Is TOR Still Anonymous?

Michael In the News

I’ve said it before, and I’ll say it again:

There is no proverbial magical bullet for your complete privacy or anonymity on the web.

This fact is disheartening. We, as humans, imagine that there must be some haven, some courtesy on the internet, kind of like not having cameras in restrooms. However, sadly, this is not the case. For every layer of security, privacy, or anonymity developed, there are numerous people (especially governments) trying to find a way in, if for no other reason than for the hell of it.

LiquidVPN provides a great no-log service that masks your internet traffic beautifully, but it, like all VPN services, is imperfect.

Another widely used program known as TOR, an abbreviation for The Onion Router, provides an anonymizer for you as you surf the web. But even this excellent service is not without its faults.

What is This Onion You Speak of?

The Onion Router that is now used by journalists, whistleblowers, privacy-minded individuals, terrorists, and criminals alike was, interestingly enough, first developed by the US military. It is free software (or plugin) on an open network that serves as a way to anonymize users as well as website hosts.

It does this by routing traffic through a network of roughly 5,000 computers and servers called nodes. Of course, not all of the nodes are used every time you access a site. When a node receives a request for a website, it is wrapped in several layers of encryption. Each node then, one by one, unwraps a single layer of encryption (like layers in an onion, get it now?) and sends information to the next node. Therefore, no single node knows the information of the user and destination, or the data that is being sent.

At any one time, there are approximately 2.5 million users on TOR.

While using TOR, websites that are inaccessible through regular browsing are available. This is called the dark web. You may have heard of sites like Silk Road, which was famous for selling narcotics until it got shut down by the FBI. Other shady sites on the dark web are basically marketplaces for criminals where hit men, sports betting, counterfeit goods, firearms, and hacking can all be bought and sold under the pretense of anonymity.

The dark web is sometimes confused with the deep web. The two may sound similar but the deep web is less ominous. It’s simply the rest of the internet, actually about 95% of it, that is not indexed by search engines like Bing, Yahoo, and Google.

It’s important to note that although the dark web becomes available through TOR, most of its users just use the software to browse legitimate websites anonymously.

Questions About the Integrity of TOR

Similar to every other type of software that attempts to anonymize or privatize your internet browsing, TOR is not without its faults.

In the past, there have been several queries into the strength of TOR’s anonymity. One of the biggest vulnerabilities comes from the exit nodes or exit relays. As the name suggests, exit relays are the final way station that unwraps the last layer and sends the information to its destination.

If the website is not protected by HTTPS or some other type of encryption, then the information is vulnerable to being read by this exit node. Of course, in a perfect world, all exit nodes would behave with the utmost integrity and only pass on the information without doing anything shady.

In a perfect world.

But we live in the real world. All nodes are run by volunteers and are not necessarily vetted, so integrity can’t be guaranteed. In fact, even if the site does have a valid SSL certificate, there are ways around that (every layer of security, privacy, and anonymity has someone trying to break it).
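The layering described in the onion section and the exit-relay exposure described above, as an added example that is not part of the original article. It uses a toy SHA-256 keystream as a stand-in for Tor's real per-hop encryption, and the relay names, keys and request are constructed; real Tor negotiates a key with each relay and moves data in fixed-size cells.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Stand-in only, not Tor's cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def wrap(path, destination, payload):
    """Client side: build the onion from the innermost (exit) layer outwards."""
    next_hop, body = destination, payload
    for name, key in reversed(path):
        layer = json.dumps({"next": next_hop, "body": body.hex()}).encode()
        body = keystream_xor(key, layer)
        next_hop = name
    return next_hop, body  # first relay to contact, fully wrapped onion

def peel(key, onion):
    """Relay side: remove exactly one layer and learn only the next hop."""
    layer = json.loads(keystream_xor(key, onion))
    return layer["next"], bytes.fromhex(layer["body"])

def relay_views(path, destination, payload):
    """What each relay can observe: (relay, previous hop, next hop, body)."""
    views, prev = [], "client"
    _, onion = wrap(path, destination, payload)
    for name, key in path:
        nxt, onion = peel(key, onion)
        views.append((name, prev, nxt, onion))
        prev = name
    return views

# Constructed sample: relay names, keys and the request are made up.
PATH = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]
REQUEST = b"GET /login?user=alice HTTP/1.1"  # plain HTTP, no TLS

if __name__ == "__main__":
    for name, prev, nxt, body in relay_views(PATH, "example.com:80", REQUEST):
        print(f"{name}: from={prev} to={nxt} body={body[:24]!r}")
```

The guard sees the client but only ciphertext, while the exit sees the destination and the readable request but not the client, which is why an unencrypted site leaves the payload exposed at the last hop.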

A new study from MIT introduced a new method to deanonymize TOR. They use a standard technique called fingerprinting. This method has also been used by Citizen Lab to track the misuse of Hacking Team’s software.

The goal of the study was to:

… assume that the attacker is able to monitor the traffic between the user and the Tor network. The attacker’s goal is to identify that a user is either operating or connected to a hidden service. In addition, the attacker then aims to identify the hidden service associated with the user

The gist of it is that, given the layer upon layer of security inherently used in TOR, the amount of data passing back and forth is significant. By designing computer algorithms (classifiers) and essentially ‘training’ the computer to look for patterns in the number of data packets, the researchers at MIT could determine the kind of traffic (onion related or not) passing through their controlled node with 99% accuracy.

This means that, without breaking TOR’s encryption, they could differentiate regular web browsing from that sent through TOR’s onion routing.

Furthermore, with slightly lower accuracy, 88%, the machine-learning algorithm could then identify the user and the site the user was accessing.

The Anonymity that TOR Provides Should Still be Considered Strong

However, this method of reading TOR’s traffic is not without its own limits. First, the person spying must have a node used in TOR. The more nodes, the better, because the spy would have to gather a lot of information before he/she could begin classifying traffic. Secondly, if going after a particular user, that spy would have to be lucky enough to be chosen as a relay in the path of the target’s traffic. The two biggest limiting factors are time and the number of nodes in use.

However, for an organization like the NSA or FBI, time and resources are not much of an issue. After all, there was likely some kind of massive vulnerability in the system that led to the global initiative Operation Onymous that took down 400 hidden services like Silk Road 2.0.

Also, TOR responded to the study. Tor project leader Roger Dingledine pointed out two key factors that suggest the TOR classifier attack is not as strong as the numbers suggest.

First, the study only takes into account 1000 front pages, whereas various crawlers used in ‘onion-space’ have found millions of pages beyond the front pages. This makes the relatively ‘small’ 2.9% false positive rate in the study quite large.
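To see why a 2.9% false positive rate grows with the number of pages, here is an added worked example (not from the study or the Tor Project). It assumes every page is equally likely to be loaded and treats the 88% figure as the true positive rate; both are simplifying assumptions.

```python
TPR = 0.88   # the 88% figure, treated here as the true positive rate (assumption)
FPR = 0.029  # the 2.9% false positive rate quoted above

def alert_counts(monitored, world, tpr=TPR, fpr=FPR):
    """Expected (true, false) alerts if each page in `world` is loaded once."""
    unmonitored = world - monitored
    return tpr * monitored, fpr * unmonitored

def precision(monitored, world, tpr=TPR, fpr=FPR):
    """Fraction of alerts that actually point at a monitored page."""
    true_alerts, false_alerts = alert_counts(monitored, world, tpr, fpr)
    return true_alerts / (true_alerts + false_alerts)

def breakeven_world(monitored, tpr=TPR, fpr=FPR):
    """World size beyond which false alerts outnumber true ones."""
    return monitored * (1 + tpr / fpr)

if __name__ == "__main__":
    # 1000 monitored front pages, as in the study; world sizes are constructed.
    for world in (1_000, 10_000, 100_000, 1_000_000):
        print(f"{world:>9} pages: precision {precision(1000, world):.1%}")
    print(f"break-even at about {breakeven_world(1000):,.0f} pages")
```

Under these assumptions, with 1000 monitored pages in a world of a million, only about 3% of the classifier's alerts are correct, and false alerts already outnumber true ones once the world passes roughly 31,000 pages.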

Secondly, the classifiers rely on the different-looking packets to make their determination. If TOR were to ‘pad’ some regular traffic to simulate data being sent to onion sites, then the classifiers may well become useless.

Conclusion

At the end of the day, using proven software like TOR to protect your anonymity, or LiquidVPN to protect your privacy, will significantly improve your online browsing experience. However, there are vulnerabilities in every system, and governments hate anonymity.

If you take your privacy as seriously as we do, then you should follow @LiquidVPN

You can follow the author @FreelanceTony
