary.html))