The Trouble with Tor


For over a decade, people all over the world have used Tor (formerly known as the Onion Router) to protect their privacy. The U.S. Naval Research Laboratory developed the system using open source technology, to protect U.S. government communications.

It is used by people living under restrictive regimes who want to access forbidden information or data on the Internet, whistle-blowers and dissidents who want to communicate with journalists, and anyone who wants to use the Internet without being tracked or to publish information on the Net without compromising their privacy.

How Tor Works

Tor works by sending traffic from its source to its destination via a random series of Tor relays around the world. Traffic is encrypted each time it goes from one relay to the next, and any given relay only knows where it got the traffic from and its next stop. Only the last, exit node knows the ultimate destination; it decrypts the traffic as it leaves the Tor network.
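The layering described above, as an added illustration (not code from Tor or from the original article). A toy stream cipher built from SHA-256 stands in for Tor's real cryptography, and the relay names, pre-shared keys and destination are constructed for the example.

```python
import hashlib, json, os

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Illustration only, not Tor's crypto."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap(circuit, destination: str, payload: bytes) -> bytes:
    """Client: add one layer per relay, innermost (exit) layer first."""
    names = [name for name, _ in circuit]
    next_hops = names[1:] + [destination]
    cell = payload
    for (_, key), nxt in reversed(list(zip(circuit, next_hops))):
        nonce = os.urandom(12)
        layer = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = nonce + xor_stream(key, nonce, layer)
    return cell

def peel(key: bytes, cell: bytes):
    """Relay: remove exactly one layer; learn only the next hop."""
    layer = json.loads(xor_stream(key, cell[:12], cell[12:]))
    return layer["next"], bytes.fromhex(layer["data"])

def route(circuit, cell: bytes):
    """Pass the cell along the circuit and record what each relay could see."""
    seen, prev = [], "client"
    for name, key in circuit:
        nxt, cell = peel(key, cell)
        seen.append((name, prev, nxt))
        prev = name
    return seen, cell

# Constructed sample circuit: names and pre-shared keys are assumptions.
CIRCUIT = [("guard", b"key-guard"), ("middle", b"key-middle"), ("exit", b"key-exit")]

if __name__ == "__main__":
    onion = wrap(CIRCUIT, "example.com:443", b"GET / HTTP/1.1")
    seen, delivered = route(CIRCUIT, onion)
    for relay, came_from, goes_to in seen:
        print(f"{relay}: from {came_from}, to {goes_to}")
    print("delivered by exit:", delivered)
```

Only the exit relay's view contains the destination, and only the first relay's view contains the client, which is why the exit is the point where traffic leaves the network unprotected by Tor's layers.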

Using Tor “rendezvous points” it is also possible to offer a “hidden service” such as an anonymous website whose owners and location can’t be traced.

There are thousands of Tor relays around the world and millions of people rely on them. (Anyone can set one up.) NSA documents leaked in 2013 describe Tor as “… the king of high secure, low latency Internet Anonymity,” adding that “… there are no contenders for the throne in waiting.”

That was then. But now Tor appears to have problems.

Tor’s Travails

Perhaps the most obvious illustration of this is the seizure of the Silk Road 2.0 drugs marketplace and the arrest of a San Francisco man thought to be behind the site, which operated as a hidden Tor service. It’s believed that Silk Road 2.0 was compromised by a Homeland Security Investigations undercover agent rather than a technical weakness in the Tor system, but the arrest highlights the fact that using Tor does not guarantee anonymity.

In fact, using Tor can actually attract interest from law enforcement and security agencies. Earlier this year it was revealed that the NSA’s XKeyScore program is likely to place Internet users who use Tor, or who visit its website to learn about it, on a list of extremists. So, ironically, by attempting to be anonymous on the Internet you may well put yourself directly in the NSA’s spotlight.

There are almost certainly technical weaknesses in Tor and how it is used as well.

In July Tor announced in a blog post that unknown attackers had set up a number of Tor relays and modified the traffic passing through these relays to attempt to identify users of hidden services. Users who had accessed or operated hidden services during a period of about five months up to July 4, 2014 should assume that their identity had been compromised, the blog post advised.

Another problem with using Tor is that if the user’s machine is compromised by malware, then using Tor is no longer enough to stay anonymous. This was illustrated in August 2013, when a piece of malware called Magneto was discovered which exploited a hitherto unknown vulnerability in the Tor browser, which is commonly used to visit websites using Tor.

Not So Anonymous

The JavaScript exploit is widely believed to have been the work of the FBI, because it doesn’t do anything to the compromised machine except send the machine’s MAC address and Windows hostname to a server in Virginia using the machine’s real IP address. The idea that the FBI could be involved with malware is not too outlandish; disclosures from Edward Snowden have already shown that the NSA does much the same thing.

More recently, a former researcher at Columbia University co-published research that claims that it is possible to identify 81 percent of Tor users using a variation of a technique called traffic analysis. Essentially it involves setting up a modified Tor relay, and then injecting traffic into a TCP connection and analyzing router flow records.

This is complicated stuff, but not so complicated that it would require the enormous resources of the NSA to carry it out, according to Professor Sambuddho Chakravarty.

That’s a concern because some Tor relays on the Internet are very large and handle a huge volume of traffic, making them expensive to operate and maintain. An obvious question then is this: Who is picking up the bill? Given that many governments would like to know more about what people are doing on Tor, it doesn’t take a huge stretch of the imagination to think that some of these may be operated by the national intelligence services of foreign governments.

Tor Alternatives

Despite the NSA saying there are no contenders to Tor’s throne as king of Internet anonymity, alternatives do exist, including:

The Invisible Internet Project (I2P) is an anonymous overlay network, a network within a network. It is intended to protect communication from dragnet surveillance and monitoring by third parties such as ISPs.

To anonymize the messages sent, each client application has their I2P “router” build a few inbound and outbound “tunnels” – a sequence of peers that pass messages in one direction (to and from the client, respectively). In turn, when a client wants to send a message to another client, the client passes that message out one of their outbound tunnels targeting one of the other client’s inbound tunnels, eventually reaching the destination.

The project website for the open source I2P software warns that “no network can be ‘perfectly anonymous.’” It says the continued goal of I2P is to make attacks more and more difficult to mount. “Its anonymity will get stronger as the size of the network increases and with ongoing academic review,” it adds.

Freenet is free software which purports to let you anonymously share files, browse and publish “freesites” (websites accessible only through Freenet) and chat on forums. According to the project, an important recent development, which few other networks have, is a “darknet.” By only connecting to people they trust, users can greatly reduce their vulnerability and yet still connect to a global network through their friends’ friends and so on.

VPN services don’t offer strong anonymity, because most require that you sign up with a service provider before using them; even those that don’t require this can keep logs of the IP address where you connect from and which sites you visit.

Nonetheless, a VPN service does mask your IP address from websites you visit, providing a low level of anonymity. A VPN should be used with caution because a website may still be able to identify you through the use of cookies or other identifiers, especially if you visit an associated site without masking your IP address with a VPN.

Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.
