The Pros and Cons of Open Source Security: Peeling Back the Layers of the Tor Network
www.NtrepidCorp.com
The Pros and Cons of Open Source Security
Tor: An Overview
Tor was originally built by the U.S. Naval Research Laboratory's Onion Routing Program with support from DARPA (Defense Advanced Research Projects Agency). Now distributed as an open source project run by the nonprofit Tor Project (torproject.org), it is a popular non-attribution system. Tor is intended to let users connect to Internet services, including websites, without revealing their real IP addresses to the destination. Tor carries TCP connections only (which covers most Internet traffic; UDP is not tunneled). A client's TCP streams are multiplexed over a circuit, which is typically made up of three relays: the first is the entry relay (also called the entry guard, because a client keeps using the same one for a long period), the second is the middle relay, and the last is the exit relay. The client shares a separate key with each relay and wraps its traffic in one layer of encryption per hop, so each relay can remove only its own layer. Under ideal circumstances, the entry relay is therefore the only one that sees the real IP address of the client, the exit relay is the only one that sees the real IP address of the destination, and the middle relay sees neither; it knows only the entry and exit relays on either side of it. By default, new streams are sent over the current circuit for about ten minutes (Tor's MaxCircuitDirtiness setting), after which the client builds a fresh circuit for new streams; streams already in progress stay on the circuit they started on.
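The following script is an added illustration of the partial view each hop gets; it is not Tor's code or wire format. Tor negotiates an AES key with each relay through a Diffie-Hellman handshake and keeps next-hop routing state in the circuit rather than in the cell; here the relay names, the pre-shared per-hop keys, the client and destination strings and the HMAC-SHA256 keystream "cipher" are all constructed stand-ins chosen to show who learns what, and the cipher is not secure.

```python
"""Toy onion circuit showing what each hop of a three-relay circuit can observe.

Added illustration, not Tor's code. Per-hop keys are constructed pre-shared values and
the cipher is an HMAC-SHA256 counter keystream XOR: a stand-in, not a secure cipher.
"""
import hashlib
import hmac
import json

# Constructed circuit: (relay name, per-hop key). Entry first, exit last.
HOPS = [("entry", b"key-entry"), ("middle", b"key-middle"), ("exit", b"key-exit")]
CLIENT = "client 203.0.113.7"          # documentation address, constructed
DESTINATION = "www.example.net:80"
PAYLOAD = "GET /report HTTP/1.1\r\nHost: www.example.net\r\n\r\n"


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream; applying it twice decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(hops, destination: str, payload: str) -> str:
    """Client side: wrap the payload in one layer per hop, exit key innermost.

    Each layer tells its hop only the next hop's name and hands it an opaque blob."""
    next_hop, blob = destination, payload
    for name, key in reversed(hops):
        layer = json.dumps({"next": next_hop, "data": blob}).encode()
        blob = toy_cipher(key, layer).hex()
        next_hop = name
    return blob


def peel_layer(key: bytes, blob: str):
    """Relay side: strip this hop's layer, learning only the next hop and an inner blob."""
    layer = json.loads(toy_cipher(key, bytes.fromhex(blob)))
    return layer["next"], layer["data"]


def run_circuit(client: str, hops, destination: str, payload: str):
    """Forward the onion hop by hop and record what every relay could observe."""
    view = {}
    prev, blob = client, build_onion(hops, destination, payload)
    for name, key in hops:
        nxt, inner = peel_layer(key, blob)
        view[name] = {"from": prev, "to": nxt, "sees_payload": payload in inner}
        prev, blob = name, inner
    return view, blob  # blob is now the cleartext the exit sends to the destination


if __name__ == "__main__":
    observed, delivered = run_circuit(CLIENT, HOPS, DESTINATION, PAYLOAD)
    for relay, what in observed.items():
        print(f"{relay:>6}: from={what['from']!r} to={what['to']!r} payload={what['sees_payload']}")
    print("exit delivers:", delivered.splitlines()[0])
```

Running it shows the entry relay seeing the client address but only "middle" as its next hop, the middle relay seeing nothing but the two relays beside it, and the exit relay seeing the destination and the cleartext request; that last line is the property every vulnerability section below builds on.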
Tor and its Scope of Anonymity
To understand the technology, one must examine Tor's threat model and the non-attribution it attempts to provide. Ideally, a non-attribution system would protect against a global adversary able to observe or control the entire network. Tor's designers deliberately chose a low-latency design so that interactive traffic such as web browsing would remain usable, and Tor's own design paper states that it does not defend against a global passive adversary. The trade-off for speed is that an adversary who can watch both ends of a circuit, whether by observing the network or simply by running the entry and exit relays a user happens to pick, can correlate the timing and volume of traffic entering and leaving the network and so link the user's real IP address to the destination. If the traffic is not separately encrypted end to end, its content is exposed at the exit as well. In essence, any sensitive emails, plans or other mission communications could be monitored if they are routed through relays managed by a single owner or a group of cooperating hostile individuals.
To demonstrate the vulnerabilities associated with Tor, one need only look at a well-documented case from 2007 in which Dan Egerstad, a Swedish computer consultant, exposed confidential information by running his own Tor exit relays. Without hacking any computers, he obtained credentials for over 1,000 foreign government and embassy email accounts simply by monitoring the traffic that passed through his exits. Because the mail was fetched and sent over unencrypted protocols, it was in the clear at the exit relay, and he was able to read information about government field agents, including passport numbers, birth dates, addresses, visa requests, email account names and passwords, and detailed meeting schedules. He later posted 100 sets of usernames and passwords on his website to underline the point.
Benefits of Tor
There have been few non-academic examples of Tor user data or identities revealed in practice, and Tor has
been successfully used to get around website censorship in more than 20 countries that censor political and
human rights sites.
Vulnerabilities Associated with Using Tor
Abusive users can cause relays to be shut down
It is widely known that legitimate exit relay operators have a hard time because of the malicious behavior of some Tor users. Exit operators receive a large number of complaints, including DMCA Section 512 takedown notices for copyright infringement, as well as reports of hacking attempts, IRC botnet command-and-control traffic, and website defacement, all of which appear to come from the exit's IP address.
Increased likelihood of blocking
Websites can easily block traffic originating from Tor because the addresses of all Tor relays are published in the hourly network consensus by Tor's directory authorities, and the Tor Project also publishes a list of exit addresses. A website administrator need only fetch that data periodically and block (or challenge) connections from the addresses on it. Only exit relays ever connect to a destination, so a rule that blocks every relay address over-blocks guards and middles without stopping any additional Tor traffic. This is a fairly common practice, since administrators regard Tor connections as higher-risk. It is particularly true for services that already know the user's true identity, such as a bank, brokerage or utility, where anonymity gains the legitimate user nothing and an anonymous login looks like account takeover.
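The blocking rule described above, as an added example rather than code from the paper or the Tor Project. SAMPLE_CONSENSUS is a constructed fragment in the shape of the network-status consensus that Tor's directory authorities publish (documentation address ranges and made-up nicknames, identity and digest fields); a real consensus lists thousands of relays. The script keeps only relays that carry the Exit flag and whose exit-policy summary accepts the port the site serves, since those are the only addresses Tor traffic can arrive from.

```python
"""Build a block list of Tor exit addresses from a network-status consensus.

Added example, not Tor Project code. SAMPLE_CONSENSUS is a constructed fragment in the
consensus layout (documentation addresses, made-up identity/digest fields).
"""
import ipaddress

SAMPLE_CONSENSUS = """\
r alphaRelay AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-12-01 10:00:00 192.0.2.10 9001 9030
s Exit Fast Guard Running Stable Valid
w Bandwidth=18000
p accept 80,443
r betaRelay CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-12-01 10:00:00 192.0.2.11 9001 0
s Fast Guard Running Stable Valid
w Bandwidth=9000
p reject 1-65535
r gammaRelay EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2014-12-01 10:00:00 198.51.100.5 443 80
s Exit Fast Running Valid
w Bandwidth=2500
p accept 80
"""


def parse_relays(consensus_text: str) -> list:
    """One record per relay: the address is the third field from the end of the `r`
    line, so both the full and the microdescriptor consensus layouts work; the `s`
    line carries flags and the `p` line the exit-policy summary."""
    relays, current = [], None
    for line in consensus_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 8:
            current = {"nickname": parts[1], "ip": parts[-3],
                       "flags": set(), "policy": "reject 1-65535"}
            relays.append(current)
        elif parts[0] == "s" and current is not None:
            current["flags"] = set(parts[1:])
        elif parts[0] == "p" and current is not None:
            current["policy"] = " ".join(parts[1:])
    return relays


def policy_allows(summary: str, port: int) -> bool:
    """Evaluate a `p` summary such as "accept 80,443" or "reject 1-65535" (inclusive ranges)."""
    kind, _, ports = summary.partition(" ")
    for item in ports.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return kind == "accept"
    return kind != "accept"


def exits_for_port(relays: list, port: int) -> set:
    """Addresses that can originate connections to `port`: relays with the Exit flag
    whose policy accepts it. Guards and middles never connect to a destination, so
    blocking every relay address only over-blocks."""
    blocked = set()
    for relay in relays:
        if "Exit" in relay["flags"] and policy_allows(relay["policy"], port):
            blocked.add(str(ipaddress.ip_address(relay["ip"])))  # normalise the address
    return blocked


def is_tor_exit(client_ip: str, blocked: set) -> bool:
    """The per-request check a web server or WAF rule would run."""
    return str(ipaddress.ip_address(client_ip)) in blocked


if __name__ == "__main__":
    exits = exits_for_port(parse_relays(SAMPLE_CONSENSUS), 443)
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.5", "203.0.113.9"):
        print(ip, "block" if is_tor_exit(ip, exits) else "allow")
```

In production the consensus would be fetched from a directory authority or mirror, or the Tor Project's bulk exit list (https://check.torproject.org/torbulkexitlist) would be used instead, and the set refreshed at least hourly, since a new consensus is published every hour and exits come and go.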
The trouble with insecure protocols
If a client uses a cleartext protocol such as POP3 or IMAP without TLS (common for email), Telnet or FTP, or mistakenly enters identifying information into a non-HTTPS web page, the exit relay can read and store login credentials or critical mission communications. To make matters worse, by default a client multiplexes many streams over the same circuit. Once an exit relay sees identifying information in one stream, it can attribute every other stream on that circuit to the same user, including encrypted streams, whose content stays hidden but whose destinations the exit still sees. A circuit is replaced for new streams after roughly ten minutes by default, which leaves plenty of time; Tor's SOCKSPort isolation flags (IsolateDestAddr, IsolateDestPort and IsolateSOCKSAuth) can force different destinations or applications onto separate circuits, at the cost of building more of them.
Susceptible to monitoring
As traffic leaves the exit relay, the last Tor encryption layer has been removed, so whatever the application did not encrypt itself travels to the target in the clear. This lets the operator of the exit relay log or "sniff" all of the traffic that passes through that relay. It is widely believed that some people set up exit relays precisely to monitor traffic, steal passwords, read communications and gather other information for criminal use. The Tor directory authorities assign the BadExit flag to relays caught doing this so that clients stop using them as exits, but only after the behavior has been detected.
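The two preceding sections (cleartext protocols, and monitoring at the exit) describe the same observation point, so one added example covers both. It is not code from the paper or the Tor Project: STREAMS is a constructed set of exit-side observations for a single client, with documentation host names and made-up credentials, where the circuit ID is what ties the streams together and TLS streams expose only their endpoint. The script extracts logins from the cleartext streams and then attributes every destination on that circuit, encrypted or not, to the user it found.

```python
"""What an exit relay can harvest from cleartext streams, and how one leaked identity
taints every other stream on the same circuit.

Added illustration, not code from the paper or the Tor Project. STREAMS is constructed:
documentation host names, made-up credentials, one client, two circuits.
"""
import base64
import re

STREAMS = [
    {"circuit": 41, "stream": 1, "dest": "mail.example.gov", "port": 110,
     "plaintext": "USER agent.smith\r\nPASS Tr0ub4dor&3\r\nSTAT\r\n"},
    {"circuit": 41, "stream": 2, "dest": "www.example-bank.test", "port": 443,
     "plaintext": None},                      # TLS: content hidden, endpoint visible
    {"circuit": 41, "stream": 3, "dest": "intranet.example.gov", "port": 80,
     "plaintext": "GET /schedule HTTP/1.1\r\nHost: intranet.example.gov\r\n"
                  "Authorization: Basic "
                  + base64.b64encode(b"agent.smith:Tr0ub4dor&3").decode() + "\r\n\r\n"},
    {"circuit": 42, "stream": 1, "dest": "news.example.org", "port": 443,
     "plaintext": None},
]

FLAGS = re.M | re.I


def extract_credentials(plaintext):
    """Return (protocol, username, password) if a cleartext stream carries a login.
    Covers POP3/FTP USER+PASS, IMAP LOGIN and HTTP Basic; None for TLS or no login."""
    if plaintext is None:
        return None
    user = re.search(r"^USER (\S+)\r?$", plaintext, FLAGS)
    pw = re.search(r"^PASS (\S+)\r?$", plaintext, FLAGS)
    if user and pw:
        return ("pop3/ftp", user.group(1), pw.group(1))
    m = re.search(r"^\S+ LOGIN (\S+) (\S+)\r?$", plaintext, FLAGS)
    if m:
        return ("imap", m.group(1), m.group(2))
    m = re.search(r"^Authorization: Basic (\S+)\r?$", plaintext, FLAGS)
    if m:
        decoded = base64.b64decode(m.group(1)).decode("utf-8", errors="replace")
        name, _, secret = decoded.partition(":")
        return ("http-basic", name, secret)
    return None


def link_circuits(streams):
    """Group streams by circuit. Where any stream on a circuit leaked a login, every
    destination on that circuit, encrypted or not, is attributed to that user."""
    by_circuit = {}
    for s in streams:
        by_circuit.setdefault(s["circuit"], []).append(s)
    report = {}
    for circuit, group in by_circuit.items():
        found = [c for c in (extract_credentials(s["plaintext"]) for s in group) if c]
        report[circuit] = {
            "user": found[0][1] if found else None,
            "credentials": found,
            "destinations": [f"{s['dest']}:{s['port']}" for s in group],
        }
    return report


if __name__ == "__main__":
    for circuit, info in link_circuits(STREAMS).items():
        who = info["user"] or "unknown"
        print(f"circuit {circuit}: user={who} destinations={info['destinations']}")
```

Circuit 41 ends up attributed to agent.smith, together with the bank the same person visited over TLS; circuit 42, which carried only encrypted traffic, stays anonymous. The defensive reading is the one the paper draws: use end-to-end encrypted protocols (POP3S/IMAPS, HTTPS) over Tor, and isolate unrelated activity onto separate circuits.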
Cannot protect against cloaking
Cloaking is a common practice in which a website changes the content of a page based on the IP address or geographic location of the visitor. One example is Aljazeera.net, which has from time to time shown dramatically different content depending on the origin of the visitor's IP address: users connecting from addresses recognized as Middle Eastern are shown different content than those arriving from a Western IP address. Tor does not let a user choose an exit relay or location easily. The ExitNodes option in torrc can request exits in a given country (for example, ExitNodes {us}), but it is an advanced setting, it shrinks the set of exits the client will use, which makes that client easier to distinguish, and it fails outright when no exit exists in the desired region. It is also unlikely that an exit relay exists in the region you would want your traffic to appear to originate from, as the vast majority of the network's exit relays are located in Germany, the United States, France, Switzerland, the Netherlands and Finland.
It’s easy to break non-attribution with a little bit of funding
Five percent of all Tor relays carry fifty percent of all traffic, because clients choose relays in proportion to their measured bandwidth and so favor the fastest ones. An adversary who controls a set of the highest-performing relays therefore has a high probability of being both the entry and the exit of any given circuit, which allows the user's real IP address and the destination to be correlated and, for traffic that is not encrypted end to end, its content to be read. In effect, such an adversary monitors a substantial share of all users' traffic, and the share grows with the bandwidth it is willing to pay for.
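An added model of the claim made here and in the threat-model section above, not code from the paper or from Tor's source. RELAYS is constructed so that two of 42 relays (about 5%) carry half of all bandwidth, echoing the paper's figure, and the adversary runs just those two. It simplifies Tor's real path selection: one pinned entry guard per client, plain bandwidth weighting with no consensus weight factors, and no family or /16 exclusions between guard and exit. The closed form is the product of the adversary's guard and exit bandwidth shares; the simulation shows the same average but also that the exposure is bimodal per client.

```python
"""Bandwidth-weighted path selection: how much traffic a well-funded adversary can
correlate end to end.

Added example, not from the paper or Tor's source. RELAYS is constructed so that two
of 42 relays (about 5%) carry half of all bandwidth. Simplified model: one pinned
guard per client, plain bandwidth weights, no family or /16 exclusions.
"""
import random

RELAYS = [{"name": "big-guard", "bw": 40000, "guard": True, "exit": False},
          {"name": "big-exit", "bw": 40000, "guard": False, "exit": True}]
RELAYS += [{"name": f"guard{i}", "bw": 2000, "guard": True, "exit": False} for i in range(20)]
RELAYS += [{"name": f"exit{i}", "bw": 2000, "guard": False, "exit": True} for i in range(20)]
ADVERSARY = {"big-guard", "big-exit"}   # the adversary runs only the two largest relays


def adversary_share(relays, adversary, role):
    """Fraction of the bandwidth in the guard or exit pool owned by the adversary."""
    pool = [r for r in relays if r[role]]
    total = sum(r["bw"] for r in pool)
    return sum(r["bw"] for r in pool if r["name"] in adversary) / total


def expected_compromise_rate(relays, adversary):
    """Probability that a circuit's entry and exit are both adversary relays, so the
    adversary sees the client IP at one end and the destination at the other and can
    correlate them. Both hops are picked in proportion to bandwidth, hence the product."""
    return adversary_share(relays, adversary, "guard") * adversary_share(relays, adversary, "exit")


def pick(rng, candidates):
    """Bandwidth-weighted relay choice, as Tor's path selection does."""
    return rng.choices(candidates, weights=[r["bw"] for r in candidates], k=1)[0]


def simulate_user(relays, adversary, circuits, seed):
    """One client: choose an entry guard once (Tor keeps guards for months), then build
    `circuits` circuits with fresh exits. Returns the fraction that were correlatable."""
    rng = random.Random(seed)
    guard = pick(rng, [r for r in relays if r["guard"]])
    if guard["name"] not in adversary:
        return 0.0          # honest guard: the adversary never sees this client's IP
    exits = [r for r in relays if r["exit"] and r is not guard]
    hits = sum(pick(rng, exits)["name"] in adversary for _ in range(circuits))
    return hits / circuits


def simulate_population(relays, adversary, users=4000, circuits=40, seed=1):
    """Average over many clients. Converges on expected_compromise_rate, while each
    individual client is either untouched or heavily exposed (see simulate_user)."""
    return sum(simulate_user(relays, adversary, circuits, seed + i) for i in range(users)) / users


if __name__ == "__main__":
    print("closed form:", expected_compromise_rate(RELAYS, ADVERSARY))
    print("simulated  :", round(simulate_population(RELAYS, ADVERSARY), 3))
    print("per-user   :", [simulate_user(RELAYS, ADVERSARY, 40, s) for s in range(6)])
```

With just those two relays the adversary holds half of the guard bandwidth and half of the exit bandwidth, so a quarter of all circuits are correlatable on average. The per-user line makes the guard design visible: a client that picked an honest guard shows 0.0 for every circuit, while a client that picked the adversary's guard has roughly half of its circuits exposed for as long as it keeps that guard.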
Conclusion
While it is up to each individual user to determine whether Tor is the right solution for his or her needs, a risk assessment of the types of information and investigations that will be communicated through the Tor network is critical. For casual users, Tor may provide enough protection, but government and business organizations should weigh the consequences of operating through relays that may be monitored by hostile operators, who can read unencrypted traffic at the exit and, when they hold both ends of a circuit, attribute mission communications to a user's actual IP address.
Contact us to learn more:
[email protected]
or 800.921.2414
©2014 Ntrepid Corporation. All rights reserved. Ntrepid is a trademark of Ntrepid Corporation. 12-14-002