General security

What Good is Tor?

Infosec Institute
April 7, 2014 by
Infosec Institute

To the uninitiated, Tor, formerly known as The Onion Router, is probably the most popular proxy network for internet anonmyzing. It's called an onion router because traffic goes through many layers of encrypting servers. The gateway IP of the user and the destination IP are also encrypted, as opposed to being in plain text. The internet server destiination is supposed to only see the IP of the exit node. That's supposed to prevent users from being identifiable via server logs, whereas traffic being encrypted at all points is supposed to prevent eavesdropping.

Tor has had its ups and downs ever since the first alpha was released in 2002. In 2011 and 2012, Tor had a big surge in users. Software packages, like the Tor web browser bundle, which uses a customized Aurora version of Firefox and Vidalia as the GUI to control Tor connectivity, helped enhance the accessibility of the service. Tor has been very helpful for uses like allowing tech savvy Chinese overcome the "Great Firewall of China," and protecting the work of investigative journalists. Edward Snowden famously used Tor to inform The Guardian and The Washington Post about PRISM last year.

But as websites can also be hosted on Tor, often using the .onion top level domain, it's been a haven for child pornography websites. Less harmfully, but still controversial, was The Silk Road, a sort of "eBay" for illegal drugs. The site ran somewhat successfully for a couple of years, but the DEA and the FBI were able to get it shut down last year. As far as the child pornography sites go, a number of members of Anonymous have been able to gather intel on many of them, and send it to the authorities. Of all the hacktivism done in the name of Anonymous or LulzSec, that has got to be the action most popular with the general public. Tor websites are only accessible by web browsers connected through Tor.

My first experience with Tor was when I installed the browser bundle in early 2012, and gave it a spin, just for fun. A nice UX feature is that a preset message page in your browser will tell you if you've successfully connected. From that point on, connectivity to Tor can be toggled via Vidalia. But you can't be sure your browser is using Tor until you get that message.

Illustration 1: Via Wikimedia Commons

It took me a few hours to find a working URL for The Silk Road, as it was constantly changing, for obvious reasons. When I did find a current URL, looking at the website was kind of neat. Simply visiting The Silk Road, from Canada, in and of itself wasn't illegal. It would only be problematic if I was caught having illegal substances mailed. I assure you, I didn't go that far. The Silk Road only took Bitcoins, and I've never purchased them. Even though they were a lot more affordable then than now. But the experience certainly satiated my curiousity.

One experiential downside of Tor is that by having to go through all of those encrypting proxy servers, which are supposed to route traffic in a random way, is that you get really slow uploads and downloads, even if your ISP connection is very fast. But for users of Tor, the traffic slowdown is worth it.

An entire live Linux distro, Tails, is built to route all TCP/IP traffic through Tor.

One development that has excellerated the growth of Tor was when Adafruit released Onion Pi, a Tor server designed to run in the Raspbian OS on Raspberry Pi devices. The software is all free, and Raspberry Pi devices retail for $25 to $35, depending on the model. So, hobbyists who strongly believe in the Tor project can easily run a Tor server very inexpensively, even if they buy a Raspberry Pi to dedicate to that purpose.

But alas, Tor isn't as secure as many people think it is.

The primary vulnerability is Tor's exit nodes -- the point in the Tor network where you access the target internet server. However many layers of encryption there are as your traffic travels Tor, the traffic from the exit node to the destination won't be encypted unless you're using an internet protocol with built-in encryption, such as HTTPS, and/or you're using properly configured encryption software on your client machine. Even then, encyption is only as strong as its mathematics. If any point of encryption uses a symmetrical key or a bitlength of less than 128 bits, it's pretty easy to crack, especially with a cluster or a botnet.

It's probable, especially in the wake of the recent NSA revelations, that government agencies such as the NSA and CSIS sniff traffic on many exit nodes.

In 2007, Swedish security wizard Dan Egerstad was able to gather the email credentials for over 100 embassy and governmental accounts. He did so by hosting his own Tor exit nodes. There's no barrier of entry for anyone to host an exit node, and all the necessary information is on Tor's website. There's always a legal risk involved, but governmental espionage agents and traditional blackhats aren't going to be scared off by that. When users weren't using secured internet protocols or weren't encrypting data before they sent it, Egerstad was able to sniff that traffic off of his exit nodes just fine.

Last year, people were stunned to learn about one way that NSA was getting around Tor. A man they caught running exit nodes got a deal that would prevent him from facing criminal charges. He turned his nodes over to their use, to run malware through them to gather identifying information on Tor users.

Tor servers were encrypted with a very secure key, 1024 bits. But, speculating that it would cost the NSA a few million dollars each time they crack a key, they could have been cracking a few keys per day. That's only a tiny fraction of Tor traffic, but especially considering if other intelligence agencies around the world and organized crime were doing that as well, there's always a chance that a key you've used has been cracked. A few million dollars to crack one key would have to be targeted to a particular user though, so the risk was greatest if you're in a position to draw attention to your activities. As of version 2.4 of Tor, released last year, Tor now uses elliptical curve cryptography. That's supposed to be more secure than the DH algorithm they were using. As I'm not a cryptographer, I cannot go into detail about that. What does concern cryptographers is that Tor has yet to use 2048 bit RSA, which is supposed to be even more secure, and theoretically, it should be.

It's been suggested via leaked documents that the NSA has cracked a fair amount of SSL, which is what encrypts HTTPS and other secured internet protocols. But keep in mind that SSL standards are always updated, so it's another cat and mouse game.

Tor's offical website confirms that they can't protect against end-to-end attacks. That's when someone is able to not only sniff an exit node, but the traffic that leaves your client to Tor, as well. If identifying details can be sniffed at both ends, a sniffer can confirm your internet targets, and probably the data in the packets being sent and received. That makes it ever more prudent to security-harden your machine, and to use encrypting software on your end.

Schneier on Security mentioned a gaping vulnerability in the Windows version of the Tor Browser Bundle. That vulnerability was patched on June 26th, 2013. But it's certainly possible that there are vulnerabilities in various Tor client and server applications that have yet to become public knowledge. Patching vulnerabilities in every kind of software possible is a constant and evolving process. And by it's very definition, zero-day attack vulnerabilties can't be patched. But I'm impressed by Malwarebytes' zero-day prevention software for Windows, which is still in public beta as of this writing. That kind of program can only do so much, but if they're going to choose a platform to start the development of such a project, Windows is an excellent choice because it's so prevalent and infamously insecure.

One hypothesis of mine is that the wide implementation of Onion Pi servers may have played a role in making Tor less secure. When the computer it runs on is so inexpensive, and so small (the size of other ARM boards, like the ones in smartphones), it's possible for many hobbyists to run Tor relays without having much proxy server securing experience.

If you are going to use Tor, like I said, you should encrypt as much on your client end as you possibly can. Preferably, use a Linux or Unix/BSD distro. Still be aware of what the risks are.

You can also consider using a free VPN instead, such as The machines and the infrastructure that implement a VPN are usually in-house, unlike Tor. But if you choose to do that, be prudent in doing your research on a particular VPN's security before you decide to use it. You'd have to trust the party that runs the VPN of your choice. Even then, nothing is 100% secure, as that's impossible.

As Tails is built to use Tor for all internet traffic, I hope their development team are looking into alternatives.

Securing and anonmyzing internet traffic is always going to be a cat and mouse game, just as antivirus software development and malware development always will be. It helps to stay constantly informed. In the world of computer technology, everything evolves quickly.


Is Tor Really Anonymous and Secure?

Is Tor's Anonymous Internet Still Secure?,news-17530.html

FBI claims tor stymied child abuse investigation

Has Tor Been Compromised?

Anonymity Crackdown: NSA vs. Tor

Security expert used tor to collect government email passwords

Embassy leaks highlight pitfalls of Tor

Onion Pi turns Raspberry Pi into Tor proxy and wireless access point

Infosec Institute
Infosec Institute

Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training.