Eggshells

A US judge has put into the public record, during a hearing in Tacoma, Washington, an interesting pair of comments about Tor.

Tor, of course, is the so-called onion router network, originally designed by the US Navy as a technique for using the public internet in an anonymous way.

End-to-end encryption, such as you get when you point your browser at an HTTPS site like Naked Security, is good for confidentiality: eavesdroppers can’t keep track of which pages you’re most interested in, or sneakily sniff out your email address when you publish a comment.

HTTPS is also important for authenticity, so that when you visit Naked Security, you know that you really are reading our site, rather than content provided by a bunch of imposters.

But anonymity depends on more than that: you might not want an eavesdropper to know that you visited Naked Security at all.

That sort of anonymity isn’t just for activists, journalists and crooks. You aren’t under any obligation to broadcast your choice of bank to the world, for example, or to give away your favourite TV channel, or to reveal which takeaway pizza business you’re favouring this month. That sort of information may well be pretty harmless, one data point at a time, but to a crook who wants to impersonate you, or to convince your friends he knows you, or to learn more about you to stalk you, it all adds up.

Tor helps with anonymity, because your traffic is bounced through three randomly-chosen computers on its way to its target, with multiple layers of encryption used (thus the onion metaphor, geddit?) so that each node knows only the previous and next links in the chain.

The first node knows who you are, but not where you are going; the third node knows where your traffic is going, but not who you are; and the middle node keeps the other two nodes apart.
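The layering described above, as an added sketch in Python (not code from Tor or from the original article). It swaps Tor's real cryptography for a toy SHA-256 keystream and assumes the client already shares a key with each relay; the relay names, keys and destination are constructed for illustration.

```python
import hashlib, json, os

def keystream_xor(key, nonce, data):
    """Toy stream cipher (NOT Tor's crypto): XOR data with SHA-256(key|nonce|offset)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(route, destination, payload):
    """Client: build the onion inside-out. route = [(name, key), ...], entry first."""
    hops = [name for name, _ in route[1:]] + [destination]
    cell = payload
    for (_, key), nxt in reversed(list(zip(route, hops))):
        nonce = os.urandom(8)
        layer = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = nonce + keystream_xor(key, nonce, layer)
    return cell

def peel(key, cell):
    """Relay: strip one layer, learning only the next hop and an inner cell."""
    layer = json.loads(keystream_xor(key, cell[:8], cell[8:]))
    return layer["next"], bytes.fromhex(layer["data"])

def relay_views(route, sender, destination, payload):
    """Pass one cell along the circuit and record what each relay can observe."""
    cell, prev, views = wrap(route, destination, payload), sender, []
    for name, key in route:
        nxt, cell = peel(key, cell)
        views.append({"relay": name, "prev": prev, "next": nxt,
                      "sees_payload": cell == payload})
        prev = name
    return views, cell

if __name__ == "__main__":
    # Constructed circuit: three relays with random per-relay keys.
    route = [(n, os.urandom(32)) for n in ("entry", "middle", "exit")]
    views, delivered = relay_views(route, "you", "destination.example", b"GET / HTTP/1.1")
    for v in views:
        print(v)
    print("delivered:", delivered)
```

The exit relay's view includes the cleartext payload, which is why the HTTPS layer described earlier still matters when you use Tor.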

There are more than 7000 volunteer nodes in Tor, and even though a number of them are run by intelligence agencies or crooks, the theory is that randomly picking three dodgy nodes at the same time is unlikely, and hitting three co-operating dodgy nodes in one go is less likely still.

In practice, however, there are attacks that can strip at least some anonymity away from Tor users, for example when the first node in your Tor connection (called an entry guard) just so happens to belong to the same crooks whose website you are visiting.

By comparing the timing and pattern of your requests to their entry guard with the access logs on their website, the crooks may very well be able to guess that it was you who came visiting.

There are currently just over 2000 entry nodes, out of about 7000 nodes in total, in the Tor network. Crooks who are willing to put in the effort to run 10 entry guards, perhaps using hacked computers to do the dirty work, therefore have a 0.5% chance that you’ll use one of their nodes on your way to visit their website via Tor.

So, given the uncertainty about just how much we can trust Tor, it was unsurprising to hear Judge Robert J. Bryan offer the following aside in a recent hearing:

Now, there was [a] very interesting thing that occurred [at a seminar I attended recently] that I wanted to pass on to you. We had a speaker named Ovie Carroll, who is with the Cybercrime Laboratory of the Department of Justice. He talked to us about data breaches and cybercrimes, etc.

I was surprised to hear him urge the federal judges present, a hundred or so of them, that they should use the Tor network to protect their personal information on their computers, like work or home computers, against data breaches and the like.

I did not respond to that. I almost felt like saying, “That’s not a good way to protect stuff, because the FBI can go through that like eggshells.”

Interestingly, this is the same judge who suppressed the FBI’s evidence in a recent child abuse case – evidence that was acquired even though the defendants allegedly used Tor to “protect” themselves from being tracked down.

Part of the controversy in that case was the FBI’s understandable reluctance to reveal the so-called Network Investigative Technique (NIT) that was used, which would have described the exact way that the FBI had side-stepped Tor to collect its evidence.

Did the FBI hack the child abuse website and implant its NIT in a fake video on that very site, and thereby reveal a list of IP numbers that could be used to establish probable cause for a bunch of search warrants?

Or did it exploit a general security hole in Tor itself, and therefore perhaps pick up accidental visitors during the investigation?

What to do?

In fact, the issue isn’t whether the FBI has reduced Tor to mere eggshells or not.

His Honor Robert J. Bryan made a very pertinent point in his judicial aside, namely that using Tor as some sort of silver bullet to “protect your personal information… against data breaches and the like” is definitely not a “good way to protect stuff.”

Prompt patching, active anti-virus protection, encrypting your data both when it’s stored and when it’s moved around, and picking proper passwords, are much more important.

After all, Tor really only exists to mix up your network traffic to make it much harder to trace or to block.

Tor doesn’t stop you sharing the wrong sort of data with the wrong sort of recipients; it doesn’t stop hackers wandering onto your network and snooping around; and it doesn’t stop crooks from serving you up a dish of web-borne malware to infect your computer.

At the very least, if you plan to use Tor, we strongly suggest that you Read The Manual first.