Slicing onions: Part 1 – Myth-busting Tor.
The Tor network is an anonymity system designed to protect the privacy and anonymity of its users. Unlike a VPN service, Tor is both free to use and decentralized. Sadly, there is plenty of misinformation around about Tor. This post aims to clearly explain Tor and to debunk various myths surrounding it.
The Path
Tor works by sending your traffic over a network of thousands of voluntarily run nodes (sometimes referred to as relays). Each node is a server run by volunteers to help you improve your privacy and anonymity. Every time you connect to Tor, it will choose three nodes to build a path to the internet; this is called a circuit. Each of these nodes has its own function:
The Entry Node: often called the guard node, this is the first node your computer connects to. The entry node sees your IP address, but does not see what you are connecting to. Unlike the other nodes, the entry node is selected at random by the Tor client once and then kept for 2 to 3 months. I’ll expand on the reasons for this in a future blog post.
The Middle Node: the second node to which your Tor client connects. This node can see which node traffic came from (the entry node) and which it goes to next. It does not, however, see your IP address, or the domain you are connecting to. This node is randomly picked from all Tor nodes for each circuit.
The Exit Node: this is where your traffic leaves the Tor network and is forwarded to the destination domain. The exit node does not know your IP (who you are), but it knows what you are connecting to. Like the middle node, the exit node is chosen at random from the Tor nodes (if it runs with an exit flag).
A quick visualization:
1. When the packet arrives at the entry node, the first layer of encryption is removed. Inside, the entry node finds another encrypted packet with the middle node’s address. The entry node will then forward that to the middle node.
2. When the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and find an encrypted packet with the exit node’s address. The middle node will then forward the packet to the exit node.
3. When the exit node receives its packet, it will remove the last layer of encryption with its key, and find the destination address that the user wanted to connect to, and forward the packet to that address.
Here is an alternative visualization of the process. Note how each node removes its own layer of encryption, and when the destination website returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it DOES know which node the traffic came from, so it adds its own layer of encryption and sends it back.
So what do we learn from this? Well, we learn that Tor allows us to connect to a website without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are OR where you are going; and the exit node knows where you are going, but not who you are. Because the exit node makes the connection, the destination website will never know who you are (the IP address of the originating device).
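The layering described above can be traced in a few lines of code. This is an added example, not code from the Tor Project or from this post: it follows the post's simplified packet model, the node names and keys are constructed, and the SHA-256 keystream is a toy stand-in for Tor's real cryptography.

```python
import hashlib
import os

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Illustration only, not secure."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(path, destination: bytes, payload: bytes) -> bytes:
    """Client: path is [(name, key), ...], entry first. Build the innermost layer first."""
    hops = [name for name, _ in path[1:]] + [destination]
    packet = payload
    for (_, key), next_hop in zip(reversed(path), reversed(hops)):
        packet = xor_stream(key, next_hop + b"|" + packet)
    return packet

def peel(key: bytes, packet: bytes):
    """Node: remove one layer; the only thing revealed is the next hop."""
    next_hop, _, inner = xor_stream(key, packet).partition(b"|")
    return next_hop, inner

def route(path, packet: bytes):
    """Pass the packet along the circuit and record what each node learns."""
    seen = []
    for name, key in path:
        next_hop, packet = peel(key, packet)
        seen.append((name, next_hop))
    return seen, packet

def reply(path, data: bytes) -> bytes:
    """Return trip: the exit adds its layer first, the entry node last."""
    for _, key in reversed(path):
        data = xor_stream(key, data)
    return data

def unwrap_reply(path, data: bytes) -> bytes:
    """Client: holds all three keys, so it can strip every layer."""
    for _, key in path:
        data = xor_stream(key, data)
    return data

if __name__ == "__main__":
    # Constructed circuit with random per-node keys.
    circuit = [(n, os.urandom(32)) for n in (b"entry", b"middle", b"exit")]
    onion = wrap(circuit, b"example.org:443", b"GET / HTTP/1.1")
    print(route(circuit, onion))
    print(unwrap_reply(circuit, reply(circuit, b"HTTP/1.1 200 OK")))
```

Each tuple in the recorded list is (node, what that node learned): only the exit node ever sees the destination, and no node sees both the client and the destination.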
Although Tor is one of the best ways out there to protect your privacy and security these days, it sadly suffers from a bad reputation. This is the result of a number of myths which we’ll now attempt to debunk:
But Tor was created by the US government, it must have a backdoor!
Tor was not written by the government. Tor was written by Roger Dingledine, later joined by Nick Mathewson, with funding from the Naval Research Lab through Paul Syverson. The claim that it must therefore contain a backdoor does not hold up for the following reasons. First of all, the US government uses Tor to hide its own activities online; if it had a backdoor, it would not be safe for them to use. One could argue that they could make their own anonymity system, but this wouldn’t be effective. If the government built their own system and only let themselves use it, then ALL traffic on it would automatically be known to be CIA/NSA/FBI traffic, making it pointless to use in the first place. One must not forget that you cannot be anonymous alone; you need similarly anonymous peers to form a crowd for you to blend into. The more people you throw into the mix, the harder any individual is to find.
Tor will get me on a watch list!
The claim that using Tor gets you on a watch list in a western society makes no sense at all. Not because it could never happen, but because such a list would be useless if they made one. Analysis shows that the Tor network gets as many as 2 million users a day. That’s a huge list, big enough that targeted surveillance is no longer possible, and governments would have to rely on mass surveillance. Hey, mass surveillance, wasn’t that already happening somewhere? Oh yeah, it's called the internet! The only place where using Tor could be dangerous is in nations with an oppressive government, but in that case a VPN is just as likely to arouse suspicion and get you on “the list”. Also, with Tor one can try to avoid detection by using bridge relays, which are entry nodes that are not publicly listed. Finally, it is worth considering what the use of Tor protects you from, and whether that is more important than what the theoretical list would expose you to. It’s a little like thinking that using HTTPS will get you on a list, and therefore no longer using HTTPS to protect yourself.
But exit nodes can do spooky stuff with my traffic!
This one is partially true. Although your traffic is encrypted while entering and traveling through the Tor network, the connection between the website and your exit node is not. If I were to log in to a webpage using HTTP, an exit node could intercept my password. And while this was a big issue in the past, the massive adoption of HTTPS, which went from 67% of all websites in 2017 to 77% in 2018, has made most manipulation done by the exit node impossible, as the exit node will only see an encrypted HTTPS packet that it has to forward, so even it does not know what the packet contains.
But the government can set up a lot of nodes to de-anonymize people!
While Tor is indeed not a silver bullet, setting up a lot of nodes is a very unlikely attack that can either be fairly trivially detected or become VERY expensive, depending on how it is done. First of all, to really de-anonymize someone this way, you need to have at least the entry node and the exit node of a Tor user. Remember when I explained above that entry nodes are chosen once and are kept for 2 to 3 months? This is exactly why: if the government wants to become your entry node, it has an N% chance of being picked by you out of 6000+ nodes. If I am lucky and pick a non-government node, the government will have to keep all their nodes running (costing lots of money) for at least two months before they get another chance of becoming your entry. Also, it takes at least 8 days, and a maximum of 68 days before it gets up to full speed, for a node to become a guard node. As you see, this is slow, expensive, and generally a very unattractive way of finding a Tor user. While yes, they COULD do it, it wouldn't make sense for them to do so, as there are a lot of attacks out there that are a lot cheaper to execute and try out. In the “Tor Stinks” slides that were leaked in the Snowden documents, it was stated that they could de-anonymize a very small fraction of people, but that this cannot be used to target specific people on demand, which makes this expensive attack not worth it in a real-life scenario.
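To see why keeping one entry node for months limits exposure, the following added example (not from the post or the Tor Project) compares a pinned entry node with a hypothetical client that picks a new entry for every circuit. It assumes nodes are picked uniformly at random, which real Tor does not do (it weights by bandwidth and flags), and the 5% adversary share and circuit counts are constructed.

```python
import random

def simulate(frac_bad, periods, circuits, pin_guard, clients=2000, seed=1):
    """Share of simulated clients that ever build a circuit whose entry AND exit
    are both adversary-run (the precondition the post names)."""
    rng = random.Random(seed)
    exposed_clients = 0
    for _ in range(clients):
        exposed = False
        for _ in range(periods):
            guard_bad = rng.random() < frac_bad        # entry picked once per period
            for _ in range(circuits):
                if not pin_guard:                      # hypothetical: new entry per circuit
                    guard_bad = rng.random() < frac_bad
                exit_bad = rng.random() < frac_bad     # exit is always picked per circuit
                exposed = exposed or (guard_bad and exit_bad)
        exposed_clients += exposed
    return exposed_clients / clients

def closed_form(frac_bad, periods, circuits, pin_guard):
    """The same quantity computed analytically, as a cross-check."""
    f = frac_bad
    if pin_guard:
        per_period = f * (1 - (1 - f) ** circuits)     # bad guard, then any bad exit
    else:
        per_period = 1 - (1 - f * f) ** circuits       # any circuit with both ends bad
    return 1 - (1 - per_period) ** periods

# Constructed parameters: 5% adversary nodes, 6 guard periods (~1 year), 100 circuits each.
F, PERIODS, CIRCUITS = 0.05, 6, 100

if __name__ == "__main__":
    for pinned in (True, False):
        print("pinned" if pinned else "unpinned",
              round(simulate(F, PERIODS, CIRCUITS, pinned), 3),
              round(closed_form(F, PERIODS, CIRCUITS, pinned), 3))
```

With a pinned entry node the exposure is capped by the number of guard picks, no matter how many circuits are built; without pinning it keeps climbing toward certainty as circuits accumulate.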
But Tor is only used by criminals on this thing called the dark web, we should not support it!
Firstly, while Tor can be used to reach websites anonymously on the “dark web”, the VAST majority of Tor traffic is used to reach normal websites. While some people are convinced Tor is enabling pedophiles and should be taken down, this is not a solution and will not help anything. If you take away Tor, all that would happen is that criminals will use another (illegal) medium to conduct their business, whereas an activist in Iran may be killed and tortured without the protection of Tor. Tor may be a two-edged sword, but the side of the benefits to society cuts a whole lot sharper than the criminal side.
I heard attack XYZ can break Tor!
As I said above, Tor is no silver bullet; there can be attacks out there that could be used to try and de-anonymize Tor users. But it is currently the best we have, and as Tor grows, with each user and each new node, attacks become harder and more expensive to execute. All we currently know is that in 2013, as part of the Snowden leaks, the NSA was not able to reliably trace Tor users.
But what about this drug market that got busted? It was hosted on Tor!
It is true that there are certain individuals that abuse Tor to hide illegal websites, and many have been caught doing it. However, in each and every public case of a takedown, Tor was not the cause. One has to understand that even if your connection is anonymous, other things might not be. Tor is not magic security dust; it will not make your server “unhackable”. Software bugs are still a thing, government infiltration is still a thing, and simple user error is still a thing. These tactics are WAY cheaper, and also often a lot easier, to execute than any attacks directed at Tor itself.
But Tor is funded by the US government!
This one is partially true. While most current funding of the Tor project comes from the US government, people first have to realize that, again, the government uses Tor themselves, so it makes sense for them to fund its development. Secondly, the US government is enormous, and it makes perfect sense that one part of the government is trying to improve it, while the other part wants to break it. Furthermore, it's worth mentioning that the Tor project is actively trying to diversify their funding sources, with success. In 2015, 85% of Tor's funding came from the US government; it went down to 76% in 2016, and even 51% in 2017. Do you want to help diversify Tor's funding even further? You can do so by heading to their webpage; by donating you will help their important work. It is also worth mentioning that all Tor code is completely FOSS. All discussions and meetings, all research, everything the Tor project does is transparent and available online for anyone to crawl through and investigate, meaning that if the Tor project were to do something sketchy, people could see it.
No, Tor is, like I mentioned above, not a silver bullet. While it is currently the best option we have, there are certain attacks that could be used against Tor (like traffic confirmation attacks) to try and de-anonymize its users. For this, however, other technical measures can be taken to protect yourself further. What Tor is, though, is a way to make mass surveillance so expensive, so hard, that governments will now have to scale down and focus their resources on specific targets, essentially dumping mass surveillance. And that is the power of Tor.
Now that we have most Tor myths out of the way, we can move on to the next post in the Slicing onions series. There I will explain how Tor relates to VPNs, what their use cases are, and when you should use one over the other: Slicing onions: part 2 – Onion recipes; VPN not required