TOR: The Less Secure Side With Potential Vulnerabilities

Faizan Ahmad Wani
Published in InfoSec Write-ups
5 min read, Sep 17, 2020


Beneath the surface of the Internet that we use every day lies a hidden world of encrypted websites: the Dark Web, a collection of sites that use encryption to hide in plain sight. Users reach these sites with a specialized tool, the Tor Browser, which builds connections to them through the Tor network using layered encryption that protects their communications from prying eyes. The main benefit of Tor is that it is designed to provide anonymity. Not only are you protected against eavesdroppers, but if you use Tor properly, even the websites you visit have no way of knowing your identity. Website owners don't know the true identities of their users, and users don't know the true identity of website owners. It is an anonymized version of the Internet, hidden in plain sight. While criminals certainly find a home on the Dark Web, so do privacy-minded citizens, journalists, political dissidents and others.

While Tor is a valuable tool for the privacy and anonymity of Internet traffic, it is not invincible. Users must still take precautions to protect their communications, because sophisticated adversaries may be able to exploit weaknesses to undermine the anonymity of communication sent over the Tor network. Let's discuss some of the ways your anonymity over Tor can be compromised.

The first of these attacks uses a series of techniques that exploit failures in user behavior that jeopardize the security of their communications. The NSA slides leaked by Edward Snowden also discuss these techniques; the NSA called this weakness "dumb users" and gave it the code name EPICFAIL. These techniques work by simply watching the traffic of anonymized users leaving Tor exit nodes and tying that traffic to other identifying information. This may be as simple as observing the user of an anonymized connection logging into a personal account that identifies them, or it may be more sophisticated. If the observer also has access to network traffic from outside the Tor network, they may be able to compare characteristics of the anonymized and non-anonymized traffic. For example, it is probably no surprise that websites and advertising networks around the Internet use cookies to track user behavior, and that web browsers automatically send these cookies to participating websites. Such cookies uniquely identify a user. If someone watching Tor exit traffic notices a cookie being sent over the Tor network (visible in plaintext HTTP, or to the website or ad network that receives it even over HTTPS), and also sees that same cookie being used on the regular Internet, they can tie the two sessions together and de-anonymize the Tor user. This is why the Tor Browser isolates cookies per site and discards them on "New Identity", and why reusing a regular browser profile or account over Tor is so dangerous.
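As an added worked example (not part of the original article), the following Python script performs the cookie-based linkage described above on two constructed request logs: one as seen leaving a Tor exit, one as seen on the regular Internet. It keeps only high-entropy cookie values, so tracking identifiers count but settings like lang=en or cart=3 (shared by many users) do not, and it reports which exit-side session shares an identifier with which clearnet address. The log format, hostnames, IP addresses and cookie values are all made up for the example.

```python
# Added example, not from the original article: link a session seen at a Tor
# exit to a clearnet session through a shared identifying cookie (the
# EPICFAIL-style "dumb user" correlation). All log lines are constructed.
import math
from collections import Counter

# Constructed logs, one request per line: "<client_ip> <host> Cookie: <header>".
# On the Tor side the client IP is the exit node; on the clearnet side it is the
# user's own address, which is what the attacker wants to learn.
TOR_EXIT_LOG = """\
198.51.100.7 adnetwork.example Cookie: uid=7f3a9c2e1b4d8e6f; lang=en
198.51.100.7 news.example Cookie: session=k29dS8v1Xq0pL4mZ; consent=yes
198.51.100.7 shop.example Cookie: cart=3
"""

CLEARNET_LOG = """\
203.0.113.42 adnetwork.example Cookie: uid=7f3a9c2e1b4d8e6f; lang=en
203.0.113.42 forum.example Cookie: PHPSESSID=a1b2c3d4e5f6a7b8; consent=yes
203.0.113.42 shop.example Cookie: cart=3
"""


def parse_log(text):
    """Return a list of (client_ip, host, {cookie_name: value}) for each request line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, host, rest = line.split(" ", 2)
        header = rest.split(":", 1)[1] if rest.startswith("Cookie:") else rest
        cookies = {}
        for pair in header.split(";"):
            if "=" in pair:
                name, value = pair.strip().split("=", 1)
                cookies[name.strip()] = value.strip()
        rows.append((ip, host, cookies))
    return rows


def entropy_bits(value):
    """Shannon entropy of the value's characters, scaled by its length (total bits)."""
    n = len(value)
    if n == 0:
        return 0.0
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(value).values())
    return per_char * n


def identifying_cookies(rows, min_bits=32.0):
    """Index (host, name, value) -> set of client IPs, keeping only cookies whose
    value carries enough entropy to be a per-user identifier rather than a setting."""
    index = {}
    for ip, host, cookies in rows:
        for name, value in cookies.items():
            if entropy_bits(value) >= min_bits:
                index.setdefault((host, name, value), set()).add(ip)
    return index


def link_sessions(tor_log, clear_log, min_bits=32.0):
    """Return {(tor_exit_ip, clearnet_ip): [(host, cookie_name), ...]} for every
    identifying cookie observed on both sides. Low-entropy matches such as
    lang=en or cart=3 are shared by many users and are deliberately ignored."""
    tor_idx = identifying_cookies(parse_log(tor_log), min_bits)
    clear_idx = identifying_cookies(parse_log(clear_log), min_bits)
    links = {}
    for host, name, value in tor_idx.keys() & clear_idx.keys():
        for tor_ip in tor_idx[(host, name, value)]:
            for clear_ip in clear_idx[(host, name, value)]:
                links.setdefault((tor_ip, clear_ip), []).append((host, name))
    return links


if __name__ == "__main__":
    for (tor_ip, clear_ip), evidence in link_sessions(TOR_EXIT_LOG, CLEARNET_LOG).items():
        print(f"Tor exit {tor_ip} <-> clearnet {clear_ip} via {evidence}")
```

The entropy threshold is the important design choice: lowering min_bits to zero makes the script "link" the two logs on lang=en and cart=3 as well, which would produce the same false match for thousands of unrelated users. Only the 16-character uid value carries enough bits to single out one person.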

The second method, passive traffic analysis, follows a pattern quite similar to user behavior analysis, in that it also ties regular Internet traffic to anonymized Tor traffic. The major difference is that user behavior analysis depends on insecure user activity (the NSA's "dumb users"), whereas passive traffic analysis looks for patterns in the way a computer, browser, or network behaves. For example, an analyst might notice that the web requests sent by a certain user contain a combination of attributes (such as HTTP headers) that is unique to that user's operating system, hardware, and patch level. If those characteristics appear in both Tor traffic and regular Internet traffic, it may be possible to tie the two together; the Tor Browser counters this by trying to make all of its users present the same fingerprint. Now, if that sounds challenging and far-fetched, that is because it is. The more practical form of passive traffic analysis rests on the observation that, while traffic inside Tor is encrypted, there are two points of vulnerability: the traffic headed to the entry node and the traffic leaving the exit node. An eavesdropper who can see both, for example by monitoring large portions of the Tor network or the networks around it, can correlate the timing and volume of traffic arriving at an entry node with traffic leaving an exit node, making it irrelevant what happened between the two. Tor does not add the delay or padding needed to defeat this kind of end-to-end correlation, and there is not much that individual users can do to protect themselves against it.
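The end-to-end correlation step, as an added example that is not code from the original article: constructed packet traces for three clients seen on the entry side and one flow seen leaving an exit are binned into byte volumes per half second and scored by Pearson correlation over a few lags, to absorb the network delay between the two vantage points. Entry-side packets are fixed at 514 bytes to mimic Tor's constant-size cells while exit-side sizes vary, so the match comes from the burst pattern, not from packet sizes. All traces, client names and parameters are made up.

```python
# Added example, not from the original article: end-to-end flow correlation
# between traffic seen entering the Tor network (entry side) and traffic seen
# leaving an exit. Every packet trace below is constructed: (timestamp_s, bytes).
import math
import random

BIN_SECONDS = 0.5      # width of each time bin
MAX_LAG_BINS = 2       # allow the exit side to trail the entry side by up to 1 s


def trace(burst_starts, packets_per_burst=20, delay=0.0, size=None, seed=1):
    """Constructed trace: bursts of packets starting at the given times (plus
    `delay`), with a little jitter. A fixed `size` mimics Tor's constant-length
    cells on the entry side; size=None draws TCP-segment-like sizes for the exit."""
    rng = random.Random(seed)
    pkts = []
    for start in burst_starts:
        for i in range(packets_per_burst):
            ts = start + delay + i * 0.01 + rng.uniform(0.0, 0.05)
            pkts.append((ts, size if size is not None else rng.randint(200, 1460)))
    return pkts


def to_series(packets, t0, t1, bin_size=BIN_SECONDS):
    """Total bytes per time bin over [t0, t1)."""
    nbins = math.ceil((t1 - t0) / bin_size)
    series = [0.0] * nbins
    for ts, size in packets:
        idx = int((ts - t0) / bin_size)
        if 0 <= idx < nbins:
            series[idx] += size
    return series


def pearson(a, b):
    """Pearson correlation of two series trimmed to equal length; 0.0 if either is flat."""
    n = min(len(a), len(b))
    a, b = a[:n], b[:n]
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (sa * sb) if sa and sb else 0.0


def best_lag_correlation(entry_series, exit_series, max_lag=MAX_LAG_BINS):
    """Highest correlation over non-negative lags: exit traffic can only appear
    after the entry traffic that caused it, so only forward shifts are tried."""
    return max(pearson(entry_series, exit_series[lag:]) for lag in range(max_lag + 1))


def correlate(entry_flows, exit_flow, t0, t1):
    """Rank candidate entry-side flows by how well their volume pattern matches
    the exit-side flow. Returns [(name, score), ...], best first."""
    exit_series = to_series(exit_flow, t0, t1)
    scores = {
        name: best_lag_correlation(to_series(pkts, t0, t1), exit_series)
        for name, pkts in entry_flows.items()
    }
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


# Three clients seen on the entry side (placeholder names) and one flow seen
# leaving an exit. The exit flow is alice's burst pattern 300 ms later with
# different packet sizes; bob and carol are unrelated decoys.
ENTRY_FLOWS = {
    "alice": trace([0.0, 3.0, 3.5, 7.0], size=514, seed=1),
    "bob": trace([1.5, 5.0, 10.0], size=514, seed=2),
    "carol": trace([1.0, 5.5, 8.5], size=514, seed=3),
}
EXIT_FLOW = trace([0.0, 3.0, 3.5, 7.0], delay=0.3, seed=4)


def rank_entry_flows():
    return correlate(ENTRY_FLOWS, EXIT_FLOW, t0=0.0, t1=12.0)


if __name__ == "__main__":
    for name, score in rank_entry_flows():
        print(f"{name:6s} correlation={score:+.3f}")
```

Nothing in the script looks at payloads or packet sizes across the two sides; the match is made purely on when bytes moved, which is exactly the information Tor's encryption leaves intact. Real deployments use finer bins and many more candidates, but the shape of the attack is the same.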

The attacks that I've discussed so far all depend upon eavesdropping on user activity entering or leaving the Tor network. They assume that the inner core of the Tor network is well designed and impenetrable. While Tor may be well designed, that does not mean it is impossible to reach inside that core. Remember, the operators of Tor nodes are anonymous; we do not know who is running them. The nodes you are using might be run by a hobbyist, a nonprofit focused on electronic privacy, or the IT person at a company with some spare servers. They might also be run by an intelligence agency. Anyone can set up a Tor node and begin accepting traffic. However, a node handling a Tor connection only knows the identity of the node it receives traffic from and the node it sends traffic to. If you operate the entry (guard) node, you know the IP address of the user, but you cannot read the traffic or see its final destination. If you operate the exit node, you know the final destination and, if it is not encrypted at the application layer, the content of the traffic, but you do not know the identity of the user. If you operate the relay in the middle of the circuit, you do not know much at all: you know the previous and next nodes in the circuit, but not who originated the traffic, where it is going, or what it contains. An adversary seeking to compromise Tor traffic could create malicious nodes that eavesdrop on communications, but they gain useful intelligence only when they control both ends of a circuit: an adversary who runs the entry and the exit node can match the user seen at one end with the destination seen at the other by timing correlation, and the middle node adds nothing. The Tor client picks relays from the directory at random, weighted by advertised bandwidth, so a small operator rarely lands on both ends of a given circuit. But what if a sophisticated and well-funded adversary created many powerful Tor nodes and added them to the network? Remember, there are only several thousand nodes on the Tor network.
It is not unimaginable that a sophisticated attacker could create 3000 Tor nodes and add them to the network over time. This third attack is what is called a circuit reconstruction attack (the planted relays are often called Sybil nodes). Suppose there are 9000 Tor nodes in total and an adversary controls 3000 of them. Then any node selected uniformly at random is adversary-controlled with probability 1/3, so in a three-node circuit each position is compromised with probability about 33%. What matters is the two ends: the chance that both the entry and the exit node are malicious is roughly (1/3)^2, about 11%, and the chance that all three are is (1/3)^3, about 3.7%. Two things make the real picture worse than this uniform estimate: Tor weights relay selection by bandwidth, so an adversary running fast relays captures a larger share of circuits than its node count suggests, and a client that keeps building fresh circuits will eventually draw a compromised pair. Tor's guard design, which keeps the same entry node for months instead of choosing a new one per circuit, exists precisely to limit how many chances such an attacker gets. Either way, the more malicious nodes in the network, the higher the probability that a user's anonymity is compromised.
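To make the arithmetic concrete, here is an added example (not from the original article) computing the probability that a circuit has an adversary on both ends, exactly by counting and by a Monte Carlo simulation, plus the bandwidth-weighted case that the "powerful nodes" remark above points at. The relay counts are the article's illustrative 9000 and 3000, not real consensus figures, and uniform selection without replacement is a simplification of Tor's actual path-selection rules (bandwidth weighting, guard pinning, family and subnet exclusions).

```python
# Added example, not from the original article: how likely is it that an
# adversary running m of N relays sits on both ends of a circuit? Counts are
# the article's illustrative 9000/3000, not real Tor consensus figures, and
# uniform selection without replacement simplifies Tor's real path selection.
from fractions import Fraction
import random


def p_positions_compromised(n_total, n_bad, positions):
    """Exact probability that `positions` distinct relays of a circuit (2 for
    guard+exit, 3 for the whole circuit) are all adversarial when relays are
    drawn uniformly without replacement."""
    p = Fraction(1)
    for i in range(positions):
        p *= Fraction(n_bad - i, n_total - i)
    return p


def simulate_guard_and_exit(n_total, n_bad, trials=50_000, seed=7):
    """Monte Carlo estimate of P(guard and exit both adversarial). The middle
    relay is drawn too but ignored: it sees neither the user nor the destination."""
    rng = random.Random(seed)
    relays = range(n_total)            # relays 0 .. n_bad-1 belong to the adversary
    hits = 0
    for _ in range(trials):
        guard, _middle, exit_ = rng.sample(relays, 3)
        if guard < n_bad and exit_ < n_bad:
            hits += 1
    return hits / trials


def adversary_bandwidth_share(n_total, n_bad, bad_weight=1.0):
    """Fraction of total advertised bandwidth the adversary holds if each of its
    relays is `bad_weight` times as fast as an honest relay. Tor weights selection
    by bandwidth, so this share, not the node count, drives the odds."""
    return n_bad * bad_weight / (n_bad * bad_weight + (n_total - n_bad))


def p_guard_and_exit_weighted(n_total, n_bad, bad_weight=1.0):
    """Approximate P(guard and exit both adversarial) under bandwidth weighting,
    treating the two draws as independent (close enough when n_total is large)."""
    share = adversary_bandwidth_share(n_total, n_bad, bad_weight)
    return share * share


def summary(n_total=9000, n_bad=3000, bad_weight=3.0):
    """All figures for one scenario; bad_weight=3.0 models adversary relays three
    times as fast as the average honest relay (an assumption for illustration)."""
    return {
        "p_one_relay": float(p_positions_compromised(n_total, n_bad, 1)),
        "p_guard_and_exit": float(p_positions_compromised(n_total, n_bad, 2)),
        "p_whole_circuit": float(p_positions_compromised(n_total, n_bad, 3)),
        "p_guard_and_exit_simulated": simulate_guard_and_exit(n_total, n_bad),
        "p_guard_and_exit_fast_relays": p_guard_and_exit_weighted(n_total, n_bad, bad_weight),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:32s} {value:.4f}")
```

The last figure is the one to notice: with a third of the relays but three times the per-relay bandwidth, the adversary's share of selections rises to 60% and the guard-plus-exit probability to about 36% per circuit, more than three times the uniform estimate.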
