Sophos News

Can you trust Tor’s exit nodes?

Tor is the encrypted, anonymous way to browse the web that keeps you safe from prying eyes, right?

Well, no, not always.

Blogger and security researcher Chloe spent a month tempting unscrupulous Tor exit node operators with a vulnerable honeypot website to see if anyone was looking for passwords to steal.

In all, the trap was sprung by twelve exit nodes, raising a finger of suspicion over them and reminding us that you can’t get complacent about security even if you’re using Tor.

Tor is a bit of heavy-duty open source security software that’s famously used to access anonymous, hidden services (the so-called Dark Web) but, more commonly, used as a way to access the regular internet anonymously and in a way that’s resistant to surveillance.

Tor (short for The Onion Router) works by sending your encrypted network traffic on an eccentric journey between Tor ‘nodes’. At each step along the way, each Tor node helps keep you safe by never knowing what’s in your message and never knowing more about your data’s journey than the node it came from and the next one it’s going to.

Eventually your network traffic leaves Tor’s safe embrace via an exit node – a gateway computer that decrypts your traffic so it can rejoin the regular internet before it arrives at its final destination.

Anyone can set up an exit node and because it’s the place where traffic is decrypted, anyone who runs an exit node can read the traffic passing through it.

Bad exit nodes are entirely possible then, and bad news if they exist, but how do we find them?

Chloe set up a fake website with a Bitcoin theme, downloaded a complete list of exit nodes and then logged in to the honeypot site multiple times via Tor, using a different exit node and a unique password each time.

Crucially, the usernames and passwords were sent over regular HTTP rather than encrypted HTTPS, so that when Tor’s layers of encryption were peeled back they were visible in the stream of traffic.

If the login attempts had gone unobserved and unabused, then the total number of website visits and login attempts recorded by the honeypot should have exactly matched the number performed by Chloe.

They didn’t.

After a month of testing there were over 600 unexplained page visits, 12 failed login attempts and 16 successful ones that hadn’t come from Chloe.
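The comparison this method rests on, as an added Python example (not Chloe’s code): it assumes that each test login used a unique username as well as a unique password, and that the honeypot logged the timestamp, client IP, credentials and result of every attempt. All records below are constructed.

```python
"""Canary-credential analysis for a Tor exit-node honeypot (added example).

Each test login sends a one-off username/password pair through a single exit
node over plain HTTP. Any later use of that username that the researcher did
not perform is evidence that something on the path between that exit node
and the honeypot read the plaintext login.
"""
from collections import defaultdict

# Constructed record of the researcher's own logins: exit-node nickname,
# the one-off credentials, and the honeypot's timestamp for that attempt.
ISSUED = [
    {"exit": "exitA", "user": "u-exitA", "password": "p-4f1c", "ts": 1000},
    {"exit": "exitB", "user": "u-exitB", "password": "p-9e2d", "ts": 2000},
    {"exit": "exitC", "user": "u-exitC", "password": "p-7b08", "ts": 3000},
]

# Constructed honeypot login log: "<ts> <client-ip> <user> <password> <result>".
HONEYPOT_LOG = """\
1000 198.51.100.10 u-exitA p-4f1c OK
2000 198.51.100.20 u-exitB p-9e2d OK
3000 198.51.100.30 u-exitC p-7b08 OK
5400 203.0.113.7 u-exitB p-9e2d OK
5500 203.0.113.7 u-exitB guess123 FAIL
9000 203.0.113.9 nobody hunter2 FAIL
"""


def analyse(issued, log_text, window=60):
    """Return {exit: {"ok": n, "fail": n}} for canary logins the researcher did not make.

    The researcher's own attempt is the first successful login with the right
    password within `window` seconds of the issued timestamp; everything else
    against a canary username is counted as unexpected.
    """
    by_user = {rec["user"]: rec for rec in issued}
    consumed = set()  # canary usernames whose own login has been matched
    report = defaultdict(lambda: {"ok": 0, "fail": 0})
    for line in log_text.splitlines():
        ts, _ip, user, password, result = line.split()
        rec = by_user.get(user)
        if rec is None:
            continue  # not a canary account: unrelated scanner noise
        own = (user not in consumed and result == "OK"
               and password == rec["password"]
               and abs(int(ts) - rec["ts"]) <= window)
        if own:
            consumed.add(user)
            continue
        report[rec["exit"]]["ok" if result == "OK" else "fail"] += 1
    return dict(report)


def flagged_exits(issued, log_text):
    """Exit nodes with any unexpected activity. Note the caveat from the text:
    a snooper downstream of the exit produces the same signal, so this
    implicates the path through that node, not necessarily the node itself."""
    return sorted(analyse(issued, log_text))
```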

The passwords were not stored anywhere and were far too difficult to guess, so if they were indeed stolen, they were stolen by somebody snooping on the wire.

The percentage of tests that experienced an extra login attempt was very small (about 0.015%) and it’s possible that the results are down to other factors such as snooping activity downstream or even testing errors.

That said the trap can only catch the snoopers who are watching, interested in the bait and willing to act on it quickly. Any snoopers (or snooping software) that didn’t want to break cover for a quick Bitcoin would have gone undetected.

Chloe’s research is interesting then, but not quite a smoking gun.

There is a smoking gun though, and it belongs to Dan Egerstad.

In 2007 Egerstad set up just five Tor exit nodes and used them to intercept thousands of private emails, instant messages and email account credentials.

Amongst his unwitting victims were the Australian, Japanese, Iranian, Indian and Russian embassies, the Iranian Foreign Ministry, the Indian Ministry of Defence and the Dalai Lama’s liaison office.

He concluded that people were using Tor in the mistaken belief that it was an end-to-end encryption tool.

It is many things, but it isn’t that.

Dan Egerstad proved then that exit nodes were a fine place to spy on people and his research convinced him in 2007, long before Snowden, that governments were funding expensive, high bandwidth exit nodes for exactly that purpose.

Tor is a fine security project and an excellent component in a strategy of defence in depth but it isn’t (sadly) a cloak of invisibility.

Exit nodes, just like fake Wi-Fi hotspots, are an easy and tempting way for attackers to silently insert themselves into a network.

By running an exit node they can sit there as an invisible man-in-the-middle on a system that people choose when they want extra privacy and security.

When traffic emerges from an exit node, its origin is well concealed but the data itself is outside the protective umbrella of Tor’s encryption.

So if you’re using Tor to add an extra layer of security on top of your email, web or instant messaging, remember that it’s exactly that, an extra layer on top of the HTTPS or STARTTLS you’d be using anyway – and not a substitute.