I'd be VERY surprised if it actually mattered to them. If gog're willing to jump through hoops to get by regional restrictions and pricing, it would be hypocracy to penalise you for doing something similar under your principals.

TBH, I wouldn't wait for an official answer that 'may' put them in a position to be liable for something down the line. Just go ahead and do it, it'll be alright.

That was why I decided to ask in the forums

Well if I were you I'd consider it answered and go do whatever you want to do. ;)

I already marked this as solved :)

Unless anyone has any recommendations on what to use as a proxy or vpn, I've got my answer

That's something I am unable to help you with., good luck though.

np, thanks anyways :)

That's not quite true - you may find your credit card being (falsely) reported as invalid. I've used Tor for all web access for the last 5-6 years and did fairly recently encounter this. I did "solve" this by contacting customer support who then relaxed the IP address settings on my account.

There is a risk in using Tor, since the exit node can monitor your traffic (though they'll only typically see 10 minutes' worth and, without identifiable data in the network data can't tell where it came from) but that's far smaller than the risk of ISP/government monitoring in my view. HTTPS traffic won't be subject to such monitoring (so purchases can be done safely, though some merchants may give you trouble - Paypal will throw a fit immediately and block your account) but do be aware of how HTTPS exploits (like SSL Strip) work. Double-check that financially sensitive pages *are* using HTTPS and if your browser reports a certificate issue, change exit node.

Finally, thanks for responding. I've just started using Tor and trying to figure out how everything works on it. What else should I be aware of?
edit: Also how can I tell if I page has been SSL stripped?

Tor does nothing to filter traffic, so you still need the likes of NoScript or AdBlock (if using Firefox) to secure yourself from malicious or compromised webpages. If using Firefox, definitely consider the plugin since this adds extra measures to frustrate [url=http://panopticlick.eff.org/]browser fingerprinting.

Tor is much slower than direct web access as it relies on volunteer-supplied bandwidth. Try to lower usage by using an external downloader (like GetRight but dozens of free alternatives exist too) for file downloads and video streams. These won't then be anonymised (which in my view is less important since a list of downloads is far less of a privacy risk than one of websites visited and search terms used) but they won't be slowed down either.

For the same reason, Tor is not suited for P2P traffic.

Finally, each Tor node is owned and managed by someone who is effectively agreeing to take the brunt of any hassle caused by questionable/illegal activities. Please consider that if tempted to wander on the dark side.

I already use no-script, ad-block, betterprivacy, and ghostery. I'll definately take a look at the GetRight addon. I've been using the Torbundle package since that is what the main website recommends.

I have noticed that Tor is slow, but then again I suppose there is always a price to pay. How can you tell if the node you are using is trusted or not? Or is it mostly a leep of faith? (I'm assuming the latter). I'm not interested in doing anything illegal, although I do have a morbid sense of curiosity but I know (usually) when to keep it in check.

Do you have any recommendations for interesting sites to check? Basically, whatever you feel like sharing.
edit; Even with the Torbundle, should I still get the Tor button anyway?

SSL Stripper works in two ways. It can try replacing https addresses with the equivalent http and it will show in your browser, so be aware of how your browser indicates an encrypted webpage (address starting with https plus a padlock icon somewhere, which should provide certificate/encryption details when clicked).

Another technique SSL Stripper can try is, similar to phishing, swapping the https URL you requested with a different, but similar-looking, https domain controlled by the attacker and signed with a valid certificate. Just as with phishing, the domain name should be visible if you check properly.

Since these techniques involve modifying HTTP initially, you can protect yourself by creating bookmarks/favourites for your key financial sites' https login pages and using those rather than clicking on any http webpage links.

Moxie Marlinspike's PDF Defeating SSL has more on this.

Just to clarify - this isn't a Tor-specific vulnerability, it can happen whether you use Tor or not and Tor will prevent this happening in some cases (e.g. if your ISP or their network provider tried this stunt). However I have (once) come across an attempt to degrade encryption (to SSL v2) which my browser (Opera) reported as an error. So treat any certificate error messages with extreme caution (at least, switch exit node and try again).
The Tor bundle should include the Tor button plugin. To test that Tor is working try lookup sites like . To review your traceability, check EFF's [url=http://panopticlick.eff.org/]Panopticlick page (Tor alone won't affect this, but TorButton and other Firefox plugins should). To see what information your browser discloses generally, try , Privacy.net's [url=http://privacy.net/analyze-your-internet-connection/]Analyze Your Internet Connection or Leader.ru's Investigation Report.

That's not GOG's problem; it's the card issuer's.

If the card issuer won't honor a charge from a company in Cyprus, GOG can't collect and has to block the sale.

Many US card issuers, especially Visa franchisees and prepaid card operations, block "card not present" charges from many countries. This is entirely legal, entirely within their scope of doing business as they deem prudent, and damn frustrating if you the consumer, or GOG the merchant, can't make a deal because the charge was declined.

Nothing you or GOG can do about it except refuse to deal with those companies.

The problem with TOR is that it is used for so much really heinous stuff that any law enforcement that traces TOR traffic to you is going to put you on a list of probable child pornographers. Since the TOR endpoints are largely known to law enforcement, it becomes child's play to determine that you are using TOR, even if they can't discern the content.

It's actually the card processor that GOG uses that decides to block by IP. In such a case, they won't even attempt to access the card so the card issuer would see nothing.

What's more frustrating are processors who do access the card, reserving the charge (hence lowering the amount of money available on credit, without showing up as a transaction) and then block the order. You have to wait potentially several days for the reservation to vanish before your card's credit limit is restored.
While it *is* possible to see if someone is using Tor or not (by checking whether they're accessing Tor entry nodes), you can't do it by looking at the exits.

Law enforcement can be pretty dense at times, but flagging every Tor user as a probable kiddlly fiddler/other criminal would be hugely unproductive, requiring them to perform thousands (if not tens of thousands) of unnecessary checks. Rather like trying to ban pre-pay credit cards (which although similarly abused, are sometimes the only cards available for those with poor credit records or bankrupts).

Maybe there are cases such as you describe, but there are many cases where the reason a transaction was declined is that the card issuer declined on the grounds that the transaction was a card not present transaction from a blacklisted country. Maybe not on transactions originating from the UK, but it is a common problem for US buyers.

There may be legitimate users of TOR, but nobody with any knowledge of actual TOR traffic is so naive as to believe that any significant number of TOR users are legitimate. If you use TOR and later find out that you ended up in a database of potential suspects, well, I hope you knew that going in.

Well the majority of Tor servers are based in the US and Germany so that reasoning is unlikely to apply here.
Try running an exit node for a few years - you'll be in a better position to judge.