A Swedish security researcher, Dan Egerstad, recently highlighted a
flaw in the way many folks are using Tor,
a tool for internet anonymity. He said that he had captured user names and
passwords for at least 1000 email accounts, posting
the details for 100 of those. Ten days after the initial disclosure,
up with information on how he captured the data.
Tor (aka The Onion Router) is a system designed to hide the source and
destination of internet traffic by routing it through a few intermediate
nodes. Software is available for most operating systems and can run in
either client or server mode. The Tor network consists of many server
nodes that can route this traffic, but it also has special nodes, called
"exit nodes" that are the endpoints for traffic within the Tor network.
Exit nodes are the ones that actually talk to the server the client was
trying to reach, thus they see any traffic exactly as it will be presented
to the destination.
A Tor client picks a random path through the network, using a directory
server to get a list of active nodes. For each hop along that path, it
negotiates a separate session key. It encrypts the packet data, along with
a destination address, once per node in the path, building up a packet with
multiple layers of encrypted information. Each layer can only be
decrypted by the proper intermediate node. Each intermediate node only
knows about its predecessor, the destination, and the key, so with more than
a few nodes, the source and ultimate destination are hidden. The exit node
is the last layer of the onion, what it decrypts is the data bound for the
Running an exit node for Tor has some risks associated with it, as all
traffic that goes to a destination site appears to originate from the exit
node host. If the destination gets attacked by a
denial of service or other exploit, the exit node operator would seem to be
the guilty party. For this reason, Tor servers can determine whether or not they are
willing to be exit nodes. What Egerstad did was to volunteer five servers
as exit nodes and monitor the traffic that went by.
What his exit nodes saw was the traffic bound for various servers, much of
it in the clear. He collected authentication for email servers from many
users, with the ones he released being embassy workers and members of human
rights organizations. He monitored the POP3 and IMAP protocols,
specifically looking for keywords associated with governments. By looking
at those two protocols, he not only was able to capture passwords, his exit
nodes also saw all of the email stream by as it was delivered to the users.
This should come as no real surprise, unencrypted email protocols are a
security hazard; they should probably go the way of telnet,
and be banished from internet usage. What is more surprising, but perhaps
shouldn't be, is that people are using Tor to retrieve their email. Tor is
not supposed to be a complete privacy solution, and it is not
presented that way, but the difference between anonymity and privacy seem
to have gotten lost.
It is a near certainty that others are doing just what Egerstad did.
Governments and criminals – though it can be hard to distinguish
between the two at times – both have an interest in monitoring this
kind of traffic. Egerstad lists a number of suspicious exit nodes in the
Tor network, any or all of which could be scanning the cleartext traffic
that streams by.
In some ways, Tor is really no different than the myriad routers that
internet traffic passes through; each of those presents a point where
traffic could be intercepted. Tor is better in that regard, perhaps,
because all but the last leg (which, of course, traverses any number of
routers) are encrypted. If an encrypted protocol, SSL or an ssh
tunnel for example, were used end-to-end, Egerstad's monitoring would not
have worked. With proper certificate/key handling, no intermediate node, Tor
or router, can decrypt the traffic.
It is a bit ironic that one would use a service meant to provide
anonymity to log in to a system using credentials that are intended to
restrict access to a particular user. It is a bit like renting a room at
the No-Tell Motel using your credit card. Presumably, the users had Tor
installed and running for other reasons and either didn't know or forgot to
turn it off when retrieving their email. Perhaps their email client
helpfully retrieves their email every few minutes without their
It should be noted that Tor does not do anything above the protocol
level to anonymize traffic. Cookies, browser identification strings and
other information can be used to identify who is using the connection to
anyone with access to the traffic. Obviously, logging in makes that
even easier. Another known threat to anonymity using Tor, even with
end-to-end encryption, is timing analysis. If someone can monitor the
timing of the packets at the client and those at
the server, they can make a statistical correlation between the two.
Tor achieved another kind of notoriety, recently, as some of the storm worm spam started pushing
it as a solution for internet anonymity. Unfortunately, users who followed
the link landed on a fake
Tor download page. Downloading the software did not result in any
increase in their privacy, it simply installed one of the storm worm
variants. It is certainly not the publicity that Tor wanted, but it could,
perhaps, lead a few users to the real Tor. It is a dubious honor, but the
storm worm herders must believe that the Tor name has some credibility in
order to use it this way.
Tor is an excellent tool for what it does, but it certainly is not a
solution to all internet communication privacy issues. As with most
things, users need to understand what they are doing before they can gain
the benefits of Tor. By managing the higher level identifying information
correctly (perhaps by using
something like Privoxy), one
can use internet services anonymously with a reasonable level of comfort.
Using end-to-end encryption makes it that much better.
to post comments)