Skip navigation

The Onion Router Downside

Two weeks ago, I wrote about a portable Web browser, Torpark, that's designed to keep you relatively anonymous as you browse. Torpark is based on the Mozilla Firefox source code, and you might recall that one of the big advantages of using Torpark is that it comes with The Onion Router (Tor) built in. So you don't need to install and configure that separately. If you missed that editorial, you can read it at the URL below.

Tor is a client and server SOCKS-based proxy that's designed to route traffic through a series of anonymous servers, the number of which varies depending on how you configure the Tor client. Anyone can run a Tor client or server without having to reveal anything to the outside world except an IP address, and that address is made known only to the first Tor server your traffic passes through.

Traffic is encrypted by Tor along the route, and Tor routers know only about the hops of the routers immediately before and after them. Tor handles its own traffic encryption, so in theory, Tor server operators shouldn't be able to snoop on the contents of your network traffic.

The exception is the Tor server operator of the exit router--the last hop along your traffic's route through Tor servers. Other servers on the Internet don't understand Tor encryption, so obviously they can't receive and process traffic that originates from a Tor network. Therefore the traffic must be decrypted before being passed on to its final destination. And therein resides Tor's inherent weakness. You must trust an unknown Tor server operator to not snoop on your traffic as it exits the Tor network. Inevitably, some Tor server operators do snoop on traffic. That's why I said that Tor provides "relative" anonymity. It protects your actual IP address but not the nature of what you're doing on the Internet.

Anyone that can see your Internet traffic can also manipulate it. This certainly holds true for Tor exit server operators. This presents another danger of using Tor. In one of many possible scenarios, someone could monitor for traffic destined for port 80, typically used for Web traffic, and then manipulate Web pages, cookies, headers, and so on in just about any way you can image. Now someone has proven just how easy it is to use this weakness to discover your real IP address, which in effect destroys your anonymity and thus defeats the purpose of using Tor.

"Practical Onion Hacking, Finding the real address of Tor clients" (at the URL below), is a white paper produced by the FortConsult Security Research Team and published on the Packet Storm Security Web site. The paper shows, step by step, how the researchers were able to use readily available scripts and software packages to inject a "Web bug" into Web traffic. The Web bug is a typical cookie designed and used in conjunction with browsers that have JavaScript or Adobe Flash enabled. When Tor is used directly (i.e., without a go-between, which I'll explain in a moment), either of those two technologies will reveal the cookie and thus the real IP address of the user.

JavaScript code can be written to collect a system's IP address, and the address can be placed in a cookie that can be read by a Web server. Flash doesn't understand the SOCKS protocol at all, so if a Flash object requires network connectivity for whatever reason, it completely bypasses the Tor network.

As I suggested earlier, there is a way to eliminate both of these weaknesses--by using a standard proxy server as a go-between between client applications and the Tor client. One such proxy server is Privoxy, which can strip out JavaScript, cookies, and other unwanted content. Privoxy understands the SOCKS protocol, so it can be configured to send traffic through Tor. With Privoxy as a go-between, even Flash would run its connectivity needs through Tor.

If you're interested in Tor's weaknesses, or even in how easy it is to manipulate network traffic, then be sure to read the white paper.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.