The headline image above is a cool visualisation from OnionScan #3.
It represents the surprising degree of “connectedness” inside Tor.
These days, most of us are well aware of how readily we can be tracked online.
Let’s ignore for the moment all the concerns we have about data breaches, surveillance, nation-state hackers, backdoors and so on.
Even in the most honest and well-meaning parts of the online world, we leave behind digital breadcrumbs that give away plenty of information about our likes, our pet peeves, the bus we usually take to work, and the browser we like best.
A few simple behaviours can limit the extent that we get tracked, such as turning off location services on our phones, regularly clearing our browser cookies, and taking the trouble to log out of our favourite social network sites when we’re not actually using them.
Occasionally however, we want to be really anonymous, and to keep our heads well below the parapet.
Indeed, online anonymity isn’t just for crooks, activists and whistleblowers.
Why use Tor?
If you think a web site is legitimate, but you’re not completely sure and would like to “try before you buy,” why not take an incognito look first, shielding your name, your IP number, even your country?
If you’re investigating a website that you think has ripped off your intellectual property, why advertise who you are?
If you want to know more about unexceptionable topics that it would nevertheless be best to keep private, such as medical issues, lifestyle choices or a new job, why shouldn’t you keep your identity to yourself?
Similarly, if you want to offer online services to help people with those very issues, you’d like them to feel confident that you’ll do your best to uphold their privacy and anonymity.
As we’ve mentioned many times on Naked Security, Tor (short for The Onion Router) is one popular tool for doing just that.
Tor’s “onion routing” deliberately and randomly bounces your web browsing traffic through a widely distributed network of nodes run by volunteers, so that no indiviual node in the Tor network knows both where your traffic started and where it finished up.
Crooks love Tor, of course, because it helps them hide in plain sight, and it helps them keep their servers going even after law enforcement investigators start searching for them to knock them offline or confiscate the data.
(If you are running a ransomware racket, for example, you lose hundreds of dollars for every victim who tries to contact you to pay up but can’t connect.)
How private and anonymous is Tor?
We’ve already written about the damage to your privacy that can be caused by Tor nodes that aren’t honest, or that have been hacked by dishonest users.
When your Tor traffic goes into the “onion network,” the first node in the list that you connect to, known as an “entry guard,” knows where you’re connecting from; you can’t easily avoid that.
And if your traffic emerges out of the onion network at the other end, the last Tor hop, or “exit node“, knows where you went, even if it doesn’t know who you are yet.
But that’s not all.
Tor is the onion router, and its job is to look after the journey that your network traffic takes along the way, whether you’re running a browser that’s making requests, or operating a server that’s generating replies.
Tor doesn’t look after the contents of your network traffic.
If you give away your name in a web form, or if your server identifies its location in one of its replies, Tor won’t dig into your traffic and “fix” the offending data.
In fact, for as long as your traffic is inside the onion network, Tor can’t see what’s in your packets at all, thanks to encryption.
That makes it hard to tell how careful the operators of your favourite dark web services are.
OnionScan #3
With this in mind, a privacy researcher in Canada recently published the third in a series of reports known as OnionScans:
The aim of these reports is to provide an accurate and up-to-date analysis of how anonymity networks are being used in the real world.
If you use Tor, even for completely uncontroversial online activity, you should take a look at this report.
There are some interesting surprises in there.
By connecting to as many Dark Web services as they could find and looking for common factors in the boilerplate details of the replies that came back, the researchers were able to figure out which servers shared the same hosting company.
For example, when you login to a remote server using the SSH protocol (short for Secure Shell), the server sends you a public encryption key to use in keeping your traffic confidential.
Ideally, when a single server farm is providing SSH services for multiple customers, it will use a unique public/private keypair for each customer, but that’s always not what happens: a single private key is often shared amongst all the SSH instances.
As long as the server keeps its one-size-fits all private key secure, everyone is safe against eavesdroppers, so this is an acceptable convenience.
But it’s not much good inside Tor, because the shared public key ties those customers needlessly together in a way that is bad for privacy and anonymity.
(In OnionScan #3, nearly a quarter of the SSH servers found within the Tor network shared a single SSH key, and were therefore hosted by a single operator – a much less varied ecosystem than you might have thought.)
Similarly, the researchers found that many FTP servers inside Tor had left identifying details in their login banners – the “welcome message” that the server displays when you first connect.
That’s a bit like answering your telephone to someone who’s never called you before by giving your full name slowly and clearly, instead of just saying “Hello,” and then wondering how the caller knows who you are.
What to do?
If you’re planning to use Tor, whether to run a client or a server, remember an old but simple saying: “Loose lips sink ships.”
Tor disguises the route that your traffic takes, but it doesn’t stop you saying or giving away things you didn’t mean to.
A good place to start for advice is Tor’s own FAQ, notably the section entitled Does Tor remove personal information from the data my application sends?
As for whether you should read the Tor FAQ using Tor itself…
…that’s one to decide for yourself.
Larry M
If you merely want to view a doubtful web site, why not simply use a web proxy? Google lists hundreds of them, mostly free. No need to install special software. Simply navigate to the web proxy and enter the suspicious URL there.
Mark Stockley
A free web proxy *is* a doubtful website ; )
Paul Ducklin
Yes, you could use a proxy.
But if your goal includes avoiding being tracked (which is where this article started), please remember that whoever operates the proxy ends up with a blow-by-blow record of your entire web browsing history – every URL, and, for unencrypted traffic, all the content, too. You’d better trust that free proxy you found on Google an awful lot!
Using Tor, your traffic goes through three randomly chosen nodes each time, so (a) the nodes change regularly and (b) no node knows both where your packets started *and* where they ended up. The entry node knows only that you browsed somewhere, but not what you looked at or where. The exit node knows where someone browsed to, but not that it was you. The middle node keeps the entry and the exit node apart and ignorant of each other so they can’t “compare notes” while your traffic is in transit.
As for complexity, installing the Tor Browser app, at least on OS X, is actually less hassle than changing your browser proxy, at least on Firefox :-)
Lastly, the default configuration of the Tor Browser app’s actual web browsing component (it’s the Firefox Extended Support Release) is almost certainly stricter than the settings in your usual browser, making it less likely that you’ll give away personal data by mistake during your most sensitive browsing.
Bryan
“many FTP servers inside Tor had left identifying details in their login banners”
I nearly snorted my water at reading this; that’s pretty funny.
You cannot trace us. You cannot find us.
Sincerely, Calvin
Paul Ducklin
For UK readers:
What is your name?
Don't tell him, Pike.