You might think: Why on earth are you writing about this subject? Given my extensive background in Information Technology, and my keen interest in privacy and security, I would like to share my thoughts on the matter in order to highlight a misconception (in my opinion) within the general public eye. I say this with the kindest of hearts because unfortunately, with all the current hype regarding the revelations by Edward Snowden and the activities of the NSA, many are blindly promoting the use of the Tor Network as a secure platform. However, my goal here is to provide a stance that I hope educates some readers as to why the Tor Network is not as secure as media and bloggers would make out.
For those readers who do not truly understand what Tor is, let me briefly summarise the network using quotes:
Tor is software that allows users to browse the web anonymously (Nicol, 2016).
Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location (Tor Project, 2016).
Firstly, you have to recognise that the Tor Project website clearly communicates a message about preventing someone from learning what sites you visit, which is in line with the first quote about anonymous browsing. Neither quote mentions secure end-to-end encryption, yet the feeling I get when speaking to people is that they describe it as a ‘secure platform so nobody can see what you’re doing!’.
This concerns me because a simple search on the popular engine Google reveals a different story. Research was carried out in 2014 to see if anyone could establish a link back to the original user of the Tor service. Although, admittedly, the researchers found the whole process of monitoring such a large-scale network a challenge, they did conclude they were able to reveal the sources (users) of the traffic going through the Tor Network up to 81.4% of the time (real-world experiments), and in-lab tests revealed the users 100% of the time (Chakravarty et al., 2014). This should show that the Tor Network is not as secure as it is made out to be. An important factor we must realise here is that the Tor Network was not created for general public usage, but for concealing government activities. However, the use of the Tor Network has grown massively over the past few years and is growing very rapidly at the time of writing this essay (Baraniuk, 2016).
You may be thinking… so what is your concern? My concern is that users can be found by linking usage data (Chakravarty et al., 2014), yet the usage is still ever increasing (Baraniuk, 2016). Not many people know that the Tor Network is made up of volunteers who give up their computer’s processing power and internet connection capabilities to make this network active (Tor Project, 2016). When you connect using the Tor Network, your traffic first passes through an entry node (a computer that encrypts your data while it is being transported over the Tor Network) (Nicol, 2016). It then travels through random internal nodes (only ever revealing the last node and the next node but never the entry and exit nodes) (Nicol, 2016), and finally your information is passed to an exit node (which decrypts your data so the site you want to reach can understand it) (Nicol, 2016). The important aspect here is that all these nodes (entry, internal, and exit) are operated by volunteers (the general public) using their own computers at home (Tor Project, 2016). Surely an important focus point here is the entry and exit nodes?
These entry and exit nodes get to see your unencrypted data (unless you’re using HTTPS, for example) (Zetter, 2007). Let us say there is a person who wants to find out as much information as possible about account usernames and passwords: what better way than to run an entry node or, better still, an exit node? If you are not using HTTPS to secure your connection the moment you start the Tor service, then all your information is passed along the internet in plain text (Stockley, 2015). For example, when submitting username and password data to insecure forums, your inputs can be read by anyone who runs an exit node. An exit node is able to ‘sniff’ any data that is transported through it (Burton, 2015). Burton (2015) refers to an experiment conducted by a Swedish researcher called “Chloe” who managed to identify 16 exit nodes that had logged her fictitious usernames and passwords and, better still, attempted to use them to log in to her fake accounts. You might not think 16 (1.14%) is much when there were a total of 1400 exit nodes… However, exit nodes frequently change as you use the Tor Network, which means the risks are high (Nicol, 2016; Burton, 2015; Chloe, 2015). If exit nodes and indeed entry nodes can be monitored, and anybody can set up one of these nodes voluntarily, then surely the government must be operating quite a number of nodes to try to monitor usage on the Tor Network (Lee¹, 2014). Clearly, the government disagrees with not being able to access data it sees fit for investigation, and some countries have taken it a step further by offering thousands of pounds in rewards for those who can ‘crack’ the Tor Network (Lee², 2014). For me, this is not the only concern, because very few users know that if a person can run an exit node, they can potentially control the outflow of data coming from it. It is possible to redirect traffic to a different location first, then redirect it onwards afterwards (man-in-the-middle attacks), to scrape as much content as possible from the connection.
Over 70 exit nodes were found to be doing this with active connections, and the investigations and searches are still continuing and are set to continue into the far future (DeepDotWeb, 2015).
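As an added illustration (not code from this essay or from the researcher's experiment), the Python sketch below shows one way a decoy-credential check like the one described above can be scored: a log from a fake login site is scanned for decoy passwords that reappear after they were planted. It assumes one unique decoy credential per exit node and a chronological log in the form "timestamp source_ip username password"; the key, relay fingerprints, addresses and log lines are all constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"              # constructed; keep private in real use
EXITS = ["AAAA1111", "BBBB2222", "CCCC3333"]  # constructed relay fingerprints


def decoy_for(exit_fp):
    """Derive a unique, reproducible decoy username/password for one exit."""
    digest = hmac.new(SECRET, exit_fp.encode(), hashlib.sha256).hexdigest()
    return "user_" + digest[:8], digest[8:24]


def plant(exits):
    """Map every decoy credential back to the exit it was sent through."""
    return {decoy_for(fp): fp for fp in exits}


def sample_log(planted):
    """Constructed honeypot log: 'timestamp source_ip username password'."""
    by_exit = {fp: cred for cred, fp in planted.items()}
    rows = [
        ("2015-06-01T10:00:00Z", "192.0.2.10", *by_exit["AAAA1111"]),
        ("2015-06-01T10:05:00Z", "192.0.2.20", *by_exit["BBBB2222"]),
        ("2015-06-01T10:10:00Z", "192.0.2.30", *by_exit["CCCC3333"]),
        ("2015-06-02T03:14:00Z", "203.0.113.50", *by_exit["BBBB2222"]),  # replay
        ("2015-06-02T04:00:00Z", "198.51.100.7", "admin", "123456"),     # noise
    ]
    return [" ".join(r) for r in rows]


def find_sniffing_exits(planted, log_lines):
    """Flag exits whose decoy credential is seen again after our own login."""
    seen, flagged = {}, {}
    for line in log_lines:
        ts, src_ip, user, pw = line.split()
        fp = planted.get((user, pw))
        if fp is None:
            continue                      # not one of our decoys
        seen[fp] = seen.get(fp, 0) + 1
        if seen[fp] > 1:                  # first sighting is the planted login
            flagged.setdefault(fp, []).append((ts, src_ip))
    return flagged


if __name__ == "__main__":
    planted = plant(EXITS)
    print(find_sniffing_exits(planted, sample_log(planted)))
```

Because each decoy travels through exactly one exit over plain HTTP, any second sighting points at that exit or the path beyond it; the same login sent over HTTPS would not be readable at the exit.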
The whole point of this essay is to highlight that the Tor Network is NOT as secure as the media and blogging platforms would have you believe. Yes, Tor can allow you access to the Deep Dark Web (Nicol, 2016), but the lack of understanding about the technology is leaving many people at risk of cyber attacks. If you do not secure how you enter the Tor Network, then how you leave will be just as insecure. I would like to leave you with what I feel is an important message to take away from this essay:
If you make efforts to try to understand how certain technologies work, you stand a good chance of understanding the security implications involved, and potential countermeasures such as HTTPS.
Baraniuk, C. (2016). Tor: ‘Mystery’ spike in hidden addresses. BBC News. Accessed: 23-02-2016. Available: https://www.bbc.co.uk/news/technology-35614335
Burton, G. (2015). Tor exit nodes ‘sniffing’ data – research. Computing.co.uk. Accessed: 23-02-2016. Available: https://www.computing.co.uk/ctg/news/2415961/tor-exit-nodes-sniffing-data-research
Chakravarty, S., Barbera, M., Portokalidis, G., Polychronakis, M., & Keromytis, A. (2014). On the Effectiveness of Traffic Analysis Against Anonymity Networks Using Flow Records. Lecture Notes in Computer Science. 8362. pp 247-257. Accessed: 23-02-2016. Available: https://link.springer.com/chapter/10.1007%2F978-3-319-04918-2_24
Chloe (2015). A month with BADONIONS. Accessed: 23-02-2016. Available: https://chloe.re/2015/06/20/a-month-with-badonions/
DeepDotWeb (2015). 70 Malicious Tor Exit Nodes Exposed By Siganit.org. Accessed: 23-02-2016. Available: https://www.deepdotweb.com/2015/04/26/70-malicious-tor-exit-nodes-exposed-by-siganit-org/
Lee¹, D. (2014). NSA ‘targets’ Tor web servers and users. BBC News. Accessed: 23-02-2016. Available: https://www.bbc.co.uk/news/technology-28162273
Lee², D. (2014). Russia offers $110,000 to crack Tor anonymous network. BBC News. Accessed: 23-02-2016. Available: https://www.bbc.co.uk/news/technology-28526021
Nicol, W. (2016). A beginner’s guide to Tor: How to navigate through the underground Internet. Accessed: 23-02-2016. Available: http://www.digitaltrends.com/computing/a-beginners-guide-to-tor-how-to-navigate-through-the-underground-internet/
Stockley, M. (2015). Can you trust Tor’s exit nodes? Naked Security via Sophos.com. Accessed: 23-02-2016. Available: https://nakedsecurity.sophos.com/2015/06/25/can-you-trust-tors-exit-nodes/
Tor Project (2016). Anonymity Online. Accessed: 23-02-2016. Available: https://www.torproject.org/
Zetter, K. (2007). Rogue Nodes Turn Tor Anonymiser Into Eavesdropper’s Paradise. Wired.com. Accessed: 23-02-2016. Available: https://archive.wired.com/politics/security/news/2007/09/embassy_hacks?currentPage=all