An intro to the Onion Routing (TOR)

Sapphire
Published in void security
9 min read · Dec 28, 2017

What is Tor? How does it work? Is it legal? Is it really anonymous? I hope that by the end of this story you will know a little more about onion routing. So let’s start from the beginning.

What is Tor ?

Tor takes its name from The Onion Router. Onion routing was developed in the mid-1990s at the United States Naval Research Laboratory as an alternative to standard communications over the internet, and Tor itself, the second-generation onion router, was first deployed in 2002. It is designed to route TCP streams through a chain of relays, each of which peels off one layer of encryption, like the layers of an onion; the core daemon is written in C.

Tor Project Website

In its origins, onion routing was designed to obfuscate and hide the traffic and location of the source, making it easier for intelligence services to communicate without revealing their position, and harder for counter-intelligence teams to detect and locate the source. Since then, Tor has moved far from those origins. The code was released to the public in 2002 and became free software in 2004; the EFF (Electronic Frontier Foundation) funded its development from 2004 to 2005, and The Tor Project, a non-profit, was founded in 2006 to maintain it. Both organisations shifted the focus of onion routing towards avoiding and bypassing censorship and ISP surveillance around the world, making the internet more free. There is of course a bad use of this platform, which is probably the cause of its infamous reputation: using onion routing to hide one’s identity while committing crimes.

You are now probably wondering…

Why would a US military platform be released, and why offer it for free to the public to avoid censorship, if it was useful for intelligence?

Well, as always, in US intelligence programs there is a complicated relationship between the budget dedicated to “breaking things” and the one dedicated to “creating and spreading things”. We can see the same duality when an institution like the NSA designs and promotes strong ciphers and algorithms while, at the same time, trying to break them.
Because of that, in my point of view, this decision is motivated by support for any technology that can disrupt the plans of the traditional adversaries of the US, which by the way impose strong censorship inside their borders, for example China and the Russian Federation. There is also a practical reason often cited by Tor’s own designers: an anonymity network is only useful to its government users if plenty of other people use it too, so that government traffic does not stand out.
In practice this means that US government grants have historically made up a large part of The Tor Project’s yearly funding.

< Technology />

As I said before, the technology is based on a chain of three public proxies (a circuit) and it carries TCP streams only, but there is a lot more to learn about it, so let’s go inside.
The Tor platform relies on volunteers, and many people and organisations participate: individuals, non-profit organisations, VPN providers, universities and, of course, government agencies, all of which run servers that route traffic inside the Tor network.

Why? Because the more servers are online, the more capacity the network has and the faster it is. These servers are what we call Tor relays. Relays are usually non-dedicated servers that just run the tor daemon and listen on an OR (onion routing) port, usually 9001 or 443, sometimes together with a directory port (usually 9030 or 80). They accept only Tor traffic and forward it either to another relay inside the Tor network or, in the case of an exit relay, to the destination on the public internet.

Imagine this: I’m using Tor right now. So, as we already know, random people set up servers and route my traffic. Moreover, we know (or should know) that an ordinary proxy is not safe for anyone’s privacy or security: at best it is an anonymisation tool, and not in all cases. So, literally, anyone in the Tor community who runs a relay could sniff and read my internet traffic, right?
But the answer is no. Onion routing is designed to provide anonymity to its users, but also some security features that work well (and are getting better).
When an application such as Tor Browser sends traffic through the local tor client (over IPv4 or IPv6), the client first builds a circuit: it negotiates a separate symmetric key with each of the three relays, then wraps every cell of data in three layers of encryption, one per relay, with the exit’s layer innermost. Each relay can strip only its own layer and learns only the previous and the next hop. On top of that, every link between hops runs inside a TLS connection. So no single volunteer can read your traffic, and no relay except the exit even sees it unencrypted.
There is, however, one relay in the three-hop chain that can read the traffic, although it cannot identify the user: the exit relay, the last in the chain. It always sees whatever the application sent, because it has to remove the last layer of encryption to forward the traffic to its destination.

There are ways to mitigate this, and I will probably talk about them in a future post, but the easiest one is Tor + HTTPS: then the traffic is protected end to end between your browser and the website, and the exit relay only sees which server you are talking to, not the content.
HTTPS adds an extra layer of security, which is always good, at the cost of a little extra latency, as you may imagine.

As you can see, the traffic makes a long journey, which makes Tor slow, but it is encrypted at the source and no intermediate relay sees it in clear. It becomes end-to-end encrypted only if the application protocol is itself encrypted: HTTPS, SSH, FTPS…
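The layering described above, as an added illustration that is not Tor’s own code. One cell is wrapped in three layers by the client and unwrapped one layer per relay, so you can see exactly what the guard, the middle and the exit hold. Two assumptions keep it on the standard library: AES-128-CTR is replaced by an HMAC-SHA256 counter-mode keystream, and the three per-hop keys (SAMPLE_KEYS) are constructed values standing in for the keys Tor derives from the circuit handshake.

```python
"""Onion layering on one Tor-style cell, as an added illustration.

This is not Tor's code. AES-128-CTR is replaced by an HMAC-SHA256 counter-mode
keystream so the script needs only the standard library, and the three per-hop
keys are assumed to be already agreed (Tor derives them from the handshake the
client runs with each relay while building the circuit).
"""
import hashlib
import hmac

# Constructed per-hop keys standing in for the result of the circuit handshake.
SAMPLE_KEYS = [b"guard-key-0123456", b"middle-key-012345", b"exit-key-01234567"]
SAMPLE_NONCE = b"cell-0001"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_layer(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Add or strip one layer. XOR with the same keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def client_wrap(hop_keys, nonce: bytes, payload: bytes) -> bytes:
    """The client applies the exit's layer first, so the guard's is outermost."""
    cell = payload
    for key in reversed(hop_keys):  # exit, then middle, then guard
        cell = xor_layer(key, nonce, cell)
    return cell


def run_circuit(payload: bytes, hop_keys=SAMPLE_KEYS, nonce: bytes = SAMPLE_NONCE) -> dict:
    """Push one cell through guard -> middle -> exit.

    Returns what each relay holds after stripping its own layer: the guard and
    the middle still see ciphertext, only the exit ends up with the payload.
    """
    views = {}
    cell = client_wrap(hop_keys, nonce, payload)
    for name, key in zip(("guard", "middle", "exit"), hop_keys):
        cell = xor_layer(key, nonce, cell)
        views[name] = cell
    return views


if __name__ == "__main__":
    request = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    for relay, seen in run_circuit(request).items():
        print(f"{relay:6s} sees: {seen[:16]!r}...")
```

The exit relay’s view is the plaintext request, which is the whole reason Tor + HTTPS is recommended: with HTTPS the payload handed to the exit is already TLS ciphertext. Real Tor additionally uses separate keys for each direction and a running digest on every relay cell for integrity; both are left out here.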

< Onions in depth />

As I said before, we identify a proxy inside the chain as a relay or node.
There are different types of relays. Depending on their position in the chain we talk about entry relays (guards), middle relays, exit relays and bridges.

Entry Relays/Nodes (guards): the first hop when connecting to the Tor network. These are relays with high availability that have worked well for a good amount of time at high speed; the directory authorities give them the Guard flag, which marks them as stable and trusted enough for this role. A client keeps the same small set of guards for months instead of picking a new one for every circuit, so that an attacker running a few malicious relays does not eventually get a turn as your first hop.

Middle Relays/Nodes: these are just the “anonymisers”. Middle relays re-route the traffic and separate the entry node from the exit node. Entry and middle relays do not allow traffic to exit; they only make connections inside the Tor network. Depending on uptime and average bandwidth over time, the directory authorities decide whether a relay may be used as a guard or only as a middle relay: a relay gets the Guard flag only if it has been a really good middle relay.

Exit Relays/Nodes: strip the last layer of Tor encryption (the Tor security layer I mentioned before) and send the traffic to its destination on the public internet. Their operators choose an exit policy, that is, which ports and addresses they are willing to exit to, and because the exit’s IP address is what the destination sees, they are the ones who receive the abuse complaints.

Bridges: these relays are used only when needed and add an extra hop in front of the circuit. They are really useful when the user is in a country with censorship (proxies, filters, firewalls…). Unlike standard relays, bridges are not listed in the public directory, so a censor cannot simply block the list of relay addresses. With pluggable transports such as obfs4 or meek they can also obfuscate the traffic so that it does not look like Tor (meek, for example, made it look like ordinary HTTPS to a large CDN). Together, these features are good because:
They hide the fact that you are using Tor from your ISP and get past censorship by making the traffic look like something else. Note that they do not protect against an adversary who can observe both ends of a connection and correlate traffic.

< Security and Encryption />

About security, there are some ways to make sure we are doing it right. Tor Browser is a modified Firefox and ships with interesting add-ons such as HTTPS Everywhere, which rewrites requests to HTTPS wherever the site supports it, and NoScript, which can block JavaScript.

Tor Browser also has a Security Settings feature. It works in levels, depending on the OpSec profile you want: the higher levels block scripts and disable parts of the web platform (such as canvas, some fonts and media types) that can be used to fingerprint or attack you. On the privacy side, Tor (browser or not) can suffer from the same issue as any VPN: DNS leaks.
A DNS leak is an information leak caused by a DNS request going out directly to your ISP’s resolver instead of through Tor.

As you probably know, before visiting any website the computer asks a DNS resolver for the site name and gets back the IP address. If that query bypasses Tor, the ISP knows which site you are looking for, and the fact that you then talk to a Tor relay is disclosed as well. Tor Browser does not have this problem: it hands the hostname to the tor client over SOCKS (remote DNS), and the exit relay does the resolution. The leak happens with other applications that resolve the name locally before sending the request to the proxy, for example anything using plain SOCKS4 or a proxy setting with local DNS. The fix is to have the application pass the hostname to tor (SOCKS5 or SOCKS4a with remote DNS; in Firefox this is the “Proxy DNS when using SOCKS v5” option in the Network settings), or to point the system resolver at tor’s DNSPort. Switching to a public resolver such as OpenDNS or Google’s DNS only moves the query away from the ISP’s own resolver: the query still crosses the ISP’s network in clear, and DNSSEC authenticates answers but does not hide them.
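Below is an added example (not Tor’s code and not from the original post) showing the difference at the protocol level. It builds the CONNECT request that each SOCKS variant sends to the local tor client and flags the ones that carry an IP address, because an IP address in the request means the application already resolved the name itself, outside Tor. The SOCKS5 method-negotiation round trip that precedes CONNECT is omitted, and the hostname and IP used are constructed sample input.

```python
"""SOCKS request shapes and the DNS-leak check, as an added example (not Tor
code). Builds the CONNECT request each SOCKS variant sends to the local tor
client (SocksPort, 9050 by default) and flags the ones that carry an IP
literal, since an IP means the application resolved the name itself, outside
Tor. The SOCKS5 method-negotiation round trip that precedes CONNECT is omitted.
"""
import socket
import struct


def socks4_connect(ip: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4 CONNECT carries an IPv4 literal only: the client must already
    have resolved the name, so the DNS query went to the local resolver."""
    return struct.pack("!BBH4s", 4, 1, port, socket.inet_aton(ip)) + userid + b"\x00"


def socks4a_connect(host: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4a: IP 0.0.0.x (x != 0) tells the proxy to resolve the trailing hostname."""
    return (struct.pack("!BBH4s", 4, 1, port, b"\x00\x00\x00\x01")
            + userid + b"\x00" + host.encode("idna") + b"\x00")


def socks5_connect(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT with ATYP 0x03 (domain name): tor's exit relay does the lookup."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname does not fit in a SOCKS5 address field")
    return struct.pack("!BBBBB", 5, 1, 0, 3, len(name)) + name + struct.pack("!H", port)


def socks5_connect_ip(ip: str, port: int) -> bytes:
    """SOCKS5 CONNECT with ATYP 0x01 (IPv4 literal): same leak as SOCKS4."""
    return struct.pack("!BBBB4s", 5, 1, 0, 1, socket.inet_aton(ip)) + struct.pack("!H", port)


def resolved_locally(request: bytes) -> bool:
    """True when the address field is an IP literal, i.e. the name was resolved
    before tor ever saw the request (this is what `SafeSocks 1` in torrc rejects)."""
    version = request[0]
    if version == 4:
        ip = request[4:8]
        remote = ip[:3] == b"\x00\x00\x00" and ip[3] != 0  # the SOCKS4a marker
        return not remote
    if version == 5:
        return request[3] in (1, 4)  # ATYP 1 = IPv4 literal, 4 = IPv6 literal
    raise ValueError("not a SOCKS4/4a/5 request")


if __name__ == "__main__":
    # Constructed sample input; 93.184.216.34 is just an example literal.
    samples = {
        "SOCKS4  (IP)":       socks4_connect("93.184.216.34", 443),
        "SOCKS4a (hostname)": socks4a_connect("example.com", 443),
        "SOCKS5  (hostname)": socks5_connect("example.com", 443),
        "SOCKS5  (IP)":       socks5_connect_ip("93.184.216.34", 443),
    }
    for label, req in samples.items():
        print(f"{label}: leaks DNS = {resolved_locally(req)}  {req.hex()}")
```

If you configure an application for Tor by hand, the thing to check is that it sends the hostname (SOCKS5 with a domain-name address, or SOCKS4a), not an IP it resolved on its own. Setting `SafeSocks 1` in torrc makes tor refuse the leaking variants, and `TestSocks 1` logs which kind each application is using.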

Turkey is increasing their censorship. Street graffiti showing Google’s public DNS.

About encryption, Tor has been updating its cryptography, and the algorithms are similar to those used for HTTPS traffic. The hop-to-hop links run over TLS with ciphersuites such as TLS_DHE_RSA_WITH_AES_256_CBC_SHA (older releases even allowed SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA; current ones prefer ECDHE suites). Inside the circuit, the original “TAP” handshake used 1024-bit RSA onion keys, relatively small compared with the 2048-bit keys of a typical TLS certificate or SSH server, together with 1024-bit Diffie-Hellman (group 2) and SHA-1, and the cells themselves are encrypted with AES-128 in counter mode.

SSL certificate from a website. Is useful to understand how ciphers work and are used

The reason behind this is performance. Tor circuits cannot use UDP, all traffic is forced through the onion routing, and the relays are located in different parts of the world, often with low or shared bandwidth, so latency is already high; if every circuit creation needed large RSA operations on each relay, relays would spend their CPU on handshakes and circuits would be too slow to be useful. That is why Tor has moved to elliptic curve cryptography (awesome crypto!): the discrete logarithm problem on a curve is much harder per bit than factoring, so a 256-bit curve key gives security comparable to roughly a 3072-bit RSA key. The “ntor” circuit handshake based on Curve25519 has been the default since Tor 0.2.4, relays have had ed25519 identity keys since 0.2.7, and the new version 3 onion services (Tor 0.3.2, stable in December 2017) use ed25519 as well.

This allows the traffic to be faster while using even stronger algorithms, because the keys are smaller and the operations cheaper. I will talk more about the next generation of Tor, its crypto and onion services in detail in future posts.

To finish this section, note that relays are not fixed once you start browsing, because a long-lived path would let relays learn about you over time. Instead, a circuit is used for a limited period (by default new streams move to a fresh circuit after about ten minutes) and is then replaced by another one with different middle and exit relays. The one exception is the entry guard, which is deliberately kept for months so that rotating it does not expose you to ever more relays. There are no permanent circuits.

< About Hidden Services />

To close this story about onion routing, I will explain a bit about what hidden services (now called onion services) are and what they are used for. So, how do they work?
Onion services are a feature that allows your machine to offer services under a name in the special .onion domain, which can only be reached by Tor users through the Tor network.
The name is generated automatically from the service’s key pair: for the classic version 2 services it is the first 80 bits of the SHA-1 hash of the public key, encoded in base32, which gives 16 characters, so addresses look like “https://3g2upl4pq6kufc4m.onion/” (the onion site of the search engine DuckDuckGo). The address cannot be chosen freely afterwards; “vanity” prefixes are obtained by generating keys until one hashes to the wanted prefix. Version 3 services (Tor 0.3.2) embed the whole ed25519 public key in the address, which is why their names are 56 characters long.
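The derivation just described, as an added example (not tor’s own code): the v2 formula the text explains, plus the v3 formula for comparison, with a parser that verifies a v3 address’s checksum. SAMPLE_DER_KEY and SAMPLE_ED25519_KEY are constructed byte strings standing in for real keys, since generating real ones needs a crypto library.

```python
"""Onion address derivation, as an added example (not tor's own code).

The v2 formula is the one the text describes; the v3 formula (Tor 0.3.2) is
included for comparison. SAMPLE_DER_KEY and SAMPLE_ED25519_KEY are constructed
bytes standing in for real keys, since generating them needs a crypto library.
"""
import base64
import hashlib

V3_VERSION = b"\x03"
B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"

# Constructed stand-ins, not real keys.
SAMPLE_DER_KEY = b"\x30\x81\x89\x02\x81\x81" + bytes(range(128)) + b"\x02\x03\x01\x00\x01"
SAMPLE_ED25519_KEY = bytes(range(32))


def v2_onion_address(der_public_key: bytes) -> str:
    """v2: base32 of the first 80 bits (10 bytes) of SHA-1 over the DER-encoded RSA key."""
    digest = hashlib.sha1(der_public_key).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


def is_v2_label(label: str) -> bool:
    """Shape check only: 16 base32 characters (v2 carries no checksum to verify)."""
    return len(label) == 16 and all(c in B32_ALPHABET for c in label)


def _v3_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def v3_onion_address(ed25519_public_key: bytes) -> str:
    """v3: base32(pubkey || checksum[:2] || version); 35 bytes encode to 56 characters."""
    if len(ed25519_public_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    raw = ed25519_public_key + _v3_checksum(ed25519_public_key) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_v3_onion_address(address: str) -> bytes:
    """Validate a v3 address and return the embedded public key; raise ValueError otherwise."""
    label = address.lower()
    if label.endswith(".onion"):
        label = label[:-6]
    if len(label) != 56:
        raise ValueError("v3 onion addresses are 56 characters")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION:
        raise ValueError("unexpected version byte")
    if checksum != _v3_checksum(pubkey):
        raise ValueError("checksum mismatch: address mistyped or tampered with")
    return pubkey


def v3_address_is_valid(address: str) -> bool:
    """Convenience wrapper: True only if the address parses and its checksum matches."""
    try:
        parse_v3_onion_address(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("v2 (from constructed DER):", v2_onion_address(SAMPLE_DER_KEY))
    addr = v3_onion_address(SAMPLE_ED25519_KEY)
    print("v3 (from constructed ed25519):", addr)
    print("v3 checksum verifies:", v3_address_is_valid(addr))
```

The practical point of the v3 layout is that the address *is* the public key, so a client can check the checksum before doing a single network request and, later, verify the service’s descriptor signature against a key it already trusts; a mistyped v3 address fails locally instead of reaching the wrong site.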

The good thing about onion services is that you can offer any service you want on an onion site as long as it uses TCP, like SSH, Telnet, FTP, IRC or just a website, and it can be reached, and published, anonymously. You can, for example, set up an Apache web server on a virtual machine behind NAT and expose it through Tor without opening any inbound port. Easy and secure, as long as the server only listens on localhost and does not leak its real hostname or IP address in error pages or headers.
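An added torrc example for that setup (not from the original post): it exposes a web server on the local machine as a version 3 onion service. The directory path and the port 8080 are assumptions; only the three directive names are tor’s.

```conf
# Added example torrc fragment, not from the original post.
# Tor creates the directory (keys + "hostname" file) on first start; keep it
# private, the private key inside it is the service's identity.
HiddenServiceDir /var/lib/tor/example_onion/
HiddenServiceVersion 3
# virtual port 80 on the .onion -> the web server bound to localhost only
HiddenServicePort 80 127.0.0.1:8080
```

The web server must then listen on 127.0.0.1:8080 only (for Apache, `Listen 127.0.0.1:8080`), otherwise the same content may also be reachable directly on the machine’s public address and the two can be linked. After restarting tor, the generated address is in `/var/lib/tor/example_onion/hostname`.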

Onion services work inside the Tor relay network and are hosted this way:

The onion service builds circuits of its own to a few relays it selects as introduction points: proxies that protect the machine’s identity. It then publishes a descriptor, signed with its key and listing those introduction points and the public key clients should use, to the hidden service directory (HSDir) relays; a client looking for “abcdexample12345.onion” fetches this descriptor to learn how to reach the service.

You can see how onion service circuits are built in your own browser. If you want more information about onion services, you can read about them here: https://www.torproject.org/docs/onion-services.html.en

Then the client picks one random relay from the network to act as the meeting place between itself and the service: the rendezvous point. The client tells the service about it through one of the introduction points, and the service builds its own circuit to the same rendezvous point. This is the table where “client and server sit and talk”. Each side reaches the rendezvous point through its own three-hop circuit, so the complete path is six hops, and the traffic between client and service is encrypted end to end; the rendezvous relay only passes ciphertext.

As you might expect, onion services are not reached through an exit node, as in the usual “browser => Tor => clearnet website” relationship. Instead, they work differently and are offered inside a protected and anonymous space, for the administrator but also for the clients who visit the site. This is how, for example, dissidents can read newspapers or just use search engines without “direct consequences”. Notice that the traffic is still encrypted even over plain HTTP, because it never leaves the Tor encryption. But whenever possible use HTTPS anyway, whether you are a client or a web server admin. An extra security layer on your website is always good!


Hope it wasn’t too heavy, and hope you liked it.


Kimchi and Ransomware. Incident Responder and sort of malware analyst in my free time. Personal blog, opinions are my own.