Schneier on Security
A blog covering security and security technology.
December 31, 2010
Home routers that automatically run Tor.
Posted on December 31, 2010 at 6:14 AM
I have noticed suspicious behaviour with my home routers in the last couple of weeks. I think you are right.
This puts a whole new set of questions out there:
- How do the ISPs like having TOR traffic going in and out of their networks?
- What are the legal aspects of this setup, being potentially a TOR endpoint?
In any case I would like to get my hands on the firmware and try it out.
ISPs make the common carrier argument so what's xmited isn't their concern, but there are rules about log retention for LE purposes ... these routers will really need a close audit.
In short, the blogpost is a conspiracy theory that Tor is an NSA project and Big Brother is using it specifically to track people who don't want to be tracked. Is there any credibility in that argument?
It gets really funny once a remote exploit is found on these devices and 10% of all households have one.
Conspiracy theories aside, I wonder how many Tor clients are actually owned by TLAs? IMO it would make sense for them to at least have a small ear to the ground there, just to get a feel for what's being transmitted.
I tried Tor over a year ago and found it horrible because of how much it slowed down my browsing. That being said, I think this article makes a statement that is not true. The article states that Tor is used to encrypt what users do on the internet. I thought that Tor does not encrypt anything; however, it does allow anonymity. As a matter of fact, wasn't there an article a while ago about how users could spy on content passing through Tor routers? Users didn't know where the traffic came from; however, because it wasn't encrypted, it could easily be read.
Am I wrong here? Does Tor automatically encrypt traffic?
Yes, Tor encrypts traffic, but maybe not as you would expect. Consider the following example:
Your Tor client selects two intermediate nodes and one exit node for routing the traffic. The plaintext data and the plaintext destination address is first encrypted with the key of the exit node (node 3):
The encrypted packet and the address of the exit node is then encrypted with the key of the second intermediate node:
Finally, this double encrypted packet and the address of node 2 is encrypted with the key of the first node:
Your Tor client forwards this packet to node 1. Node 1 decrypts the outer layer:
Node 1 then forwards the packet to node 2. Node 2 decrypts the outer layer:
Node 2 forwards the packet to node 3. Node 3 decrypts the plaintext packet and forwards it to the destination:
As you can see, node 3 (the exit node) can read the plaintext unless you use end-to-end encryption in addition to Tor. However, unless the plaintext contains information that identifies you or your computer, node 3 does not know from whom it received the plaintext.
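The layering described in the comment above, as an added example that is not part of the original comment or of Tor's code. It uses a toy SHA-256 keystream cipher and a JSON layer format so it runs with the standard library only; Tor's real circuit construction, key exchange and cell format differ, and the keys and node names are constructed for the demo.

```python
"""Three-layer onion routing as described above: each node peels one layer,
learns only the next hop, and only the exit node sees the plaintext."""
import hashlib
import json
import os

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    Symmetric, so one call both encrypts and decrypts. Illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap(key: bytes, next_hop: str, payload: bytes) -> bytes:
    """Add one layer: encrypt (next_hop, payload) under the key of the node
    that is meant to peel it. Layout: nonce || ciphertext of a JSON object."""
    nonce = os.urandom(NONCE_LEN)
    inner = json.dumps({"next": next_hop, "body": payload.hex()}).encode()
    return nonce + keystream_xor(key, nonce, inner)


def unwrap(key: bytes, packet: bytes):
    """Peel one layer with this node's key; returns (next_hop, inner_payload)."""
    nonce, ciphertext = packet[:NONCE_LEN], packet[NONCE_LEN:]
    inner = json.loads(keystream_xor(key, nonce, ciphertext))
    return inner["next"], bytes.fromhex(inner["body"])


def can_parse(key: bytes, packet: bytes) -> bool:
    """True only if the packet's outermost layer is readable with this key
    (a node trying its own key on the layer below its own gets garbage)."""
    try:
        unwrap(key, packet)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def build_onion(keys, route, destination: str, plaintext: bytes) -> bytes:
    """Client side. keys[i] is shared with route[i]; route = [node1, node2, exit].
    Innermost layer (for the exit) carries the real destination and plaintext."""
    packet = wrap(keys[2], destination, plaintext)  # layer for node 3 (exit)
    packet = wrap(keys[1], route[2], packet)        # layer for node 2: next = node 3
    packet = wrap(keys[0], route[1], packet)        # layer for node 1: next = node 2
    return packet


def simulate_circuit(keys, route, destination: str, plaintext: bytes) -> dict:
    """Forward the onion hop by hop and record what each node learns."""
    packet = build_onion(keys, route, destination, plaintext)
    learned = {}
    for key, node in zip(keys, route):
        next_hop, packet = unwrap(key, packet)
        learned[node] = {
            "next_hop": next_hop,
            "sees_plaintext": packet == plaintext,
            # Can this node read the remaining layers with its own key?
            "reads_inner_layer": can_parse(key, packet),
        }
    return learned


# Constructed demo values (not real keys or relays).
KEYS = [b"shared-key-node1", b"shared-key-node2", b"shared-key-node3"]
ROUTE = ["node1", "node2", "node3"]
DEST = "www.example.com:80"
REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for node, info in simulate_circuit(KEYS, ROUTE, DEST, REQUEST).items():
        print(node, info)
```

The exit node is the only hop whose `sees_plaintext` is true, which is exactly why end-to-end encryption to the destination is still needed.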
@RF From the wikipedia article on Tor:
The Tor software periodically negotiates a virtual circuit through the Tor network, using multi-layer encryption, ensuring perfect forward secrecy...
Once inside a Tor network, the traffic is sent from router to router, ultimately reaching an exit node at which point the cleartext packet is available and is forwarded on to its original destination. Viewed from the destination, the traffic appears to originate at the Tor exit node.
Tor cannot and does not attempt to protect against monitoring of traffic at the boundaries of the Tor network, i.e., the traffic entering and exiting the network. While Tor does provide protection against traffic analysis, it cannot prevent traffic confirmation (also called end-to-end correlation)
As Tor does not, and by design cannot, encrypt the traffic between an exit node and the target server, any exit node is in a position to capture any traffic passing through it which does not use end-to-end encryption such as TLS
Nonetheless, Tor and the alternative network system JonDonym (JAP) are considered more resilient than alternatives such as VPNs. Were a local observer on an ISP or WLAN to attempt to analyze the size and timing of the encrypted data stream going through the VPN, TOR or JonDo system, the latter two would be harder to analyze as demonstrated by a 2009 study.
Tor encrypts between nodes, but not from the endpoints, so the first and second nodes you hit don't know what you are seeing, but the exit node can and usually does spy on what you are doing. You can use https to mitigate this somewhat (there are some attacks that involve replacing the ssl certificates with one of your own), but in general browsing https over Tor is much safer.
I'm pretty sure all nodes in the chain are encrypted, except the last node, which has to make your actual request. Since the last node is effectively acting as you, it could "view" your requests. But remember, the last node doesn't know who "you" are unless something about the data or request identifies "you".
"As Tor does not, and by design cannot, encrypt the traffic between an exit node and the target server, any exit node is in a position to capture any traffic passing through it which does not use end-to-end encryption such as TLS"
Using TLS, however, can have unintended consequences. TLS can use public-key certificates that contain your identity as part of the authentication process. Password-based authentication protocols usually transmit the user name in the clear. This means that end-to-end authenticated encryption in many cases will break the anonymity protection of Tor, since the exit node can read the public key certificate and/or user name used for authentication.
It is possible to construct protocols that preserve both anonymity, authenticity and confidentiality, but using standard Internet protocols such as TLS together with Tor might not give you the intended results.
@tobi "It gets really funny once a remote exploit is found on these devices and 10% of all households have one."
Have you checked out your own router's security? The only reason routers haven't been hacked to pieces is because they're all different. Polyculture and all that.
@Martin: Yes, that's a well known limitation of Tor.
There is no credibility to the rumors.
The software is open source, and not terribly complex, either. It is easy to examine, and does not appear to have any back doors.
There are two ways to show credibility to such a rumor. First, an actual source who is "in the know", or at least who has credibility in the field. There is no such source. Second, technical expertise to show that it is true, or at least demonstrate that it is likely. If this were the case, there would be no "rumor", there would be an exposé.
Now, does this mean that the NSA isn't trying to spy on Tor traffic? Of course they are. It's their *job*. If they are not, they should be fired.
But they would have to be incompetent to try to put a back door in the project. It would be too difficult (because the incoming code is reviewed before it is added to the project), too easy to catch (open source, popular and well-scrutinized), and would, once found, ruin a project currently used by US authorities for their own purposes.
Everyone: Thanks for the clarification on encryption w/ Tor. Bottom line: While Tor does provide anonymity, it does not provide point to point encryption. Exit node sniffing is a threat. Thanks.
He doesn't know what an "ad hominem" argument is, and produces a straw-man argument to make it look like he does and has proven it false. He ignores the obvious reasons the US Navy released the Tor code (it is utterly useless unless it is used by a lot of people *utterly unrelated to you*, the more the better), and declares without evidence that there have to be other secret reasons why it was released. He slanders the people who first worked on Tor after the Navy ("NSA collaborators"), without the slightest evidence, as if his suspicions make things true. He tells us irrelevant things, like the fact that probably bogus accusations made recently scared people, as if the fact that people can be frightened by crap accusations makes his crap accusations more valid. He points out that there is a code challenge to make it hard to detect malicious code, while not mentioning how hard it is to insert it and remain undetected in actual use. And all of this is full of utterly unsubstantiated paranoia that he tells us is obviously true.
So, all in all, I'm not impressed. Poor logic touted as if it proved he was smarter than those who actually created formal logic, paranoid ramblings stated as facts, and slander. I'm going to ignore him.
Very cool. Unfortunately the article doesn't say where one can get one, or if not yet available, when/where they will be. Oh well. It is interesting in any case. Thanks for the article link.
Running an exit-node for Tor is one of the sure-fire ways to guarantee anonymity on the net, so sayeth the Tor team.
The problem with Tor that I found, and hence why I don't use it, is it's too slow and the programs needed to use it are bloatware. You need like, 3 programs running to use it, plus an add-on in Firefox. Plus remember that if anything happens because of a bad apple on that network, and you aren't running an exit node, they could have your IP address on file somewhere. There have also been a few reported cases of exit-node owners spying on their clients using the service.
VPNs are nice and don't require any installations. I know Itshidden has received good reviews, and OpenVPN is another good service, and it's also open source. Ultravpn is another good one.
As others have pointed out, TOR tends to discourage users because it means your system grinds to a halt. If this can be avoided then maybe more people would be interested in running it.
(and as with lots of things, the more people who use it, the better it is for everyone)
Looks like it will be a fork of the OpenWRT code, and will run on Buffalo gear. The Buffalo stuff is available at, for example, Fry's. I assume the Tor people will publicize a download location for the modified firmware.
"It is possible to get around such a block, however, by configuring the Tor software to act as a "bridge," or a private relay, that can only be discovered by word of mouth. A Tor router can also act as a bridge, and Appelbaum is considering making that a default setting."
This isn't really true. Tor doesn't have scanning resistance, so opening tons of bridges just means China will begin scanning for bridges by connecting to common Tor ports and asking "Are you Tor?" Then they just block those ips. While it's definitely more expensive to do this, I don't believe it's out of the realm of possibilities.
@RSX: you certainly do not "need like, 3 programs running to use it, plus an add-on in firefox."
(a) Tor is hardly a resource hog compared to anything else that might run on your system.
(b) Tor is hardly a bandwidth hog: you can limit the maximum and average bandwidth usage within the tor configuration (as far as I recall). But, even if you couldn't, you could still use QOS on any decent router to prioritize your web browsing, etc.
This isn't rocket science, it's traffic shaping.
People have been building Tor routers for a while now. I'm surprised the main group is just now getting around to this. A nice example of existing work is the Gumstix Tor appliance: plug open internet in one end and your system in the other, then it transparently moves everything through Tor.
Resulting Commercial Product
The blog pointed out that if an entity owns all the nodes in the selected TOR route, then it is relatively easy to connect the dots and monitor usage.
People have supposed that the NSA and such run a large number of TOR nodes in order to catch a statistically large number of complete TOR routes in their system.
The blog also mentions "Project Vigilant" with 600-1500 volunteers, who are all hackers.
Since non-honeypot TOR routers are uncommon, the likelihood is that virtually all TOR traffic is vulnerable.
It's a chicken-and-egg problem at present.
This kind of router might actually solve one problem I have at the moment:
I would like to share my wireless network with others (tourists, passers-by, neighbors), but in the current legal and political climate I do not want to deal with the hassle of someone using that connection for illegal purposes. I do not want the police to confiscate my computers and routers because someone else did something illegal.
If I could easily set up a bandwidth-limited, public wifi network that routes all traffic through Tor then I'll share my wireless network for the benefit of the community.
Okian Warrior: "People have supposed that the NSA and such run a large number of TOR nodes in order to catch a statistically large number of complete TOR routes in their system."
This would be an obvious approach. It agrees with the FBI's method of essentially creating terrorists in order to justify their careers. It also agrees with the basic counterintel method of using double agents.
It seems to me this could be avoided if one uses the same techniques used to create botnets on unsuspecting users' computers in order to create a TOR net known only to oneself.
"The blog also mentions "Project Vigilant" with 600-1500 volunteers, who are all hackers."
I'm still not sure whether this group actually exists. At the time it was revealed there was considerable controversy over whether it did and who in fact was a member.
"Since non-honeypot TOR routers are uncommon, the likelihood is that virtually all TOR traffic is vulnerable. It's a chicken-and-egg problem at present."
Agreed. It represents the basic problem of trusting someone other than yourself to provide a security solution for you. This almost never works except possibly on the level of basic hardware like a lock. Either that or you have to spend a really significant amount of money to get individual service you can trust based on the reputation of the service provider like, say, a Swiss bank.
I would say the best way to get anonymity on the Internet at this point is to be able to spoof every byte that leaves your machine so that it is sanitized of any identifying information - possibly even including your pattern of use - and then route it through services or individuals known to you that you trust to be secure themselves or machines that you have some (anonymous) control over that cannot be connected to you. And of course any IP traceback should resolve to a wireless location at which you are no longer physically present (and won't use a second time.)
If I were to be a hacker, this is the sort of setup I would use. Otherwise it's just a matter of time before you're compromised - unless your hacking is too petty to be considered worth chasing down by the authorities.
This is why identity theft is a highly profitable crime. The Feds can't pursue any case not costing someone at least $10,000 and indeed most cases are only desultorily pursued unless the loss is $100,000. Keep your crimes under $10,000 and the odds of capture and conviction have been estimated at 700-1000 to one.
@RSX: you certainly do not "need like, 3 programs running to use it, plus an add-on in firefox."
If you don't want to use the browser version (which means an entire new browser just for that purpose), you need the Vidalia Bundle at 8.5 MB, which has Vidalia, Tor, Polipo, and Torbutton.
So it's actually 4-in-1, not three.
There are more efficient ways to achieve a better form of protection.
@ Richard Steven Hack
Nice post. Most crooks actually use something more like your method. The common choice is using neighborhood wifi with Privoxy, a MAC changer, and a RAM-based Linux live CD. Private Tor-like networks are a possibility, but Freenet is currently the favorite friend-to-friend protocol for anonymity.
Another recent trend is using botneted computers as disposable proxies, with the first relay being a wifi hotspot as described above.
@RSX: The presence of 4 combined packages is a convenience, not a necessity.
Tor itself is a SOCKS4a proxy; you can configure every browser I know of to use SOCKS4 for outgoing connections. That's all that's required for basic functionality.
If you want to mask DNS requests via Tor as well (seeing SOCKS4 is IP level), then you need something that can do SOCKS4a, which is where Polipo fits. It's an optional way of proxying normal HTTP/HTTPS connections to SOCKS4a rather than the SOCKS4 that browsers do without additional software.
Vidalia is a control panel. Edit the torrc file yourself if you don't want it. Or use the default which is ok for a localhost only setup.
I use tor on my border as part of the web proxying stack. No polipo, no torbutton, no vidalia. The web proxying stack is a mess, because SOCKS support in squid is nonexistent, so I use 3proxy instead of polipo.
The "performance problems" (in my experience) of Tor come from the fact that the network is choked for bandwidth (not enough exit nodes or bandwidth between nodes; also your basic consumer-grade connection tends to have very limited upstream bandwidth), and of course latency can add up when your requests bounce around the world.
Nice Christmas present for your less computer literate loved ones. Would probably be a hit on Thinkgeek too. Torifying your traffic does come in handy from time to time. I'm using Tor and Vidalia in combination with Privoxy on some of my machines, and it works like a charm.
Some observations of reality.
*Browsing* using tor can be done from one simple package called "Tor Browser". It's a directory, not an install, and it includes everything you need in one place.
Throw that on your hard disk, or onto a thumb drive and you're good to go. One click starts up everything, the included browser goes immediately to the "Tor test" page to let you know it's working.
It's a complete package for anonymous browsing that's easy to install and starts up with 1 click.
If you want to run a Tor *router* so that other people can browse, that's a different story. Last I checked was a year ago, but the install and configuration was complex, and I just-didn't-want-to-spend-the-time-to-learn-yet-another system of options and issues. Eventually you just get tired of having to learn all this stuff.
As to legal aspects, news articles I've read suggest that running a Tor router or an open wireless access point actually *helps* your legal position, at least in the US. If the police don't find incriminating evidence on the hard drive, you can claim that the infringing behaviour was actually someone else using your system.
There are recent cases of people doing just that - for instance using someone else's internet access to make threatening posts - which adds to "reasonable doubt".
With regards "sheddingbikes", I'm not sure what their actual issue is, but it has the hallmarks of a veiled attack on an individual (that is a specific person is named who has TOR & Wikileaks connection).
However it needs to be said TOR has many problems.
The first main issue (1) is most users do not understand how it works and make false assumptions about what it potentially does for them.
The second main issue (2) is TOR as currently implemented does not provide as much protection as you would expect.
The third main issue (3) is that the Internet topology is not what people assume it is.
The implications of the first issue are very many, and put simply people are going to get hurt by them. There is not enough space to mention even a few of the implications, but the important one is to remember TOR is effectively a "many to one" protocol. That is, you get to choose many inputs to use, but the destination service protocol usually requires just one output, either per connection or worse per session.
Which means things like Man in The Middle (MiTM) attacks still work provided they are between the exit point and the service in use. Now one assumption most people have is that if they are going to be "observed" by a three letter agency (TLA) the agency is going to be looking specifically at them, that is at their IP address. Whilst this might be true for a local Law Enforcement Agency (LEA) such as the police, in reality the opposite is likely to be the case for the likes of the NSA.
This allows them to do various forms of traffic analysis which can strip TOR's obfuscation routing right off, which brings you into the second major issue...
There are quite a few ways a major TLA can do this because TOR is not a store and forward anonymity network (AN) and worse it also tries to achieve a low latency.
However I'm going to describe the least likely method as it's easiest to visualize and also the easiest to fix. And some of the fixes I'm going to suggest have some very interesting further implications for Privacy Enhancing Techniques (PET) and the reduction of the effectiveness of Traffic Flow Analysis (TFA).
Suppose you make a connection to a webserver that a major TLA has under observation. Although your request to the server might only be a single packet (actually quite unlikely), the reply from the server might be many, many packets for many different objects. The number of part and full packets for each object and the number of objects provides a partial "fingerprint" for the page. Due to the low latency of TOR this fingerprint remains fairly intact at your Internet Service Provider (ISP) within a very small time window. Thus, as ISPs are required to keep logs of connections (but usually not content), a sufficiently fine-grained time for each packet will enable the latent partial fingerprint of the page to be seen. Over a fairly short period of your usage of the website the TLA will have enough latent fingerprint matches to be able to say with a very, very high degree of certainty which requests were yours. And if they so wished, very easily convince a judge and jury of this fact.
Even with packet stuffing and other size changing tricks there are various other ways of generating fingerprints such as fuzzing the network latency using Direct Sequence Spread Spectrum (DSSS) techniques to make One Time Watermarks that are provably unique for each webpage request.
The fingerprints are to traffic analysis what plaintext statistics are to cryptanalysis, and the likes of the NSA, GCHQ et al. are experts at this and have been for over seventy years. They have also employed the majority of the pure and applied maths graduates that have worked in this area until quite recently (now the likes of Google are offering better remuneration packages).
Thus TOR as an AN is not that good at obfuscating its main use of interactive web browsing....
There are a number of ways to fix this, one of which is to up the latency and add significant time jitter to it within the AN itself. Effectively this further obfuscates the web page statistics but does not remove them. It's the TFA equivalent of the cryptographic fix of using AES as opposed to DES. However it has a major downside in that it degrades user experience in an almost linear relationship to the increase in obfuscation.
Another simple way to remove the external fingerprint is to put the webservice in the AN itself in some way (although without care this does not prevent a fingerprint being formed).
One potential trick to do this is to make the webserver itself TOR aware, that is it sends responses to page requests over multiple TOR input nodes, thus making the client server relationship many to many. However this would put a large load on the server.
More effective is to look at ways to make the AN effectively a store and forward network.
This can be by putting web caches within ANs so that you only get the "deltas" of dynamic webpages, and static web page requests come from the cache not the webservice, so no directly correlatable fingerprint is seen on the user side from the web server side.
Another method which I've not seen explicitly mentioned by anybody else anywhere is to decentralise the webservice. That is, to take a leaf out of the P2P network book and put each "object" in many different places in many small parts, likewise the webservice pages (this would make a nice PhD project). This then makes the relationship "many to many" not TOR's current "many to one". This effectively destroys any fingerprint because of the 0.5(n^2-n) issue on the number of objects or part objects in the decentralised web service.
The third major issue is one that makes TFA so much easier than expected. Many people assume that the Internet is a web of many possible routes via thousands of nodes. The reality is very much different the Internet consists of a few major back bones and nodes owned and operated by very few companies.
Thus without care you could be using many TOR nodes that are all in one network providers network and thus they can see and easily monitor all entry and exit points...
Provided you understand the limitations of TOR as an AN and work within them, then you are not likely to have your privacy stripped away.
However if you don't understand the limitations you can have your privacy stripped away by the use of TFA on ISP and network operator logs not just at the time of usage but long into the future.
Now one of the things we do know about the NSA is they never throw anything away and they grab every piece of information they can. The issue with this is that even though there might not currently be a TFA technique that can be used against TOR there almost certainly will be in the future as resources become available to develop one. So those logs are sitting there like so many little file boxes simply awaiting someone to come along and look through them...
At present I would say TOR as an AN has a very long way to go before it can be considered for anything that might get you more than a slap on the wrist. However this is not just a TOR issue; it is true of many ANs currently.
The reason for this is TOR is just one very small part of the solution, that is it's just one small cog in the PET machine. PET needs to be applied at all levels of the stack at all points to be effective against the likes of TFA and we are a long way away from it currently.
Further, de-anonymisation is a branch of analytical techniques that has been a bit of a backwater because there has not been much "commercial" advantage in it. This is no longer true, and the field is advancing very rapidly and is now offering very good remuneration packages to those who can "cut the mustard".
I'm going to stick my neck out a little bit and make a prediction as it's new year ;)
Somebody very soon is going to realise the potential of TFA and other de-anonymisation techniques when allied to covert "bot nets" to negate PET such as ANs (if they have not already).
This is likely to be by some small startup that uses malware in the form of a "backdoored / trojaned" app (see the proto class action lawsuits filed against Apple last month) or as a series of zero day attacks based on the AN (think of those RIAA inspired companies who have gone after P2P file sharers).
For instance, the malware being of a form that adds a covert side channel to add a unique fingerprint or watermark to all your network traffic via, say, adding jitter to your network packet times that can be seen in, say, Google's or other major services' server logs etc. that are currently available in "anonymised" format.
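A toy model of the size-based page fingerprint and the padding fixes discussed in the long comment above, added here as an example that is not part of the original comment. The page object sizes are constructed for the demo; the 512-byte cell size matches Tor's fixed cell size, everything else (no timing, no dynamic content, a three-page catalogue) is a deliberate simplification.

```python
"""Size-based page fingerprinting seen at the ISP, and two padding defences.
Shows (1) order-independent cell counts identify a page, (2) padding sizes
alone still leaks the object count, (3) padding sizes and counts together
collapses the fingerprint. Timing-based fingerprints are out of scope."""
from collections import Counter

CELL = 512  # Tor carries data in fixed-size 512-byte cells

# Constructed: object sizes in bytes for three hypothetical pages.
# page_c is page_a's objects fetched in a different order.
PAGES = {
    "page_a": [18_000, 2_300, 2_300, 45_000],
    "page_b": [18_000, 900, 60_000],
    "page_c": [2_300, 45_000, 18_000, 2_300],
}


def cells(nbytes: int) -> int:
    """Cells needed to carry nbytes (ceiling division)."""
    return -(-nbytes // CELL)


def fingerprint(objects) -> Counter:
    """What an observer at the ISP can count: cells per object, order ignored."""
    return Counter(cells(n) for n in objects)


def distance(fp1: Counter, fp2: Counter) -> int:
    """L1 distance between fingerprints: number of objects that do not match."""
    return sum(abs(fp1[k] - fp2[k]) for k in set(fp1) | set(fp2))


def candidates(observed, catalogue=PAGES):
    """Pages whose fingerprint is nearest the observed trace. More than one
    result means the observer cannot tell those pages apart."""
    fp = fingerprint(observed)
    dists = {p: distance(fp, fingerprint(objs)) for p, objs in catalogue.items()}
    best = min(dists.values())
    return sorted(p for p, d in dists.items() if d == best)


def pad_sizes(objects, bucket_cells: int):
    """Defence 1 ("packet stuffing"): pad each object up to a multiple of
    bucket_cells cells, so object sizes stop distinguishing pages."""
    return [-(-cells(n) // bucket_cells) * bucket_cells * CELL for n in objects]


def pad_count(objects, total: int, bucket_cells: int):
    """Defence 2: add dummy objects so every page shows the same object count."""
    dummy = bucket_cells * CELL
    return list(objects) + [dummy] * (total - len(objects))


def defended(objects, bucket_cells: int = 128, total: int = 4):
    """Apply both defences; returns the sizes the observer would now see."""
    return pad_count(pad_sizes(objects, bucket_cells), total, bucket_cells)


def defended_catalogue(catalogue=PAGES):
    return {p: defended(objs) for p, objs in catalogue.items()}


if __name__ == "__main__":
    trace = [18_100, 900, 59_000]  # constructed: a slightly perturbed page_b
    print("raw trace matches:", candidates(trace))
    print("sizes padded only:", candidates(pad_sizes(trace, 128),
          {p: pad_sizes(o, 128) for p, o in PAGES.items()}))
    print("sizes and count padded:", candidates(defended(trace), defended_catalogue()))
```

Note the cost the comment warns about: with both defences every page costs 4 x 64 KiB of transfer regardless of its real size, which is the bandwidth-versus-anonymity trade-off in a different guise.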
> (and as with lots of things, the more people
> who use it, the better it is for everyone)
How does that work, exactly?
Tor's properties, as I understand them, are such that increasing the number of nodes doesn't really improve the system much.
Okay, you could argue that the level of anonymity provided would be improved by an increase in the number of nodes, but the level of anonymity provided isn't one of Tor's weaknesses. Tor suffers from performance lag and from a lack of encryption at the endpoints, and adding more nodes won't fix these things. Adding more nodes only fixes the part of the system that isn't broken.
The lack of encryption won't change, because that's inherent to the design of the system.
Performance isn't improved either, because the ratio of traffic to nodes will be (about) the same. In fact, if the routers are low-end hardware, they could have the net effect of significantly worsening performance in the average case, because the average node won't be able to handle as much traffic as fast.
So I'm not sure how Tor will be "better for everyone" if there are more nodes. Can you explain the reasoning that leads you to that conclusion?
As I understand it, Torbutton is the recommended method due to its turning off the items that can cause information/IP leaking.
Are you sure you aren't thinking of the network itself rather than the software? The network tends to be rather slow and unless I'm serious about wanting my privacy I generally don't use it because of that.
"So I'm not sure how Tor will be "better for everyone" if there are more nodes. Can you explain the reasoning that leads you to that conclusion?"
Shouldn't these routers be configured as exit nodes per default? If so, that explains why they would improve the network.
You must be quite disappointed that all the IPs you collect are 127.0.0.1
Kiran: It's quite conceivable some geek in the bowels of the national security state would come up with such an idea. But can you imagine their difficulty selling it to the pointy-haired bosses in the national security community?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.