Security Response

You Can Hide, but You Can't Run

Created: 23 Oct 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:55:53 GMT
Josh Harriman

Privacy is a big concern when surfing the Internet. One major application has attempted to make Internet activities somewhat anonymous. “Tor” is an anonymous Internet communication system that allows users to surf the Web, send email, and use IM; all the while attempting to avoid network surveillance, traffic analysis, and state security. Tor users’ IP addresses (a computer’s basic identity) and exact locations are kept secret as the users read important stories on the Web, send their grandmother an email, or chat with their new best friend.

Unfortunately, Tor also opens up other avenues of attack and one must be aware of the risk, in return for the benefit of being partly anonymous. The way Tor works is that packets sent from your computer actually go to someone else’s computer, then to someone else’s computer, and so on. Eventually, your data reaches what is known as an “exit node” (which is just another person’s computer), which connects to the website you were trying to reach. The data then comes back to you in a similar fashion. This way, when you browse websites, the remote website only sees the exit node and doesn’t know that your machine initiated the original request.

However, as your data traverses the Tor network it can easily be modified, in particular at exit nodes. This differs from the situation when an average user isn’t on Tor. For example, when you surf to symantec.com, you expect to get data back from Symantec. You trust that your ISP and the ISPs in-between don’t modify the data as it travels between you and symantec.com. And, for the most part, that is true; although, this may not always be the case—especially in some countries. But, when you use Tor, you are not going through a trusted ISP anymore. You are going through random users on the Internet, located all over the world, with quite a few of them operating exit nodes. So, now when you go to symantec.com, the person running the exit node that relays symantec.com’s reply to you has the ability to send you back whatever they want. This, of course, could be with malicious intent.

This can be used as a mechanism to inject exploit code, worms, or any other malicious entity from an exit node back toward Tor users. A recent study even used this technique to inject code to determine the originating machine’s IP address. Furthermore, be aware that while your data is encrypted in the middle of the Tor network, at the exit nodes it must be decrypted and, depending on what you are doing, you may not be as anonymous as you think (for example, don’t search for your own name). These risks are actually well documented on the Tor Web site.
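To make the relaying described above concrete, here is an added example (not from the original post and not Tor project code) that simulates a three-hop circuit with a toy layered cipher: it shows why only the exit relay sees the plaintext request, how a malicious exit could swap the site’s reply, and how an end-to-end integrity check in the style of TLS (here an HMAC keyed between client and site) lets the client reject the swapped reply. The hop keys, site key, request and responses are constructed sample values.

```python
import hashlib
import hmac

# Toy XOR stream cipher keyed per hop (constructed for illustration, NOT a
# real cipher): it only shows how each relay peels one layer of encryption.
def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def layer(key: bytes, data: bytes) -> bytes:
    """Add or remove one hop's layer (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def client_wrap(request: bytes, hop_keys: list) -> bytes:
    """The client adds one layer per relay; the exit relay's layer is innermost."""
    cell = request
    for key in reversed(hop_keys):
        cell = layer(key, cell)
    return cell

def forward_through_circuit(cell: bytes, hop_keys: list) -> list:
    """Each relay strips its own layer; returns what every relay observes."""
    observed = []
    for key in hop_keys:
        cell = layer(key, cell)
        observed.append(cell)
    return observed  # observed[-1] is the plaintext the exit relay handles

def exit_relay_response(site_response: bytes, malicious: bool) -> bytes:
    """A malicious exit can substitute its own bytes for the site's reply."""
    return b"<html>INJECTED</html>" if malicious else site_response

def client_accepts(response: bytes, tag: bytes, site_key: bytes) -> bool:
    """End-to-end integrity check between client and site (stand-in for TLS).
    Plain HTTP has no such check, so a swapped reply would simply be rendered."""
    return hmac.compare_digest(hmac.new(site_key, response, "sha256").digest(), tag)

def simulate(malicious_exit: bool) -> dict:
    """Constructed three-hop circuit with sample keys (not real Tor material)."""
    hop_keys = [b"guard-key", b"middle-key", b"exit-key"]
    request = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    observed = forward_through_circuit(client_wrap(request, hop_keys), hop_keys)
    site_key = b"key-shared-with-site"  # established end to end, unknown to relays
    site_response = b"<html>real page</html>"
    tag = hmac.new(site_key, site_response, "sha256").digest()
    delivered = exit_relay_response(site_response, malicious_exit)
    return {"middle_sees_plaintext": observed[1] == request,
            "exit_sees_plaintext": observed[-1] == request,
            "accepted_with_integrity": client_accepts(delivered, tag, site_key)}
```

Running `simulate(True)` shows the exit relay holding the plaintext request while the client rejects the substituted reply; with plain HTTP there would be no tag to check and the injected page would be rendered as-is.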

So, when using Tor, be sure you understand the risks involved. Tor does defend against traffic analysis, but it also opens your data up to be easily sniffed by random users and those users can inject malicious code. In this case, closing one door opens up another.