“Honey Onions” probe the Dark Web: at least 3% of Tor nodes are rogues

We’ve written before about anonymity and privacy on Tor.

Tor is short for The Onion Router, an internet service that intercepts the network traffic from one or more apps on your computer, usually your web browser, and shuffles it through a chain of randomly-chosen computers (normally three) before passing it on to its destination.

This disguises your location, and makes it harder for servers to pick you out on repeat visits, or to tie together separate visits to different sites, thus making tracking and surveillance more difficult.

The computers in the Tor network, known as nodes, are run by thousands of volunteers around the world, and the theory is that as long as most of them are honest, your anonymity in and through the network will be maintained.

Of course, not all Tor nodes are playing by the rules of “see no evil, hear no evil, speak no evil.”

Some are run by crooks; others are run by intelligence services; and others are run by well-meaning individuals whose servers have been hacked by unknown third parties…

…so that numerous tricks and traps have emerged that can make the Tor network a lot less anonymous than you might at first think.

That might not matter so much if all you’re doing is using it to research online prices without being tracked, but it could matter a great deal if you’re a journalist trying to keep in touch with the rest of the world in the middle of an armed insurrection.

Quis custodiet ipsos custodes?

For example, your Tor client has to connect to some first node in the network, known as an entry guard, and that computer at least knows where you are, because it sees your IP address.

Unsurprisingly, there are tricks that a rogue entry guard can use to learn more about you, even though your traffic through it is encrypted.

For example, if I control the entry guard you happen to use, and I also control the server you connect to, I can look for matches in timing and volume between your encrypted requests into Tor and the requests hitting my server.

From that, I can tie at least some of your Tor browsing to your IP address, essentially stripping off your anonymity.

Likewise, if you use Tor to browse to a regular web server, a rogue exit node can see what you asked for (unless you browsed via HTTPS, in which case it still sees which site you visited, but not the content), because it has to strip off the last layer of Tor encryption before injecting your traffic back into the regular internet.

Even if the exit node doesn’t know exactly who you are, it can learn a lot about you.

Hidden services

That’s why servers that want to stay well-hidden operate inside Tor itself, forming what are known as “hidden services.”

Traffic to hidden services never leaves the Tor network: there is no exit node at all, because your circuit and the hidden service’s circuit meet at a rendezvous point inside Tor, so the operator of the hidden service doesn’t have to trust anyone else’s exit node.

Hidden services are looked up using a feature of Tor called HSDirs, or Hidden Service Directory nodes.

Without going into technical details, HSDir nodes don’t know where your hidden server is, but they know what it’s called, and how to tell the rest of Tor to hook visitors up to it anonymously. (Hidden service names are derived from a hash of the service’s public key, so they look like random strings, for example OJ2W453JOJWGGIDX.ONION and HA3UMWKOKJ4MUEUY.ONION.)

In theory, then, your hidden service really is hidden: invisible to anyone until you tell them its 16-character name, which encodes 80 bits and so is not something they are going to guess.

That means that crooks (or cops) who want to try and crack into your server to learn about you don’t even know where to start, giving you time to conduct your hidden business and vanish before any hacking attempts start.

In practice, however, the Tor HSDir nodes that allow in-the-know outsiders to connect to your server also learn its hidden name, so if rogues are running one of those HSDir nodes…

…they get an early heads-up that there’s probably something worth hacking away at, and they themselves get to use Tor to stay anonymous.
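To make concrete how an HSDir ends up knowing a service’s name, here is the v2 derivation that was in force when this research was done, written out as an added example (not code from the original article or from the Tor project): the onion name is the first 80 bits of the SHA-1 hash of the service’s public key in base32, and each day the descriptor is uploaded to three consecutive HSDirs on a hash ring for each of two replicas, so six HSDirs learn the name. The “public key” and the HSDir fingerprints below are constructed stand-ins, not real keys or relays; the timestamp is fixed so the output is reproducible.

```python
import base64
import bisect
import hashlib
import struct

# Parameters from Tor's rend-spec-v2, the hidden-service protocol in use when
# the Honion study ran: each descriptor is published on 2 replicas, and each
# replica goes to 3 consecutive HSDirs on the ring, so 6 HSDirs learn the name.
N_REPLICAS = 2
SPREAD = 3

# Constructed stand-ins (not a real key, not real relays): any bytes will do,
# since the point is the derivation rather than RSA itself.
FAKE_PUBKEY_DER = b"constructed-stand-in-for-a-DER-encoded-RSA-1024-public-key"
HSDIR_FINGERPRINTS = [hashlib.sha1(b"constructed-hsdir-%d" % i).digest()
                      for i in range(64)]


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def permanent_id(public_key_der: bytes) -> bytes:
    """The service's permanent identifier: the first 80 bits (10 bytes) of the
    SHA-1 hash of its DER-encoded public key."""
    return sha1(public_key_der)[:10]


def onion_address(public_key_der: bytes) -> str:
    """v2 .onion name = base32(permanent-id): 10 bytes -> 16 characters.
    It looks random but is a function of the key, so anyone holding the
    descriptor (which carries the key) can recompute it."""
    return base64.b32encode(permanent_id(public_key_der)).decode().lower() + ".onion"


def descriptor_id(perm_id: bytes, now: int, replica: int,
                  descriptor_cookie: bytes = b"") -> bytes:
    """descriptor-id = H(permanent-id | H(time-period | cookie | replica)).
    time-period advances once a day, at an offset chosen per service so that
    not every service moves to new HSDirs at the same moment."""
    time_period = (now + perm_id[0] * 86400 // 256) // 86400
    secret = sha1(struct.pack(">I", time_period) + descriptor_cookie + bytes([replica]))
    return sha1(perm_id + secret)


def responsible_hsdirs(perm_id: bytes, fingerprints, now: int):
    """For each replica, the SPREAD HSDirs whose identity fingerprints come
    next after descriptor-id on the sorted, wrap-around ring of all HSDir
    fingerprints. Returns one list of fingerprints per replica; these are the
    nodes that receive, and can read, the descriptor."""
    ring = sorted(fingerprints)
    per_replica = []
    for replica in range(N_REPLICAS):
        did = descriptor_id(perm_id, now, replica)
        start = bisect.bisect_right(ring, did) % len(ring)   # first fp > did, wrapping
        per_replica.append([ring[(start + i) % len(ring)] for i in range(SPREAD)])
    return per_replica


def hsdirs_that_learn_the_name(public_key_der: bytes, fingerprints, now: int):
    """The distinct HSDirs that learn this service's name on the given day."""
    pid = permanent_id(public_key_der)
    return {fp for dirs in responsible_hsdirs(pid, fingerprints, now) for fp in dirs}


if __name__ == "__main__":
    now = 1_470_000_000          # fixed timestamp (August 2016) for reproducibility
    print("onion address:", onion_address(FAKE_PUBKEY_DER))
    today = hsdirs_that_learn_the_name(FAKE_PUBKEY_DER, HSDIR_FINGERPRINTS, now)
    print(f"{len(today)} of {len(HSDIR_FINGERPRINTS)} HSDirs learn it today:")
    for fp in sorted(today):
        print("  ", fp.hex())
    tomorrow = hsdirs_that_learn_the_name(FAKE_PUBKEY_DER, HSDIR_FINGERPRINTS, now + 86400)
    print("still responsible tomorrow:", len(today & tomorrow),
          "newly responsible tomorrow:", len(tomorrow - today))
```

Two things worth noticing when you run it: the six HSDirs are chosen by the hash ring, not by the service operator, so you cannot avoid a rogue by picking trustworthy directories; and because the descriptor ID changes daily, a service that stays up for months is exposed to a fresh set of HSDirs every day, which is exactly what lets a long-running Honion deployment sample so many of them. (The later v3 onion-service design blinds the key in the descriptor so that HSDirs no longer learn the address; the derivation above is the v2 scheme the study measured.)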

Honey Onions to the rescue

Two researchers from Northeastern University in Boston, Massachusetts, recently tried to measure just how many rogue HSDir nodes there might be, out of the 3000 or more scattered around the world.

Detecting that there are rogue nodes is fairly easy: publish a hidden service, tell no one about it (the only parties who learn its name are the handful of HSDir nodes that Tor automatically uploads its descriptor to), and wait for web requests to come in.

If your hidden service is known to, say, six HSDir nodes, and you see one web request come in, you know that one of those nodes is keeping tabs on you.

But if you get twenty, 200 or even 2000 rogue requests, you can’t tell if it’s one HSDir node snooping over and over again, or if all of them are rogues, or somewhere in between.

With 1500 specially-created hidden services, amusingly called “Honey Onions,” or just Honions, deployed over about two months, the researchers measured 40,000 requests that they assume came from one or more rogue nodes. (Only HSDir nodes ever knew the name of each Honion, so the researchers could assume that all connections must have been initiated by a rogue node.)

Thanks to some clever mathematics about which HSDir nodes knew which Honions at what time, they worked out the smallest set of HSDir nodes that could account for every Honion that received a visit, and calculated that these rogue requests must have come from at least 110 different HSDir nodes in the Tor network.
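The “clever mathematics” is a minimum hitting set problem: every visited Honion gives you a short list of HSDirs, at least one of which must be rogue, and the question is how few HSDirs can explain all the visits at once. The following is an added example (not the researchers’ code or data) that simulates a small Honion deployment with constructed HSDir numbers, then computes three figures: a cheap always-valid lower bound from Honions whose HSDir sets don’t overlap, the exact minimum by a small branching search, and a greedy estimate that scales to thousands of Honions but is not a lower bound. The number of HSDirs per Honion, the rogue count and the assumption that a rogue visits everything it learns about are all parameters of the simulation, not findings from the study.

```python
import random
from collections import Counter

# Constructed simulation, not the study's data: HSDirs are numbered 0..N-1,
# each Honion's descriptor lands on PER_HONION of them, and a Honion counts as
# "detected" when it receives any request at all, since nobody but its HSDirs
# could have known its name.
PER_HONION = 6


def deploy(n_hsdirs=40, n_honions=30, n_rogue=4, seed=7):
    """Simulate a deployment: returns (true rogue set, {honion: HSDirs that
    learned its name}, list of honions that received requests)."""
    rng = random.Random(seed)
    rogues = set(rng.sample(range(n_hsdirs), n_rogue))
    placements = {h: frozenset(rng.sample(range(n_hsdirs), PER_HONION))
                  for h in range(n_honions)}
    # Assumption of this model: a rogue visits every Honion it learns about.
    # A shyer rogue produces fewer detections, which lowers the bound but
    # never makes it wrong.
    visited = [h for h, dirs in placements.items() if dirs & rogues]
    return rogues, placements, visited


def evidence(placements, visited):
    """One candidate set per visited Honion: the HSDirs that knew its name,
    at least one of which must be rogue."""
    return [placements[h] for h in visited]


def is_explanation(sets, chosen):
    """True if every visited Honion has at least one chosen HSDir."""
    return all(s & chosen for s in sets)


def exact_min_rogues(sets):
    """Smallest set of HSDirs that explains every visit (minimum hitting set).
    Exact, by iterative deepening: branch on the Honion with the fewest
    candidates, since one of them must be rogue. Cost grows with the size of
    the answer, so this is for small instances; the study's scale needs an
    ILP solver or the greedy estimate below."""
    sets = [frozenset(s) for s in sets]

    def search(chosen, budget):
        unexplained = [s for s in sets if not (s & chosen)]
        if not unexplained:
            return chosen
        if budget == 0:
            return None
        pivot = min(unexplained, key=len)
        for d in sorted(pivot):
            found = search(chosen | {d}, budget - 1)
            if found is not None:
                return found
        return None

    for budget in range(len(sets) + 1):
        result = search(frozenset(), budget)
        if result is not None:
            return result
    return frozenset()


def disjoint_packing_bound(sets):
    """A cheap lower bound that is always valid: Honions whose HSDir sets are
    pairwise disjoint each need a rogue of their own."""
    used, count = set(), 0
    for s in sorted(sets, key=lambda s: (len(s), sorted(s))):
        if not (s & used):
            used |= s
            count += 1
    return count


def greedy_explanation(sets):
    """Greedy hitting set: repeatedly pick the HSDir that appears on the most
    still-unexplained Honions. Fast, but it is an upper estimate of the
    minimum, so never quote its size as the lower bound."""
    sets = [frozenset(s) for s in sets]
    chosen = set()
    while not is_explanation(sets, chosen):
        counts = Counter(d for s in sets if not (s & chosen) for d in s)
        chosen.add(max(counts, key=lambda d: (counts[d], -d)))
    return frozenset(chosen)


if __name__ == "__main__":
    rogues, placements, visited = deploy()
    ev = evidence(placements, visited)
    exact = exact_min_rogues(ev)
    print(f"{len(visited)} of {len(placements)} Honions were visited")
    print("packing bound      :", disjoint_packing_bound(ev))
    print("exact lower bound  :", len(exact), sorted(exact))
    print("greedy explanation :", len(greedy_explanation(ev)))
    print("true rogue count   :", len(rogues), sorted(rogues))
```

The exact figure is a lower bound in the study’s sense: the true rogue set always explains every visit, so it can never be smaller than the minimum, but several rogues sharing a Honion are indistinguishable from one, which is why the real count can be higher. Run the block with different seeds and the gap between the exact bound and the true count varies; the greedy figure sometimes overshoots the true count, which is the reason it cannot be reported as a bound.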

Some of the requests were of the “are you there” sort, while others were probes overtly looking for known vulnerabilities to exploit.

110 rogue nodes may not sound like a lot, but there are around 7000 Tor nodes altogether, of which about half are HSDir nodes, and 110 is the smallest number of rogues consistent with the evidence (what mathematicians call a lower bound), so the true figure could well be higher.

That’s about 3%.

In other words, if you’re relying entirely on Tor for your anonymity and privacy, and it’s a matter of life and death if you get unmasked…

…use additional security procedures, too!