What is Tor?
Tor is software that enables anonymous communication. Pioneered by the United States Naval Research Laboratory in the 90s, it initially protected U.S. intelligence communications online. The technology was later taken over by DARPA, which made it open-source and available to the public.
The Tor browser is commonly deemed safe, but that is not true.
The browser was built to keep users anonymous online, not to keep them secure. Understanding the difference is important if you want to protect your users and organization.
How the Tor Browser Works
The web browser works by employing a practice called “onion routing”. Onion routing makes communication over the network anonymous. Tor is actually an acronym for “The Onion Router”. Onion routing works by encapsulating messages in layers of encryption (kind of like an onion). The messages are encrypted and transmitted through a series of nodes called “onion routers”.
At each node, a layer of encryption is peeled away, revealing the next node the packet is destined for. The message arrives at its destination when the final layer is decrypted.
The sender remains anonymous because each node only knows the location of the immediately preceding and following nodes. The nodes do not know anything about the sender’s identity or what the encrypted message says.
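The layering described above, as an added example that is not part of the original article: a sender wraps a message for a three-relay path, and each relay peels one layer and records what it could observe. The relay names, keys and the SHA-256 keystream cipher are assumptions for illustration only; Tor itself negotiates per-hop keys and uses standard ciphers.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || offset). Illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(message: bytes, destination: str, path: list, keys: dict) -> bytes:
    """Sender builds the onion inside-out: the exit's layer first, the entry's last."""
    hops = path[1:] + [destination]          # where each relay must forward to
    payload = message
    for relay, next_hop in reversed(list(zip(path, hops))):
        layer = json.dumps({"next": next_hop, "data": payload.hex()}).encode()
        payload = keystream_xor(keys[relay], layer)
    return payload

def peel(relay: str, payload: bytes, keys: dict):
    """A relay removes its own layer and learns only the next hop."""
    layer = json.loads(keystream_xor(keys[relay], payload))
    return layer["next"], bytes.fromhex(layer["data"])

def route(onion: bytes, path: list, keys: dict):
    """Walk the circuit and record what each relay could observe."""
    seen, payload, prev = [], onion, "sender"
    for relay in path:
        next_hop, payload = peel(relay, payload, keys)
        seen.append({"relay": relay, "from": prev, "to": next_hop})
        prev = relay
    return seen, payload

# Constructed relay names and demo keys (hypothetical, not real Tor key material).
PATH = ["entry", "middle", "exit"]
KEYS = {n: hashlib.sha256(b"demo-key-" + n.encode()).digest() for n in PATH}

if __name__ == "__main__":
    onion = wrap(b"GET / HTTP/1.1", "example.com:80", PATH, KEYS)
    seen, delivered = route(onion, PATH, KEYS)
    for view in seen:
        print(view)
    print("exit relay forwards:", delivered)
```

Only the entry relay sees the sender and only the exit relay sees the destination, but the exit relay also ends up holding the original message bytes, so anything not separately encrypted (for example with HTTPS) is readable at that hop.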
Why People Think Tor is Safe
Since the messages sent are encrypted and the sender remains anonymous, many assume that Tor is secure.
In some ways, it is. Except, anonymity is not the same as security.
And it, like all software, has vulnerabilities.
Tor Browser Vulnerabilities
When used properly, it may offer some additional security over other browsers. But there are still A LOT of caveats.
- It only protects applications configured to send their Internet traffic through the browser. Tor recommends using the browser to protect privacy and anonymity, but does not mention security.
- File-sharing applications notoriously ignore proxy settings, and using them de-anonymizes your torrent and other web traffic.
- Users cannot use browser plugins.
- Only visiting HTTPS websites is allowed.
- You cannot open documents downloaded while online.
- You must use a bridge relay rather than connecting directly to the public network.
Can you imagine the average user reading this entire list and actually following it?
Remember, the military built this software to complete a narrow range of use cases. They did not build it for the average user.
If that’s not enough, there are still other weaknesses to consider.
Exit Node Eavesdropping
Exit nodes are the point in the network where an encrypted communication leaves the network for the target server. Attackers identifying nodes can then monitor the traffic and inject malicious code in presumably safe, encrypted transmissions.
In reality, nodes are not that hard to set up. In 2014, a group of PlayStation hackers showed how easy it was to spin up nodes.
Sure, the browser has improved since then, but hackers have gotten more sophisticated too.
The point is, exit nodes are vulnerable and the network is hostile.
The “Community”
The U.S. intelligence services initially built the browser to communicate anonymously across the Internet. Other countries use it for the same purpose.
And state-sponsored actors watch state-sponsored actors on the network.
On the Georgian Impact Podcast, one security expert said, “You should assume that when you’re sending traffic in the network, that there’s somebody that’s looking at it.”
Part of the reason has to do with how “easy” it is to set yourself up as an exit node. As described on the podcast:
I can sit down and I can run an exit node. I can offer to the Foundation, like, “Hey, I have, you know, a box of co-lo and I’d be happy to let you pump like 10 megabits per second of traffic through it. Here’s what you need to hook me up. Go ahead and send some traffic.”
I can do that and I can get access to tens of thousands of people’s network traffic that way. What I can’t do is I can’t call up Verizon and say, “Hey, can you route customer x, y, z’s Web browsing through my machine now?” I would have to break into Verizon to do that.
While you may not be hiding state secrets, the reality is that there are several people on the network who have a vested interest in actively monitoring and trying to “hack” the network.
Additionally, up to 30% of the total and 57% of the active services on the Tor network belong to organizations that carry out illicit activity such as selling drugs, credit card information, violence-for-pay, or child pornography.
It’s not called “the dark web” for nothing. As mom always said, ‘you are the company you keep.’ Hang out with this company and you may come back with a virus.
Traffic Analysis Attack
Although the sender and messaging information propagated through the network is encrypted, there are ways to use what’s called “timing analysis” to monitor traffic, anticipate how it flows through the network, and break the anonymity of the chain as it reaches an exit node.
Other Weaknesses
There have been times when other weaknesses in the Tor network have been exploited.
In many cases, attackers have been able to exploit weaknesses in the Tor architecture or an exit node to uncover IP addresses, decrypt messages, or hijack communications.
How to Protect Your Organization
Use of the browser and network can expose uninformed users to malvertising, drive-by-download attacks, or worse.
Is Tor Safe? It is not, contrary to what some people think, a secure experience. In general, you likely don’t need anyone in your organization on the network or using the browser. So, don’t enable it.
If you do, then make sure to heed the Tor project’s warnings. Maybe separate the users who need it from your organization’s core network.
You should also make sure you have a high-quality SIEM backed by a security operations team. They can help monitor the traffic in the hidden regions of your network. They can also identify aberrations and respond to security events before they become incidents.
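One way a SIEM rule could flag internal hosts talking to the Tor network, as an added example that is not from the original article: it matches egress firewall records against a set of relay address and port pairs and produces one alert per internal host. The log format, the RELAYS entries (documentation-range addresses) and the function names are constructed; in practice the set would be loaded from the relay list the Tor network publishes, which does not include the bridge relays mentioned earlier.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for published relay (address, port) pairs.
RELAYS = {("192.0.2.10", 9001), ("198.51.100.7", 443), ("203.0.113.44", 9001)}

# Constructed egress log: timestamp, internal source, destination, port, bytes.
LOG = """\
2024-05-01T09:00:01Z 10.1.4.23 192.0.2.10 9001 5120
2024-05-01T09:00:02Z 10.1.4.23 203.0.113.9 443 880
2024-05-01T09:00:05Z 10.1.7.80 198.51.100.7 443 20480
2024-05-01T09:00:09Z 10.1.4.23 203.0.113.44 9001 7300
2024-05-01T09:00:11Z 10.1.9.12 198.51.100.7 8080 150
truncated record 10.1.4.23
2024-05-01T09:01:30Z 10.1.4.23 192.0.2.10 9001 64000
"""

def parse(line):
    """Return (ts, src, dst, port, nbytes), or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, nbytes = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return ts, src, dst, int(port), int(nbytes)
    except ValueError:
        return None

def tor_alerts(log, relays):
    """Return one alert per internal host that reached a relay, plus skipped-line count."""
    hosts = defaultdict(lambda: {"relays": set(), "bytes": 0, "first_seen": None})
    skipped = 0
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            skipped += 1          # count unparsable lines instead of hiding them
            continue
        ts, src, dst, port, nbytes = rec
        if (dst, port) in relays:  # match address and port, not address alone
            hosts[src]["relays"].add(dst)
            hosts[src]["bytes"] += nbytes
            hosts[src]["first_seen"] = hosts[src]["first_seen"] or ts
    alerts = [{"host": h, "relays": sorted(v["relays"]), "bytes": v["bytes"],
               "first_seen": v["first_seen"]} for h, v in sorted(hosts.items())]
    return alerts, skipped

if __name__ == "__main__":
    for alert in tor_alerts(LOG, RELAYS)[0]:
        print(alert)
```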