TOR may actually reduce your privacy

WikiLeaks seeded its database of documents by intercepting traffic through a TOR node they were operating.

This article at Wired highlights an almost buried section of this New Yorker interview with one of the founders of WikiLeaks.

Before the WikiLeaks site went live, the founders noticed that hackers were transferring stolen government documents over the TOR network. They captured over a million of these documents to form the initial core of the WikiLeaks archive.

This shows once again what I have been saying for a long time. Any privacy system that allows any untrusted and unknown person to become part of the infrastructure and have access to cleartext information is fundamentally flawed.

Any person with malicious intent can easily set up a TOR node and begin exactly the same kind of data collection that the WikiLeaks folks practiced.

Reputation is everything in this business. It is not practical for typical individuals to properly vet their providers. Track record, reputation, and respected third-party endorsements are your best bet when choosing a privacy or security provider. Look for those qualities in everyone who has access to your information.

- Lance Cottrell

This entry was posted on Wednesday, June 2nd, 2010 at 6:29 am and is filed under Anonymity, Computer Security, Internet, Online Privacy, Security Breaches.

15 Responses to “TOR may actually reduce your privacy”

  1. Peter Says:

    Lance, that is correct. Everybody should know that one would use Tor for privacy and not for security (or speed :-)).

    However, I would like to mention that Anonymizer has the “same” fatal flaw. If the Anonymizer server gets too busy (or for any other reason), the connection gets disconnected, the Anonymizer switches to the “regular” network and sends documents unprotected. Obviously hackers or anyone could intercept your traffic easily.

    PS
    I trust your reputation!

  2. rodmar Says:

    This article makes no sense. It says nothing that you can’t find in the Tor project page. Tor goal is to anonymize traffic not to provide end-to-end security. Tor is supposed to be used in conjunction with some end-to-end security protocol like SSL.

    https://blog.torproject.org/blog/plaintext-over-tor-still-plaintext
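The advice in the comment above (use Tor together with an end-to-end protocol such as SSL) can be enforced on the client side rather than left to the user. The following is an added example written for this page, not Tor's or Anonymizer's code: it refuses to send anything but https:// through the local SOCKS proxy, hands the destination host name to Tor for resolution instead of resolving it locally, and turns on certificate and host-name verification so that the exit relay cannot quietly terminate TLS itself. It assumes Tor's default SocksPort at 127.0.0.1:9050; the function names are my own.

```python
import socket
import ssl
import struct
from urllib.parse import urlsplit

# Tor's default SocksPort on the local machine (assumed; adjust to your torrc).
TOR_SOCKS = ("127.0.0.1", 9050)


def policy_check(url: str) -> tuple:
    """Return (allowed, reason). Only https:// URLs pass, because anything
    else leaves the exit relay as cleartext that the relay operator can read."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme %r is not https; exit relay would see cleartext" % parts.scheme
    if not parts.hostname:
        return False, "URL has no host"
    return True, "ok"


def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT with ATYP=0x03 (domain name) so that Tor, not the
    local resolver, looks the name up; a local DNS query would reveal the
    destination to the network the client sits on."""
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("host name must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)


def socks5_reply_ok(reply: bytes) -> bool:
    """VER=5, REP=0 means the proxy connected; anything else is a failure."""
    return len(reply) >= 2 and reply[0] == 0x05 and reply[1] == 0x00


def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def open_tls_over_tor(url: str, timeout: float = 60.0):
    """Connect through Tor and wrap the stream in verified TLS. Returns the
    connected TLS socket, or raises if policy, the proxy or verification fail."""
    allowed, reason = policy_check(url)
    if not allowed:
        raise PermissionError(reason)
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443

    sock = socket.create_connection(TOR_SOCKS, timeout=timeout)
    sock.sendall(b"\x05\x01\x00")              # version 5, one auth method: none
    if _read_exact(sock, 2) != b"\x05\x00":
        raise ConnectionError("SOCKS5 method negotiation failed")
    sock.sendall(socks5_connect_request(host, port))
    head = _read_exact(sock, 4)                # VER REP RSV ATYP
    if not socks5_reply_ok(head):
        raise ConnectionError("SOCKS5 CONNECT refused, REP=%d" % head[1])
    atyp = head[3]
    if atyp == 0x01:
        _read_exact(sock, 4 + 2)               # IPv4 BND.ADDR + BND.PORT
    elif atyp == 0x04:
        _read_exact(sock, 16 + 2)              # IPv6 BND.ADDR + BND.PORT
    elif atyp == 0x03:
        _read_exact(sock, _read_exact(sock, 1)[0] + 2)
    else:
        raise ConnectionError("unexpected ATYP in SOCKS5 reply")

    # create_default_context() verifies the certificate chain and host name;
    # without that a hostile exit could present its own certificate.
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "https://example.com/"
    tls = open_tls_over_tor(url)
    tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + urlsplit(url).hostname.encode() + b"\r\n\r\n")
    print(tls.recv(256).decode(errors="replace").split("\r\n")[0])
    tls.close()
```

Run it with a running Tor daemon and an https:// URL; an http:// URL is rejected before any byte leaves the machine, which is the behaviour the thread argues most users never get by default.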

  3. lance Says:

    You are quite correct that this vulnerability is mentioned in the Tor page, and that they suggest that Tor should always be used to protect communications that are protected with end to end encryption. The reality is that almost none of the users actually use it that way. Tor is an amazing screwdriver that people keep trying to use to hammer nails.
    Because the vast majority of people are looking for anonymity for general Internet activity (mostly for un-encrypted web access), my purpose is to make people aware of this issue. As is the case with many kinds of security tools (like seat belts and airbags) the presence of the tool makes people act in a more risky way. In this case it can leave the user in a worse security posture than before.

  4. rodmar Says:

    Yes, but related with the article about wikileaks, we are not talking about ordinary people nor general Internet activity. We are talking about embassy’s and corporations that exchange sensitive data over Tor. They are supposed to have a good IT department. Not one that tells them “you don’t need security, just relay that through Tor and you should be fine”.

  5. lance Says:

    The article suggested that the intercepted traffic was from hackers who had stolen the documents. Nevertheless, I have personal experience with just how lax the advice from IT departments can be, and know that Tor is being used in exactly this kind of way.
    I am not suggesting that a random Tor user will see her information show up on WikiLeaks, but rather that this is an example of a very easy attack that could be used to harvest information against the vast majority of those users.

  6. rodmar Says:

    That’s true but that is not the goal of Tor. Although the payload can be seen in plaintext, the packet itself is anonymized. Now if the client sent a plaintext packet into the Tor network he will get a plaintext packet at the exit of the Tor network, and if the payload contains identifiable or critical information too bad. That’s a matter of security not anonymization.

  7. lance Says:

    I absolutely disagree. This argument only makes sense from a pure engineering perspective. “It is not part of the requirements so it is not my problem.”
    I am interested in actually protecting people in the real world. Most users don’t understand these subtleties and use Tor incorrectly. They are vulnerable and exposed. This is a problem. What they “should” do hardly matters. Reality is what is important.

  8. rodmar Says:

    I don’t understand your view on Tor. Tor is what it is and there are no subtleties. It is a p2p overlay network whose goal is to anonymize TCP streams. As any other solution it has pros and cons. Tor project people warn about this problem in a dozen different places in their documentation, faqs, etc… And I believe that most of the people using Tor are aware of this problem.
    At most an article like this may help create awareness about what Tor does and doesn’t do.

  9. rodmar Says:

    This type of news is almost as old as Tor:
    http://www.schneier.com/blog/archives/2007/09/anonymity_and_t_1.html

  10. lance Says:

    It may not be new, but I know for a fact that it is little known outside of the small privacy / security expert community.
    I suppose the only way for me to really prove this would be to set up some Tor nodes and intercept and analyze the traffic. :)

  11. rodmar Says:

    You don’t need to set up a Tor node for that. You don’t need to prove anything. There is no lie in what was said. If you set up a Tor exit node you will be able to read any traffic that comes in plaintext. But this is a problem like any other. A client could for instance go to a website with a piece of js code that would obtain its ip address and the only way to protect from this is to disable javascript in your browser. That does not mean that it is a flaw from Tor.

  12. lance Says:

    I think we will have to agree to disagree. I think that if it encourages (in actual practice) behavior which creates significant risk then it is a flaw, even if it is fully disclosed. It is like an attractive nuisance. Even though there are safe ways of using lawn darts (and the risks were disclosed), it is now illegal to sell them because too many kids got them embedded in their heads anyway.

  13. Clair Linstrom Says:

    The post is pretty informative. It actually provides me what I’m searching for. Thank you for posting.

  14. Anon Tor Says:

    Both Lance and Rodmar make points which are valid with their own limitations.

    Theoretically, one important point in favour of tor is as the traffic is routed from server to server each node only sees one sender and one recipient. Some servers keep a log, some servers do not keep a log. The one big advantage for tor over a proprietary network is that in a proprietary network all the nodes are known, use somewhat more complex security protocols, but in the end are still known and tangible and theoretically a log can be created linking the actual user to the content accessed or sent. In a network like tor that chain may not exist and the system tends closer to being theoretically more anonymous.

    I think Rodmar makes the important distinction between being secure and being anonymous. A piece of information or communication can have different meaning depending on the source and the recipient.

    In fairness on Tor’s website it does not paper over these issues and in fact distinctly gives the example of transferring information which is important regardless of context and information which becomes sensitive only because of context and generally advises against using the network for content which is absolutely, rather than relatively, sensitive.

    The users who still use the network for such content tend to fall in two categories one who do not understand the distinction and the other who are relying on security in obscurity.

    As far as user information is concerned it does not make sense using Tor if one only wants to access his/her email (unless the person is accessing it from a geographical location where direct access is not possible). One can use it to access anonymous or off the record accounts and keep such access private and without a tangible connection with the end user.

    For the users who are relying on obscurity one good work around would be to periodically switch networks and use new identities if they are transmitting sensitive information. That way even if one of the nodes is performing traffic analysis, it will receive incomplete information and considering the alternative, the damage will be lesser for the end user.

    Traffic analysis is something which can be performed in any setting. On a public network like Tor one only has to focus on the analysis. On a private secure network, one has to solve the problem of cryptography and the traffic analysis.

    The wikileaks case was a rather simple task where all they had to do was route traffic and look for keywords in the data being transmitted. From the perspective of intelligence it was more of a scattershot and they were looking for something, anything which is of value. Although if the users were using a private network, wikileaks would have to know what they were looking for and the network which the users were using, who was using it, trace the data through the various nodes all the while breaking the cryptography at each point as servers in such networks tend to use different algorithms and finally look at the data. Both the tasks are equally tedious computationally. So if someone is monitoring a specific individual a private network would be less anonymous than a public one as given the absence of logs there would always be culpable deniability while using the public ones. Rather it would not be anonymous at all and the only thing standing between the intruder and the information linked to the user is the encryption.

    Any intelligence gathering exercise would have four categories:
    1. Known user, known nature of data.
    2. Known user, unknown nature of data.
    3. Unknown user, known nature of data.
    4. Unknown user and unknown nature of data.

    There will also be variation of the data being context specific or not.

    If the information is context and user specific then tor is a very good alternative. But

    In fairness it would be relatively easier to do what wikileaks did and something like that would be more difficult on a public network. But again, even in the bust-up Tor succeeded in retaining the anonymity of the actual users who were transferring the information and given the absence of logs at nodes it can never be traced using only data mining and will have to be solved in the good old fashioned way.

    In the end, as I always believe, it is a knife: one can cut a fruit, one can cut another person; the knife does not change. The context does.

    Anon
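Anon Tor's description above of each relay seeing only one sender and one recipient, and the point made earlier in the thread that an exit relay reads whatever arrives without end-to-end encryption, can both be shown with a small circuit simulation. This is an added example written for this page, not Tor's code: the stream cipher is a toy built on SHA-256 in counter mode, the relay names, keys and HTTP request are constructed, and `end_to_end` is a stand-in for a TLS session between client and destination.

```python
import hashlib
import os
import struct

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). Constructed for illustration;
    real Tor uses AES-CTR under keys negotiated with each relay."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


# One symmetric key per relay, as if a circuit handshake had produced them
# (constructed sample keys).
RELAY_KEYS = {name: os.urandom(32) for name in ("guard", "middle", "exit")}
# Key shared only between client and destination, standing in for a TLS session.
SERVER_KEY = os.urandom(32)


def build_onion(path, destination: str, payload: bytes) -> bytes:
    """Wrap from the inside out: exit layer first, guard layer last.
    Each layer carries 'next hop|inner' under that relay's key."""
    cell = encrypt(RELAY_KEYS[path[-1]], destination.encode() + b"|" + payload)
    for i in range(len(path) - 2, -1, -1):
        cell = encrypt(RELAY_KEYS[path[i]], path[i + 1].encode() + b"|" + cell)
    return cell


def relay_peel(name: str, cell: bytes):
    """What one relay does: strip its own layer, learn the next hop, forward.
    Relay names never contain '|', so the first '|' is the delimiter."""
    next_hop, _, inner = decrypt(RELAY_KEYS[name], cell).partition(b"|")
    return next_hop.decode(), inner


def route(path, destination: str, payload: bytes):
    """Simulate the circuit. Returns {relay: (next hop it saw, bytes it forwarded)}
    and the bytes delivered to the destination."""
    cell = build_onion(path, destination, payload)
    observed = {}
    for hop in path:
        next_hop, cell = relay_peel(hop, cell)
        observed[hop] = (next_hop, cell)
    return observed, cell


def end_to_end(payload: bytes) -> bytes:
    """Stand-in for TLS: encrypt under a key the relays do not hold."""
    return encrypt(SERVER_KEY, payload)


# Constructed sample request carrying a session credential.
REQUEST = b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\nCookie: session=s3cr3t\r\n\r\n"
PATH = ["guard", "middle", "exit"]


if __name__ == "__main__":
    cases = (("plain HTTP", "mail.example:80", REQUEST),
             ("TLS-like", "mail.example:443", end_to_end(REQUEST)))
    for label, dest, payload in cases:
        observed, delivered = route(PATH, dest, payload)
        print(label)
        for hop in PATH:
            nxt, fwd = observed[hop]
            print("  %-6s -> %-18s cookie visible: %s" % (hop, nxt, b"Cookie" in fwd))
```

Running it prints that the guard and middle relays see neither the destination nor the cookie in either case, while the exit sees both for the plain request and only ciphertext for the TLS-like one; the anonymity property holds in both runs, the confidentiality property only in the second.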

  15. Anon Tor Says:

    I mean what wikileaks did would be more difficult on a private network. (Damn, just when I thought I would get through a complete note without a typographical error.)
