The world wide web is teeming with promises of Internet anonymity. Search engines are replete with websites and advertisements promoting various anonymity services, with web proxies being the most conspicuous. Web proxies are extremely appealing: they require no software, no special configurations, no technical skills, and rarely require subscriptions. Instead, users are requested to visit a domain and use a web interface to search the world wide web anonymously. Web proxies then redirect web traffic to one of the servers of the proxy network and thereby replace users’ IP addresses with the proxy server’s IP address. Despite the various superficial advantages web proxies offer, there are many subtle and not so subtle disadvantages:
- Web proxies are only applicable to the web. They cannot redirect network traffic of other applications, including email clients, for example.
- Web proxies are slow and sometimes substantially slow.
- We proxies have poor privacy policies. An overwhelming amount of services log all network traffic, including the IP addresses of users. It would not be inaccurate to suggest that most web proxies are honeypots of governments and other criminals.
- Virtually all web proxies fail proxy server tests, including the Header Test, the DNS Test, the DNSBL Test, the Loc Test, the rDNS Test, the WIMIA Test, and active content tests.
- Web proxies are single hop networks. Single hop networks are not architecturally anonymous, not private, and offer no additional protections than a direct Internet connection.
- Web proxies are rarely encrypted. Encrypted web browsing is essential to prevent eavesdroppers, including Internet service providers, from sniffing data traffic. Unencrypted traffic is extremely dangerous.
Although web proxies redirect IP addresses with relative ease, they are inherently insecure and extremely dangerous. Individuals interested in serious anonymity should not consider web proxies. Instead, for serious anonymity, they should consider open source applications that utilize an encrypted multihop network, which bounces communications between two or more remote random servers for strong anonymity. The most famous example of which is the Tor Project.
The Onion Router (Tor) was originally a research project of the US Naval Research Laboratory and was developed as a third generation anonymity software. Today, the Tor Project is an open source application and is used worldwide by private citizens, the military, journalists, law enforcement officers, and activists.
Tor is arguably one of the most anonymous Internet anonymizers available. As the above diagram illustrates, users via a Tor client make a random connection to the first of three remote servers. The remote servers can be operated by anyone – virtually anywhere in the world. The three servers, also known as nodes, are encrypted to prevent eavesdropping of data communications. The first server operator can see users’ IP addresses but forwards their data anonymously to the second server with the IP address of the first server. The second server operator can only see the IP address of the first node and then tunnels the data to the third remote node with the IP address of the second server. The third server operator, which is generally the last node, can see users with the IP address of the second server and forwards the data to web servers with the IP address of the third node. Before reaching its destination, however, exit nodes must decrypt the exit data. It is this last node that is most critical to the security and privacy of the Tor network.
According to the Tor Project:
Tor helps to reduce the risks of both simple and sophisticated traffic analysis by distributing your transactions over several places on the Internet, so no single point can link you to your destination. The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you – and then periodically erasing your footprints. Instead of taking a direct route from source to destination, data packets on the Tor network take a random pathway through several relays that cover your tracks so no observer at any single point can tell where the data came from or where it’s going.
While the above scenario may be true, it is not without controversy. Since Tor node operators are independent and decentralized, anyone can operate nodes – including some rather nefarious persons, organizations, and governments. While the decentralized nature of the Tor network may seem to offer little possibility of collusion between Tor node operators, as we shall see later, the open nature of the Tor network can be very easily circumvented by a strong opponent.
Nevertheless, to enhance the anonymity of connections, the Tor client is preprogrammed to automatically reload IP addresses every ten minutes. Thus, it is not uncommon to exit out of one country one minute and another country or continent nine minutes later. Because this is such a powerful feature against surveillance, users can manually reload their IP addresses by utilizing the command line or the Tor client before every new web page.
Because Tor is an onion router, it is a more powerful anonymizer than Virtual Private Networks, especially single hop Virtual Private Networks, though nowhere near as complete out of the box. Like all network proxies, Tor has its limitations on what traffic it can anonymize. Unlike web proxies, which can only “anonymize” the web, Tor can be used to anonymize most Transmission Control Protocol (TCP) applications.
Tor is also not known for its speed.
More importantly, however, there is increasing chatter on the Internet concerning the safety and security of the Tor network. Not surprisingly, most of this chatter comes from competing Internet anonymization services, including Virtual Private Networks. It has been widely reported on the Internet, for instance, that Tor exit nodes are dangerous because they can be operated by anyone, including criminals, hackers, and government agencies. Since exit traffic is unencrypted, malicious operators can “sniff” data traffic. Sniffed exit traffic can lead to identity theft, fraud, blackmail, and a whole host of potential problems, for example.
Tor Exit Node Myth?
There is little reason to doubt that there are dangers inherent in the Tor network. As already intimated heretofore, Tor relay servers, called “nodes,” can be operated by anyone. Operators are not required by law to protect the privacy of data traffic. Because of the open nature of the network, Tor exit nodes are vulnerable to abuse. Recent studies suggest that many Tor exit nodes are operated by U.S., Chinese, and Russian intelligence agencies. In addition, there is considerable evidence that criminal networks and private hackers operate Tor exit nodes to steal personal data. But despite some serious problems with the Tor network, few realize that most Internet traffic is liable to similar attacks.
Contrary to the claims by some, exit traffic from Virtual Private Networks can be sniffed in transit. Consequently, all unencrypted exit traffic, regardless of the ISP or anonymization service, can be sniffed in transit. Therefore, this is not unique to Tor. More importantly, all encrypted exit traffic, regardless of the ISP or anonymization service, cannot be sniffed in transit, unless the digital certificate of a web server is compromised in one form or another.
Nevertheless, Virtual Private Networks have one serious security advantage over Tor – the networks are owned and operated by VPN administrators, which is a separate security issue in and of itself. Therefore, no one other than authorized persons can gain access to the network. Although a closed network may be more secure, it is less anonymous than an open network like Tor, for example.
Despite some wild and misguided asseverations on the Internet, the Tor network can be secure and anonymous, if used properly. Tor is a dynamic based anonymization service, which basically means it changes IP addresses every ten minutes. A dynamic service is well conducive to anonymity but not so conducive for sensitive logins. Logging into some encrypted websites, including online banking, credit cards, financial accounts, and other professional and/or university accounts via Tor may not be prudent. Some services utilize strict IP security, which can flag users logging into online services from different IP addresses. Some services may even suspend users’ accounts.
More importantly, however, Tor is for anonymity – accessing online services via Tor is generally not logical, because financial, professional, and/or academic institutions already know their clients’ identities. Endeavoring to obfuscate personal information from online services, if they already know the true identities of their clients, is generally irrational. Therefore, Tor should not generally be used for such activities. However, since virtually all sensitive websites incorporate a digital certificate to protect personal, financial, and/or medical records of clients, it is generally not insecure to log in with Tor.
When utilizing anonymization services, readers must be cognizant of three very important things. First, never submit sensitive information in unencrypted websites, with or without Tor, as this information can easily be sniffed in transit. Second, even if unencrypted exit traffic is readable, Tor exit nodes, with few exceptions, still have no idea which traffic belongs to which user. Third, even though encrypted websites can thwart eavesdropping, there is still some inherent danger to connect to encrypted websites from Tor exit nodes.
According to the Electronic Frontier Foundation:
Finally, government agencies with particularly vast resources, such as the NSA, may be able to circumvent the protection provided by Tor through what is known as the “Global Network Adversary” attack. If the Global Network Adversary (GNA) controls the relay through which you enter the Tor network and the relay through which you exit, the GNA can correlate the size and timing of your traffic to identify you on the Tor network. In this scenario, the GNA will have the origin and destination of your traffic, but if you are using HTTPS, they will not be able to read the content. You can help combat the GNA by running a Tor relay, adding to the strength and diversity of the Tor network.
Although the dangers against Tor exit nodes are present, Tor exit nodes can be secure and anonymous if properly utilized. The Tor network should not be used for sensitive content, unless encrypted, and even then should be limited to few activities. Arguably the greatest threat against the Tor network, however, is a Global Network Adversary, whereby powerful government agencies control vast proportions of the Tor nodes to monitor network traffic. Users, however, are not powerless to defeat this measure.