Have the Pleasure of Anonymous Communication Using Tor

Elnaz Mehrzadeh
Systems and Network Security
9 min read · Apr 18, 2020


Tor’s official logo

Are you concerned about your online privacy? Do you want to communicate over the Internet without being tracked? Well, we are all in the same boat!

It used to happen to me a lot when I was in Iran and wanted to check a political website or an international news channel such as BBC or CNN. They are all censored there, and not only do you want to access such websites, but you also really want to avoid being tracked by the government. I would use Tor as a great solution, and many people (e.g., activists, journalists, and military professionals) have also found it a great way to protect personal privacy and keep their Internet activities unmonitored at the same time.

What is Tor?

Tor is a free and open-source software project intended to make it more difficult to trace users’ Internet activities. Its official website claims that it “blocks trackers”, “defends against surveillance”, “resists fingerprinting”, provides you with “multi-layered encryption”, and enables you to “browse freely”, and it really does!

Privacy vs. Anonymity definitions

Privacy (right) means protecting your messages, while anonymity (left) means protecting the identity of the messages’ sender and receiver.

When you encrypt your message, you are protecting your privacy, since no one other than you and your destination can read or understand your messages. But your messages also carry metadata (e.g., who you’re talking to, when, for how long, how many messages, the size of attachments, etc.). Encryption does not cover this metadata, so it is easily discoverable by hackers or governments. Anonymity means making sure that such metadata is not discoverable by anyone.

How does Tor work?

Tor works by encrypting your traffic multiple times and passing it through multiple randomly chosen volunteer nodes. Image source: https://www.hotspotshield.com/what-is-a-vpn/tor-vs-vpn/

It encrypts your Internet traffic in multiple layers and circulates your data through multiple volunteer computers (called nodes or relays) chosen randomly from all across the world. Each node is an individual layer of encryption. Therefore, it would be super difficult for anybody to trace your connection from the source to the destination. Neither the volunteer computers, nor the websites you visit, nor your Internet Service Provider (ISP) can monitor your activities.
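The layering described above, as an added Python sketch that is not part of the original article: the client wraps the message once per relay, and each relay removes one layer and learns only the next hop. The relay names, the JSON layer format and the HMAC-based toy cipher are assumptions for illustration; Tor's real cell format and key negotiation are not modelled.

```python
import hashlib
import hmac
import json
import os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (stand-in for a real one): XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def wrap(path, keys, destination: str, payload: bytes) -> bytes:
    """Client side: build the onion from the inside out (exit layer first)."""
    hops = path[1:] + [destination]          # what each relay is told to forward to
    onion = payload
    for relay, next_hop in reversed(list(zip(path, hops))):
        layer = json.dumps({"next": next_hop, "data": onion.hex()}).encode()
        onion = keystream_xor(keys[relay], layer)
    return onion

def peel(relay_key: bytes, onion: bytes):
    """Relay side: remove exactly one layer; the relay learns only the next hop."""
    layer = json.loads(keystream_xor(relay_key, onion))
    return layer["next"], bytes.fromhex(layer["data"])

def simulate(payload: bytes = b"GET /news HTTP/1.1"):
    """Send one message through three constructed relays; record what each one sees."""
    path = ["guard", "middle", "exit"]       # hypothetical relay names
    keys = {relay: os.urandom(32) for relay in path}
    onion = wrap(path, keys, "example.org:80", payload)
    seen = {}
    for relay in path:
        next_hop, onion = peel(keys[relay], onion)
        seen[relay] = (next_hop, onion)      # (where to forward, what is left)
    return seen

if __name__ == "__main__":
    for relay, (next_hop, remaining) in simulate().items():
        print(f"{relay:6} forwards to {next_hop:15} sees {remaining[:24]!r}")
```

The guard and middle relays see only ciphertext, while the exit relay sees the original payload, which is why the destination connection itself should use HTTPS.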

When and how to use it?

If you are an average Internet user and only want to check Instagram or Facebook, you probably will not need to use Tor. However, if you want to bypass the Internet filters imposed by your government, or if you are a journalist living under a repressive government, or say if you are a hacker who wants to stay hidden, then Tor is for you. Note that if you want to download a large file from the Internet without being tracked (e.g., from BitTorrent), Tor won’t keep you anonymous. Furthermore, you will be slowing down all users’ speed (you included). Use another method (like a VPN) instead.

To get connected to the Tor network, there are various ways. The easiest and most common way is to use the Tor Browser application. There are about 2 million daily users from all around the world who get connected to the network. Most of them are from the United States (22.59%), Russia (17.23%), and Germany (7.91%). (Source: https://metrics.torproject.org/userstats-relay-table.html)

If using the Tor network is blocked in your country, you can use a bridge to bypass it:

“Bridge relays (or “bridges” for short) are Tor relays that aren’t listed in the main Tor directory. Since there is no complete public list of them, even if your ISP is filtering connections to all the known Tor relays, they probably won’t be able to block all the bridges.” — Tor’s official Website

Bridge users are mostly from Iran (33.22%), Russia (14.46%), and the United States (7.46%). (Source: https://metrics.torproject.org/userstats-relay-table.html)

A) Web browsing

The Tor Browser application in action.

After downloading the Tor Browser from the Tor Project’s website, you can connect to the Tor network (directly or through a bridge) and surf the Internet securely. Your connection is automatically sent through the network when you use this browser. Note, however, that you are not supposed to use add-ons and extensions in this browser; it is also suggested that you do not enable JavaScript or Flash multimedia, and that you do not maximize the window (i.e., do not make the browser full-screen). Otherwise, you break the security chain provided to you and may be exposed to a man-in-the-middle attack.

B) Messaging

A screenshot of Tor Messenger in action. Image source: https://www.wired.com/2015/10/tor-just-launched-the-easiest-app-yet-for-anonymous-encrypted-im/

Besides web browsing, you can send and receive instant messages through Tor’s network. You need to either use Tor Messenger or connect your own messenger to the network. For the latter, turn on a SOCKS5 proxy in your messenger with the hostname 127.0.0.1 and the port number 9150 while the Tor Browser is running. In fact, any application that sends its traffic to TCP port 9150 on localhost can use the network while the Tor Browser is running.
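What an application does when it is pointed at that proxy, as an added Python example that is not part of the original article: it speaks SOCKS5 (RFC 1928) to 127.0.0.1:9150 and passes the destination as a domain name, so the name is resolved through Tor rather than by the local DNS resolver. The function names are chosen here for illustration.

```python
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9150)  # Tor Browser's SOCKS5 port, as given in the article
GREETING = b"\x05\x01\x00"       # VER=5, 1 method offered, 0x00 = no authentication

def connect_request(hostname: str, port: int) -> bytes:
    """CONNECT with ATYP=0x03 (domain name): the name is resolved on the Tor side,
    so no DNS query for it leaves this machine."""
    name = hostname.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must be 1-255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)

def check_reply(head: bytes) -> int:
    """Validate the first 4 reply bytes (VER, REP, RSV, ATYP); return ATYP."""
    if len(head) != 4 or head[0] != 5:
        raise ConnectionError("not a SOCKS5 reply")
    if head[1] != 0:
        raise ConnectionError(f"proxy refused the request (REP={head[1]:#04x})")
    return head[3]

def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or fail if the proxy hangs up early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def open_via_tor(hostname: str, port: int, proxy=TOR_SOCKS) -> socket.socket:
    """Return a TCP socket to hostname:port tunnelled through the local Tor proxy."""
    sock = socket.create_connection(proxy, timeout=30)
    try:
        sock.sendall(GREETING)
        if recv_exact(sock, 2) != b"\x05\x00":
            raise ConnectionError("proxy did not accept SOCKS5 without authentication")
        sock.sendall(connect_request(hostname, port))
        atyp = check_reply(recv_exact(sock, 4))
        # Skip BND.ADDR (4 bytes IPv4, 16 bytes IPv6, or length-prefixed name) and BND.PORT.
        addr_len = {1: 4, 4: 16}.get(atyp) or recv_exact(sock, 1)[0]
        recv_exact(sock, addr_len + 2)
        return sock
    except Exception:
        sock.close()
        raise
```

Resolving the hostname locally and sending the resulting IP address (ATYP=0x01) would still tunnel the connection, but the DNS lookup itself would bypass Tor and be visible to the ISP.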

How secure is Tor?

If properly used, the chance of being de-anonymized on the Tor network is extremely low. In fact, there are three levels of security provided by Tor Browser. According to Wikipedia, the security levels are:

  1. Standard (default): at this security level, all browser features are enabled. This level provides the most usable experience and the lowest level of security.
  2. Safer: at this security level, the following changes apply:
    • JavaScript is disabled on non-HTTPS sites.
    • On sites where JavaScript is enabled, performance optimizations are disabled. Scripts on some sites may run slower.
    • Some mechanisms of displaying math equations are disabled.
    • Audio and video (HTML5 media), and WebGL are click-to-play.
  3. Safest: at this security level, these additional changes apply:
    • JavaScript is disabled by default on all sites.
    • Some fonts, icons, math symbols, and images are disabled.
    • Audio and video (HTML5 media), and WebGL are click-to-play.

However, absolute security does not exist. There are certain weaknesses in the Tor Browser as well:

  1. Tor protects users’ privacy, but it does not hide the fact that you are using Tor. In other words, it is difficult to track your activities, but it is easy to understand that you are using Tor. Even knowing the fact that you are using Tor can be controversial in some places.
  2. According to the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), “Redirecting users to special servers via telecoms operators can constitute a man-in-the-middle attack, as an example. It can be done by intercepting the traffic between a Tor user and the legitimate server, although it has been argued that only the US National Security Agency (NSA) has this sort of capability.”
  3. Tor encrypts data at each layer except the last one (the so-called exit node). The exit node removes the final layer of encryption, so if you visit an unsecured HTTP website (i.e., not an HTTPS website), it is possible for the exit node to spy on your activity.
  4. According to Tor’s official website, “Tor does not provide protection against end-to-end timing attacks: if an attacker can watch the traffic coming out of the target computer, and also the traffic arriving at the target’s chosen destination (e.g., a server hosting a .onion site), that attacker can use statistical analysis to discover that they are part of the same circuit.”
  5. Finally, Tor Browser is based on Firefox, so it is vulnerable to the same attacks that Firefox is.

What are the disadvantages of using Tor?

The most serious drawback is speed. Since your data need to travel through a long network of volunteers, browsing can be very slow.

Another drawback is that it can draw attention to you. Governments can easily tell that you are using Tor and are therefore more likely to target you and try to monitor your activities.

Using Tor and VPN together

A Virtual Private Network (VPN) is a way to extend a private network over a public network. When using a VPN, all of the data is secured through end-to-end encryption. Your privacy, therefore, is preserved while your anonymity is not. Tor Browser, on the other hand, is used to obtain anonymity, and it uses a completely different procedure. Luckily, one can use both to gain maximum security (privacy + anonymity). There are two main ways to use Tor and a VPN together:

A) Using Tor over VPN

In this case, you simply turn on your VPN first and then use the Tor Browser. This method is easy to set up and results in the government not knowing that you are using the Tor network. However, your VPN provider can still detect that you are using Tor. With this method, you are also not protected against espionage by the exit node.

B) Using VPN over Tor

This is a more complicated setup, since you first need to connect to the Tor network and then, in most cases, manually configure your VPN’s settings so that it connects over the Tor network. In this case, you are protected against the exit node, so it is the best way to transmit sensitive data, but your ISP, and therefore your government, can still detect that you are using Tor.

Tor and the deep web

Image source: https://stuffboxnews.com/what-is-deep-web-how-you-can-access-deep-web-is-it-legal/

The deep web is a part of the Internet that is not visible to people by default and is not indexed by search engines. Special software is usually needed to access such websites. The reason is to protect both the website provider’s and the users’ privacy. It is possible to buy guns, drugs, hacked information or hire hackers to attack computers for you on the deep web. But there are good sides too. For example, you can join a chess club on the deep web! Tor can assist people in accessing the .onion websites in this part of the web.

Is using Tor legal?

For most people reading this article, it is completely legal to use Tor (although it might put you under more suspicion). In some countries (e.g., China) it is illegal to use it. In some other countries, despite not being illegal, Tor traffic is blocked by the government (e.g., Iran, Russia, Saudi Arabia, etc.).

Doesn’t Tor enable criminals to do bad things?

As the Tor FAQ points out:

“Criminals can already do bad things. Since they’re willing to break laws, they already have lots of options available that provide better privacy than Tor provides. They can steal cell phones, use them, and throw them in a ditch; they can crack into computers in Korea or Brazil and use them to launch abusive activities; they can use spyware, viruses, and other techniques to take control of literally millions of Windows machines around the world.

Tor aims to provide protection for ordinary people who want to follow the law. Only criminals have privacy right now, and we need to fix that.”

Other legal challenges

Anonymity, the right to freedom of expression, and the right to privacy are all valuable human rights and are being promoted with Tor. This is why most democratic countries do not ban Tor completely. However, it can be a mixed blessing. Tor, on the other hand, can also be used for buying/selling illegal goods or transferring child pornography over a network. Governments have taken different approaches to dealing with Tor: some governments support and even fund the project, while others openly suppress it.

Regardless of whether governments support or suppress this project, there are clearly some non-trivial or under-researched problems in using Tor. Suppose you are the operator of an exit node and some illegal information is passing through your network. What measures do you need to take? For example, under EU law, as an exit node’s operator, you are protected from liability for the content passing through your node. However, you need to clearly keep your distance from illegal activities. One should know the law in his/her own country while using Tor or volunteering as a node operator.
