What is Tor?
Tor is software that enables anonymous communication. Pioneered by the United States Naval Research Laboratory in the 90s, Tor initially protected U.S. intelligence communications online. The technology was later taken over by DARPA, which made it open source and available to the public.
The Tor browser is commonly deemed safe, but that is not true.
Tor was built for anonymity, not security. Understanding the difference is important if you want to protect your users and organization.
How it Works
The Tor browser works by employing a practice called “onion routing”. Onion routing makes communication over the network anonymous. Tor is actually an acronym for “The Onion Router”. Onion routing works by encapsulating messages in layers of encryption (kind of like an onion). The messages are encrypted and transmitted through a series of nodes called “onion routers”.
At each node, one layer of encryption is peeled away. That layer contains the address of the next node the packet is destined for. The message arrives at its destination when the final layer is decrypted.
The sender remains anonymous because each node only knows the addresses of the immediately preceding and following nodes. The nodes do not know anything about the sender’s identity or what the encrypted message says.
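To make the layering concrete, here is an added toy simulation (not Tor Project code, and not Tor's real protocol: it uses a SHA-256 keystream XOR in place of AES, skips the Diffie-Hellman key agreement and the TLS links between relays, and uses the made-up node names guard, middle and exit). It shows the property the paragraphs above describe: each relay learns only the previous and next hop, and only the exit relay sees the plaintext payload.

```python
import hashlib
import json
import os
from typing import Dict, List, Tuple


def _keystream(key: bytes, length: int) -> bytes:
    # Toy keystream for illustration only: SHA-256(key || counter) blocks.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric toy cipher: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def build_onion(circuit: List[Tuple[str, bytes]], destination: str, payload: bytes) -> bytes:
    """Wrap payload in one layer per hop, innermost layer first.

    circuit: ordered (node_name, key) pairs; each key is shared only between the
    client and that node. Node i's layer names node i+1 (or the destination for
    the last hop) and carries the still-encrypted remainder.
    """
    inner = payload
    for i in range(len(circuit) - 1, -1, -1):
        _, key = circuit[i]
        next_hop = circuit[i + 1][0] if i + 1 < len(circuit) else destination
        cell = json.dumps({"next": next_hop, "inner": inner.hex()}).encode()
        inner = xor_crypt(key, cell)
    return inner


def peel_layer(key: bytes, blob: bytes) -> Tuple[str, bytes]:
    """What a single relay does: strip its own layer and learn only the next hop."""
    cell = json.loads(xor_crypt(key, blob).decode())
    return cell["next"], bytes.fromhex(cell["inner"])


def route(circuit: List[Tuple[str, bytes]], destination: str, payload: bytes) -> Dict[str, dict]:
    """Push the onion through the circuit and record what each node observed."""
    blob = build_onion(circuit, destination, payload)
    views: Dict[str, dict] = {}
    prev = "client"
    for name, key in circuit:
        next_hop, blob = peel_layer(key, blob)
        views[name] = {
            "previous": prev,
            "next": next_hop,
            # True while the bytes this node forwards still hide the payload.
            "payload_hidden": payload not in blob,
        }
        prev = name
    # The destination receives whatever the exit relay forwarded: the plaintext.
    views[destination] = {"from": prev, "payload": blob}
    return views


if __name__ == "__main__":
    # Hypothetical three-hop circuit with random per-hop keys (constructed input).
    circuit = [("guard", os.urandom(16)), ("middle", os.urandom(16)), ("exit", os.urandom(16))]
    for node, view in route(circuit, "example.org", b"GET / HTTP/1.1").items():
        print(node, view)
```

Note the last assertion the simulation makes visible: the exit relay's `payload_hidden` is False. Anything not protected by end-to-end encryption such as HTTPS is readable at the exit, which is exactly the exposure discussed under exit node eavesdropping below.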
Why People Think Tor is More Secure
Since the messages sent are encrypted and the sender remains anonymous, many assume that Tor is secure.
In some ways, it is. Except, anonymity is not the same as security.
And Tor, like all software, has vulnerabilities.
When used properly, Tor may offer some additional security over other browsers. But there are still A LOT of caveats.
- Tor only protects applications configured to send their Internet traffic through the browser. Tor recommends using the browser to protect privacy and anonymity, but does not mention security.
- File-sharing applications on Tor notoriously ignore proxy settings and make direct connections, de-anonymizing your torrent traffic and any other web traffic you send through Tor at the same time.
- Users cannot use browser plugins.
- Only visiting HTTPS websites is allowed.
- You cannot open documents downloaded through Tor while online.
- You must use a bridge relay rather than connecting directly to the public Tor network.
Can you imagine the average user reading this entire list and actually following it?
Remember, the military built this software to complete a narrow range of use cases. They did not build it for the average user.
If that’s not enough, there are still other weaknesses to consider.
Tor Exit Node Eavesdropping
Exit nodes are the point in the network where a communication leaves the Tor network for the target server. Attackers who operate or compromise an exit node can monitor the traffic passing through it and inject malicious code into transmissions users presume are safe and encrypted.
In reality, nodes are not that hard to set up. In 2014, a group of Playstation hackers showed how easy it was to spin up nodes.
Sure, Tor has improved since then, but hackers have gotten more sophisticated too.
The point is, exit nodes are vulnerable and the network is hostile.
The Tor “Community”
The U.S. intelligence services initially built Tor to communicate anonymously across the Internet. Other countries use it for the same purpose.
And state-sponsored actors watch state-sponsored actors on the network.
On the Georgian Impact Podcast, one security expert said, “You should assume that when you’re sending traffic in the Tor network, that there’s somebody that’s looking at it.”
Part of the reason has to do with how “easy” it is to set yourself up as an exit node. As described on the podcast:
I can sit down and I can run a Tor exit node. I can offer to the Tor Foundation, like, “Hey, I have, you know, a box of co-lo and I’d be happy to let you pump like 10 megabits per second of traffic through it. Here’s what you need to hook me up. Go ahead and send some traffic.”
I can do that and I can get access to tens of thousands of people’s network traffic that way. What I can’t do is I can’t call up Verizon and say, “Hey, can you route customer x, y, z’s Web browsing through my machine now?” I would have to break into Verizon to do that.
While you may not be hiding state secrets, the reality is that there are several people on the network who have a vested interest in actively monitoring and trying to “hack” the network.
Additionally, up to 30% of the total and 57% of the active services on the Tor network belong to organizations that carry out illicit activity such as selling drugs, credit card information, violence-for-pay, or child pornography.
It’s not called “the dark web” for nothing. As mom always said, ‘you are the company you keep.’ Hang out with this company and you may come back with a virus.
Traffic Analysis Attack
Although the sender’s identity and the message contents propagated through the network are encrypted, there are ways to use what’s called “timing analysis” to monitor traffic, anticipate how it flows through the network, and break the anonymity of the chain as it reaches an exit node.
There have also been cases where attackers exploited other vulnerabilities in the Tor network.
In many cases, attackers have been able to exploit weaknesses in the Tor architecture or an exit node to uncover IP addresses, decrypt messages, or hijack communications.
How to Protect Your Organization
Use of the Tor browser and Tor network can expose uninformed users to malvertising, drive-by-download attacks, or worse.
It is not, contrary to what some people think, a secure experience.
In general, you likely don’t need anyone in your organization on the Tor network or using the Tor browser.
So, don’t enable it.
If you do, then make sure to heed the Tor project’s warnings, and consider isolating those users from your organization’s core network.
You should also make sure you have a high-quality SIEM backed by a security operations team. They can help monitor the traffic in the hidden regions of your network. They can also identify aberrations and respond to security events before they become incidents.
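As an added example of the kind of monitoring a SIEM or SOC team can do (example code written for this page, not a product feature), the following Python script scans outbound firewall log lines for connections to known Tor relays and for connections to Tor's default relay ports. The relay addresses and the log lines are constructed for the example; a real deployment would refresh the relay list from the Tor Project's published relay data. It assumes the organization's internal ranges are the RFC 1918 networks, so internal traffic on those ports is not flagged.

```python
import csv
import ipaddress
from io import StringIO
from typing import Dict, List, Set

# Constructed relay list for this example (TEST-NET addresses, not real relays).
KNOWN_TOR_RELAYS: Set[str] = {"203.0.113.7", "198.51.100.42", "192.0.2.99"}

# Tor's default ORPort (9001), DirPort (9030) and local SOCKS port (9050).
# A port match is a weaker signal than a relay-list match, so it is reported separately.
TOR_DEFAULT_PORTS = {9001, 9030, 9050}

# Assumed internal address space; connections inside it are ignored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall export: timestamp,src_ip,dst_ip,dst_port,bytes
SAMPLE_LOG = """\
2024-05-01T09:14:03Z,10.0.5.21,203.0.113.7,443,51200
2024-05-01T09:14:09Z,10.0.5.21,192.0.2.50,443,2048
2024-05-01T09:15:40Z,10.0.7.8,198.51.100.42,9001,8800
2024-05-01T09:16:02Z,10.0.9.3,172.16.0.10,9001,120
2024-05-01T09:16:30Z,10.0.7.8,192.0.2.200,9030,640
2024-05-01T09:17:55Z,10.0.5.21,203.0.113.7,443,73000
"""


def analyze(log_text: str, relays: Set[str] = KNOWN_TOR_RELAYS) -> Dict[str, object]:
    """Return relay-list hits, default-port hits, and a per-host summary of flagged flows."""
    findings: Dict[str, List[dict]] = {"relay_match": [], "suspicious_port": []}
    hosts: Dict[str, Dict[str, int]] = {}

    for row in csv.reader(StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, src, dst, port, size = row[0], row[1], row[2], int(row[3]), int(row[4])
        dst_ip = ipaddress.ip_address(dst)
        if any(dst_ip in net for net in INTERNAL_NETS):
            continue  # internal traffic, out of scope for this check

        record = {"ts": ts, "src": src, "dst": dst, "port": port, "bytes": size}
        if dst in relays:
            findings["relay_match"].append(record)
        elif port in TOR_DEFAULT_PORTS:
            findings["suspicious_port"].append(record)
        else:
            continue  # nothing Tor-related about this flow

        # Aggregate per source host so the SOC can prioritize follow-up.
        summary = hosts.setdefault(src, {"connections": 0, "bytes": 0})
        summary["connections"] += 1
        summary["bytes"] += size

    return {"relay_match": findings["relay_match"],
            "suspicious_port": findings["suspicious_port"],
            "hosts": hosts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for kind in ("relay_match", "suspicious_port"):
        for hit in result[kind]:
            print(f"{kind}: {hit['src']} -> {hit['dst']}:{hit['port']} at {hit['ts']}")
    for host, summary in result["hosts"].items():
        print(f"{host}: {summary['connections']} flagged connections, {summary['bytes']} bytes")
```

Keep the limits of this check in mind: bridge relays and pluggable transports are deliberately absent from public relay lists, so a user following the bridge advice from the caveat list above will not show up in the `relay_match` bucket. Log matching of this kind is a complement to endpoint controls that prevent the Tor browser from being installed in the first place, not a replacement for them.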