Tor Security for Android and Desktop Linux

After the browser check is complete, examine the Tor console. This will provide some reference as I discuss the theory of the network.

Tor Network: Theory of Operation

Tor is designed on the assumption that hostile parties with vast resources will operate relays inside the network. Understanding this is a prerequisite for safe use. Do not use Tor to connect to clear-text services that hold sensitive content. If you use Tor for clear-text POP, IMAP, FTP, Telnet, SMB or HTTP, assume that your traffic will be recorded by a hostile exit operator and that your credentials (passwords) may be used by parties acting against your interests, as the researcher Chloe established in honeypot trials against malicious exit nodes. Tor is designed to trust nearly nothing and almost no one; you must do the same to use it safely.

If you have no interest in cryptography, skip this paragraph. Tor's circuit handshake (the "ntor" handshake) is built on Curve25519, the elliptic curve that renowned cryptographer Daniel J. Bernstein defined over his famous prime 2^255 - 19; relay identity keys use Ed25519, the signature scheme over the same curve. Cells travelling through a circuit are encrypted with AES in counter mode (AES-CTR), while the TLS links between relays negotiate whatever the OpenSSL build offers, and AES-CCM and ChaCha20-Poly1305 have surfaced in recent release notes. As amazingly forward thinking as the Tor network is for its age, SHA-1 was chosen for the running digests that protect relay cells and for a number of other hashes, but remediation efforts are well underway.

It now will be useful to present a graphic aid (with our old friends, Alice and Bob), which simply begs for greater detail.

Attribution: By Electronic Frontier Foundation, minor modifications by me. (https://www.torproject.org/about/overview.html.en) [CC BY 3.0 (http://creativecommons.org/licenses/by/3.0)], via Wikimedia Commons

The first column of servers above are known as Guard Nodes (variously referred to elsewhere as entry points or entrance nodes). They are the servers that communicate directly with Alice, and they are supposed to be the only servers in the chain that learn her IP address. Tor deliberately keeps the same Guard for an extended period (months) rather than choosing a new one for every circuit, so that Alice's entry point is exposed to as few relays as possible over time.

The second column of servers are known as Relay Nodes (or middle relays). There is an entry in the Orbot configuration menu to become a relay node, and you are encouraged to do so if you have a wired connection to the internet and bandwidth to spare. Relay Nodes that demonstrate high and reliable bandwidth and uptime are promoted to Guard Nodes by Consensus Votes, which I will discuss shortly.

The third column of servers are known as Exit Nodes. Unencrypted traffic that emerges from Tor appears to come from the Exit Node's IP address. This includes hostile attacks, harassment, and sundry illegal and immoral activity. Some Exit Node operators are altruistic individuals and groups that value privacy at all costs. Others are hostile actors. Exit Nodes are commonly the subject of abuse complaints and legal action; the Tor Project and the EFF publish legal guidance and response templates for operators who are contacted or called before a judge, and they advise against running an exit from a home connection.

The Tor software running on Alice's computer builds a Circuit through one server from each of the columns; a Circuit involves at least three separate relays. The Circuit is built one hop at a time: Alice performs the handshake with the Guard Node directly, then performs the handshake with the Relay Node through the encrypted connection she already has to the Guard, and then with the Exit Node through both, so she ends up sharing a separate session key with each hop. The instruction to extend the Circuit to the Exit Node is encrypted for the Relay Node alone, so the Guard never learns where her traffic will leave Tor. Each cell Alice sends is then encrypted three times, innermost for the Exit and outermost for the Guard; every hop strips one layer and forwards what remains, so the Guard and Relay Nodes see only ciphertext, and only the Exit Node sees the destination and, for clear-text protocols, the content. Circuits are retired and rebuilt regularly (by default a circuit stops accepting new connections after about ten minutes) to limit what any one set of relays can correlate. This stepwise removal of encryption as traffic moves through the Circuit is what is meant by Onion Routing.
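The following is an added illustration of the circuit just described, not Tor's code: a three-hop toy circuit in which the client negotiates a separate key with each hop, wraps one cell in three layers, and each relay peels one layer. It runs offline with only the standard library, so it uses stand-ins: an HMAC-SHA256 counter-mode keystream in place of AES-CTR, a Diffie-Hellman exchange over the (toy-sized) Mersenne prime 2^127 - 1 in place of the Curve25519 ntor handshake, and made-up relay names and destination. What it shows that the prose cannot is what each relay actually records: the Guard learns only the Relay Node, the Relay Node learns only the Exit Node, and only the Exit Node sees the destination and the plaintext.

```python
"""Toy three-hop onion circuit (added illustration, not Tor's code).

Stand-ins, so it runs offline with only the standard library:
  - an HMAC-SHA256 counter-mode keystream replaces AES-CTR;
  - Diffie-Hellman over the Mersenne prime 2^127-1 replaces the Curve25519 "ntor"
    handshake (toy size; never use this group for real traffic);
  - relay names and the destination string are made up.
"""
import hashlib
import hmac
import json
import secrets

P = (1 << 127) - 1
G = 3


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher built from HMAC-SHA256 (stand-in for AES-CTR).
    XOR against the keystream is its own inverse, so this both encrypts and decrypts."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def derive_key(shared_secret: int) -> bytes:
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


class Relay:
    """One hop. From the handshake it gets a session key; from each cell it learns
    only the next hop and an opaque inner blob."""

    def __init__(self, name: str):
        self.name = name
        self._priv = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self._priv, P)
        self.key = None
        self.learned = []  # next-hop names this relay has observed

    def handshake(self, client_pub: int) -> None:
        self.key = derive_key(pow(client_pub, self._priv, P))

    def peel(self, cell: bytes):
        """Strip one encryption layer and return (next_hop, inner_cell)."""
        layer = json.loads(keystream_xor(self.key, cell))
        self.learned.append(layer["next"])
        return layer["next"], bytes.fromhex(layer["data"])


class Client:
    def __init__(self, path):
        self.path = path
        self.keys = []
        for relay in path:
            # Telescoping: in Tor the handshake for hop n travels inside the layers
            # already negotiated with hops 1..n-1, so only hop n-1 sees who hop n is.
            x = secrets.randbelow(P - 2) + 2
            relay.handshake(pow(G, x, P))
            self.keys.append(derive_key(pow(relay.pub, x, P)))

    def build_onion(self, destination: str, payload: bytes) -> bytes:
        """Wrap the innermost (exit) layer first. Each layer names only the hop that
        follows it, so the guard never sees the exit or the destination."""
        cell, next_hop = payload, destination
        for relay, key in reversed(list(zip(self.path, self.keys))):
            layer = json.dumps({"next": next_hop, "data": cell.hex()}).encode()
            cell, next_hop = keystream_xor(key, layer), relay.name
        return cell


def run_circuit(payload: bytes, destination: str) -> dict:
    """Build guard -> middle -> exit, send one cell, and report what each hop saw."""
    guard, middle, exit_ = Relay("guard"), Relay("middle"), Relay("exit")
    client = Client([guard, middle, exit_])
    _, cell = guard.peel(client.build_onion(destination, payload))
    _, cell = middle.peel(cell)
    _, cell = exit_.peel(cell)
    return {
        "guard_saw": guard.learned[0],
        "middle_saw": middle.learned[0],
        "exit_saw": exit_.learned[0],
        "exit_plaintext": cell,  # what leaves Tor in clear for a clear-text protocol
    }


def guard_can_read_inner() -> bool:
    """A guard applying its own key to the inner blob gets noise, not a readable layer."""
    guard, middle, exit_ = Relay("guard"), Relay("middle"), Relay("exit")
    client = Client([guard, middle, exit_])
    _, inner = guard.peel(client.build_onion("example.com:80", b"GET / HTTP/1.0\r\n\r\n"))
    try:
        json.loads(keystream_xor(guard.key, inner))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(run_circuit(b"GET / HTTP/1.0\r\n\r\n", "example.com:80"))
```

The last function is the point of the exercise: a Guard that tries its own key on the inner blob gets noise, because that layer was encrypted under a key the Guard never took part in negotiating. Real Tor adds a per-hop integrity digest and fixed 512-byte cells so that relays cannot tamper with or size-fingerprint the layers; both are omitted here.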

Not shown in this graphic aid are the Directory Authority Nodes, which play a role analogous to DNS root servers: they are the trusted source of the list of relays and their properties. DA nodes operate in several countries, and because a consensus is valid only when signed by a majority of the authorities, Tor is built to survive up to four of the ten Directory Authority Nodes falling into the hands of a hostile party. Note that the United States appears to host four DA nodes. The DA nodes vote once per hour, then publish a Consensus that promotes/demotes Guard Nodes (and flags Exit Nodes) and sets parameters for a number of other Tor activities.

Purposefully hidden from the graphic aid are Bridge Nodes. These are "unpublished" Guard Nodes, absent from the public consensus, that are handed out on request to users whose carriers, ISPs or governments block traffic to the published Guard Nodes in order to deny access to Tor. There are a number of procedures to request a Bridge Node. Anyone making such a request from a hostile network should use great caution in choosing public/anonymous networks for Tor access in order to avoid detection and punishment.

Also not shown in the graphic aid are Hidden Services (now called onion services), which are informally known as the "dark web". These services are visible only within the Tor network, and Tor circuits involving Hidden Services never reach an Exit Node. As an example, the DuckDuckGo search engine has published a Tor Hidden Service at http://3g2upl4pq6kufc4m.onion; anything ending in the .onion suffix is a Tor Hidden Service that is not visible on the open internet. A .onion address is not a name registered anywhere: it is derived from the service's own public key (16 characters under the original scheme used by that address, 56 characters under the current version 3 scheme that has since replaced it), which is why nothing outside Tor can resolve it and no registry can reassign it. A short list of popular Hidden Services can be found at https://thehiddenwiki.org. Tor is designed to prevent users from learning the identity or location of the providers of Hidden Services. Guard Nodes are given no direct information that a user is seeking access to a Hidden Service versus an Exit Node, but they can conduct traffic analysis to loosely determine this.
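To make the "address is the key" point concrete, here is an added example (not the article's or Tor's code) that derives a version 3 .onion address from a public key and validates one, using only the standard library. The format it implements is the public one: base32 of the 32-byte ed25519 public key, a two-byte checksum taken from SHA3-256 over the string ".onion checksum", the key and the version byte, and the version byte 3. The 32-byte key used when the script is run is a constructed placeholder, not a real service key, and the 16-character form is only recognised, not verified, since that scheme has been retired.

```python
"""Added example (not the article's or Tor's code): derive and validate a version-3
.onion address with the standard library only. The address is not a name registered
anywhere; it is the service's ed25519 public key plus a checksum and version byte,
base32-encoded, so a client that holds the address can authenticate the service
without any registry being able to reassign it. The key used below is a constructed
placeholder, not a real service key."""
import base64
import hashlib

V3_VERSION = b"\x03"


def onion_v3(pubkey: bytes) -> str:
    """onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion",
    CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + V3_VERSION).decode().lower() + ".onion"


def parse_onion(address: str):
    """Return ("v3", pubkey) for a valid v3 address, ("v2", None) for the retired
    16-character form (80 bits of SHA-1 over an RSA key), or raise ValueError."""
    name = address.strip().lower()
    if name.endswith(".onion"):
        name = name[:-len(".onion")]
    if len(name) == 16:
        return ("v2", None)
    if len(name) != 56:
        raise ValueError("onion address must be 16 (v2) or 56 (v3) characters")
    raw = base64.b32decode(name.upper())  # raises on characters outside base32
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION:
        raise ValueError("unsupported onion address version")
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    if checksum != expected:
        raise ValueError("checksum mismatch: address corrupted or mistyped")
    return ("v3", pubkey)


if __name__ == "__main__":
    placeholder_key = bytes(range(32))  # constructed, not a real key
    addr = onion_v3(placeholder_key)
    print(addr, parse_onion(addr)[0])
```

The checksum only catches typos and corruption; the security property comes from the key itself, because the client uses it to verify the service's descriptor signatures. This is also why a mistyped or look-alike address received from an untrusted listing cannot be "resolved" to the right service: there is no authority to ask.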

With this vocabulary for Tor out of the way, now I'll address specific security concerns:

  • Guard Nodes see your real IP address, and because Tor keeps the same Guard for months, one of them will see it for a long time. You cannot trust them: assume that one will port-scan your computer and attempt to break in eventually, so keep your security patches up to date if at all possible. Guard Nodes are also free to analyze the timing and volume of your traffic to loosely identify what you are doing.

  • Exit Nodes remove the last layer of Tor encryption and are free to analyze and record all of your traffic. With TLS (HTTPS, IMAPS and so on) they still see the destination but not the content, provided you verify that the connection really is TLS and that the certificate has not been substituted. Once again, do not use Tor to connect to clear-text services hosting sensitive content. Malicious Exit Nodes were caught stealing and using passwords in honeypot trials by researcher Chloe.

  • The BitTorrent protocol is unsafe and discouraged over Tor: clients commonly contact trackers and peers outside the proxy or announce your real IP address inside the protocol itself, which has been used to de-anonymize users, and the traffic volume abuses volunteer relays.

  • The Tor Browser ships with NoScript and a security level setting, but at the default level JavaScript is still enabled; only the highest level disables it for all sites. If you leave it enabled, or use another browser where it is enabled, your anonymity might be broken by a browser exploit or by fingerprinting. If your sole goal is to deprive your carrier or ISP of tracking data, this might be a reasonable sacrifice.

  • The Tor Browser is the only program that has been reviewed and hardened to the point of reasonable assurance that it will not reveal your IP address or other private data unintentionally when traffic leaves an Exit Node. That confidence is diminished for other programs pointed at Tor's SOCKS port: they may resolve DNS names locally, revealing your destinations to your ISP before any traffic enters Tor, or embed your real address or machine identifiers in the protocol itself. Tor hides the existence of most programs' traffic from your carrier or ISP with equal ability; the concern is what those programs put on the wire between the Exit Node and the destination.

  • It is important to keep your system up to date with security patches. The FBI is known to exploit users of Tor who do not: it has seized the machines behind Hidden Services and used them to deliver its "Operation Torpedo" malware (a network investigative technique) to visitors' browsers to break the anonymity of Tor. The NSA has used zero-day exploits and in-house Tor nodes for the same purposes.
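The DNS leak mentioned above is the most common way a non-browser program betrays you, and it is visible in the SOCKS request itself. The following is an added example (not from the article or from Tor) that encodes a SOCKS5 CONNECT request two ways and checks which is safe: a Tor-safe client passes the hostname to Tor (address type 0x03) so the Exit Node resolves it, while a leaky client resolves the name locally first, sending a clear-text DNS query to the local resolver, and hands Tor only an IP address (type 0x01 or 0x04). Tor's own switches for this are the torrc options SafeSocks 1 (reject such requests) and TestSocks 1 (log whether each request was safe). The hostname and the 203.0.113.0/24 address below are constructed.

```python
"""Added example (not from the article or from Tor): the difference between a
Tor-safe SOCKS5 request and a leaky one, encoded and checked offline.

A safe client hands Tor the hostname (address type 0x03) and lets the exit resolve it.
A leaky client resolves the name itself first, which sends a DNS query to the local
resolver in the clear, and then hands Tor only an IP address (type 0x01 or 0x04).
Tor's own switches for this are the torrc options SafeSocks 1 (reject such requests)
and TestSocks 1 (log whether each request was safe). Hostnames and addresses below are
constructed; 203.0.113.0/24 is a documentation range.
"""
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def connect_request(host: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT (RFC 1928): VER CMD RSV ATYP DST.ADDR DST.PORT."""
    try:
        body = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            body = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            raw = host.encode("idna")
            if len(raw) > 255:
                raise ValueError("hostname too long for SOCKS5")
            body = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + body + struct.pack("!H", port)


def classify(request: bytes) -> str:
    """'safe' if Tor will do the name resolution, 'unsafe' if the client already did
    (or is addressing an IP literal, which SafeSocks also rejects)."""
    if len(request) < 4:
        raise ValueError("truncated SOCKS request")
    ver, cmd, _rsv, atyp = request[:4]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT")
    if atyp not in (ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6):
        raise ValueError("unknown address type")
    return "safe" if atyp == ATYP_DOMAIN else "unsafe"


def leaky_client(host: str, port: int, resolver: dict) -> bytes:
    """Resolves first (the dict stands in for a real lookup, which is exactly the
    DNS query an ISP would record), then gives Tor only the resulting address."""
    return connect_request(resolver[host], port)


def safe_client(host: str, port: int) -> bytes:
    """Passes the hostname through untouched; the exit resolves it."""
    return connect_request(host, port)


if __name__ == "__main__":
    table = {"example.com": "203.0.113.7"}
    for req in (safe_client("example.com", 443), leaky_client("example.com", 443, table)):
        print(req.hex(), classify(req))
```

In practice this is the difference between curl's socks5:// and socks5h:// proxy schemes (the "h" form sends the hostname to the proxy), and the same distinction exists in most SOCKS client libraries. Setting SafeSocks 1 in torrc turns the leaky form into a hard failure instead of a silent leak, which is the behaviour you want while testing a new application.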

Again, Tor is designed to trust nearly nothing and almost no one—you must do the same to use it safely.

______________________

Charles Fisher has an electrical engineering degree from the University of Iowa and works as a systems and database administrator for a Fortune 500 mining and manufacturing corporation.