We’ve written before about anonymity and privacy on Tor.
Tor is short for The Onion Router, an internet service that intercepts the network traffic from one or more apps on your computer, usually your web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination.
This disguises your location, and makes it harder for servers to pick you out on repeat visits, or to tie together separate visits to different sites, thus making tracking and surveillance more difficult.
The computers in the Tor network, known as nodes, are run by thousands of volunteers around the world, and the theory is that as long as most of them are honest, your anonymity in and through the network will be maintained.
Of course, not all Tor nodes are playing by the rules of “see no evil, hear no evil, speak no evil.”
Some are run by crooks; others are run by intelligence services; and others are run by well-meaning individuals whose servers have been hacked by unknown third parties…
…so that numerous tricks and traps have emerged that can make the Tor network a lot less anonymous than you might at first think.
That might not matter so much if all you’re doing is using it to research online prices without being tracked, but it could matter a great deal if you’re a journalist trying to keep in touch with the rest of the world in the middle of an armed insurrection.
Quis custodiet ipsos custodes?
For example, your browser has to connect into Tor at some point, called an entry guard, and that computer at least will know where you are, based on your IP address.
Unsurprisingly, there are tricks that a rogue entry guard can use to learn more about you, even though your traffic through it is encrypted.
For example, if I control the entry guard you happen to use, and I also control the server you connect to, I can look for matches between your network requests into Tor and the requests hitting my server.
From that, I can tie at least some of your Tor browsing to your IP number, essentially stripping off your anonymity.
Likewise, if you use Tor to browse to a regular web server, a rogue exit node knows what you were looking for (if you forget to browse via HTTPS, at least), because it has to decrypt the Tor data one last time before injecting it back into the regular internet.
Even if the exit node doesn’t know exactly who you are, it can learn a lot about you.
Hidden services
That’s why servers that want to stay well-hidden operate inside Tor itself, forming what are known as “hidden services.”
Traffic to hidden services never leaves the Tor network – essentially, the exit node and the hidden service are the same place, so that the operator of the hidden service doesn’t have to trust anyone else’s exit node.
Hidden services are accessed using a feature of Tor called HSDirs, or Hidden Service Directory nodes.
Without going into technical details, HSDir nodes don’t know where your hidden server is, but they know what it’s called, and how to tell the rest of Tor how to hook visitors up to it anonymously. (Tor services have randomly-generated names like OJ2W453JOJWGGIDX.ONION and HA3UMWKOKJ4MUEUY.ONION.)
In theory, then, your hidden service really is hidden; invisible to anyone until you tell them the 80-bit-long random name, which they are unlikely to guess.
That means that crooks (or cops) who want to try and crack into your server to learn about you don’t even know where to start, giving you time to conduct your hidden business and vanish before any hacking attempts start.
In practice, however, the Tor HSDir nodes that allow in-the-know outsiders to connect to your server also know its hidden name, so if rogues are running one of those HSDir nodes…
…they get an early heads-up that there’s probably something worth hacking away at, and they themselves get to use Tor to stay anonymous.
Honey Onions to the rescue
Two researchers from Northeastern University in Boston, Massachusetts, recently tried to measure just how many rogue HSDir nodes there might be, out of the 3000 or more scattered around the world.
Detecting that there are rogue nodes is fairly easy: publish a hidden service, tell no one about it except a minimum set of HSDir nodes, and wait for web requests to come in.
If your hidden service is known to, say, six HSDir nodes, and you see one web request come in, you know that one of those nodes is keeping tabs on you.
But if you get twenty, 200 or even 2000 rogue requests, you can’t tell if it’s one HSDir node infringing over and over again, or if all of them are rogues, or somewhere in between.
With 1500 specially-created hidden services, amusingly called “Honey Onions,” or just Honions, deployed over about two months, the researchers measured 40,000 requests that they assume came from one or more rogue nodes. (Only HSDir nodes ever knew the name of each Honion, so the researchers could assume that all connections must have been initiated by a rogue node.)
Thanks to some clever mathematics about who knew what about which Honions at what time, they calculated that these rogue requests came from at least 110 different HSDir nodes in the Tor network.
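To make the idea of a lower bound concrete, here is an added illustration (not the researchers' own code or data): it finds the smallest set of HSDir nodes that accounts for every visited Honion, which is a minimum hitting set, and compares it with a quick greedy estimate. The relay names, Honion names and function names are all constructed for this example.

```python
from itertools import combinations

# Constructed sample: each Honion that received a request, mapped to the
# HSDir relays that held its descriptor at the time (hypothetical names).
VISITED = {
    "honion-01": {"A", "B", "C"},
    "honion-02": {"C", "D", "E"},
    "honion-03": {"F", "G", "H"},
    "honion-04": {"A", "F", "I"},
    "honion-05": {"D", "G", "J"},
}

def explains_all(suspects, visited):
    """True if every visited Honion was known to at least one suspect."""
    return all(suspects & relays for relays in visited.values())

def minimum_rogue_set(visited):
    """Exact lower bound: smallest relay set that explains every visit.
    Exhaustive search, so only practical for small inputs."""
    relays = sorted(set().union(*visited.values()))
    for k in range(len(relays) + 1):
        for cand in combinations(relays, k):
            if explains_all(set(cand), visited):
                return set(cand)
    return set()

def greedy_suspects(visited):
    """Heuristic: keep blaming the relay that explains the most
    still-unexplained Honions. Fast, but may overshoot the minimum."""
    remaining = dict(visited)
    chosen = []
    while remaining:
        counts = {}
        for relays in remaining.values():
            for r in relays:
                counts[r] = counts.get(r, 0) + 1
        best = min(counts, key=lambda r: (-counts[r], r))  # ties: by name
        chosen.append(best)
        remaining = {h: rs for h, rs in remaining.items() if best not in rs}
    return chosen

if __name__ == "__main__":
    candidates = set().union(*VISITED.values())
    exact = minimum_rogue_set(VISITED)
    print(f"{len(candidates)} relays could be blamed; at least "
          f"{len(exact)} must be rogue, e.g. {sorted(exact)}")
    print("greedy estimate:", greedy_suspects(VISITED))
```

No single relay in the sample knew more than two of the five visited Honions, so no pair of relays can explain all the visits; the true number of rogues could still be higher than the minimum.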
Some of the requests were of the “are you there” sort, while others were probes overtly looking for known vulnerabilities to exploit.
110 rogue nodes may not sound a lot, but there are around 7000 Tor nodes altogether, of which about half are HSDir nodes, and the number 110 is the lowest possible number of rogues (what mathematicians call a lower bound).
That’s about 3%.
In other words, if you’re relying entirely on Tor for your anonymity and privacy, and it’s a matter of life and death if you get unmasked…
…use additional security procedures, too!
I rarely use Tor anymore. But I did try it on some message boards and even Tumblr. It worked pretty well but you have to allow scripts. But when I use Tor, I always fire up a VPN first. That should take care of the bad entry node, I guess? I always worry too that if I use Tor someone will think I’m up to no good. So that’s another reason I will start a VPN first if I ever use Tor again.
Your approach doesn’t guarantee to make things better. After all, your VPN provider knows whenever you’re using Tor, just like an entry node does. You’ve merely shifted your “locus of trust”.
(If your VPN provider goes rogue or gets hacked by crooks, you’ll be affected just the same…and the VPN provider may well have a lot of collected historical logs about your activities that could be stolen, too.)
The researchers are from Northeastern University in Boston, Massachusetts.
They contacted me 🙂 Got my left and right mixed up…
I’ve fixed it now. Apologies for the mixup.
Tor wrote a blog post about this research–
We’ve been speaking to journalists who are curious about a HotPETS 2016 talk from last week: the HOnions: Towards Detection and Identification of Misbehaving Tor HSDirs research paper conducted by our colleagues at Northeastern University. Here’s a short explanation, written by Donncha O’Cearbhaill and Roger Dingledine.
Internally, Tor has a system for identifying bad relays. When we find a bad relay, we throw it out of the network.
But our techniques for finding bad relays aren’t perfect, so it’s good that there are other researchers also working on this problem. Acting independently, we had already detected and removed many of the suspicious relays that these researchers have found.
The researchers have sent us a list of the other relays that they found, and we’re currently working on confirming that they are bad. (This is tougher than it sounds, since the technique used by the other research group only detects that relays *might* be bad, so we don’t know which ones to blame for sure.)
It’s especially great to have this other research group working on this topic, since their technique for detecting bad relays is different from our technique, and that means better coverage.
As far as we can tell, the misbehaving relays’ goal in this case is just to discover onion addresses that they wouldn’t be able to learn other ways—they aren’t able to identify the IP addresses of hosts or visitors to Tor hidden services.
The authors here are not trying to discover new onion addresses. They are trying to detect other people who are learning about onion addresses by running bad HSDirs/relays.
This activity only allows attackers to discover new onion addresses. It does not impact the anonymity of hidden services or hidden service clients.
We have known about and been defending against this situation for quite some time. The issue will be resolved more thoroughly with the next-generation hidden services design. Check out our blog post, Mission: Montreal!
There is one reason I don’t use tor, I don’t want a target on my back by association.
That’s a strange logic right there. Not invalid, but really strange.
“That’s why I don’t speak up against my corrupt government, don’t want a target in my back”
“That’s why I don’t do journalism, don’t want a target in my back”
“That’s why I don’t go to civil rights marches, don’t want a target in my back”
That’s kind of an oppressor’s dream.
“Detecting that there are rogue nodes is fairly easy: publish a hidden service, tell no one about it except a minimum set of HSDir nodes, and wait for web requests to come in.”
That’s how you detect idiots. It is extremely easy to be passive and never get caught. The same problem in the article before you have now… you’re detecting the IDIOTS who were stupid enough to show their hand before they even know what your hand is.
What if I run a HSDir node, and have a good number of general nodes? Eventually I might get lucky and be both the entry node and HSDir node… sweet! Keep recording data and if I ever need it I’ll go back later for it.
What is more, we do not know how many HSDir nodes are run by the same entity… let’s assume that out of those 100 detected, each person was running 5 more nodes just in case one was discovered.
Really, this type of fishing shows ONLY that there is a MAJOR problem of security in the Tor network… anyone who was serious about it wouldn’t be checking every .onion they got and would be gathering information over a long amount of time before making a move.
THAT we have so many people on the easy end only means that there are people just like me who know how to get to the patient and cool end.