The Dark Web: just how dark is it?

06 Jul 2016 · 5 comments · Cryptography, Privacy

by Paul Ducklin

The headline image above is a cool visualisation from OnionScan #3.
It represents the surprising degree of “connectedness” inside Tor.

These days, most of us are well aware of how readily we can be tracked online.

Let’s ignore for the moment all the concerns we have about data breaches, surveillance, nation-state hackers, backdoors and so on.

Even in the most honest and well-meaning parts of the online world, we leave behind digital breadcrumbs that give away plenty of information about our likes, our pet peeves, the bus we usually take to work, and the browser we like best.

A few simple behaviours can limit the extent that we get tracked, such as turning off location services on our phones, regularly clearing our browser cookies, and taking the trouble to log out of our favourite social network sites when we’re not actually using them.

Occasionally however, we want to be really anonymous, and to keep our heads well below the parapet.

Indeed, online anonymity isn’t just for crooks, activists and whistleblowers.

Why use Tor?

If you think a web site is legitimate, but you’re not completely sure and would like to “try before you buy,” why not take an incognito look first, shielding your name, your IP number, even your country?

If you’re investigating a website that you think has ripped off your intellectual property, why advertise who you are?

If you want to know more about unexceptionable topics that it would nevertheless be best to keep private, such as medical issues, lifestyle choices or a new job, why shouldn’t you keep your identity to yourself?

Similarly, if you want to offer online services to help people with those very issues, you’d like them to feel confident that you’ll do your best to uphold their privacy and anonymity.

As we’ve mentioned many times on Naked Security, Tor (short for The Onion Router) is one popular tool for doing just that.

Tor’s “onion routing” deliberately bounces your web browsing traffic through a circuit of randomly chosen nodes (three by default) drawn from a widely distributed network run by volunteers, wrapping it in a separate layer of encryption for each hop, so that no individual node in the Tor network knows both where your traffic started and where it finished up.

Crooks love Tor, of course, because it helps them hide in plain sight, and it helps them keep their servers going even after law enforcement investigators start searching for them to knock them offline or confiscate the data.

(If you are running a ransomware racket, for example, you lose hundreds of dollars for every victim who tries to contact you to pay up but can’t connect.)

How private and anonymous is Tor?

We’ve already written about the damage to your privacy that can be caused by Tor nodes that aren’t honest, or that have been hacked by dishonest users.

When your Tor traffic goes into the “onion network,” the first relay you connect to, known as an “entry guard,” knows where you’re connecting from; you can’t easily avoid that.

And if your traffic emerges out of the onion network at the other end, the last Tor hop, or “exit node,” knows where you went, even if it doesn’t know who you are yet; if that traffic isn’t encrypted end-to-end (plain HTTP rather than HTTPS, say), the exit node can read and tamper with its contents, too.

But that’s not all.

Tor is the onion router, and its job is to look after the journey that your network traffic takes along the way, whether you’re running a browser that’s making requests, or operating a server that’s generating replies.

Tor doesn’t look after the contents of your network traffic.

If you give away your name in a web form, or if your server identifies its location in one of its replies, Tor won’t dig into your traffic and “fix” the offending data.

In fact, for as long as your traffic is between relays inside the onion network, no individual node can see what’s in your packets at all, thanks to the layered encryption; whatever is inside only reappears as plaintext at the exit node, or, for a hidden service, at the service itself.

That makes it hard to tell, from the outside, how careful the operators of your favourite dark web services are.
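To make the division of knowledge between the hops concrete, here is an added example (not code from the article or from the Tor project) that simulates a three-hop circuit with a toy keystream cipher. The relay names, the client address and the cipher are assumptions chosen for illustration; real Tor negotiates a fresh key with each relay and uses AES-CTR cells inside TLS links. The example returns what each hop learned, so you can see that the guard learns the client but not the destination, the exit learns the destination (and the plaintext, when the client sent plain HTTP) but not the client, and the middle relay learns neither.

```python
import hashlib
from dataclasses import dataclass, field

# Added example, not the article's or Tor's code. A toy three-hop onion
# circuit showing what each relay can and cannot learn. The cipher, relay
# names, keys and client address are constructed for illustration only.

HEADER = 16  # fixed-width "next hop" field at the front of every layer


def layer_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 keystream derived from `key`.
    It is symmetric, so the same call both adds and removes a layer. Each key
    is used for exactly one message here; this is NOT a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


@dataclass
class Relay:
    name: str
    key: bytes                      # secret shared with the client for this circuit
    seen: dict = field(default_factory=dict)

    def peel(self, sender: str, blob: bytes):
        """Strip one layer. The relay learns only who handed it the blob, who
        to pass it to, and an inner blob that is still encrypted for the next
        hop (plaintext only at the exit, and only if the client sent plaintext)."""
        plain = layer_xor(self.key, blob)
        next_hop = plain[:HEADER].rstrip(b"\0").decode()
        inner = plain[HEADER:]
        self.seen = {"from": sender, "to": next_hop, "inner": inner}
        return next_hop, inner


def build_onion(path, destination: str, payload: bytes) -> bytes:
    """Wrap `payload` in one layer per relay, innermost layer for the exit,
    each layer naming the hop that comes after the relay that removes it."""
    names = [r.name for r in path] + [destination]
    blob = payload
    for i in range(len(path) - 1, -1, -1):
        header = names[i + 1].encode().ljust(HEADER, b"\0")
        blob = layer_xor(path[i].key, header + blob)
    return blob


def route(client: str, path, destination: str, payload: bytes):
    """Push the onion through the circuit; return (arrived_at, bytes_delivered)."""
    blob = build_onion(path, destination, payload)
    sender = client
    for relay in path:
        next_hop, blob = relay.peel(sender, blob)
        sender = relay.name
    return next_hop, blob


def circuit_views(payload: bytes):
    """Return what each hop learned. Keys are fixed constants so the run is
    reproducible; a real client negotiates a fresh key with each relay."""
    guard = Relay("guard", b"guard-key")
    middle = Relay("middle", b"middle-key")
    exit_ = Relay("exit", b"exit-key")
    arrived_at, delivered = route("client-203.0.113.7", [guard, middle, exit_],
                                  "example.com", payload)
    views = {r.name: (r.seen["from"], r.seen["to"]) for r in (guard, middle, exit_)}
    # The exit's inner blob is exactly what leaves the Tor network: if the
    # client sent plain HTTP, the exit relay reads it as easily as the server.
    views["exit_sees_content"] = exit_.seen["inner"]
    views["delivered"] = (arrived_at, delivered)
    return views


if __name__ == "__main__":
    for hop, seen in circuit_views(b"GET / HTTP/1.1\r\n\r\nname=Paul").items():
        print(f"{hop}: {seen!r}")
```

Run it and note that nothing in the guard's or middle relay's record mentions example.com, and nothing in the exit's record mentions the client address; the only place the two ends meet is the client itself. Swap the payload for something containing your name and the exit's record shows exactly why Tor cannot “fix” what you put in a web form.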

OnionScan #3

With this in mind, a privacy researcher in Canada recently published the third in a series of reports known as OnionScans:

The aim of these reports is to provide an accurate and up-to-date analysis of how anonymity networks are being used in the real world.

If you use Tor, even for completely uncontroversial online activity, you should take a look at this report.

There are some interesting surprises in there.

By connecting to as many Dark Web services as they could find and looking for common factors in the boilerplate details of the replies that came back, the researchers were able to figure out which services were very probably sitting on the same host, or with the same hosting company.

For example, when you connect to a remote server using the SSH protocol (short for Secure Shell), the server sends you its public host key, which your client uses to check that it really is the server you connected to last time; the keys that actually encrypt the session are negotiated separately, so the host key is an identity, not a secret.

Ideally, when a single server farm is providing SSH services for multiple customers, it will use a unique public/private keypair for each customer, but that’s not always what happens: a single private key is often shared amongst all the SSH instances.

As long as the provider keeps its one-size-fits-all private key secure, everyone is still safe against eavesdroppers, so on the regular internet this is usually treated as an acceptable convenience (though one compromised server can then impersonate all the others).

But it’s not much good inside Tor, because the shared public key, or more practically its fingerprint, is a durable identifier that ties those customers needlessly together in a way that is bad for privacy and anonymity.

(In OnionScan #3, nearly a quarter of the SSH servers found within the Tor network shared a single SSH key, and were therefore hosted by a single operator – a much less varied ecosystem than you might have thought.)

Similarly, the researchers found that many FTP servers inside Tor had left identifying details in their login banners – the “welcome message” that the server displays when you first connect.

That’s a bit like answering your telephone to someone who’s never called you before by giving your full name slowly and clearly, instead of just saying “Hello,” and then wondering how the caller knows who you are.
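The two correlation tricks above, grouping services by SSH host key and spotting hostnames or addresses in FTP banners, as an added example in Python. This is not OnionScan’s code: the scan records, the .onion names, the banners and the key material are all constructed here so the script runs offline, and the fingerprint routine is the OpenSSH one (SHA-256 over the decoded key blob, base64 with the padding stripped, as printed by `ssh-keygen -lf`).

```python
import base64
import hashlib
import re
import struct
from collections import defaultdict

# Added example, not code from OnionScan or the article. The scan records,
# onion names, banners and keys below are constructed so the script runs
# offline; a real run would feed it what a scanner saw on each service's
# SSH and FTP ports.


def ssh_fingerprint(key_line: str) -> str:
    """OpenSSH-style fingerprint of a public key line ('<type> <base64> ...'):
    SHA-256 over the decoded key blob, base64-encoded, '=' padding stripped.
    This is the value `ssh-keygen -lf` prints."""
    _keytype, b64 = key_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def ed25519_key_line(pubkey: bytes) -> str:
    """Build a 'ssh-ed25519 <base64>' line from a raw 32-byte public key using
    the SSH wire encoding (length-prefixed type name, length-prefixed key).
    Used only to construct test data; a scanner records the line the server sent."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pubkey
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Anything that looks like an IPv4 address, or a dotted hostname whose last
# label is alphabetic (so version strings such as 1.3.5 do not match).
HOST_RE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)


def shared_host_keys(records):
    """Group services by SSH host-key fingerprint and return only fingerprints
    seen on more than one service: a shared key is what ties otherwise
    unrelated services to one machine or one hosting provider."""
    groups = defaultdict(list)
    for rec in records:
        if rec.get("ssh_host_key"):
            groups[ssh_fingerprint(rec["ssh_host_key"])].append(rec["onion"])
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


def banner_leaks(records):
    """Per service, the hostnames or IP addresses found in its FTP login banner,
    ignoring the service's own .onion name, which gives nothing away."""
    leaks = {}
    for rec in records:
        hits = [h for h in HOST_RE.findall(rec.get("ftp_banner", ""))
                if not h.lower().endswith(".onion")]
        if hits:
            leaks[rec["onion"]] = hits
    return leaks


# Constructed scan results: two host keys, one of them reused by three services.
KEY_SHARED = ed25519_key_line(hashlib.sha256(b"constructed provider key").digest())
KEY_SOLO = ed25519_key_line(hashlib.sha256(b"constructed lone key").digest())
SCAN = [
    {"onion": "aaaabbbbccccdddd.onion", "ssh_host_key": KEY_SHARED,
     "ftp_banner": "220 (vsFTPd 3.0.3)"},
    {"onion": "eeeeffffgggghhhh.onion", "ssh_host_key": KEY_SHARED,
     "ftp_banner": "220 ProFTPD 1.3.5 Server (srv07.example-hosting.net) [203.0.113.45]"},
    {"onion": "iiiijjjjkkkkllll.onion", "ssh_host_key": KEY_SHARED},
    {"onion": "mmmmnnnnoooopppp.onion", "ssh_host_key": KEY_SOLO,
     "ftp_banner": "220 FTP service on mmmmnnnnoooopppp.onion ready"},
]


def analyse(records=SCAN):
    """Return (fingerprint -> services sharing it, service -> banner leaks)."""
    return shared_host_keys(records), banner_leaks(records)


if __name__ == "__main__":
    keys, leaks = analyse()
    for fp, hosts in keys.items():
        print(f"{fp} shared by {len(hosts)} services: {', '.join(hosts)}")
    for onion, hits in leaks.items():
        print(f"{onion} FTP banner leaks: {', '.join(hits)}")
```

If you run a hidden service, the same two functions make a useful self-check: generate a fresh host key for the service rather than inheriting the provider’s, and confirm that the banner your FTP (or any other) daemon sends contains nothing the `HOST_RE` pattern would pick up.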

What to do?

If you’re planning to use Tor, whether to run a client or a server, remember an old but simple saying: “Loose lips sink ships.”

Tor disguises the route that your traffic takes, but it doesn’t stop you saying or giving away things you didn’t mean to.

A good place to start for advice is Tor’s own FAQ, notably the section entitled Does Tor remove personal information from the data my application sends?

As for whether you should read the Tor FAQ using Tor itself…

…that’s one to decide for yourself.




5 comments on “The Dark Web: just how dark is it?”

  1. Larry M says:
    July 6, 2016 at 7:20 pm

    If you merely want to view a doubtful web site, why not simply use a web proxy? Google lists hundreds of them, mostly free. No need to install special software. Simply navigate to the web proxy and enter the suspicious URL there.

    Reply
    • Mark Stockley says:
      July 6, 2016 at 7:29 pm

      A free web proxy *is* a doubtful website ; )

      Reply
    • Paul Ducklin says:
      July 6, 2016 at 10:17 pm

      Yes, you could use a proxy.

      But if your goal includes avoiding being tracked (which is where this article started), please remember that whoever operates the proxy ends up with a blow-by-blow record of your entire web browsing history – every URL, and, for unencrypted traffic, all the content, too. You’d better trust that free proxy you found on Google an awful lot!

      Using Tor, your traffic goes through three randomly chosen nodes each time, so (a) the nodes change regularly and (b) no node knows both where your packets started *and* where they ended up. The entry node knows only that you browsed somewhere, but not what you looked at or where. The exit node knows where someone browsed to, but not that it was you. The middle node keeps the entry and the exit node apart and ignorant of each other so they can’t “compare notes” while your traffic is in transit.

      As for complexity, installing the Tor Browser app, at least on OS X, is actually less hassle than changing your browser proxy, at least on Firefox 🙂

      Lastly, the default configuration of the Tor Browser app’s actual web browsing component (it’s the Firefox Extended Support Release) is almost certainly stricter than the settings in your usual browser, making it less likely that you’ll give away personal data by mistake during your most sensitive browsing.

      Reply
  2. Bryan says:
    July 6, 2016 at 9:44 pm

    “many FTP servers inside Tor had left identifying details in their login banners”
    I nearly snorted my water at reading this; that’s pretty funny.

    You cannot trace us. You cannot find us.
    Sincerely, Calvin

    Reply
    • Paul Ducklin says:
      August 4, 2016 at 10:03 pm

      For UK readers:

      What is your name?
      
      Don't tell him, Pike.
      Reply

