Has Tor been bugged by the NSA?
Last week I recommended people use Tor to anonymize their Web surfing. Some people think that's a dangerous idea.
About a week ago I posted an item about the NinjaStik, a USB thumb drive that uses The Onion Routing (Tor) to anonymize your Web surfing and otherwise protect you from the prying eyes of scary Three Letter Agencies. This post prompted the following comment from a (naturally) anonymous reader:
tor is not privacy. you have no idea who is running that node and they can collect your data quite easily. very dangerous article
In the past I have been accused of being a danger to myself and others, most often by my wife and typically while using power tools. But this is the first time I’ve been accused of writing anything dangerous. So it gave me pause. Is Tor actually unsafe? In other words, is that Tor node you just logged on to really being operated by the NSA? Am I just another unwitting tool of the Industrial Surveillance Complex?
Without getting excessively geeky and/or making my brain hurt, I decided to try and find out. Here’s my Tor Anonymity for Dummies explanation (which I’m sure some reader will write to tell me is totally wrong):
When you use Tor, it routes your traffic through three nodes, aka machines on the Tor network, chosen at random. The entry node knows your IP address but encrypts it and passes it on to the second node; the second node only knows the IP address of the first node, and passes it on to a third machine. The last machine in the chain (aka the exit node) decrypts the data, so it knows where to send your request, but it only knows the IP address of the last machine it touched, not the original IP address where the request was made.
This is why Tor is called The Onion Routing – it forces all traffic to pass through multiple layers.
Are there spooks operating Tor nodes? We can’t say for sure, but let’s assume they are.
If spook organization A happens to operate both the entry node and the exit node for your traffic, they could unravel your identity fairly easily. I don’t know what the odds are of that happening, but I can’t imagine they’re very high. And if you’re a particular kind of geek, you can manually select both the entry and exit nodes to pick ones you know are secure (or, at least, you think you know are secure).
If you are using Tor to send unencrypted information about yourself – like your email address or password – it could be captured by the spook’s exit node. The solution there is to use an encrypted connection.
Many sites like Google and Facebook allow you to connect using Secure Socket Layer (SSL), which is indicated by the https: in the URL address bar, and millions more have followed suit. The NinjaStik uses HTTPS Everywhere, a free browser extension developed by the Electronic Frontier Foundation that uses secure Web connections by default when available.
But there’s an exception here too. A very clever spook can strip out the SSL encryption but fool you into thinking it’s still there, as has been demonstrated by uber security geek Moxie Marlinspike, who despite that name is not actually a Marvel Comics supervillain.
There’s a 48-minute video of Marlinspike describing the hack here, if you’ve got the time. Frankly, the hair alone is worth it.
So is Tor safe?
Yes, says Andrew (no last name given) of the Tor Project, when I asked him.
Not necessarily, says Ashkan Soltani, independent security researcher of note.
“It ultimately depends on your threat model,” says Soltani. “Tor gives you one level of anonymity -- which is IP anonymity. It doesn't protect you from rogue exit nodes, transport layer security (sniffing on the entry/exit nodes), or correlation attacks from a very 'all seeing' adversary.”
You can look those up yourself, my brain is starting to throb.
To summarize, using Tor doesn’t protect you against any and all threats. Then again, nothing on this planet does. A determined adversary could theoretically defeat it. (Though if the spooks were that determined to spy on you in particular, they’d probably just secretly install a keylogger on your computer and capture everything you type.) In the overwhelming majority of cases, though, Tor is clearly more secure than going naked into the InterWebs.
Remember, Tor is an onion, which means it is very much like Shrek.
Any more questions?
Got a question about social media or privacy? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.