How secure is the TOR network for everyday internet browsing?

I recently read that the Free Software Foundation has given the Award for Projects of Social Benefit to the TOR Project. Congratulations! There are indeed cases in which the TOR network can be extremely useful to society. On the other hand, the fact that an organization like the FSF gives this award to the TOR project, combined with statements like “People like you and your family use Tor to protect themselves, their children, and their dignity while using the Internet”, which can be found throughout the TOR project website, may lead the typical internet user into thinking that the TOR network, apart from providing anonymity, is also a secure way of communication, which is far from the truth. I don’t claim to be a network security expert or an authority on the TOR network, but I don’t think any expertise is required in order to state the obvious.

At this point, it is useful to roughly describe how TOR works. The TOR network consists of TOR clients, relays and exit nodes. A client connects to the network, which initiates the creation of a tunnel that starts at the user’s location and ends, after following a random route through the relays, at a random exit node. The user configures other software like web browsers or instant messengers to connect to the remote service through this tunnel. Once the request exits the tunnel at the exit-node, it goes through the network of the ISP that provides internet access to the TOR exit-node and finally reaches the remote service. The response from the remote service follows the inverse route to get back to the user’s software. This way, the user’s ISP has absolutely no idea what services the user communicates with, since all user traffic goes through the TOR network and the network of a 3rd party ISP.

So, TOR can provide anonymity as far as the user’s ISP is concerned, but is it a secure way to communicate with remote services? If no extra encryption is used, then it is quite obvious that using remote services through the TOR network is totally insecure. Here is why.

The TOR exit-node is a key point in the communication between the user and the remote service. This is where the user’s data exits the TOR tunnel and continues its way to the remote service through the 3rd party ISP’s network. It is also the place where data from the remote service leaves the 3rd party ISP’s network and enters the TOR tunnel in order to reach the end user. If no encryption is used, it is possible for the exit-node operator to sniff this network traffic. This means that it is technically possible for an evil exit-node operator to:

  • know which web pages the user visits
  • read the messages the user exchanges through unencrypted IM networks
  • read the emails the user sends
  • if the user authenticates to any services without encryption, the evil exit-node operator could for example find out his mailbox or FTP account password or the passwords the user uses for authentication to web sites
  • even if the authentication to a web service has taken place through an encrypted SSL tunnel, if the rest of the communication with this specific web service is not encrypted, the evil operator could grab a copy of the user’s session cookie for this service and access it pretending to be him

These are some of the nasty things that can happen when you access remote services through a proxy server which you do not control.
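The session-cookie case in the last bullet above can be checked from the defender's side. The following Python sketch is an added example, not part of the original post: it inspects the response to an HTTPS login and reports anything that would let the session travel in cleartext past the exit node. The function names, the host name and both header samples are constructed for illustration.

```python
from urllib.parse import urlsplit


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_login_response(request_url, headers):
    """Return findings for a login response; headers is a list of (name, value)."""
    findings = []
    if urlsplit(request_url).scheme != "https":
        findings.append("login request itself is not encrypted")
    hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"cookie {cookie!r} lacks Secure: also sent over plain HTTP")
        elif lname == "location" and urlsplit(value).scheme == "http":
            findings.append(f"redirects to cleartext URL {value}")
        elif lname == "strict-transport-security":
            hsts = True
    if not hsts:
        findings.append("no Strict-Transport-Security header: browser may still use plain HTTP")
    return findings


# Constructed sample: login over TLS that then drops back to plain HTTP.
WEAK = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Location", "http://mail.example.test/inbox"),
]
# Constructed sample: the same login kept on TLS end to end.
HARDENED = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("Location", "https://mail.example.test/inbox"),
    ("Strict-Transport-Security", "max-age=31536000"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_login_response("https://mail.example.test/login", hdrs))
```

An empty result for a service means the session cookie is never offered to a cleartext request, which is the property the exit-node scenario depends on.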

Is there any guarantee that exit node operators do not sniff network traffic?

Even if the exit-node operators are cool, who can guarantee that the network traffic is not monitored within the 3rd party ISP’s network? If the user accesses personalized services without encryption, then, even if the user’s real IP and thus his real name is not known, various pieces of collected data can be combined together and possibly reveal his real identity. This process is widely known as re-identification.

Is there any guarantee that the ISP providing internet access to a TOR exit node does not collect and sell information to “marketers and identity thieves”?

I consider the TOR project quite important. But, since typical internet users are urged to use the TOR network in order to browse the internet, the involved risks have to be explained in detail.

On the other hand, I’d like to urge internet users to spend some time to familiarize themselves with the basics of the HTTP protocol, the concepts of HTTP authentication and cookie based authentication and the importance of encrypted HTTP connections through SSL or TLS tunnels. Since the internet has become part of your lives, regardless of your profession, you need to be educated about these things, so as to be able to realize when your communication with the various internet services is vulnerable. You don’t have to be gurus, but rather get an idea of what is going on.

So far, it is quite clear that the only way to stay on the safe side while using anonymizing proxies on which you usually do not have full control, like TOR, is to connect to any remote services using encrypted connections only, usually through SSL or TLS tunnels. Personally, I never use anonymizing networks or third party proxies. This is because I never really had the need to hide my real location. Furthermore, I find it pointless as I don’t believe that such a thing as anonymity is really feasible. If I had to use TOR, I would try to find a way to connect to the remote service over an encrypted connection. In general, whenever I need a secure SOCKS proxy, for example when I have to use a public network to access personalized internet services which do not offer full SSL access, I use the OpenSSH client’s -D switch while logging in to an SSH server which I own and fully control, and thus I have all the security I need.

How secure is the TOR network for everyday internet browsing? by George Notaras is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright © 2011 - Some Rights Reserved

About George Notaras

George Notaras is the editor of the G-Loaded Journal, a technical blog about Free and Open-Source Software. George, among other things, is an enthusiast self-taught GNU/Linux system administrator. He has created this web site to share the IT knowledge and experience he has gained over the years with other people. George primarily uses CentOS and Fedora. He has also developed some open-source software projects in his spare time.

10 responses on “How secure is the TOR network for everyday internet browsing?”

  1. Panagiotis

    Interesting approach, especially for those who consider unknown proxies provide secure tunnels. +1 for ssh -D, the only negative is that you need access to an ssh server you know is secure.

  2. George Notaras (Post author)

    Hi Panagiotis. Thanks for your comment.

    Indeed, the only problem is that. I used to have an ssh server at home accessible from the internet, so I could use it any time I liked and consume any amount of bandwidth I needed. But, admittedly, this is not always possible.

  3. Lefteris Kosmas

    Well, I believe that using Tor, though it’s not as secure as ssh tunneling, especially logging using signed keys, but compared to unencrypted browsing, especially through hostile infrastructures (i.e. work, university, or even nationwide firewalls), it could prove itself as a viable alternative to unencrypted browsing.

    On the other hand I also believe that having an ssh server at home, or any other place you (and only you or people you trust) have access, could prove very handy.

  4. George Notaras (Post author)

    Hi Lefteris. Thanks for stopping by. An ssh server running at home is my favorite solution, but it requires that a computer is always on.

  5. Eric Gorp

    Another problem is: the user’s exit node is responsible for the traffic through his ISP, so if an anonymous user surfs on pedo***** sites, it might be a problem for the user of the exit node in some countries, such as France.

    Tor is simply reporting responsibility of the net usage to other users, which is not quite good at all.

    Regards.

  6. Jim

    What you state in this article is well known to the Tor Project. It is not uncommon to see such things and related matters discussed on the tor-talk mailing list. The Tor Project certainly cannot be held responsible for what 3rd parties say about the Tor Network. I don’t know about such things as what the FSF said being found “throughout the TOR project website”, but I do know that their download page specifically warns about the fact that Tor doesn’t/can’t encrypt the traffic between the exit node and the final destination and encourages use of https. They promote the HTTPS Everywhere extension for Firefox. They warn about ways that your IP address can leak and recommend using Tor Button. All of this is in the “full list of warnings” which is linked to from the banner near the top of the download pages that asks “do you want Tor to really work?”

    In addition to hiding what you are doing and where you are going from your ISP, Tor is also useful for being anonymous to the website you are accessing. No anonymity is perfect and the Tor project knows this. Known attacks are sometimes discussed on tor-talk. But with the proper precautions the anonymity is relatively good. The Tor Project’s website provides links to some of the academic research that is being done on anonymity if you wish to learn more.

    You are certainly correct that it would be good for Internet users to understand (in rough terms) what https is and when it is important to use it. (Some would say it is always important, hence the HTTPS Everywhere extension.) Likewise, Tor users would do well to read and understand what is in the warnings and advice the Tor project gives. But that does not detract from the usefulness of the Tor Network for certain purposes.

  7. George Notaras (Post author)

    Hi Jim. Thanks for your comment.

    I, generally, agree with everything you have written. I’d only like to add the following.

    Nowadays, step-by-step instructions about how to spy on other people on the same network exist everywhere on the net, including youtube. People don’t need to know much before they are able to sniff network traffic. They don’t even have to be smart to do it.

    On the other hand, TOR, by design, puts a random person and a random ISP between the user and the internet service. Anyone would expect the TOR project to provide the TOR users with all the information they would ever need in order to stay secure while they use the TOR network.

  8. Jim

    George Notaras wrote: “Anyone would expect the TOR project to provide the TOR users with all the information they would ever need in order to stay secure while they use the TOR network.”

    I think they are trying to do that. If you can help them do that better, the help would likely be appreciated. If you are so inclined, perhaps the tor-talk mailing list would be a good place to express your concerns and offer help.

    1. George Notaras (Post author)

      Me trying to help with this is not good enough, because I am not the right person for this kind of job. I am not a network security expert, so I might miss lots of things about the security issues involved in using the TOR network. But, if you check the donations page on the TOR web site, you will realize that the project has enough resources to hire a professional.