By Jake Edge
September 12, 2007
A Swedish security researcher, Dan Egerstad, recently highlighted a
flaw in the way many folks are using Tor,
a tool for internet anonymity. He said that he had captured user names and
passwords for at least 1000 email accounts, posting
the details for 100 of those. Ten days after the initial disclosure,
he followed
up with information on how he captured the data.
Tor (aka The Onion Router) is a system designed to hide the source and
destination of internet traffic by routing it through a few intermediate
nodes. Software is available for most operating systems and can run in
either client or server mode. The Tor network consists of many server
nodes that can route this traffic, but it also has special nodes, called
"exit nodes", that are the endpoints for traffic within the Tor network.
Exit nodes are the ones that actually talk to the server the client was
trying to reach, thus they see any traffic exactly as it will be presented
to the destination.
A Tor client picks a random path through the network, using a directory
server to get a list of active nodes. For each hop along that path, it
negotiates a separate session key. It encrypts the packet data, along with
a destination address, once per node in the path, building up a packet with
multiple layers of encrypted information. Each layer can only be
decrypted by the proper intermediate node. Each intermediate node knows
only its predecessor, the next hop it must forward to, and its own session
key, so with more than a few nodes, the source and ultimate destination are
hidden. The exit node peels the last layer of the onion; what it decrypts
is the data bound for the destination.
Running an exit node for Tor has some risks associated with it, as all
traffic that goes to a destination site appears to originate from the exit
node host. If the destination gets attacked by a
denial of service or other exploit, the exit node operator would seem to be
the guilty party. For this reason, Tor server operators can choose whether
or not their nodes will act as exit nodes. What Egerstad did was to volunteer
five servers as exit nodes and monitor the traffic that went by.
What his exit nodes saw was the traffic bound for various servers, much of
it in the clear. He collected authentication for email servers from many
users, with the ones he released being embassy workers and members of human
rights organizations. He monitored the POP3 and IMAP protocols,
specifically looking for keywords associated with governments. By looking
at those two protocols, he not only was able to capture passwords, his exit
nodes also saw all of the email stream by as it was delivered to the users.
This should come as no real surprise; unencrypted email protocols are a
security hazard and should probably go the way of telnet,
and be banished from internet usage. What is more surprising, but perhaps
shouldn't be, is that people are using Tor to retrieve their email. Tor is
not supposed to be a complete privacy solution, and it is not
presented that way, but the difference between anonymity and privacy seems
to have gotten lost.
It is a near certainty that others are doing just what Egerstad did.
Governments and criminals – though it can be hard to distinguish
between the two at times – both have an interest in monitoring this
kind of traffic. Egerstad lists a number of suspicious exit nodes in the
Tor network, any or all of which could be scanning the cleartext traffic
that streams by.
In some ways, Tor is really no different from the myriad routers that
internet traffic passes through; each of those presents a point where
traffic could be intercepted. Tor is better in that regard, perhaps,
because all but the last leg (which, of course, traverses any number of
routers) are encrypted. If an encrypted protocol, SSL or an ssh
tunnel for example, were used end-to-end, Egerstad's monitoring would not
have worked. With proper certificate/key handling, no intermediate node, Tor
or router, can decrypt the traffic.
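The following simulation is an added example, not code from the article or from the Tor project: it builds a three-hop onion with per-hop session keys as described above, records what each relay can see after peeling its layer, and then shows why end-to-end encryption (here, a toy cipher under a key known only to the client and the mail server) would have defeated Egerstad's exit-node monitoring. The relay names, the constructed POP3 login and the SHA-256 counter-mode stream cipher are illustrative assumptions, not Tor's actual cell format or cipher.

```python
import hashlib
import secrets

# Toy stand-in for the per-hop stream cipher (SHA-256 in counter mode XORed over
# the data). It is here only to show the layering; Tor itself uses AES-CTR.
def xor_stream(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def build_onion(next_hops, session_keys, payload):
    """Client side: one layer per node, innermost layer first. next_hops[i] is
    the address node i must forward to (for the exit, the real destination)."""
    cell = payload
    for addr, key in reversed(list(zip(next_hops, session_keys))):
        cell = xor_stream(key, addr + b"|" + cell)
    return cell

def peel_layer(key, cell):
    """Relay side: strip one layer; the relay learns only the next address."""
    return xor_stream(key, cell).split(b"|", 1)

def run_circuit(path, destination, payload):
    """Simulate the circuit and record what each relay gets to see.
    path: relay names; a separate session key is negotiated per hop (random here)."""
    keys = {name: secrets.token_bytes(16) for name in path}
    next_hops = [n.encode() for n in path[1:]] + [destination]
    cell = build_onion(next_hops, [keys[n] for n in path], payload)
    seen, previous = [], b"client"
    for name in path:
        next_addr, cell = peel_layer(keys[name], cell)
        seen.append({"relay": name, "from": previous, "to": next_addr, "data": cell})
        previous = name.encode()
    return seen

# Constructed sample: a cleartext POP3 login, the kind of traffic an exit node sees.
POP3_LOGIN = b"USER alice@example.org\r\nPASS hunter2\r\n"

def exit_sees_cleartext(payload=POP3_LOGIN):
    return run_circuit(["guard", "middle", "exit"], b"pop.example.org:110", payload)[-1]

# End-to-end encryption under a key shared only by the client and the mail
# server hides the payload from every relay, the exit included.
MAIL_SERVER_KEY = b"assumed-key-shared-only-with-mail-server"

def exit_sees_encrypted(payload=POP3_LOGIN):
    return run_circuit(["guard", "middle", "exit"], b"pop.example.org:995",
                       xor_stream(MAIL_SERVER_KEY, payload))[-1]
```

The middle relay's record shows it learned nothing but its neighbours and an opaque blob, while the exit's record contains the login verbatim in the cleartext case and only ciphertext in the end-to-end case.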
It is a bit ironic that one would use a service meant to provide
anonymity to log in to a system using credentials that are intended to
restrict access to a particular user. It is a bit like renting a room at
the No-Tell Motel using your credit card. Presumably, the users had Tor
installed and running for other reasons and either didn't know or forgot to
turn it off when retrieving their email. Perhaps their email client
helpfully retrieves their email every few minutes without their
intervention.
It should be noted that Tor does not do anything above the protocol
level to anonymize traffic. Cookies, browser identification strings and
other information can be used to identify who is using the connection to
anyone with access to the traffic. Obviously, logging in makes that
even easier. Another known threat to anonymity using Tor, even with
end-to-end encryption, is timing analysis. If someone can monitor the
timing of the packets at the client and those at
the server, they can make a statistical correlation between the two.
Tor achieved another kind of notoriety, recently, as some of the storm worm spam started pushing
it as a solution for internet anonymity. Unfortunately, users who followed
the link landed on a fake
Tor download page. Downloading the software did not result in any
increase in their privacy; it simply installed one of the storm worm
variants. It is certainly not the publicity that Tor wanted, but it could,
perhaps, lead a few users to the real Tor. It is a dubious honor, but the
storm worm herders must believe that the Tor name has some credibility in
order to use it this way.
Tor is an excellent tool for what it does, but it certainly is not a
solution to all internet communication privacy issues. As with most
things, users need to understand what they are doing before they can gain
the benefits of Tor. By managing the higher level identifying information
correctly (perhaps by using
something like Privoxy), one
can use internet services anonymously with a reasonable level of comfort.
Using end-to-end encryption makes it that much better.