April 2nd, 2011 by George Notaras
I recently read that the Free Software Foundation has given the Award for Projects of Social Benefit to the TOR Project. Congratulations! There are indeed some cases that the TOR network can be extremely useful to the societies. On the other hand, the fact that an organization like the FSF gives this award to the TOR project combined with statements like “People like you and your family use Tor to protect themselves, their children, and their dignity while using the Internet“, that can be found throughout the TOR project website, may lead the typical internet user into thinking that the TOR network, apart from providing anonymity, is also a secure way of communication, which is far from the truth. I don’t claim to be a network security expert or an authority on the TOR network, but I don’t think any expertise is required in order to state the obvious.
At this point, it is useful to roughly describe how TOR works. The TOR network consists of TOR clients, relays and exit nodes. A client connects to the network which initiates the creation of a tunnel that starts at the user’s location and ends, after following a random route through the relays, to a random exit node. The user configures other software like web browsers or instant messengers to connect to the remote service through this tunnel. Once the request exits the tunnel at the exit-node, it goes through the network of the ISP that provides internet access to the TOR exit-node and it finally reaches the remote service. The response from the remote service follows the inverse route to get back to the user’s software. This way, the user’s ISP has absolutely no idea what services the user communicates with, since all user traffic goes through the TOR network and the network of a 3rd party ISP.
So, TOR can provide anonymity as far as the user’s ISP is concerned, but is it a secure way to communicate with remote services? If no extra encryption is used, then it is quite obvious that using remote services through the TOR network is totally insecure. Here is why.
The TOR exit-node is a key point in the communication between the user and the remote service. This is where the user’s data exits the TOR tunnel and continues its way to the remote service through the 3rd party ISP’s network. It is also the place where data from the remote service leaves the 3rd party ISP’s network and enters the TOR tunnel in order to reach the end user. If no encryption is used, it is possible for the exit-node operator to sniff this network traffic. This means that it is technically possible for an evil exit-node operator to:
know which web pages the user visits
read the messages the user exchanges through unencrypted IM networks
read the emails the user sends
if the user authenticates to any services without encryption, the evil exit-node operator could for example find out his mailbox or FTP account password or the passwords the user uses for authentication to web sites
even if the authentication to a web service has taken place through an encrypted SSL tunnel, if the rest of the communication with this specific web service is not encrypted, the evil operator could grab a copy of the user’s session cookie for this service and access it pretending to be him
These are some of the nasty things that can happen when you access remote services through a proxy server which you do not control.
Is there any guarantee that exit node operators do not sniff network traffic?
Even if the exit-node operators are cool, who can guarantee that the network traffic is not monitored within the 3rd party ISP‘s network? If the user accesses personalized services without encryption, then, even if the user’s real IP and thus his real name is not known, various pieces of collected data can be combined together and possibly reveal his real identity. This process is widely known as re-identification.
Is there any guarantee that the ISP providing internet access to a TOR exit node does not collect and sell information to “marketers and identity thieves”?
I consider the TOR project quite important. But, since typical internet users are urged to use the TOR network in order to browse the internet, the involved risks have to be explained in detail.
On the other hand, I’d like to urge internet users to spend some time to familiarize themselves with the basics of the HTTP protocol, the concepts of HTTP authentication and cookie based authentication and the importance of encrypted HTTP connections through SSL or TLS tunnels. Since the internet has become part of your lives, regardless of your profession, you need to be educated about these things, so as to be able to realize when your communication with the various internet services is vulnerable. You don’t have to be gurus, but rather get an idea of what is going on.
So far, it is quite clear that the only way to stay on the safe side while using anonymizing proxies on which you usually do not have full control, like TOR, is to connect to any remote services using encrypted connections only, usually through SSL or TLS tunnels. Personally, I never use anonymizing networks or third party proxies. This is because I never really had the need to hide my real location. Furthermore, I find it pointless as I don’t believe that such a thing as anonymity is really feasible. If I had to use TOR, I would try to find a way to connect to the remote service over an encrypted connection. In general, whenever I need a secure SOCKS proxy, for example when I have to use a public network to access personalized internet services, which do not offer full SSL access, I use OpenSSH client’s -D switch while logging in to a SSH server which I own and fully control and thus I have all the security I need.