Tor is the encrypted, anonymous way to browse the web that keeps you safe from prying eyes, right?
Well, no, not always.
Blogger and security researcher Chloe spent a month tempting unscrupulous Tor exit node operators with a vulnerable honeypot website to see if anyone was looking for passwords to steal.
In all, the trap sprung for twelve exit nodes, raising a finger of suspicion for them and reminding us that you can’t get complacent about security even if you’re using Tor.
Tor is a bit of heavy duty open source security software that’s famously used to access anonymous, hidden services (the so-called Dark Web) but, more commonly, used as a way to access the regular internet anonymously and in a way that’s resistant to surveillance.
Tor (short for The Onion Router) works by sending your encrypted network traffic on an eccentric journey between Tor ‘nodes’. At each step along the way each Tor node helps keep you safe by never knowing what’s in your message and never knowing more about your data’s journey than the node it came from and the next one it’s going to.
Eventually your network traffic leaves Tor’s safe embrace via an exit node – a gateway computer that decrypts your traffic so it can rejoin the regular internet before it arrives at its final destination.
Anyone can set up an exit node and because it’s the place where traffic is decrypted, anyone who runs an exit node can read the traffic passing through it.
Bad exit nodes are entirely possible then, and bad news if they exist, but how do we find them?
Chloe set up a fake website with a Bitcoin theme, downloaded a complete list of exit nodes and then logged in to the honeypot site multiple times via Tor, using a different exit node and a unique password each time.
Crucially the usernames and passwords were sent over regular HTTP rather than encrypted HTTPS so that when Tor’s layers of encryption were peeled back they were visible in the stream of traffic.
If the login attempts had gone unobserved and unabused then the total number of website visits and log in attempts recorded by the honeypot should have matched the number performed by Chloe exactly.
They didn’t.
After a month of testing there were over 600 unexplained page visits, 12 failed log-in attempts and 16 successful ones that hadn’t come from Chloe.
The passwords were not stored anywhere and were far too difficult to guess so if they were indeed stolen, they were stolen by somebody snooping on-the-wire.
The percentage of tests that experienced an extra log in attempt was very small (about 0.015%) and it’s possible that the results are down to other factors such as snooping activity downstream or even testing errors.
That said the trap can only catch the snoopers who are watching, interested in the bait and willing to act on it quickly. Any snoopers (or snooping software) that didn’t want to break cover for a quick Bitcoin would have gone undetected.
Chloe’s research is interesting then, but not quite a smoking gun.
There is a smoking gun though, and it belongs to Dan Egerstad.
In 2007 Egerstad set up just five Tor exit nodes and used them to intercept thousands of private emails, instant messages and email account credentials.
Amongst his unwitting victims were the Australia, Japanese, Iranian, India and Russia embassies, the Iranian Foreign Ministry, the Indian Ministry of Defence and the Dalai Lama’s liaison office.
He concluded that people were using Tor in the mistaken belief that it was an end-to-end encryption tool.
It is many things, but it isn’t that.
Dan Egerstad proved then that exit nodes were a fine place to spy on people and his research convinced him in 2007, long before Snowden, that governments were funding expensive, high bandwidth exit nodes for exactly that purpose.
Tor is a fine security project and an excellent component in a strategy of defence in depth but it isn’t (sadly) a cloak of invisibility.
Exit nodes, just like fake Wi-Fi hotspots, are an easy and tempting way for attackers to silently insert themselves into a network.
By running an exit node they can sit there as an invisible man-in-the-middle on a system that people choose when they want extra privacy and security.
When traffic emerges from an exit node, its origin is well concealed but the data itself is outside the protective umbrella of Tor’s encryption.
So if you’re using Tor to add an extra layer of security on top of your email, web or instant messaging, remember that it’s exactly that, an extra layer on top of the HTTPS or STARTLS you’d be using anyway – and not a substitute.
Dan King
Anyone can stand up a Tor exit node whenever they want so in reality you should *never* trust exit nodes. Its also worth noting that Tor wasn’t designed for end-to-end security, rather privacy from the first few hops of your connection
Always use end-to-end encryption while using Tor.
Dman
You’re still trusting that there are enough clean nodes between you and your target to keep you safe. Anyone can run a tor node, but how many know if their node has been hacked? Have enough dirty nodes and poof goes your security.
Finding dirty nodes run by really stupid people is easy… a smart person would only attack after getting all information about the target covertly. A unlisted bitcoin site screams “trap” to any smart person.
4caster
Unless one is a paedophile, fraudster, tax evader, terrorist, enemy or spy, why would one need greater security than HTTPS?
Anonymous
Go enjoy your Facebook dude
Foo
Try activists, for example.
You really need to get out some more if you are seriously asking this.
Andrew Ludgate
Let’s strip your comment back a bit. paedophiles, fraudsters, tax evaders, terrorists and spies are all just subclasses of “enemy,” right?
So what you’re really saying is “Unless you’re doing something someone who has the capability both to watch what you’re doing and take action against you doesn’t like, why would you need greater security than TLS?”
Now think about the list of activities you can perform on the Internet that wouldn’t drop you in that category for at least one nation state or other powerful group in the world.
The last thing you want, for example, is to be browsing a news site and happen to look at some content deemed illegal in some part of the world, and then be arrested at the airport the next time your airplane touches down in that area (whether you’re visiting or just passing through).
Add to that, the only way to increase the security of the people who, by nature of their location in the world or occupation, need to use such a service, is to have a LOT of ordinary content also streaming over the service — otherwise, any use of TorBrowser will be an immediate flag that the person using it is most likely “a paedophile, fraudster, tax evader, terrorist, enemy or spy.”
Tor is also an excellent way of hiding your identity/location from the many marketing companies on the internet who want to track your every move. At least if you’re using TorBrowser with its recommended settings and usage, most of the information that will create a unique identifier for you and link that back to your real identity is stripped away, meaning that your insurance company no longer knows when you’re searching for alternative treatments for a heart condition, for example.
Kevin
Ludgate. You are a god damn genius. We need more people like you….
Paul Ducklin
One reason might be that you aren’t any of the above, but you have to share the internet with people who are.
Anonymous
Where do you people come from?
Rod
I’m confused why everyone is reacting to this comment as though it’s the first time they’ve been trolled.
I guess…. well done, 4caster. I’d have hoped the name alone was enough to prevent this kind of reaction.
Particularly interesting to see this reaction on a blog for security research. Even assuming the audience is just enthusiastsic and not well-versed in the subject, it’s a bit comical that this form of social engineering was effective.
Raif Badawi
Somebody like this guy:
[URL removed. Look up “Raif Badawi” – Ed]
Anonymous
What’s wrong with tax evasion? Also what about jouralism, buying drugs, and… Oh yeah PRIVACY!
falseprofit
4caster, you would want something better than HTTPS in the event you can not trust a CA (central authority).
So like applications like SSH, GPG, and self signed HTTPS websites.
These are used by system admins, people that want to quickly host an HTTPS site for personal use/testing, and people that want to talk using OTR (off the record)
loadtest
This isn’t accurate. You’re confusing two different technologies and mixing up their uses.
SSH and self signed HTTPS websites are the same as HTTPS. Where the top of the PKI chain leads is up to no one but yourself to decide, but there are some suggestions in the form of OS and some browser (notably Firefox) defaults.
PGP (or GPG if that’s what you really meant) is different. The keychain there is your own, and you decide whose keys you want to add to it.
If you’re a system administrator, PKI best practices are to set up an enterprise CA for your forest or domain and push that root to computers via group policy. That’s because if you’re an enterprise that values its security, the encryption keys should never be exposed to a third party, including an issuing CA.
If you want to talk off the record, presumably you want to talk to one person. In that case, PGP is a superior choice in terms of ease of set up and ensuring the privacy of your key.
whafedooblog
Little confused here with Tor. So, if governments can and have run exit nodes, and have the ability to decrypt your response, plus have the ip the response is going to, doesn’t that defeat the point? Can’t they track you that way?
Sorry if it’s a noob question. Networks were never my strong point!
Paul Ducklin
They don’t have the final IP that the response is going back to, but they may very well have enough information in the web request (cookies, for instance) to guess who you are, or at least to associate you with other traffic at other times. And yes, that does defeat the point.
However, if the web request is also using HTTPS (SSL/TLS), then they can’t (easily) read inside the web request or the reply. It’s when you use Tor *alone* that you get problems.
I think people assmue that because Tor uses encryption *internally* to keep the traffic anonymous inside the Tor network, their traffic is somehow magically encrypted all the way from their browser to the final site, *even if the final site is not using encryption* and therefore their browser is sending out unencrypted data.
That’s why there are extensive guidelines from the Tor guys about what else you need to as well as use Tor to do the whole privacy/secrecy thing correctly.
Remember: Tor = “the onion router”. Router as in routing network packets hither and thither. It it not “the onion encryptor” or “the complete privacy protector,” and it wasn’t designed to be.
escrow
Thanks for the article. I had no idear the model behind Tor was actually a little bit “flawed”…
J_L
No mention of VPN combined with Tor? Heck you can chain some VPNs together, provided you can take the hit in reduced Internet speed.
Anonymous
This has advantages, but won’t on it’s own protect you from bad exit nodes.
Mark Stockley
The Tor project itself discourages use of VPN with Tor IIRC.
Your entry node changes each time you create a Tor circuit or your Tor circuit is refreshed. If you connect to Tor via a VPN then that cycling is moot – I just need to compromise your VPN provider instead of a few thousand entry nodes.
hero
the best use of TOR have for a long time been for the PRESS journalists getting their news OUT OF of countries with censored internet via bridge IP nodes
doodle
These snooper nodes are actually helping tor by providing more bandwidth ha ha
Anonymous
“Those who would give up essential privacy, for a little temporary bandwidth, deserve neither privacy nor bandwidth.”
lulzx2447
Lots of misinformation in the comments. Remember, exit nodes are only used when you LEAVE the Tor network.. aka leave hidden services(.onion). If you stick to hidden services, it’s close to impossible to find out who you are, unless you de-anonymize yourself somehow(name, mail, text etc). Traffic WITHIN(hidden services) Tor is end-to-end encrypted. Outside Tor? Eh, good luck have fun.
But yes, browsing hidden services can get boring real quick.. it gets stale as there are very few good .onions out there. At some point you would have to leave the hidden services and browse instagram, youtube/whatever.. or some random non https site and you would be(potentially) exposed(exit node), as mentioned, when browsing within Tor(hidden services) this isn’t a problem as the node isn’t used thus cannot be “sniffed”. Even if a hidden service is a honeypot it’s close to impossible to find out who you are.
Using Tor for the “clearweb” aka facebook, or whatever site is a waste if you ask me, unless you live in a country where VPN’s are banned. I say just stick to VPN’s if you live in a country where VPN’s are a-ok.
Debby
Hey Mark,
With TOR, you can change the exit node and choose or exclude a specific country.
Sure, all the countries are not “safe” but this is a solution.
The country code list is available here [URL removed]
Mark Stockley
That’s not a solution to compromised exit nodes – hackers are not confined to specific countries.
Anonymous
Tor forces HTTPS, so you went out of your way and created a vulnerabbility that doesn’t normally exist.
batman
^ true, but the point is the exit nodes are being monitored.