Anonymous does not mean secure…

While browsing interesting stories on Slashdot.org I found reference to an astonishing blog entry over at derangedsecurity.com; in this blog, the author gives out a list of 100 government e-mail accounts and their passwords. Mainly belonging to Asian and Eastern European embassies, the account details were captured by simply sniffing unencrypted network traffic. Following the story further, the Web site hosting the blog was taken offline at the request of U.S. law enforcement officials! Interesting, seeing as no details of U.S. accounts were divulged! Later on, the author explained how he had collected the information without any hacking, cracking, or decryption. The data had exited the anonymous routed network known as Tor in plain text!

What is Tor? Tor is a free software application that uses an onion-routing system, enabling users to communicate anonymously on the Internet. Users run a Tor proxy on their machine; this creates an encrypted connection into the Tor network, where the connection is relayed from router to router and finally out to the Internet via an exit node. As the exit node does not know who owns the outgoing connection, the user is able to access Internet services anonymously. The server hosting those services, or anyone in between the two, will only see the connection coming from a Tor exit node, not the end user, who remains hidden.

Tor has a few vulnerabilities that may enable the identity of a user to be traced. If traffic is being watched on both sides of the connection, then statistical analysis could be used to match the two ends of the connection and so identify the user. It is usually only governments and ISPs who would have this power. If the user's client is poorly configured, then DNS queries may be sent out directly rather than proxied via Tor; this could easily undermine any anonymity the network has provided.
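A protocol-level illustration of the DNS-leak point above, added here and not taken from the original post: it builds the SOCKS5 CONNECT request (RFC 1928) that a client hands to a local SOCKS proxy such as Tor's, and flags requests that already carry a resolved IP address, which means the name lookup happened outside the proxy. The hostname, addresses and ports are constructed placeholders; nothing is sent on the network.

```python
import ipaddress
import struct

# Added illustration of the SOCKS5 CONNECT request (RFC 1928) a client sends
# to its local SOCKS proxy. Only the request bytes are built and inspected.
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def socks5_connect_request(target: str, port: int) -> bytes:
    """Build VER|CMD|RSV|ATYP|DST.ADDR|DST.PORT. A hostname goes out as
    ATYP=0x03 so the proxy (Tor) resolves it; an IP literal means the
    client already resolved the name itself, i.e. a DNS query left the host."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        name = target.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([0x05, 0x01, 0x00]) + addr + struct.pack("!H", port)


def resolved_before_proxy(request: bytes) -> bool:
    """Audit check: True when the CONNECT carries a literal address, meaning
    the client performed its own DNS lookup (the leak described in the post)."""
    if len(request) < 4 or request[0] != 0x05 or request[1] != 0x01:
        raise ValueError("not a SOCKS5 CONNECT request")
    return request[3] in (ATYP_IPV4, ATYP_IPV6)


def describe(request: bytes) -> str:
    """Human-readable destination of a CONNECT request, for log review."""
    atyp = request[3]
    if atyp == ATYP_DOMAIN:
        n = request[4]
        host, rest = request[5:5 + n].decode("idna"), request[5 + n:]
    elif atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(request[4:8])), request[8:]
    else:
        host, rest = str(ipaddress.IPv6Address(request[4:20])), request[20:]
    port = struct.unpack("!H", rest[:2])[0]
    how = "resolved by proxy" if atyp == ATYP_DOMAIN else "resolved locally"
    return f"{host}:{port} ({how})"
```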

What interested me about this particular breach was that it underlines how people conflate 'anonymous' and 'secure'. As the blog at derangedsecurity points out, the methods used to collect the information in question did not involve any hacking, cracking, or decryption. Tor exit nodes can be hosted by anyone, and the owner of an exit node can easily analyse the traffic that passes through. Simple tools like tcpdump, driftnet, and dsniff are more than adequate for the purpose, and I would be very surprised if the majority of exit node owners were not keeping an eye on what their server is being used for. This is all very well and, in itself, does not breach the anonymity of the Tor network: while it may mean that somebody knows what is being accessed, they cannot work out who is accessing it.

The real issue highlighted by derangedsecurity's blog is the assumption that 'anonymity means secure'; as we can see, it very obviously does not! If the users accessing these e-mail accounts had been using a secure protocol like POP3S, IMAPS, or HTTPS, then their login information and accompanying data would have been protected, as the exit nodes would be handling encrypted data streams rather than login details transported as plain text!
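The exit-node view described above, as an added example that is not from the original post: a small Python simulation of onion layering using a toy XOR cipher (not Tor's real cell encryption) and fixed placeholder keys. It shows that the exit node strips the last layer and forwards a plaintext POP3 login exactly as the client sent it, while a login already encrypted end to end (the role POP3S, IMAPS or HTTPS plays) leaves every relay, exit included, seeing only ciphertext.

```python
import hashlib

# Constructed illustration of onion layering, not Tor's real cell encryption:
# a toy XOR stream cipher keyed by SHA-256(key || block counter). Keys are
# fixed placeholders so the run is deterministic.
GUARD_KEY, MIDDLE_KEY, EXIT_KEY = b"guard-key", b"middle-key", b"exit-key"
RELAY_KEYS = [GUARD_KEY, MIDDLE_KEY, EXIT_KEY]   # circuit order, client -> exit
MAIL_SERVER_KEY = b"tls-session-key"              # shared only by client and mail server

# Constructed plaintext POP3 login, the kind of traffic the post describes.
POP3_LOGIN = b"USER embassy-account\r\nPASS placeholder-password\r\n"

def toy_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric toy cipher: XOR data with a hash-derived keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def build_onion(relay_keys, payload: bytes) -> bytes:
    """Client side: one layer per relay, the exit node's layer innermost."""
    cell = payload
    for key in reversed(relay_keys):
        cell = toy_xor(key, cell)
    return cell

def relay_views(relay_keys, payload: bytes):
    """What each relay sees after stripping its own layer; the last entry
    is the bytes the exit node forwards onto the open Internet."""
    cell = build_onion(relay_keys, payload)
    views = []
    for key in relay_keys:
        cell = toy_xor(key, cell)        # strip exactly one layer
        views.append(cell)
    return views

def exit_node_sees(payload: bytes, end_to_end: bool) -> bytes:
    """Exit-node view of a login, with or without application-layer
    encryption (the role of HTTPS/POP3S/IMAPS in the post)."""
    if end_to_end:
        payload = toy_xor(MAIL_SERVER_KEY, payload)   # stands in for TLS
    return relay_views(RELAY_KEYS, payload)[-1]

if __name__ == "__main__":
    print("plain POP3 at exit:", exit_node_sees(POP3_LOGIN, False))
    print("POP3S at exit:     ", exit_node_sees(POP3_LOGIN, True).hex()[:32], "...")
```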

There doesn't seem to be any doubt that both government agencies and criminals are using the Tor network: exit nodes are known to be hosted by:

  • An 'anonymous' organisation in Washington DC handling well in excess of 10TB of data per month.
  • A space research institute controlled by the Russian Government.
  • Various underground hacking groups and identity thieves.
  • The Chinese government.
  • Taiwanese Ministry of Education.

I wonder whether the people accessing these accounts at the times their credentials were captured were the official users or some other people who should not have been accessing them at all? The Tor network would certainly be a good way of hiding their identity should one of the institutions discover the unauthorised access. I'll be keeping a lookout for any official statements made by the institutions involved; if you come across any then please leave a comment and let me know.

15 comments
dventer

Amazing. If you use a service offering anonymity the truth is you may have something worth hiding. The unfortunate reality here is howsoever you choose to obscure connection information, you place a lot of faith in the folks that deliver on the service (not to mention their peers)... folks that in many cases are located in jurisdictions that are difficult to exact justice and retribution from by virtue of the fact that they have the spirit and practice of non-compliance with foreign court orders - the very thing that made them attractive in the first place. Why draw attention to yourself by using this service? You may as well shout that you have something to hide from the rooftops. If that was the point of this article it was well made.

JDThompson

Please keep in mind that the tor documentation makes it clear that you need to use end-to-end encryption to protect your traffic from snooping by the exit nodes. Regarding your comment "If you use a service offering anonymity the truth is you may have something worth hiding" I have to ask -- do you put your regular mail correspondence in an envelope, or do you use postcards for all your regular mail? If you don't use postcards, does it mean that you "have something worth hiding?" Privacy should be a basic assumption regardless of the content of your communication. Finally, using tor does not mean that you are "shout[ing] that you have something to hide from the rooftops;" it just means that it is nobody else's business what you're doing on the web. With tor, only the entry node and exit node know the final destination and contents of your communication. If you run a tor client on your local machine, then only the exit node can really know what you're doing, and if you use end-to-end encryption the exit node will not be able to either the content of your communication or even where or who initiated it. Moral of the story: read the manual and practice safe surfing.

support

Unfortunately the wrong crowd is there once again.

Arun Tiwari

I would totally agree on Selena views. - Arun

unhappyuser

I think I'll change careers and become a potato farmer. It's getting too complex out there! EMD

shava

Dan's list of Tor exit servers is really engineered to scare people. I don't honestly know exactly which servers he's referring to, but:

  • An 'anonymous' organisation in Washington DC handling well in excess of 10TB data per month. ...could be the International Broadcasting Bureau, the folks who fund Voice of America and Radio Free [continent] -- and are major funders of The Tor Project. Radio Free Asia correspondents (as well as NPR and many other journalists) use Tor to file their stories from inside the Chinese "great firewall."
  • A space research institute controlled by the Russian Government. Like NASA. Which makes them sinister, why, today? They are a research institution full of computer geeks. That there's an exit server there doesn't even necessarily mean that it's being run on behalf of the agency.
  • Various underground hacking groups and identity thieves. Um. One of these "hacking groups" is probably the Chaos Computer Club, a major Internet civil liberties group.
  • The Chinese government. We have several servers located at Chinese agencies and universities. Sinister folks who operate state funded universities, similar to University of Massachusetts, say. We also have major servers at MIT, Harvard, and a number of other major institutions in countries all over the world. Servers do include various government agencies (such as the IBB) who, UNLIKE the embassies, give back to the network by operating a server, and don't just use the software without ever contributing to the infrastructure, giving volunteer time, or dropping us a donation.
  • Taiwanese Ministry of Education. And this one really confused me. Since when is *Taiwan* a threat to safety? Here we have the group that runs their state kindergarten through higher ed system who say: "We undertake the reform with a vision to realize the fundamental concepts of humanism, fairness, democracy and pluralism, helping all learners to fully realize their creativity in a new knowledge-based environment. We sincerely hope that, through the implementation of holistic education, our next generations can develop their aptitude and various abilities, be inspired to care for others, society and nature, and contribute to the world as much as they can." This is not the "re-education" authority of mainland China, you know.

This list was tooled to be bait for media. Now, for anonymity, having a compromised exit node doesn't hurt you -- so long as you encrypt end to end. I'll be happy to go into a technical discussion of that if you want to contact me.

Shava Nerad
Development Director
The Tor Project

netjess

I don't get that the list implies that the organisations are sinister, but that they are entities that handle sensitive information, and the failure to secure that information is alarming. The alarming part is that "anonymous US government authority" taking down the site. Although, since he isn't a US citizen, the US government has no obligation to identify itself to anyone but the host or ISP of the site, and if it was hosted in a foreign country then it would have to go through the country of origin and their government would be responsible to identify themselves.

Doogster

Even if the list is engineered to scare users off of TOR, the takeaway is that ANY exit node CAN sniff/analyze and record your data. Even if you shoot down every group on that list you better believe there are private and government groups out there fishing for information as it exits TOR. Yes, end-to-end encryption is really the only way to avoid snooping, but I think that many users just assume that TOR = secure and this article does a great job of blowing that out of the water. Thanks for bringing this to light!

dtsoetanto

I am a Tor user and I appreciate the work and results the programmers put in. Then again, I am not a computer whiz, and would like to know if I am 100% secure using the Tor network when visiting online banking and other websites that have https. Can I say that any website that starts with https is 100% secure even when using the Tor network? Thank you.

apotheon

Tor won't affect the security of encrypted traffic, so as long as the entire session (including login and all transactions that occur between that and logout) is encrypted, you'll be just as secure using Tor as you would be without it. Basically, the only real threat created by something like Tor is that someone running a Tor exit node has a ready-made listening post for picking up traffic to and from various (essentially random) users. As long as your online activities are secured against packet sniffing and man-in-the-middle attacks, using Tor should present no security problems for you. Now . . . the fact that some banks are apparently technology-stupid when it comes to encryption may mean that your bank's SSL-encrypted online banking may not be as secure as you think. That's not Tor's fault, though, if it's the case.

apotheon

Yes -- HTTPS (which is HTTP with SSL encryption) is end-to-end encryption. When the encryption is used for the entire transaction, that's about as safe as you can get on the Internet. Yes -- end-to-end encryption is as safe with Tor as without it. The term "end-to-end encryption" refers to your data being encrypted from the computer at one "end" to the computer at the other "end" in a manner that is not trivially decrypted by some unauthorized party. To achieve end-to-end encryption (also known as "E2EE"), one must know the intended recipient of the data being sent such that some kind of targeted encryption key can be used to encrypt data in a manner that prevents it (at least in theory) from being decrypted by anyone except the intended recipient. There are a number of ways to achieve that without having to know the appropriate encryption key in advance -- your computer can get the necessary key as part of an initial "handshaking" process. For more on the subject, you can search for terms like OTR (for "off the record") and Diffie-Hellman (probably the best-known key exchange process in computer security).

dtsoetanto

Yes, I am paranoid. It all started when I received an anonymous email that revealed so much. I used nicknames and free email, but that didn't help. I was told that it was all because of the IP. Anyway, @apotheon, thanks for the reply. And just to reconfirm, an end-to-end encrypted connection is equal to opening an https site, login, transactions, then logout? With this, even thru a Tor exit node, it will be safe?

apotheon

It's good to see responses here from people directly involved in the subjects under discussion. I appreciate the extra information and the different perspective on what was presented. Do you have any information to offer specific to the potential risks of using Tor (unencrypted)? Obviously, such poor security practice is not the fault of the Tor project or its software, but I'd still like your take on the fact that Tor apparently provides a means for someone to set up a "listening post" for network sniffing and "man in the middle" attacks -- even if the specific Tor users suggested in the original article are not good examples of such a tactic being put to use.