Free Republic
Browse · Search
General/Chat
Topics · Post Article


The Trouble with Tor
eSecurity Planet ^ | 16 December 2014 | Paul Rubens

Posted on 12/17/2014 3:45:46 AM PST by ShadowAce

For over a decade, people all over the world have used Tor (formerly known as the Onion Router) to protect their privacy. The U.S. Naval Research Laboratory developed the system using open source technology, to protect U.S. government communications.

It is used by people living under restrictive regimes who want to access forbidden information or data on the Internet, whistle-blowers and dissidents who want to communicate with journalists, and anyone who wants to use the Internet without being tracked or to publish information on the Net without compromising their privacy.

How Tor Works

Tor works by sending traffic from its source to its destination via a random series of Tor relays around the world. Traffic is encrypted each time it goes from one relay to the next, and any given relay only knows where it got the traffic from and its next stop. Only the last, exit node knows the ultimate destination; it decrypts the traffic as it leaves the Tor network.


Using Tor "rendezvous points" it is also possible to offer a "hidden service" such as an anonymous website whose owners and location can't be traced.

There are thousands of Tor relays around the world and millions of people rely on them. (Anyone can set one up.) NSA documents leaked in 2013 describe Tor as "… the king of high secure, low latency Internet Anonymity," adding that "… there are no contenders for the throne in waiting."

That was then. But now Tor appears to have problems.

Tor's Travails

Perhaps the most obvious illustration of this is the seizure of the Silk Road 2.0 drugs marketplace and the arrest of a San Francisco man thought to be behind the site, which operated as a hidden Tor service. It's believed that Silk Road 2.0 was compromised by a Homeland Security Investigations undercover agent rather than a technical weakness in the Tor system, but the arrest highlights the fact that using Tor does not guarantee anonymity.

In fact, using Tor can actually attract interest from law enforcement and security agencies. Earlier this year it was revealed that the NSA's XKeyScore program is likely to place Internet users who use Tor, or who visit its website to learn about it, on a list of extremists. So, ironically, by attempting to be anonymous on the Internet you may well put yourself directly in the NSA's spotlight.

There are almost certainly technical weaknesses in Tor and how it is used as well.

In July Tor announced in a blog post that unknown attackers had set up a number of Tor relays and modified the traffic passing through these relays to attempt to identify users of hidden services. Users who had accessed or operated hidden services from a period of about five months to July 4, 2014 should assume that their identity had been compromised, the blog post advised.

Another problem with using Tor is that if the user's machine is compromised by malware, then using Tor is no longer enough to stay anonymous. This was illustrated in August 2013, when a piece of malware called Magneto was discovered which exploited a hitherto unknown vulnerability in the Tor browser, which is commonly used to visit websites using Tor.

Not So Anonymous

The JavaScript exploit is widely believed to have been the work of the FBI, because it doesn't do anything to the compromised machine except send the machine's MAC address and Windows hostname to a server in Virginia using the machine's real IP address. The idea that the FBI could be involved with malware is not too outlandish; revelations from Edward Snowden have already revealed that the NSA does much the same thing.

More recently, a former researcher at Columbia University co-published research that claims that it is possible to identify 81 percent of Tor users using a variation of a technique called traffic analysis. Essentially it involves setting up a modified Tor relay, and then injecting traffic into a TCP connection and analyzing router flow records.

This is complicated stuff, but not so complicated that it would require the enormous resources of the NSA to carry it out, according to Professor Sambuddho Chakravarty.

That's a concern because some Tor relays on the Internet are very large and handle a huge volume of traffic, making them expensive to operate and maintain. An obvious question then is this: Who is picking up the bill? Given that many governments would like to know more about what people are doing on Tor, it doesn't take a huge stretch of the imagination to think that some of these may be operated by the national intelligence services of foreign governments.

Tor Alternatives

Despite the NSA saying there are no contenders to Tor's throne as king of Internet anonymity, alternatives do exist, including:

The Invisible Internet Project (I2P) is an anonymous overlay network, a network within a network. It is intended to protect communication from dragnet surveillance and monitoring by third parties such as ISPs.

To anonymize the messages sent, each client application has their I2P "router" build a few inbound and outbound "tunnels" - a sequence of peers that pass messages in one direction (to and from the client, respectively). In turn, when a client wants to send a message to another client, the client passes that message out one of their outbound tunnels targeting one of the other client's inbound tunnels, eventually reaching the destination.

The project website for the open source I2P software warns that "no network can be 'perfectly anonymous.'" It says the continued goal of I2P is to make attacks more and more difficult to mount. "Its anonymity will get stronger as the size of the network increases and with ongoing academic review," it adds.

Freenet is free software which purports to let you anonymously share files, browse and publish "freesites" (websites accessible only through Freenet) and chat on forums. According to the project, an important recent development, which few other networks have, is a "darknet." By only connecting to people they trust, users can greatly reduce their vulnerability and yet still connect to a global network through their friends' friends and so on.

VPN services don't offer strong anonymity, because most require that you sign up with a service provider before using them; even those that don't require this can keep logs of the IP address where you connect from and which sites you visit.

Nonetheless, a VPN service does mask your IP address from websites you visit, providing a low level of anonymity. A VPN should be used with caution because a website may still be able to identify you through the use of cookies or other identifiers, especially if you visit an associated site without masking your IP address with a VPN.


TOPICS: Computers/Internet
KEYWORDS: government; privacy; tor

1 posted on 12/17/2014 3:45:46 AM PST by ShadowAce

To: rdb3; Calvinist_Dark_Lord; JosephW; Only1choice____Freedom; amigatec; Ernest_at_the_Beach; ...

2 posted on 12/17/2014 3:46:04 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

Play safe out there.


3 posted on 12/17/2014 4:27:02 AM PST by glorgau

To: glorgau

Yeah—Once I realized that anyone could set up an exit node, I figured the whole network was compromised.


4 posted on 12/17/2014 4:28:11 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

The onion router works well enough to defeat the Facebook police and other intrusive social media sites that keep tabs on users' IP addresses.


5 posted on 12/17/2014 5:08:50 AM PST by mac_truck ( Aide toi et dieu t aide)

To: ShadowAce
I think two sections of the article highlight the fact that Tor is STILL worth using:

"It's believed that Silk Road 2.0 was compromised by a Homeland Security Investigations undercover agent rather than a technical weakness in the Tor system"

Moral of the story: if you think you're invulnerable and act like you're invulnerable, you're not.

"Another problem with using Tor is that if the user's machine is compromised by malware"

First: see my previous comment. Second: if the Feds are injecting malware into computers on your network, you're gonna have a bad time.

Tor is an amazing tool, and you can bet that the Feds are not going to usurp a tool that they still use for secure communications until there's a better option. With all of the vulnerability announcements with SSL and TLS, it's only a matter of time before some university compsci lab comes out with new security standards that the Feds want to snoop into.

Fact is, guys, the Internet is a dangerous place. If you're not using a VPN, Tor, or, at a minimum, SSL, you can guarantee that you're being watched, tracked, and your behavior cataloged.

6 posted on 12/17/2014 5:37:57 AM PST by rarestia (It's time to water the Tree of Liberty.)

To: rarestia

I’ve tried Tor in the past but I am left with questions. First and foremost is, the setup comes with a Tor browser...a variant of Firefox. It is a lot slower and kludgey. Does this HAVE to be used or can Tor be set up for use with your browser of choice?


7 posted on 12/17/2014 7:09:57 AM PST by Bloody Sam Roberts (Laws that forbid the carrying of arms disarm only those who are not inclined to commit crimes.)

To: Bloody Sam Roberts

There are Tor-specific plugins for FF and other browsers. Go to TorProject and DL their browser. And yes, it’s going to be slow, it’s deliberately obfuscating your connections, so it’s not a direct connection like usual.


8 posted on 12/17/2014 7:55:52 AM PST by rarestia (It's time to water the Tree of Liberty.)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson