
Privacy and the TOR network: why do we need it and how does it work?

miljaker

As part of a school assignment I had to write an article related to privacy & security and post it somewhere where people could read it and discuss the topic. So I figured I might as well post it here. I'm not sure if it's in the right section so if it gets moved could an admin notify me about it so I can provide the new link to my teacher?

 

Privacy and the TOR network: why do we need it and how does it work?

I’m sure some of you have heard about the TOR network and what it is. According to Wikipedia, TOR (previously an acronym for The Onion Router) directs Internet traffic through a free, worldwide, volunteer network consisting of more than five thousand relays to conceal a user’s location or usage from anyone conducting network surveillance or traffic analysis.

 

What exactly is the benefit of using TOR? Why do we need it? And how does it exactly work? Before we can answer these questions we need to know what privacy exactly is and how it affects us.

 

Privacy

How would you define privacy? Asking this question results in a variety of answers. “The right to be left alone”, “The right to be forgotten”, “The right to decide what information about myself is shared” and “The right to live a life without being spied on”. According to all of these definitions you have NO privacy on the internet. Companies and governments use the internet to collect data about you, make profiles about you and share (sell) this data with other companies.

 

Most of you probably have a Google account and use some Google service. But most of you probably didn’t read the privacy policy, it wouldn’t even surprise me if NONE of you did. Here is a part of the list of what data Google collects about you:

  1. Information you give Google (name, email, phone numbers, credit cards, birthdays, etc)
  2. Information you get from using their services (how you use them, when you use them, the way you interact with them)
    1. Device information
      1. hardware model
      2. operating system
      3. unique device identifiers
      4. mobile network information (including your phone number)
    2. Log information
      1. search queries
      2. telephone log (number called, forwarding numbers, time and date of calls, duration of calls, routing information)
      3. IP addresses
      4. Device information (crashes, system activity, hardware settings, browser type, language, date and time)
      5. Cookies that uniquely identify you
    3. Location information (GPS, wifi access points, cell towers)

You can find the complete list in the Google privacy policy. And this is just what Google collects, combine every website you visit and what information they can collect about you and think about what they can do with that information.

 

Profiling

Not only facts are stored but assumptions are made as well. YouTube for example has a gender and age account setting. This is not the age and gender they use to target you however. If you watch a lot of Minecraft let's plays it will probably be assumed you are a 12-year-old boy. This data will be shared with advertisers and others. They might not know your exact name and address but does that really matter if they can target you based on other identifiers such as your IP address? What if this profiling became a bit more extreme? Watching someone make fireworks on YouTube profiles you with “likes creating explosives”. Imagine if the NSA is doing its usual business and is tapping the line and finds out about this. They might decide to keep a closer eye on you for “public safety”. This already happens to some degree, so what happened to innocent until proven guilty? This data is out of your hands, you don’t know what they have on you, what exactly they do with it and (until recently if you are in Europe) you can’t ask them to delete it.

 

Privacy is not something we should enjoy having, it is something we require to develop who we are without direct or indirect influences based on assumptions or old data. And in the current state of the internet you pretty much have no privacy.

 

TOR

This brings us to the TOR network, an anonymous network that keeps your privacy, both as a user and as a service provider. TOR was created to be used in the military, protecting government communications. Today it is used by a much larger userbase. Activists, journalists, law enforcement, military, and even normal people use TOR for its anonymity and security.

 

TOR protects its users from traffic analysis. Traffic analysis is used to look at who is “talking” to who over the internet. When you visit a website it is logged where the request came from and using that data others can track your behaviour and data previously mentioned. This works because all the data you send, whether it’s encrypted or not, contains headers with information. These headers contain things like source, destination, time sent, size, etc.

 

The TOR network distributes your transactions over several places on the internet so no one knows exactly where it came from. Imagine walking through the snow from your house to a shoe store to buy some boots. Without TOR you would walk through the snow leaving footprints directly to the shoe store. Others can track exactly where you came from and could show up next year at your door with boots for sale. With the TOR network you would walk through the snow removing your footprints as you go to the supermarket first, then you take a stop at a clothes store, a few more stores and finally arriving at the shoe store. When the shoe store, or someone in the middle who is trying to find your footprints tries to find where you came from they won’t be able to find where you live.

 

When you connect to the TOR network you obtain a list of TOR nodes. When you make a connection to something, a random path through these nodes is created. All data between these nodes is encrypted and unreadable to people on those nodes. When the final node is reached the data is decrypted and visible to the server or user looking at it.

 

Deciding these paths can take quite some time so once a connection is made it stays the same for around 10 minutes before automatically changing and giving you a new “identity”. Try visiting a movie recommendation website with the TOR network. The recommendations will reset every 10 minutes to the default unless you specifically told the website what movies you like. Page visits and the like are meaningless now because they can’t identify who requested those pages.

 

Hidden services

TOR doesn’t just hide user data, it can also provide hidden services. Let’s be honest, if you heard about the TOR network you have probably heard how it is the place you should be looking if you need a hitman, drugs, money laundering, child pornography and other illegal things. These services exist only on the TOR network because just like users, no one can find their origin. The same goes the other way, the providers of these hidden services are unable to find who visited their website.

 

These hidden services work a bit differently to “normal” services. Hidden services advertise their existence to the TOR network and create circuits to a few random relays, turning them into introduction points with the service’s public key. TOR circuits don’t tell the introduction points (or anyone else) what the server’s IP address is so it’s extremely hard to associate an introduction point to a server’s location.

 

Every hidden service uses a descriptor with the public key and a summary of all the introduction points. This descriptor is then signed with the private key. The descriptor is uploaded to a distributed hash table. You can find the descriptor by sending a request to an .onion domain. kpvz7ki2v5agwt35.onion is the “hidden wiki” (a good place to start for anyone visiting the TOR network for the first time). “kpvz7ki2v5agwt35” is a 16-character name derived from the service’s public key. DuckDuckGo (an anonymous search engine) for example uses “3g2upl4pq6kufc4m”. Using this system everyone can verify if the service is the correct hidden service.

 

When a client wants to connect to a hidden service he must first know the .onion domain. When the request is sent to the domain the descriptor is downloaded and the client knows all the introduction points and the right key that is required. The client also creates another random relay and turns it into a “rendezvous point”.

 

If everything works correctly the client sends a message through the introduction points telling the server what the rendezvous point is. Everything still goes through the TOR circuits so no one knows what address the messages are coming from. Both the client and server stay anonymous.

 

When the server receives this message it connects to the rendezvous point. A message is then sent through the rendezvous point telling the client the connection is successful. Encrypted communication is now possible between the server and the client.

 

There are a total of 6 relays used (unless more are requested): 2 relays are randomly picked by the client and 3 are randomly picked by the server. The last relay is the rendezvous point randomly picked by the client.

 

Why is TOR used?

The TOR network isn’t perfect. It’s a lot slower than using the “normal internet” because of all the random paths and encryption that’s going on and hidden services usually lack the usability and usefulness “normal services” have. It is filled with disgusting websites that shouldn’t exist and are harmful to others (murder, human experiments, child pornography, gore and more). But the TOR network also gives people freedom of speech, anonymity and security.

 

The TOR network provides a lot of people access to information they otherwise wouldn’t be able to get. Some countries for example block the request for information about birth control, religion, diseases, communism and war. With the TOR network you are able to access this information freely without anyone finding out what you are doing. Reporters and journalists such as Reporters Without Borders use TOR when they are publishing to avoid getting targeted by people who don’t want their information visible to the public.

 

TOR is not only used to circumvent government and law but is also used to help them by things such as truly anonymous tipping. Whistleblowers and activists use TOR hidden services to publish data without people knowing how to take the information down. Reports about Chinese internet censorship and human rights violations are popular topics.

 

Using TOR

If you would like to try TOR and see what kind of hidden services there are and what kind of information you can find, you should start off by downloading the TOR browser bundle at https://www.torproject.org/projects/torbrowser.html.en and visiting the hidden wiki. The TOR browser bundle allows you to visit hidden websites and hide your identity from not so hidden websites. There are no other official TOR applications but it is possible to “torify” specific applications. The last link in the sources links to a document that can help you with that.

 

Keep in mind that just using TOR and hidden services doesn’t keep you completely anonymous. You have to carefully think about what information you are giving to service providers. If you fill in your name and email in a web form people will obviously know who you are. You should also be careful not to download harmful software. Everything that gets stored on your computer might be accessible to others. Keeping your software up to date is one of the most important things you can do. Disable addons and plugins such as Java and Flash because they usually have unpatched security holes. The TOR browser bundle has these things disabled by default but JavaScript on the other hand is NOT disabled by default. A flaw was recently found that put hidden services and clients at risk of both malware attacks and allowed law enforcement to find the location of hidden services. It might be a good idea to disable it if you want to be completely anonymous.

 

Conclusion

The TOR network and privacy are two important things in this world and people should become a bit more aware of the current situation. Do you have any experience with the TOR network and hidden services? Do you feel like your privacy is being invaded by companies and governments? Or do you feel like privacy is a thing of the past and simply don’t care what information and assumptions others have on you? I would love to hear your thoughts on this matter.

 

Sources:

· http://en.wikipedia.org/wiki/Tor_(anonymity_network)
· http://en.wikipedia.org/wiki/Privacy
· http://www.theatlantic.com/technology/archive/2013/02/why-does-privacy-matter-one-scholars-answer/273521/
· http://www.google.com/policies/privacy/
· http://en.wikipedia.org/wiki/Right_to_be_forgotten
· https://www.torproject.org/about/overview.html.en
· https://www.torproject.org/docs/hidden-services.html.en
· https://www.torproject.org/projects/torbrowser.html.en
· http://arstechnica.com/security/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/
· https://www.torproject.org/docs/faq.html.en
· https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO
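
Added example (not part of the original post): how a client can check that a downloaded descriptor belongs to the 16-character name it asked for, using the name derivation for this address format (base32 of the first 80 bits of the SHA-1 hash of the service's public key). The key bytes, relay names and descriptor layout are constructed stand-ins, and the descriptor's signature check is left out because it needs an RSA library.

```python
import base64
import hashlib
import hmac
import re

V2_NAME = re.compile(r"[a-z2-7]{16}")  # 16 base32 characters

def onion_name(public_key_der: bytes) -> str:
    """16-character name: base32 of the first 80 bits of SHA-1(public key)."""
    digest = hashlib.sha1(public_key_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()

def check_descriptor(requested_host: str, descriptor: dict) -> str:
    """Return 'ok', or the reason the client must reject the descriptor."""
    host = requested_host.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if not V2_NAME.fullmatch(host):
        return "malformed name"
    # The name commits to the key, so a descriptor carrying any other key
    # cannot be for the service the user asked for.
    derived = onion_name(descriptor["public_key"])
    if not hmac.compare_digest(derived, host):
        return "key does not match name"
    if not descriptor["introduction_points"]:
        return "no introduction points"
    return "ok"

# Constructed sample data: stand-in bytes, not a real RSA key or service.
SERVICE_KEY = b"constructed-example-public-key-bytes"
OTHER_KEY = b"constructed-key-of-a-different-service"
GOOD = {"public_key": SERVICE_KEY, "introduction_points": ["relayA", "relayB"]}
SWAPPED = {"public_key": OTHER_KEY, "introduction_points": ["relayX"]}
HOST = onion_name(SERVICE_KEY) + ".onion"

if __name__ == "__main__":
    print(HOST, "->", check_descriptor(HOST, GOOD))
    print(HOST, "->", check_descriptor(HOST, SWAPPED))
```

Current onion services use longer 56-character names built from an Ed25519 key, but the idea that the name itself commits to the key is the same.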


Give me a minute to fix the formatting.

 

- all done.


Well, TOR also made the Silk Road possible. Ehehe.

 

Good job OP!

i5 4670k @ 4.2GHz (Coolermaster Hyper 212 Evo); ASrock Z87 EXTREME4; 8GB Kingston HyperX Beast DDR3 RAM @ 2133MHz; Asus DirectCU GTX 560; Super Flower Golden King 550 Platinum PSU;1TB Seagate Barracuda;Corsair 200r case. 


I have used TOR in the past, but I simply found it too slow to use, and the things I could find weren't much of my interest (I don't really care for CP and terrorism).

 

I would just like to add to the privacy thing. The FBI has been known to collect data on the TOR networks, and even seized control over Freedom Hosting for a period of time.

Source 1

Source 2

And if you have used TORMail, the FBI has your mails: Source 3

 

So while TOR might be more private than a conventional browser, it's nowhere near private.

Nova doctrina terribilis sit perdere

Audio format guides: Vinyl records | Cassette tapes


So while TOR might be more private than a conventional browser, it's nowhere near private.

 

I wouldn't even say it's safer, because most of the exit nodes are managed by surveillance agencies. They don't need to tap any IX any more, they just have it already.


TOR is by no means safer. When accessing things such as the deep web you need to plaster up your webcam and turn java off.  I would never download, or put private data in EVEN when TOR is open. It's far from safe.  Quite a good explanation though OP.

Beneath this mask there is more than flesh. Beneath this mask there is an idea, Mr. Creedy, and ideas are bulletproof.

As I get older I get angrier more cynical, meaner. I feel some warning posts coming. I feel a ban coming. I was warned.

CPU-i5 2400 GPU-Sapphire Radeon HD 7970 OC Mobo-H67MA-D2H-B3 Ram-G.Skill Ripjaws 8gb 1333mhz Case-Fractal Define R4 PSU-Corsair CX750 Storage-Samsung EVO 250gb, 1tb WD Black,Hitachi 1tb Other stuff-Corsair K90, M90 Cooling-3x 140mm Fractal fans Sound-Sennheiser HD438 headphones

I wouldn't even say it's safer, because most of the exit nodes are managed by surveillance agencies. They don't need to tap any IX any more, they just have it already.

Having the exit node only allows them to see the traffic (unless you use HTTPS) being requested/provided, not who actually requested the traffic.

 

It still boggles my mind that people are so ill educated about Tor (not looking at you OP, just talking in general). It takes like 10-15 minutes to read how it works and once you have done that you understand the strengths and weaknesses of it. Yet we still have people like Logan who thinks that you send an onion and at the end of the route your whole packet is fully exposed as if you didn't use Tor at all. That's simply not how it works.

 

By the way, it's "Tor" not "TOR".
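
Added example (not part of the thread): a simplified model of a three-hop path that records what each relay can observe, to make the exit-node point above concrete. The relay names, keys, addresses and the toy cipher are constructed for illustration; real Tor negotiates a key with each relay while building the circuit and sends fixed-size cells.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for real crypto."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def build_onion(path, keys, destination, payload):
    """Client: wrap the payload once per relay, innermost (exit) layer first."""
    hops = path[1:] + [destination]  # where each relay forwards to
    blob = payload
    for relay, next_hop in reversed(list(zip(path, hops))):
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob = keystream_xor(keys[relay], layer)
    return blob

def relay_peel(relay, keys, blob):
    """Relay: remove its own layer, learning only the next hop."""
    layer = json.loads(keystream_xor(keys[relay], blob))
    return layer["next"], bytes.fromhex(layer["data"])

def trace(path, keys, client, blob):
    """Record what each relay observes as the message travels the path."""
    seen, previous = {}, client
    for relay in path:
        next_hop, blob = relay_peel(relay, keys, blob)
        seen[relay] = {"from": previous, "to": next_hop, "inner": blob}
        previous = relay
    return seen

# Constructed sample values (documentation address, made-up relay names/keys).
PATH = ["guard", "middle", "exit"]
KEYS = {name: hashlib.sha256(b"demo-key-" + name.encode()).digest() for name in PATH}
CLIENT, DEST = "198.51.100.7", "example.org:80"
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"
SEEN = trace(PATH, KEYS, CLIENT, build_onion(PATH, KEYS, DEST, PAYLOAD))

if __name__ == "__main__":
    for relay, view in SEEN.items():
        readable = view["inner"] == PAYLOAD
        print(f"{relay}: from={view['from']} to={view['to']} sees_request={readable}")
```

Only the guard sees the client's address and only the exit sees the destination and the unencrypted HTTP request; no single relay sees both.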


Too bad Tor isn't really secure at all, not to mention it's very easy to just reverse DNS somebody using Tor or a Proxy, so unless you set up a reverse proxy you're easily identifiable.

Mein Führer... I CAN WALK !!


Too bad Tor isn't really secure at all, not to mention it's very easy to just reverse DNS somebody using Tor or a Proxy, so unless you set up a reverse proxy you're easily identifiable.

And that matters... Why? For the users it doesn't matter at all.

At best you could use it to get the IP of a website. For example you could use it to get the IP of Twitter. You can't use it to get the IP of the people visiting Twitter though.


I've used it before, it was very slow, but I was able to use the websites that I had unavailable.
