SecureWorld News

Privacy and TOR

Written by Joel Weise | Tue | Feb 17, 2015 | 7:40 PM Z

In our last article we discussed the challenges of privacy and anonymity for individuals. I think it's safe to say that today, maintaining one's privacy and anonymity is not that easy; certainly not without some level of effort. That is to say, one must be proactive if they desire to maintain some semblance of privacy and anonymity.

There are different ways to maintain your privacy and anonymity. Some are easier than others. One can simply opt-out from social media, turn off cookies on your browser, stop providing details about yourself for the sake of a $5 discount on something and basically do not take advantage of much that the Internet has to offer. For many, this is not really a choice or their desire, so let's look at two primary alternatives, proxy services and TOR. Let's also keep in mind my basic premise is that if you have some level of anonymity then you can likewise achieve some level of privacy. As a side note, for those that are curious, no, having some level of privacy does not mean having anonymity.

A proxy service is typically used to disassociate your IP address by allowing you to connect through the service, usually with an encrypted VPN. Proxy services are certainly useful but they do have limitations. In order to connect a session the proxy service must know your true IP address so they can route network traffic accordingly. The risk here is that depending upon where your proxy service resides, it could be subject to legal orders mandating the service to turn over your actual IP address. This is in my humble opinion not the best solution as you may not be able to maintain your desired anonymity.

Let's now turn to TOR. TOR is a good way to obtain a high degree of anonymity for reasons that should shortly become clear. So what is TOR? TOR is an acronym for The Onion Router. To the surprise of some, an underground consortium of hackers did not originally develop TOR. Rather the U.S. Navel Research Laboratory developed it in the mid-1990. What TOR provides are the tools to actually realize some level of privacy and anonymity. According to torproject.org, TOR:

"... protects you against a common form of Internet surveillance known as 'traffic analysis.' Traffic analysis can be used to infer who is talking to whom over a public network. Knowing the source and destination of your Internet traffic allows others to track your behavior and interests."

In other words, TOR provides anonymity.

Without going into too much detail, imagine TOR as a series of proxies, each of which does not know the complete network path your data traverses. As do proxy services TOR also encrypts traffic but does so uniquely between the different nodes that make up your network path. TOR uses three classes of nodes, relay nodes, exit nodes and bridge nodes. For simplicity we will discuss the first two. Assuming one has downloaded and installed the TOR software, TOR randomly creates a circuit through which a user's network traffic will flow. The first node is the entry node and the only node that actually communicates or has knowledge of the user. A series of relay nodes is then used to route network traffic, each of which are only aware of the adjacent nodes they communicate with, until it reaches an exit node. Further, these nodes change over time and thus your network path with likewise change. These make determining your origination point very difficult.

It should be obvious why I recommend TOR over other mechanisms. With the wide and varied distribution of nodes and the use of encryption, we no longer must rely on a single point of failure as we do in a standard proxy service. More importantly, there is no one single entity that runs the TOR network and thus there is really no one entity that can be served with and respond to a CALEA or similar order.

A few last notes on TOR. I stated that TOR provides the tools to enable one to maintain some level of privacy and anonymity. What users must keep in mind, even when using TOR it is very easy to disclose data about yourself, for example, on a site you are visiting. Doing so defeats the purpose of using any anonymity tool. The other thing users should understand is very simple, nothing is perfect and like any system there are attacks that could affect the security and integrity of TOR. For example, it can be possible for someone running an exit node to eavesdrop on the network traffic using that node. We will save the discussion on TOR attacks for another day.

For those interested in testing TOR, it can be downloaded from: https://www.torproject.org