Misconceptions of TOR

In this short lecture, I will explain some things about Tor.
Namely: what it is, what it was meant to be, why it’s still secure, how to use it safely, and why FBI exit nodes don’t mean a damn thing.

So, what exactly is TOR?

Tor is a low-latency anonymity network, designed primarily to provide anonymity and nothing more. Tor today is run almost entirely by volunteers and the Electronic Frontier Foundation, whose homepage can be found at http://eff.org. The concept of onion routing, which is the core of the Tor network and what makes it function, was originally designed by the United States Navy for their own private usage, and later recreated in a more refined form by the Tor Project. It is not meant to be a full security solution.
Tor alone can, in most cases, provide strong anonymity to its user through the use of onion routing and RSA encryption.

How does onion routing work?

Onion routing was developed by Michael G. Reed (formerly of Extreme Networks), Paul F. Syverson, and David M. Goldschlag, and patented by the United States Navy in US Patent No. 6266704 (credit for this information: Wikipedia).
In an onion routing circuit, RSA encryption is used in layers. Each node can only decrypt one layer, because the layers involve encrypting the data with each node’s public key.
Only the node’s private key can see the data. This makes it very hard to correlate what traffic is being sent where, and prevents any one node from learning both the origin and the content of the data.

But can’t my exit node tell who I am?

No. No it cannot.
Your exit node can only tell what you’re doing, not who you are.
Your entry node, on the other hand, can tell who you are but not what you’re doing.
The chances of BOTH of these nodes being run by the same, or cooperating, adversaries are slim to none.
Even if they were, there is also a middle node to help stop correlation-related attacks.
The worst case scenario, an exit node injecting malicious code into your stream, can be solved simply by good data hygiene and BLOCKING SCRIPTS.
Seriously. Block scripts. For the good of mankind, block fucking scripts. It’s worth the 5 seconds of inconvenience.
Also, if you’re that worried about the exit seeing the content you’re sending and receiving, use TLS between yourself and your destination.
There is no magical TLS/SSL break that can be done without being noticed by a keen eye. Trust me on this one.
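To make the two points above concrete (one layer per hop, and the guard knowing who you are while the exit knows only what you are doing), here is a toy three-hop circuit as an added example. It is not Tor's code or protocol: real Tor negotiates a key with each relay through a handshake and encrypts the layers with AES, whereas this script derives each layer from an HMAC-SHA256 keystream so it runs with the standard library alone. The relay names, keys, client address, destination and sample request are all constructed, and the `end_to_end_key` parameter is a stand-in for TLS between you and the destination, not TLS itself.

```python
"""Toy three-hop onion circuit showing what each relay can and cannot see.

Added illustration, not Tor's real protocol or code: Tor agrees a key with
each relay through a circuit-extension handshake and encrypts the layers
with AES; here each layer is an HMAC-SHA256 keystream XORed onto the cell
so the script needs only the standard library. Relay names, keys, the
client address and the sample request are all constructed.
"""
from __future__ import annotations

import hashlib
import hmac

CLIENT = "203.0.113.5"        # constructed client address (documentation range)
DEST = "example.org:80"       # constructed destination
PATH = ["guard", "middle", "exit"]

# One symmetric key per relay, shared only between the client and that relay.
# Derived from fixed labels so the run is reproducible; constructed values.
RELAY_KEYS = {hop: hashlib.sha256(f"{hop}-circuit-key".encode()).digest()
              for hop in PATH}


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stand-in for a stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_layer(key: bytes, data: bytes) -> bytes:
    """Add or remove one layer: XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(payload: bytes) -> bytes:
    """Client side: wrap the payload in one layer per relay, exit layer first.

    Every layer starts with a routing header (next hop, then '|') that only
    the relay holding that layer's key can read; everything after it stays
    opaque to that relay.
    """
    cell = xor_layer(RELAY_KEYS[PATH[-1]], DEST.encode() + b"|" + payload)
    for i in range(len(PATH) - 2, -1, -1):
        cell = xor_layer(RELAY_KEYS[PATH[i]], PATH[i + 1].encode() + b"|" + cell)
    return cell


def relay_peel(hop: str, cell: bytes) -> tuple[str, bytes]:
    """Relay side: strip exactly one layer; return (next hop, cell to forward)."""
    plain = xor_layer(RELAY_KEYS[hop], cell)
    next_hop, rest = plain.split(b"|", 1)
    return next_hop.decode(), rest


def run_circuit(request: bytes, end_to_end_key: bytes | None = None) -> dict:
    """Walk one cell through the path and record what each relay learns.

    end_to_end_key stands in for TLS between client and destination: when
    set, the request is encrypted before it enters the circuit, so even the
    exit sees only ciphertext. Only the destination holds that key.
    """
    payload = xor_layer(end_to_end_key, request) if end_to_end_key else request
    cell = build_onion(payload)
    view = {}
    prev = CLIENT
    for hop in PATH:
        next_hop, cell = relay_peel(hop, cell)
        view[hop] = {
            "sees_source": prev == CLIENT,         # only the guard is talked to by the client
            "sees_destination": next_hop == DEST,  # only the exit learns the site
            "sees_plaintext": cell == request,     # only the exit, and only without TLS
            "from": prev,
            "to": next_hop,
        }
        prev = hop
    # The destination removes the end-to-end layer, if there is one.
    view["delivered"] = xor_layer(end_to_end_key, cell) if end_to_end_key else cell
    return view


if __name__ == "__main__":
    req = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"
    for label, key in (("plain HTTP", None),
                       ("with end-to-end TLS stand-in", b"tls-session-key")):
        print(f"--- {label}")
        v = run_circuit(req, key)
        for hop in PATH:
            print(hop, v[hop])
        print("delivered:", v["delivered"])
```

Running it shows the guard with `sees_source` true and nothing else, the middle relay with nothing but the names of its two neighbours, and the exit with the destination and (in the plain HTTP run only) the request bytes. No single relay ever holds both the source and the plaintext, which is the property the section above relies on; the second run is why the advice to use TLS matters, since it takes the plaintext away from the exit as well.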

But… but what about Freedom Hosting?

The Freedom Hosting hack, some say, should be an example of why not to use Tor.
I, on the other hand, see it as a testament to Tor’s security.
This attack was carried out because the FBI could not attack the Tor network directly.
They were forced to compromise not the network itself, but a single hidden service host.
Not only that, but the malware injected into the pages was JavaScript-based and only affected Windows users running the official Tor Browser.
For this reason, this operation should be upheld as proof that the Tor network is safe. If it were not, things would’ve gone much more smoothly for our Federal friends.
There are more ways to connect an application to Tor than by using the official TBB. We should all know this by now.

OMG FBI EXIT NODES!!

Stop spreading fear, uncertainty and doubt. An FBI exit node is no different from any other exit node.
They may collect data, yes, but what determines what data they receive, and if they can trace it back to you, is you.
An exit node can see what you’re sending, but not who you are. Use this to your advantage.
Due diligence while using Tor can thwart literally any attempt to trace you.
Sandbox your browser, use SSL/TLS, use an outbound firewall, make sure you’re not executing any possibly malicious code and you’re golden.

(x) doesn’t support Tor!

Deal with it. More specifically, deal with it by transparently proxying the application using ADVor, or iptables on Linux.
There’s a great Wiki page about this written by the Tor devs themselves, hosted here: https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy

Conclusion/questions/comments/missed stuff?

Thanks for reading, and I know this isn’t so much a “tutorial”, so to speak, as a correction of your mindset about Tor.
Please feel free to contact me or correct me on things I posted in this article, and I will update it as soon as I can.
