Summary Chapter 2: The Tor Browser
Introduction
· The Onion Router browser, commonly known as "Tor".
· Sending data over Tor is like peeling away one layer of encryption at each node until the data reaches its final destination.
· It is a modified version of the Firefox Internet browser, which hides the user's Internet Protocol (IP) address while surfing websites or sending emails.
· Tor provides ease of use with anonymity and can be downloaded for free.
· Because the Tor browser keeps the parties involved anonymous, anyone can connect to websites that may be blocked by oppressive governments, whistle-blowers can communicate without being identified, and businesses and individuals can communicate while maintaining privacy.
· However, it can also be misused to facilitate criminal activities.
· It was initially developed by the US government in 2002, but is not presently controlled by anyone.
· According to the Tor Metrics portal, there are 750,000 Tor users using over 6000 relays worldwide.
· The ExoneraTor service maintains a database of IP addresses that have been part of the Tor network.
Working mechanisms
· Basically, Tor routes the user's internet traffic through random relays on the internet.
· The data sent by the user is first wrapped in layers of encryption (the summary describes this as elliptic curve cryptography). As the encrypted data enters the first relay ("entry"), one layer of encryption is stripped and the data is sent to the next relay ("middle"); another layer is stripped there and the still-encrypted data is sent to the last relay ("exit"). The exit relay connects to the user's target destination over an unencrypted connection. Each relay knows only the hop it received the traffic from and the hop it forwards to, so it is difficult to trace the whole path of the traffic. Additionally, the route through the relays is chosen randomly and changed about every 10 minutes, which makes tracking the actual traffic even more difficult.
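The mechanism in the bullet above, as an added example (not code from the original summary and not Tor's own implementation): a client builds a three-layer onion, each relay strips exactly one layer and learns only where the cell came from and where it goes next, and the exit relay hands the destination the plaintext, which is the unencrypted last hop the bullet mentions. It assumes one symmetric key shared between the client and each relay (Tor negotiates these while building the circuit), uses a SHA-256 keystream XOR as a stand-in for Tor's AES-CTR, and omits integrity checks; the relay names and the destination are constructed.

```python
# Added example: a minimal simulation of onion routing through an entry,
# middle and exit relay. Simplifications (assumptions): one symmetric key per
# relay shared with the client, a SHA-256 keystream XOR instead of AES-CTR,
# and no integrity protection. Not Tor's wire format.
import hashlib
import os

HOPS = ["entry", "middle", "exit"]  # constructed relay names


def make_keys():
    """One 32-byte key per relay, known to the client and that relay only."""
    return {hop: os.urandom(32) for hop in HOPS}


def keystream_xor(key, nonce, data):
    """Counter-mode keystream from SHA-256. XOR is its own inverse, so the same
    call encrypts and decrypts. Stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def wrap(next_hop, inner, key):
    """Add one onion layer: encrypt (next-hop name, inner bytes) under key."""
    nonce = os.urandom(8)
    body = bytes([len(next_hop)]) + next_hop + inner
    return nonce + keystream_xor(key, nonce, body)


def unwrap(layer, key):
    """Strip one layer: return (next_hop, inner bytes) as the relay sees them.
    With the wrong key the result is meaningless bytes, not an error."""
    nonce, ciphertext = layer[:8], layer[8:]
    body = keystream_xor(key, nonce, ciphertext)
    n = body[0]
    return body[1:1 + n], body[1 + n:]


def build_onion(destination, message, keys):
    """Client side: the innermost (exit) layer is applied first, the entry
    layer last, so the entry relay can peel its layer off first."""
    onion = wrap(destination.encode(), message, keys["exit"])
    onion = wrap(b"exit", onion, keys["middle"])
    onion = wrap(b"middle", onion, keys["entry"])
    return onion


def route(onion, keys):
    """Relay side. Returns (trace, destination, bytes handed to the destination).
    Each trace entry is (relay, came_from, forwarded_to, bytes_forwarded): the
    only things that relay learns."""
    trace = []
    came_from, relay, payload = "client", "entry", onion
    while relay in keys:
        next_hop, inner = unwrap(payload, keys[relay])
        trace.append((relay, came_from, next_hop.decode(), inner))
        came_from, relay, payload = relay, next_hop.decode(), inner
    return trace, relay, payload


if __name__ == "__main__":
    keys = make_keys()
    request = b"GET / HTTP/1.0\r\nHost: example.com\r\n\r\n"  # constructed
    trace, dest, delivered = route(build_onion("example.com:80", request, keys), keys)
    for relay, src, dst, fwd in trace:
        print(f"{relay:6s} from {src:8s} to {dst:15s} message readable: {request in fwd}")
    print("destination", dest, "receives", delivered)
```

Running it shows that only the exit relay forwards bytes containing the request, and that the entry relay, which knows the client, never learns the destination: the two facts a single relay would need to link them are split across different hops.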
More about Tor
· Tor does not create artifacts that are helpful for forensic analysis.
· For most users it is better not to customize the Tor browser settings and to use it with its defaults, since even a small misconfiguration may leak information outside Tor.
· Bypassing the security of Tor requires a lot of resources and time, and even then one can obtain only some part of the data, which is still encrypted and hard to trace back to its origin.
· The last hop of a Tor connection, from the exit relay to the destination, is unencrypted. Combining other tools with Tor can keep that information encrypted for more security and anonymity.
· Similar to Tor, Tails (The Amnesic Incognito Live System) is a Debian/Linux based complete operating system for anonymous use. Tails adds even more security and anonymity to covert communications and web surfing.
· Hidden services are available on the Tor network. A hidden service is a Tor network server that provides a service, such as email or file hosting, but is not indexed by search engines and is almost undetectable on the internet.
The following steps were followed while installing and accessing the Tor browser in a Debian/Linux environment.
· Browse to https://www.torproject.org
· In the top right-hand corner, select the "Download Tor Browser" button.
· A new page with options to choose different downloads based on the operating system is presented.
· The download for Linux was selected, and the file was saved to a directory, e.g., Downloads.
· An unpack tool needs to be installed in the environment before extracting the downloaded file.
· The following commands were used to install the tool:
· Update: sudo apt-get update
· Install atool: sudo apt-get install atool
· Change to the directory of the downloaded file: cd Downloads
· List the contents of the directory: ls
· Extract the content of the downloaded file
· aunpack tor-browser-linux64-11.0.10_en-US.tar.xz
· Change directory to the extracted folder
· cd tor-browser_en-US/
· Start the Tor desktop client
· ./start-tor-browser.desktop
· Once the Tor browser is connected:
· Search for the Ahmia search engine
· Copy and paste the .onion URL into the Tor browser
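The unpack step of the procedure above, as an added example (not part of the original summary and not a Tor Project tool), with the check the manual steps skip: before the archive is extracted its SHA-256 digest is compared with a digest obtained out of band, and archive members that would escape the target directory are refused. For the real bundle the digest must come from the signature and checksum files the Tor Project publishes; the bundle path, the digest placeholder and the sample archive built by `make_sample_bundle` are constructed for this example, and `tarfile` replaces `aunpack`.

```python
# Added example: verify a downloaded bundle's digest, then extract it safely.
# Everything path- or digest-like below is a constructed placeholder.
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large bundles do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def checked_members(tar, dest):
    """Return the archive members after confirming each one (and each link target)
    resolves inside dest; raise ValueError otherwise."""
    root = os.path.realpath(dest)
    members = tar.getmembers()
    for m in members:
        target = os.path.realpath(os.path.join(root, m.name))
        if os.path.commonpath([root, target]) != root:
            raise ValueError(f"refusing member outside destination: {m.name}")
        if m.issym() or m.islnk():
            base = os.path.dirname(target) if m.issym() else root
            link = os.path.realpath(os.path.join(base, m.linkname))
            if os.path.commonpath([root, link]) != root:
                raise ValueError(f"refusing link outside destination: {m.name}")
    return members


def verify_and_extract(archive, expected_sha256, dest):
    """Extract archive into dest only if its SHA-256 matches expected_sha256.
    Returns the path of the single top-level directory (the browser bundle)."""
    actual = sha256_of_file(archive)
    if actual != expected_sha256.lower():
        raise ValueError(f"checksum mismatch: expected {expected_sha256}, got {actual}")
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(archive, "r:*") as tar:  # "r:*" auto-detects .tar.xz / .tar.gz
        members = checked_members(tar, dest)
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **extra)
    top_levels = {m.name.split("/")[0] for m in members}
    if len(top_levels) != 1:
        raise ValueError(f"expected one top-level directory, found {sorted(top_levels)}")
    return os.path.join(dest, top_levels.pop())


def make_sample_bundle(workdir):
    """Constructed stand-in for the downloaded bundle: one top-level directory
    holding the launcher, packed as tar.gz. Returns (archive path, its SHA-256)."""
    src = os.path.join(workdir, "tor-browser_en-US")
    os.makedirs(src, exist_ok=True)
    with open(os.path.join(src, "start-tor-browser.desktop"), "w") as f:
        f.write("[Desktop Entry]\nName=Tor Browser (constructed sample)\n")
    archive = os.path.join(workdir, "sample-bundle.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="tor-browser_en-US")
    return archive, sha256_of_file(archive)


def run_demo():
    """Offline demonstration on constructed archives; returns what was checked."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        archive, digest = make_sample_bundle(work)
        extracted = verify_and_extract(archive, digest, os.path.join(work, "out"))
        results["extracted_dir"] = os.path.basename(extracted)
        launcher = os.path.join(extracted, "start-tor-browser.desktop")
        results["launcher_present"] = os.path.isfile(launcher)
        try:  # a digest that does not match must stop extraction
            verify_and_extract(archive, "0" * 64, os.path.join(work, "out2"))
            results["wrong_digest_rejected"] = False
        except ValueError:
            results["wrong_digest_rejected"] = True
        evil = os.path.join(work, "evil.tar")  # constructed: a member that escapes dest
        with tarfile.open(evil, "w") as tar:
            info = tarfile.TarInfo("../escaped.txt")
            data = b"outside"
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        try:
            verify_and_extract(evil, sha256_of_file(evil), os.path.join(work, "out3"))
            results["traversal_rejected"] = False
        except ValueError:
            results["traversal_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
    # Real use (placeholders): replace the path and the digest, then run the launcher
    # from the returned directory, as in the steps above.
    # verify_and_extract("~/Downloads/tor-browser-linux64-11.0.10_en-US.tar.xz",
    #                    "<sha256 from the Tor Project's signed checksum file>", "~/Downloads")
```

`run_demo` builds a sample bundle, extracts it, then shows the two refusals a practitioner wants: a wrong digest and an archive member pointing outside the target directory both raise before anything is written.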
Browsing Tor network
Search engine for onion sites. For this I used the AHMIA search engine. It collects identifiers from the Tor network and feeds them into its index.
A random marketplace on the Tor network for buying and selling electronics.
There were more fraudulent websites than genuine ones, although there is no way to tell which is real and which is fake. The screenshot below might be genuine, but I found a similar website with exactly the same UI via different links. That may be because of Tor's anonymity, or they may really be frauds.
This forum could be genuine or fake; I can't claim for sure. However, some of the darknet topics were interesting to read.
Almost every government agency is striving to deanonymize Tor, either to track down criminals or to prevent citizens from using the internet freely. Here I discuss one event in which the FBI was able to track down a child pornography hosting service on the Tor network.
Eric Eoin Marques, a 28-year-old American living in Dublin, Ireland, is accused of being the mastermind behind Freedom Hosting, a company that hosted child pornography on 550 servers around Europe.
According to the statement from Tor, the software that powered Freedom Hosting was hacked. The breach was used to set up the servers so that they injected a JavaScript exploit into the web pages served to users. The exploit loaded a malware payload onto the user's machine in order to infect it. The payload targeted Firefox 17 ESR, which was the basis of the Tor browser.
The FBI later took down the hosting service by using a Firefox exploit. The FBI simply infected the servers of Freedom Hosting, which then infected the Tor browsers of visitors to the criminal websites. Through the Tor browser exploit [Firefox flaw CVE-2013-1690 in version 17 ESR], the true IP address, MAC address and Windows hostname were recorded. This data was forwarded to the FBI until the exploit was discovered and fixed. Users of Tor on Linux and those who had updated their Tor versions appeared to be unaffected.
The deanonymization could not be replicated again because of the various patches and updates. One proof of this is that users who had updated Tor were not affected.
I found some alternatives to Tor that provide some sort of anonymity. Some examples are Freenet, ZeroNet, Windscribe, Shadowsocks, Hotspot Shield, Psiphon, etc. In one way or another, all of these networks intend to provide anonymity to their users.
Freenet: Freenet is free software which lets you anonymously share files, browse and publish "freesites" (web sites accessible only through Freenet) and chat on forums, without fear of censorship.
ZeroNet: ZeroNet uses cryptography (Bitcoin library) and BitTorrent DHT (centralized trackers) to build a distributed censorship-resistant network.
Windscribe: Windscribe is a desktop application and browser extension that work together to block ads and trackers, restore access to blocked content and help you safeguard your privacy online.
Shadowsocks: A secure SOCKS5 proxy, designed to protect the user's Internet traffic using asynchronous I/O and event-driven programming. These proxies offer flexible encryption with industry-standard encryption algorithms and can also support custom algorithms.
In terms of browser alternatives, some are Brave, Epic, I2P, Vivaldi, Subgraph, etc. Some of them are open source and some are premium. In comparison with Tor, some of them are centralized too. Some of them lack a defense mechanism against DoS attacks, consume too many system resources, and some are still in beta. For example, I2P is an alternative anonymity system with a very different design from Tor: I2P focuses more on communication within I2P itself rather than on communication with the wider internet, as Tor does.
Tor is an onion router used by dissidents, cybercriminals, and even ordinary people all around the world to keep their internet activity hidden from governments and corporate stalkers.
Tor attempts to anonymize online activity by encasing it in multiple levels of encryption and transmitting it through a network of nodes that peel back those layers one by one, hence the onion nickname. Each node decrypts only enough of the packet to determine where it should be sent next, so no node knows both the identity of the user and the identity of the website or server to which they are attempting to connect. Although Tor's high degree of encryption and frequent network traffic balancing make it highly secure, it isn't completely foolproof, because users' data must leave the Tor network at some point via an exit node to reach its destination. When a user's data leaves an exit node and is sent to its destination, it is no longer necessarily encrypted.
While it is still difficult for the recipient to know which user is connecting, any unencrypted personal information can be seen by both the exit node operator and the site to which that user is connecting. There was even news about a team of researchers harvesting data, emails, personal information, passwords, etc. sent over the Tor network (Stone Jeff, 2015). Because anyone can run an exit node, you never know who might be looking at your data on the other end. To help mitigate this problem, the Tor Project offers the Tor browser for free, a modified version of Firefox that tries to use the encrypted HTTPS standard instead of regular HTTP for as much web activity as possible and disables certain plugins that can leak your IP address.
By default, many plugins, and many other applications for that matter, won't run over the Tor network. It is possible to force other applications to use the Tor network, either by configuring them manually or by using other tools. One can also use a VPN together with Tor to hide the IP address and create an encrypted tunnel at every point of the path. Even so, it is best not to send personally identifying information over the Tor network.
Tor also has the limitation of being a rather slow network, so it might not be very useful for downloading large amounts of data.
There isn't a single threat model in use by Tor. It offers several levels of protection against various adversaries, including local observers, malicious node operators, underlying Internet observers, and so on (Tor's vs I2P's Threat Model, n.d.). However, in most security evaluations the stated adversary is one who owns a fraction of the relays, as well as some clients and destinations. With these, the adversary can generate traffic, drop traffic, violate protocols, and do anything else that is possible (sometimes computationally, sometimes practically). Some, but certainly not all, Internet connections between relays, clients and destinations are assumed to be visible to adversaries watching at ASes, IXPs, ISPs and other locations. This network-link adversary can be either passive or active, dropping, replaying, or inducing timing signatures on the traffic travelling through it. Because of its low latency, Tor is effectively broken against an opponent who can monitor both the client end and the destination end of a connection. This is true regardless of whether the opponent sits at a Tor relay, at the destination, or as an Internet observer.
In my opinion, the UserThreatModel could fit Tor (Faroy Alexander, 2021).
Identifying "assets": why a user wants to use Tor and what she wants to protect, e.g., anonymous talking, sharing small projects or files, trying to access restricted content, etc.
Identifying adversaries and capabilities: against whom the user is protecting her assets; what other information an adversary can extract, e.g., ISP, MAC address, etc.; and what else the adversaries might want, e.g., money, time or other resources.
Understanding the anonymity set: how likely a user is to be targeted by the adversaries among the set of people.
Identifying the attacks and mitigations: a user needs a better understanding of networking and of the other operations of the computer. For a normal user browsing websites it is better not to use Tor, or at least to use a trusted VPN while visiting sites over the Tor network. Users need to have an idea of possible attack scenarios such as local network attacks, single malicious relays, local computer attacks, etc.
Running relays: if someone running multiple relays gets lucky, a connection can enter through one of their relays and exit through another. That can provide enough information to suspect someone.
AlternativeTo. (2022, April 13). Tor Alternatives. Https://Alternativeto.Net/Software/Tor/.
Faroy Alexander. (2021). UserThreatModel for Tor. Https://Gitlab.Torproject.Org/Legacy/Trac/-/Wikis/Doc/UserThreatModels.
Shavers Brett, & Bair John. (2016). Hiding Behind the Keyboard: Uncovering Covert Communication Methods with Forensic Analysis.
Stone Jeff. (2015). MIT researchers have bad news for users of anonymity browser. Https://Www.Businessinsider.Com/Mit-Researchers-Has-Some-Bad-News-for-Users-of-Anonymity-Browser-Tor-2015-8?R=US&IR=T.
The FBI TOR Exploit. (2013, November 29). Https://Resources.Infosecinstitute.Com/Topic/Fbi-Tor-Exploit/.
Tor's vs I2P's threat model. (n.d.). Https://Tor.Stackexchange.Com/Questions/27/How-Does-Tors-Threat-Model-Differ-from-I2ps-Threat-Model.