Thursday, 20 June 2013

Is Tor Really That Secure?

In the wake of the press stories about government surveillance, many, including me, have pointed to tools such as Tor to protect anonymity. But I wanted to add a note of caution for those seeking a truly private way to access the Internet without anyone being able to monitor your browsing and trace it back to you.

Tor has several important limitations. You should be aware of them before you rely too heavily upon it.

If you are unfamiliar with Tor you can find a good explanation of how it works here.  Basically when you use the Tor network your data is routed via several randomly selected relays until it exits and one of a few thousand exit nodes.  From the point at which your data emerges onto the open Internet (from an exit node) it can be traced. Theoretically tracing back to you via the intervening relays should be impossible.  But, implementation can affect what is theoretically secure.

The most obvious problem is that if you’re accessing an unencrypted website, the exit node can potentially monitor your Internet activity.  The exit node could potentially be keeping track of the web pages you visit, searches you perform, and messages you send.  You do not choose which exit node you use so you cannot guarantee who it is that is actually running that node.  You have some protection in that your path through the Tor network is changed regularly but you need to ask yourself how much you trust someone who you don't know, have no commercial relationship with and probably can't even find who they are.

This isn't just an academic theory. As far back as 2007 researchers were able to intercept passwords and email messages by running Tor exit nodes. One Swedish computer security consultant posted the user names and passwords for hundreds of e-mail accounts as a result of collecting data in this way.

There is a way of avoiding such monitoring by an exit node: encrypt your traffic. If you use a site that uses HTTPS the exit node can intercept but not read your data, just like any other surveillance. So, choose your online services with care to avoid the first bear trap.

Next, is the danger of JavaScript and other add-in applications. Be aware, a browser’s JavaScript engine, plug-ins like Adobe Flash, external applications like Adobe Reader or even a video player could all potentially “leak” your real IP address to a website that tries to acquire it. The Tor browser bundle has JavaScript disabled by default and plug-ins can’t run. If you try to download and open a file on another application the browser will warn you.  However, anyone who has spent any time browsing the web knows that there is a great temptation to install add-ins or enable JavaScript in order to access content. Don’t succumb to the temptation if you are serious about remaining anonymous.

Again this is not simply a theoretical risk. In 2011, researchers were able to determine the IP addresses of 10,000 people who were using a BitTorrent client through Tor. The users thought that they were avoiding detection when accessing material that might be suspect but the BitTorrent client was exposing their IP addresses.

So what's the lesson here. Simply that if all you wish to do is view plain HTML pages then Tor might well protect you, assuming you trust the exit node operators.  Ideally you'd use encrypted services only and not use services that required browser plug-ins. As ever, Tor is useful but it's not the panacea many believe it to be.