Using Tor: Assume Exit Nodes are Monitored

Ars Technica is reporting that a security consultant, Dan Egerstad, collected a large number of usernames and passwords by running Tor nodes, to illustrate proper and improper use of the widely used anonymity network. He volunteered to be part of the Tor network by running “exit nodes,” the last hop before traffic reaches the public Internet, and boy did he collect a lot of sensitive logins and passwords.

Particularly embarrassing is that the list included accounts used by embassy staff of Uzbekistan, Kazakhstan, Iran and India, among others. There seems to be no explanation other than the IT departments of these governments actually recommending Tor as standard operating procedure for accessing their accounts from abroad.

That’s not an appropriate use for Tor at all.

When this story broke in India, one of the news outlets tested the username/password to get into the account of a government official (which is of questionable journalistic ethics):

To check the authenticity, The Indian Express sent a test mail to the Indian Ambassador in China on her official email ID and, using the password posted online, was able to access it. The email account of the Indian Ambassador to China contained details of a visit by Rajya Sabha member Arjun Sengupta to Beijing earlier this month for an ILO conference. There was also a transcript of a meeting this evening which a senior Indian official had with the Chinese Foreign Minister.

Also on this list of shame were Hong Kong political parties and Legislative Council members. As a former resident of HK, I find this particularly bizarre, since the HK government has prided itself on being IT savvy on the world stage, even bragging about being the first in the world to put E-certificates on the Smart ID cards all Hong Kongers carry. It’s ironic that the E-cert system is so secure, complex and unusable in HK, while politicians are using cleartext mail protocols and sending their data through random untrusted computers.

Egerstad has paid special attention to HK (SCMP, Sep 9, 2007, subscription):

Swedish computer security consultant Dan Egerstad hopes to come to Hong Kong next month and visit some of the legislators and NGOs he exposed on his website as having weak internet security – but only if the police promise not to arrest him at the airport.

Mr Egerstad, 21, published the e-mail passwords of prominent legislators such as the Democratic Party’s Sin Chung-kai and Liberal Party vice-chairman Miriam Lau Kin-yee on the website dErangedsecurity.com. He also published the IP addresses of the e-mail servers.

Mr Egerstad trawled through the e-mails of the One Country Two Systems Research Institute of China and the Liaison Office of the Dalai Lama for Japan and East Asia, as well as the Hong Kong Human Rights Monitor.

How Tor Works

A quick recap: Tor works by using a volunteer network of computers that offer to relay your traffic, encrypted and anonymously, through the Tor network. Your traffic passes through three intermediary nodes (entry, middle and exit), wrapped in one layer of encryption per hop. Each relay strips its own layer and learns only which neighboring node the packets came from and which one they go to next; no single relay knows both who you are and the final destination address. There are some really smart people behind Tor like Roger Dingledine, and most experts agree that for anonymity, it does a very good job.

The problem is, people are using Tor without understanding exactly what it does and does not provide.

The weak link is where a user’s data finally emerges at the last computer (the exit node), which relays the request to the public Internet. Whoever operates that exit node can see what you’re sending and receiving. So while Tor provides end-user anonymity at the network/packet level (it hides your IP address from the destination), it does not provide end-to-end data secrecy. The traffic coming off the exit node on your behalf is exactly the protocol and data your application (Web browser, mail program, instant messenger, etc.) sent out.
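To make that concrete, here is a toy three-hop circuit written for this post. It is not Tor’s code and not Tor’s real cell format or cipher: a SHA-256 keystream XOR stands in for Tor’s AES-CTR, JSON stands in for relay cells, and the per-hop keys are just random bytes rather than the output of a circuit handshake. It wraps a constructed POP3 login in one layer per relay, lets each relay strip its layer, and records what each operator could log. A second run wraps the same login under a key shared only with the mail server, standing in for TLS, which is the end-to-end case covered further down. All hostnames and credentials are made up.

```python
"""Toy onion circuit: added illustration, not Tor's protocol or code."""
import base64
import hashlib
import json
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode. Toy only; stands in for Tor's AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh 8-byte nonce, then plaintext XOR keystream. Not for real use."""
    nonce = os.urandom(8)
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + body


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:8], blob[8:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))


class Relay:
    """One volunteer node. `log` is what an honest-but-curious operator can record."""

    def __init__(self, name: str):
        self.name = name
        self.key = os.urandom(32)   # assumption: in Tor this comes from the circuit handshake
        self.log = []


def build_onion(hops, destination: str, app_bytes: bytes) -> bytes:
    """Wrap app_bytes in one layer per hop, innermost (exit) layer first."""
    blob, next_hop = app_bytes, destination
    for hop in reversed(hops):
        layer = json.dumps({"next": next_hop, "body": base64.b64encode(blob).decode()})
        blob = toy_encrypt(hop.key, layer.encode())
        next_hop = hop.name
    return blob


def run_circuit(hops, blob: bytes):
    """Each relay strips its own layer, learns prev/next hop only, forwards the rest."""
    prev, dest = "client", None
    for hop in hops:
        layer = json.loads(toy_decrypt(hop.key, blob))
        blob, dest = base64.b64decode(layer["body"]), layer["next"]
        hop.log.append({"from": prev, "to": dest, "seen": blob})
        prev = hop.name
    return dest, blob   # where the exit sends it, and exactly what it sends


def demo():
    hops = [Relay("entry"), Relay("middle"), Relay("exit")]
    # Constructed sample: a cleartext POP3 login, as a mail client would send it.
    pop3_login = b"USER ambassador@embassy.example\r\nPASS hunter2\r\n"

    # Case 1: plain POP3 (port 110). Encrypted hop to hop, but the exit unwraps it all.
    dest1, wire1 = run_circuit(hops, build_onion(hops, "mail.embassy.example:110", pop3_login))

    # Case 2: same login under a key only client and server know (stands in for
    # POP3 over TLS on port 995). The Tor layers go around it, never inside it.
    server_key = os.urandom(32)
    e2e = toy_encrypt(server_key, pop3_login)
    dest2, wire2 = run_circuit(hops, build_onion(hops, "mail.embassy.example:995", e2e))

    return {
        "hops": hops,
        "exit_sees_plain": wire1,
        "exit_sees_e2e": wire2,
        "server_reads": toy_decrypt(server_key, wire2),
        "dest": (dest1, dest2),
    }


if __name__ == "__main__":
    result = demo()
    for hop in result["hops"]:
        for entry in hop.log:
            print(f"{hop.name:6} from={entry['from']:7} to={entry['to']:26} "
                  f"sees={entry['seen'][:40]!r}")
```

Run it and compare the three logs: the entry relay sees the client’s address but only ciphertext and “middle” as the next hop; the middle relay sees neither the client nor the destination; the exit sees the destination and, in the first run, the password in the clear. In the second run the exit still sees the destination host and port, but the body it forwards is opaque to it.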

If it’s a cleartext data stream like plain HTTP or mail without TLS (POP3, IMAP or SMTP), then anyone running a Tor exit node can see and capture it. And that’s what Egerstad did: he monitored his exit nodes for

“gov, government, embassy, military, war, terrorism, passport, visa” as well as domains belonging to governments.
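The kind of filter Egerstad describes is not sophisticated. The following Python is an added example for this post, not Egerstad’s tool and not part of the original article: it takes constructed sample streams, as a watcher at an exit (or an egress monitor on your own network, which is the defensive use of the same logic) would capture them, pulls credentials out of the cleartext protocols named above, and flags destinations that match his keyword list. Every host, user and password in it is made up.

```python
"""Cleartext credential harvester over captured flows: added example, constructed data."""
import base64
import re

# Egerstad's keyword list as quoted above. Plain substring matching is crude
# ("war" also hits "software"), which is about the net he describes casting.
WATCH_TERMS = ("gov", "government", "embassy", "military", "war",
               "terrorism", "passport", "visa")

# Constructed sample flows: (destination host, port, client-to-server bytes).
# None of these hosts, users or passwords are real.
SAMPLE_FLOWS = [
    ("mail.embassy.example", 110,
     b"USER consul\r\nPASS s3cret\r\nSTAT\r\n"),
    ("imap.military.example", 143,
     b'a001 LOGIN "attache" "passw0rd!"\r\na002 SELECT INBOX\r\n'),
    ("webmail.gov.example", 80,
     b"GET /inbox HTTP/1.1\r\nHost: webmail.gov.example\r\n"
     b"Authorization: Basic " + base64.b64encode(b"clerk:letmein") + b"\r\n\r\n"),
    ("smtp.example.org", 587,
     b"EHLO laptop\r\nAUTH PLAIN " + base64.b64encode(b"\0bob\0hunter2") + b"\r\n"),
    ("www.cnn.example", 80,
     b"GET /sports HTTP/1.1\r\nHost: www.cnn.example\r\n\r\n"),
    # POP3 over TLS: the watcher gets a handshake and ciphertext, nothing to read.
    ("mail.embassy.example", 995,
     b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x01" + bytes(range(32))),
]


def extract_credentials(port: int, stream: bytes):
    """Return (protocol, user, password) triples visible in one cleartext stream."""
    text = stream.decode("latin-1")   # one byte per char; never raises on binary
    found = []
    if port == 110:                   # POP3: USER and PASS on separate lines
        user = re.search(r"^USER (\S+)\r?$", text, re.M)
        pw = re.search(r"^PASS (.+?)\r?$", text, re.M)
        if user and pw:
            found.append(("pop3", user.group(1), pw.group(1)))
    elif port == 143:                 # IMAP: <tag> LOGIN user pass
        for m in re.finditer(r'^\S+ LOGIN "?([^"\s]+)"? "?([^"\r\n]+?)"?\r?$',
                             text, re.M | re.I):
            found.append(("imap", m.group(1), m.group(2)))
    elif port == 80:                  # HTTP Basic: base64(user:pass) in a header
        for m in re.finditer(r"^Authorization: Basic (\S+)", text, re.M | re.I):
            user, _, pw = base64.b64decode(m.group(1)).decode("latin-1").partition(":")
            found.append(("http-basic", user, pw))
    elif port in (25, 587):           # SMTP AUTH PLAIN: base64(authzid\0user\0pass)
        for m in re.finditer(r"^AUTH PLAIN (\S+)", text, re.M | re.I):
            parts = base64.b64decode(m.group(1)).split(b"\0")
            if len(parts) == 3:
                found.append(("smtp-plain", parts[1].decode("latin-1"),
                              parts[2].decode("latin-1")))
    return found


def is_watched(host: str) -> bool:
    """Egerstad-style keyword match on the destination name."""
    h = host.lower()
    return any(term in h for term in WATCH_TERMS)


def harvest(flows):
    """Run the extractor over captured flows; one record per credential found."""
    records = []
    for host, port, stream in flows:
        for proto, user, password in extract_credentials(port, stream):
            records.append({"host": host, "port": port, "proto": proto,
                            "user": user, "password": password,
                            "watched": is_watched(host)})
    return records


if __name__ == "__main__":
    for rec in harvest(SAMPLE_FLOWS):
        flag = "WATCH" if rec["watched"] else "     "
        print(f"{flag} {rec['proto']:10} {rec['host']:24} {rec['user']}:{rec['password']}")
```

Four of the six flows give up a username and password with a couple of regular expressions; the CNN request yields nothing because there is nothing to steal, and the port 995 flow yields nothing because TLS is in the way. Point the same code at a capture of your own Internet egress and you have a cheap check for whether anything on your network still authenticates in the clear.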

Tor receives connections from your applications through the SOCKS proxy protocol. SOCKS has been around a long time and is a solid generic protocol: it proxies a TCP stream without caring what is inside it, so it carries end-to-end encrypted sessions (HTTPS, or mail over TLS/SSL) just as readily as plaintext. So if you use Tor and need data secrecy, combine it with a secure protocol! This is where people get confused: data is encrypted within the Tor network, but it leaves the exit node exactly as your browser or application produced it, which for plain HTTP, POP3 or IMAP means unencrypted. Use an end-to-end encryption solution in addition to Tor if that’s what you need. One caveat even then: the exit still sees which server you are connecting to and is in a position to try to impersonate it, so a certificate warning on a connection made through Tor is exactly the situation in which you must not click through.

If you’re surfing CNN or ESPN to get the latest sports scores, no problem. If you’re logging into a system or sending/receiving e-mail, you’d better make sure it’s encrypted end to end.

Tor has also been in the news in connection with a phishing/trojan scheme, where spam email asked people to download Tor, but the link really pointed to a trojan instead.

It’s important to note that in both instances Tor is not at fault. The trojan problem is your typical phishing problem: never click on a hyperlink sent to you in email, and don’t trust any site you didn’t find or search for yourself.

Tor is a great program, but it’s not a cure-all. You need a wide spectrum of tools to do it right, or you can do what many corporations do: require the use of a Virtual Private Network, so that all your data packets are encrypted and routed back to a trusted corporate home base.

Egerstad had this final harsh warning on his blog:

These governments told their users to use ToR, a software that sends all your traffic through not one but three other servers that you know absolutely nothing about. Yes, two are getting encrypted traffic but that last exit node is not. There are hundreds of thousands of ToR users but finding these kinds of accounts was… hmm… shocking! The person who wrote the security policy on these accounts should reconsider changing profession, start cleaning toilets! These administrators are responsible for giving away their own countries’ secrets to foreigners. I can’t call it a mistake, this is pure stupidity and not forgivable!

ToR isn’t the problem, just use it for what it’s made for.

Tor is very good for anonymity, but it does nothing to add data security. In fact, it is arguably riskier than a direct connection, because you are handing your traffic, in cleartext, to a stranger: the exit node operator.

I don’t use Tor much, as I don’t often need anonymity. It’s also a sluggish performer because of the three relays for traffic. But when I do use it, I make sure to use Firefox with a virgin clean profile — no cookies, no stored data, no caching, no browsing history. (You can configure Firefox to ask for what profile you want on startup.)

So the big headline? This is not a Tor insecurity. You wouldn’t complain to Home Depot that masking tape failed to seal your PVC pipes. You have to use the right tool for the right job, and the Uzbek government is learning this the hard way.

20 thoughts on “Using Tor: Assume Exit Nodes are Monitored”

  1. Pingback: Random notes « Twofish’s Blog

  2. Pingback: www.verstecken.net

  3. “which is of questionable journalistic ethics”

    You should put a disclaimer that this is according to your inherited western civilization (USA?) norms. Realize that the social role of what you call a journalist might differ from society to society and even not every society needs some types of journalists or journalists at all.

  4. Why can’t we just respect privacy? Encrypted or not, passworded or not, when it does not belong to you then you have no business looking at it. Leave the spy work to the spies and the intelligence networks to do their job under a court order. Journalism should be responsible enough to respect this also.

  5. If piracy is an offense, what do we call stealing passwords? While we may blame them for using software with a hole, we should realize that there is no such thing as a perfectly secured system; it is just a matter of time and chance to decipher their codes. I just hope that, like Very said, we “respect privacy”.

    From Gian of hd digital media player

  6. Unfortunately I agree with the comment above: no matter how secure a system is, someone will always try to penetrate it. I think that Tor is an amazing idea and it does provide amazing security, but some will always try hacking the end nodes or monitoring them.

  7. An interesting dialogue is worth a comment. I feel that it’s best to write more on this matter; it may not be a taboo topic, but generally people are not brave enough to talk on such topics. To the next. Cheers

  8. It’s not that I want to copy your web page, but I really like the style and design. Could you tell me which style are you using? Or was it tailor made?

  9. I thank you God for this most amazing day, for the leaping greenly spirits of trees, and for the blue dream of sky and for everything which is natural, which is infinite, which is yes. (e. e. cummings)

  10. I’ve been surfing online more than 3 hours today, yet I never found any interesting article like yours. It’s pretty worth enough for me. Personally, if all site owners and bloggers made good content as you did, the internet would be much more useful than ever before.

  11. Why does everyone think this article is great? How is it special? What information was given that is not covered elsewhere? If you make a decision to use Tor or I2P etc., you’re assumed to have done your homework. Why in the world would a person trust their security to software, or in this case a clever p2p anonymity network, without first learning how to use it efficiently? Apparently people still don’t understand Tor, and for that I am grateful that this article exists, but for Christ’s sake, you guys act like this guy just stumbled onto the most important information ever published to clearnet. I would be looking for Dan Egerstad to give props.

    And good lord hostpapa, the theme is Twenty Eleven, i.e. the default WordPress theme… There is nothing “cool” about it. Why are people so lame these days?

    I know, I know, go away troll. Why say anything at all if it isn’t something nice. The internet is vast, you people need to research instead of watching videos all the time.

  12. There are quite a few Recruiting Agents who have a pool of financial experts. These experts not only stay-put from the laws in the financial practices, but also hold track of all of the capability changes that consume place inside the financial vineyard.

  13. Check out the names & sentence structure of the posters. Almost all of them come from the same users. Sad.

    Tor leaks through the end node and gives you away if you don’t use https. Check.
    People in the government are crazy incompetent. Check.
    If you run buck naked through a tunnel that leads directly to the steps of the police station… you’re gonna have a bad time. Check.

  14. Awesome blog you have here, but I was curious whether you knew of any user discussion forums that cover the same topics talked about in this article? I’d really love to be part of an online community where I can get suggestions from other experienced individuals that share the same interest. If you have any recommendations, please let me know. Kudos!
