
Threats of Tor: National Security Services Can Track Us

How did Snowden intercept Tor traffic, and how to protect yourself adequately on the darknet (step-by-step guide).

Updated: October 4, 2021 By Dean Chester

One of the most popular anonymization tools on the Internet is the Tor network.

Let me say one thing right away: this article contains no instructions on how to download and configure Tor Browser, only information on how national security services can monitor Tor.

For the regular user, the Tor network works quite simply: their data first goes to a guard relay, then passes through a middle relay to an exit relay, and from the exit relay to the destination:

Tor's nodes

Image based on Shutterstock

The exit relay cannot realistically be traced back to the guard relay through the two preceding hops: each relay knows only its neighbours. To the destination, everything looks as if the user's data originated at the exit relay. And since all kinds of traffic (including illegal traffic) leaves the network through that node, complaints about it land on the node's operator.

Let me emphasize: the exit relay is the weakest spot for user traffic. Whoever can intercept data at an exit relay can see what is being sent to the destination on the regular Internet, the part of the path that Tor no longer protects, unless the connection itself is encrypted end to end (HTTPS).

Later in this article there is a real-life example of an American intelligence officer who monitored several Tor exit nodes.

We have seen from our own experience that there is a lot of illegal traffic in Tor...

After we set up our own test exit relay and began to carry the Tor network's traffic, the hosting provider shut down our server.

Most hosting providers do not want to be part of the Tor network. Many cybercriminals use it to commit crimes on the regular Internet, and the abuse complaints then go to the provider whose server acts as the Tor exit node. These complaints can be serious.

But first things first.

Why has technology designed to provide secure and anonymous access to the Internet become associated with crime, and why do we believe that Tor without additional security measures is not secure enough?


Tor and Crime

There are two areas that have created a negative image of the Tor network.

  1. Clandestine online stores selling weapons, drugs, and various criminal services.
  2. Terrorist activity.

The Tor network is designed so that it also hosts sites that are reachable only from inside the network and are not indexed by the regular web. Their addresses always end in .onion, and you can open them only through Tor, in practice with Tor Browser.

Thanks to the Tor design, the real physical location of such sites cannot be determined by conventional methods.

At the same time, technologies do not stand still, and today there are methods to de-anonymize visitors and owners of such sites. We have dedicated a special chapter to show how it can happen.

Tor safety is a good idea, but nothing is perfect

Tor stands for The Onion Router, which raises the question: what does an onion have to do with it? It is all about the encryption scheme, which is built like an onion: to get to the center (your unencrypted data), you have to remove each layer (of encryption) in turn.

In practice it works like this: the client encrypts the data so that only the exit relay can decrypt it. The client then encrypts that ciphertext again so that only the middle relay can decrypt it, and once more so that only the guard relay can decrypt it. Each relay on the path peels off exactly one layer and forwards what remains to the next hop.

Encryption inside encryption, like the layers of an onion.
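To make the layering concrete, here is a small simulation I added for this article (it is not Tor's code, and the cipher is a stand-in: HMAC-SHA256 run in counter mode as a keystream, where real Tor uses AES-CTR with keys negotiated per hop). The relay names, keys and the destination string are made up. The point it shows is the one above: the client builds all three layers, each relay learns only the next hop, and only the exit relay ever sees the plaintext.

```python
"""Toy onion routing: three layers, peeled one per relay (added example)."""
import hashlib
import hmac
import json
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with HMAC(key, nonce || counter) blocks.
    Encryption and decryption are the same operation."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """One onion layer: nonce || Enc_key(header naming the next hop + inner cell)."""
    nonce = os.urandom(16)
    header = json.dumps({"next": next_hop}).encode() + b"\n"
    return nonce + keystream_xor(key, nonce, header + inner)


def peel_layer(key: bytes, cell: bytes) -> tuple[str, bytes]:
    """What a relay does: strip its own layer, read where to forward, keep the rest opaque."""
    nonce, body = cell[:16], cell[16:]
    plain = keystream_xor(key, nonce, body)
    header, _, inner = plain.partition(b"\n")
    return json.loads(header)["next"], inner


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """circuit: [(relay_name, key), ...] in path order guard -> middle -> exit.
    The client wraps innermost-first (exit layer, then middle, then guard)."""
    cell, next_hop = payload, destination
    for name, key in reversed(circuit):
        cell = wrap_layer(key, next_hop, cell)
        next_hop = name
    return cell


def route_onion(circuit, cell: bytes):
    """Simulate forwarding along the circuit; return what each relay observed."""
    observed = []
    for name, key in circuit:
        next_hop, cell = peel_layer(key, cell)
        observed.append((name, next_hop, cell))
    return observed


if __name__ == "__main__":
    # Hypothetical circuit and keys; in Tor these come from the consensus and the handshake.
    circuit = [("guard", b"g" * 32), ("middle", b"m" * 32), ("exit", b"e" * 32)]
    payload = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"
    for relay, nxt, inner in route_onion(circuit, build_onion(circuit, "example.org:80", payload)):
        print(f"{relay:6} forwards to {nxt:15} sees plaintext: {inner == payload}")
```

Only the last line of that output is `True`: the guard and middle relays forward bytes they cannot read, and the guard is the only hop that knows the client's address.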

But no matter how complex the network is, it has to interact with the outside world, and exit relays (or exit nodes) are responsible for that.

Such a node was configured by Cooltechzone technical specialists (by the time this article was published, it had already been disabled).

Exit relay or node configured by Cooltechzone team

As you can see at the bottom of the log output, the node successfully connected to the Tor network.

Netstat output showing all established and active connections with other Tor relays

After a short time, traffic began to flow through the node:

Traffic through Cooltechzone’s exit relay

Why did we do it?

To show how vulnerable Tor users can be if they do not use additional methods of protection against detection.

Any Tor exit relay can record the user traffic that passes through it, and whoever operates or has access to that relay (an intelligence agency or an attacker) can monitor that activity.

Tor and Snowden

Do you know the name Snowden? A few years ago he was the most high-profile figure associated with exposing the activities of American intelligence and publishing many classified documents.

But few people know that he was also one of the first to use the method of intercepting information on the Tor network and, probably, to de-anonymize its participants.

According to the Russian-language YouTube channel "Intercepter", run by the developer of the software of the same name, Edward Snowden, during his work in the CIA and on his own initiative, ran a Tor relay together with special software that collected and analyzed the information passing through it.

The essence of Intercepter-NG (sniff.su) is that it provides extensive functionality for capturing data and searching captured, unstructured data dumps for various kinds of information:

Functionality of Intercepter

The author of the video claims that Snowden himself used his software to analyze intercepted data in 2012.

Youtube channel Intercepter

According to one of the videos, a certain English-speaking user repeatedly contacted the developer directly asking for improvements to the software.

As proof, he cites a screenshot of correspondence with a user called Ed Snowden:

Chat capture of Interceptor’s developer with Ed Snowden

From the correspondence, it follows that Snowden asked for help in processing data dumps larger than 10 gigabytes. When asked by the developer what kind of data it was, Snowden stated that it was "TOR audit logs".

In support of this, Intercepter points out that they corresponded with Snowden by email, and that the messages came from ed_snowden@lavabit.com.

Sender address is ed_snowden@lavabit.com

Curiously, the lavabit.com service shut down a few months after Snowden was exposed, after refusing to hand over his correspondence.

Analysis of the sender's IP address also placed it somewhere in Hawaii, which is where Snowden worked for the NSA in 2012.

According to the author of the YouTube channel, Snowden managed several large Tor relays.

Runa Sandvik

The information was confirmed in 2014, when Runa Sandvik, one of the leading Tor developers, said that she had spoken with Snowden and that he told her he ran a large exit relay named TheSignal.

What does this all mean?

At the very least, that certain specialists have the ability to track traffic leaving the Tor network.

Next, we will look at what this affects and how a Tor user's current location can be determined with the help of exit relay sniffing.

What data did we intercept?

As I said, we also ran our own exit relay, for about 10 days in total.

Because of Tor's security design, new relays are treated with suspicion and receive little traffic at first. Even so, we managed to collect about 5 gigabytes of logs. Just imagine how much data goes through the major Tor exit nodes!

After analyzing the logs, we found nothing shocking. Almost all of it is encrypted, since most sites on the Internet have moved to HTTPS. Still, unencrypted data did turn up:

Unencrypted part of Tor’s exit relay dump

Note that some sites still request credentials over plain HTTP, so they are transmitted in the clear. Such sites can also leak files if they let users upload or download them over HTTP.

It is essential to make sure that the sites you visit through Tor use HTTPS. You can check this directly in the browser: there should be a lock icon to the left of the address bar.

Indication of encrypted connection between client and server in browser window

We were not trying to find anyone's personal data. What mattered to us was confirming that anyone can relatively easily gain access to gigabytes of other people's traffic, without even having to prove the "reliability" of their node to the system.
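What an exit operator actually gets from a plain-HTTP request versus an HTTPS connection is worth seeing side by side. The following is an added example, not code from this article or from Intercepter-NG: it parses a constructed HTTP login request (hostname, path, Basic auth, form fields and cookie are all readable) and a constructed TLS 1.2 ClientHello for the same hypothetical site, from which only the server name (SNI) can be read; everything after the handshake is opaque. The site name, credentials and cookie value are synthetic.

```python
"""Exit-relay vantage: plain HTTP vs HTTPS handshake (added example, synthetic data)."""
import base64
import struct
from urllib.parse import parse_qs

# Constructed sample: a login over plain HTTP as an exit relay would see it.
SAMPLE_HTTP = b"".join([
    b"POST /login HTTP/1.1\r\n",
    b"Host: shop.example\r\n",
    b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n",
    b"Content-Type: application/x-www-form-urlencoded\r\n",
    b"Cookie: session=abc123\r\n",
    b"Content-Length: 31\r\n",
    b"\r\n",
    b"username=alice&password=hunter2",
])


def inspect_http(raw: bytes) -> dict:
    """Parse a plaintext HTTP request and pull out everything credential-like."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    found = {"host": headers.get("host"), "method": method, "path": target, "credentials": {}}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
        found["credentials"]["basic"] = (user, pwd)
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        form = parse_qs(body.decode("latin-1"))
        for field in ("user", "username", "login", "email", "pass", "password", "passwd"):
            if field in form:
                found["credentials"][field] = form[field][0]
    if "cookie" in headers:
        found["credentials"]["cookie"] = headers["cookie"]
    return found


def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS 1.2 ClientHello carrying a server_name extension (constructed sample)."""
    name = hostname.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name          # name_type=host_name
    sni_ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"        # version, client random, empty session id
            + b"\x00\x02\xc0\x2f"                        # one cipher suite
            + b"\x01\x00"                                # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Walk a ClientHello record and return the SNI hostname, or None if not a ClientHello."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                       # record hdr, hs hdr, version, random
    p += 1 + record[p]                                   # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # cipher suites
    p += 1 + record[p]                                   # compression methods
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        if etype == 0:                                   # server_name
            name_len = struct.unpack("!H", record[p + 7:p + 9])[0]
            return record[p + 9:p + 9 + name_len].decode()
        p += 4 + elen
    return None


SAMPLE_TLS = build_client_hello("shop.example")
```

Running `inspect_http(SAMPLE_HTTP)` yields the username, the password twice (once from Basic auth, once from the form) and the session cookie; `extract_sni(SAMPLE_TLS)` yields only `shop.example`. That hostname is exactly the "recipient address" metadata discussed in the next section: HTTPS hides what you send, not whom you talk to.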

How can even encrypted data de-anonymize you?

So we obtained a whole layer of data. Yes, it is mostly encrypted. But every connection still exposes the following metadata in the clear:

  • Recipient address (for outgoing data);
  • Time;
  • The size of the data packets.

Even this information is useless for identifying a person unless we have additional data to compare it with.

That could be, for example, the same kind of metadata from the "input" side: the guard relays through which traffic enters the Tor network.

In that case, with suitable software, we can compare the traffic seen at the exit relay with traffic that can be tied to a specific person.

Let me explain with the following example.

Suppose a national security service controls several exit nodes of the Tor network and, at the same time, has access to the equipment of a large Internet provider. Say that someone breaks into a protected network through one of those exit nodes. The system automatically starts collecting the packets intercepted at the exit and comparing them with the packets intercepted at the input. Modern methods make it possible to match connections that occur at the same time at different points on the Internet quite accurately. If the attacker has taken no additional precautions, he will be identified.

But what if we set conspiracy theories aside and assume the intelligence services have no access to the entry side? I am sure that changes nothing. The list of Tor relays, guards included, has always been public. It is reasonable to assume that the services can, legally or by force, obtain access to the equipment of the provider that hosts a relay's server.

There is no guarantee that intelligence agencies are not monitoring the traffic of entry and exit nodes. In addition, they can obtain data from the Internet service providers of users within their jurisdiction (and, as Snowden showed us, outside it too).
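The comparison described above is a timing and volume correlation, and it does not need any decrypted content. The following added example (mine, not the article's and not any agency's tooling) simulates it on synthetic data: several hypothetical clients generate bursty activity as seen from an ISP vantage point, one of them is routed through a simulated Tor path that adds latency, jitter and re-packetization, and the observer at the exit bins both sides into one-second windows and picks the client whose byte-count series correlates best, trying a range of lags to absorb the unknown network delay. Client names, rates and delays are assumptions.

```python
"""End-to-end traffic correlation on synthetic flows (added example)."""
import random

CELL_ON_WIRE = 514      # bytes per Tor cell as seen on the client's link
CELL_PAYLOAD = 498      # bytes of application payload per cell, as seen after the exit
LAGS = [round(i * 0.1, 1) for i in range(11)]   # candidate guard-to-exit delays, 0.0..1.0 s


def synth_session(rng, duration=60.0, rate=0.3):
    """Bursty client activity: Poisson-timed 'page loads', each a burst of cells."""
    events, t = [], 0.0
    while t < duration:
        t += rng.expovariate(rate)
        for k in range(rng.randint(5, 40)):
            events.append((t + k * 0.01, CELL_ON_WIRE))
    return events


def through_tor(events, rng, latency=0.4, jitter=0.02):
    """The exit-side view of the same session: delayed, jittered, different packet sizes."""
    return [(t + latency + rng.gauss(0, jitter), CELL_PAYLOAD) for t, _ in events]


def bin_flow(events, window=1.0, n_bins=60):
    """Total bytes per time window; content is irrelevant, only (time, size) is used."""
    bins = [0] * n_bins
    for t, n in events:
        i = int(t // window)
        if 0 <= i < n_bins:
            bins[i] += n
    return bins


def pearson(a, b):
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return 0.0 if va == 0 or vb == 0 else cov / (va * vb) ** 0.5


def correlate(ingress, egress, lags=LAGS):
    """Best correlation over candidate delays, so the true latency need not be known."""
    a = bin_flow(ingress)
    return max(pearson(a, bin_flow([(t - lag, n) for t, n in egress])) for lag in lags)


def find_source(candidates, exit_flow):
    """candidates: {client_name: ingress_events}. Returns (best match, all scores)."""
    scores = {name: correlate(flow, exit_flow) for name, flow in candidates.items()}
    return max(scores, key=scores.get), scores


def demo(seed=7, n_clients=5, culprit="client3"):
    rng = random.Random(seed)
    candidates = {f"client{i}": synth_session(rng) for i in range(n_clients)}
    exit_flow = through_tor(candidates[culprit], rng)
    return find_source(candidates, exit_flow)


if __name__ == "__main__":
    best, scores = demo()
    for name, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{name}: {score:.3f}")
    print("matched:", best)
```

The match works because Tor preserves the shape of a session in time even though it changes every byte and every packet size. Padding, delaying or mixing traffic is what breaks it, and a client cannot do that alone; this is why the article insists on adding protection in front of Tor rather than trusting Tor alone.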

There is also an even more advanced way to de-anonymize users.

Today, even professional hackers use instant messengers and social networks for personal communication. Everyone has a sleep and wake schedule, and a number of biological traits leave subtle traces in our network activity.

For example, if a hacker is, hypothetically, breaking into the Pentagon, he is unlikely to be moving around. So you can discard everyone whose mobile phone is in motion at that moment. It is also unlikely that the hacker is posting Instagram stories at the same time, and so on.

Modern systems for collecting and analyzing Big Data can efficiently process and compare information on user activity in various segments of the Internet and, over time, constantly narrow the circle of "suspects". After some time (month, year, several years), enough matches are accumulated in order to find the culprit.

Darknet and Tor

The situation with the so-called darknet is somewhat more complicated.

The term is most often used for criminal sites reachable only through the Tor network. In reality, the darknet is a broader concept, only partly associated with the onion network.

The darknet inside Tor is less exposed, simply because it sits entirely inside the network, where tracking the location of sites and user activity is very difficult.

The successful operations I know of against consumers of illegal content and drugs were carried out "in reverse":

  • First, the owner of the .onion resource was figured out;
  • The owner and his resource were seized;
  • Then, for some time, accomplices were tracked, and visitors were identified.

In reality, there is no guarantee today that visitors to darknet sites are not being tracked there.

In developed countries, there are even whole networks of law enforcement officers who control the activities of prohibited sites, turning a blind eye to small customers to catch large suppliers.

How to keep yourself safe

So, we know the following weaknesses in Tor and the darknet:

  1. Exit nodes can see everything that is not encrypted end to end.
  2. Possible control of guard nodes.
  3. Possible control of .onion sites.

Are there tricks and tools that can protect the user from detection?

Yes, there are rules and tools that significantly improve the security of Tor. They apply both on the dark web and when using the onion browser to anonymize visits to regular sites or to bypass blocking.

The following step-by-step guide will greatly increase your security. The only way to reach 100% is to not do anything on the Internet that could be dangerous for you.

1. Install VPN

This can be an effective and reliable paid service, a less reliable and slower free VPN, or your own VPN server.

In this article, we will consider the first 2 options. Since your VPN server is less convenient and has less flexible tools, I strongly do not recommend this method.

A VPN works well together with Tor and greatly improves privacy (but don't forget about the Big Data analysis described above).

Paid VPN

A VPN is simple. A Virtual Private Network sets up an additionally encrypted tunnel between the user's device and the VPN company's server on the Internet. Such servers can be located in dozens of countries; ExpressVPN, for example, has servers in 94 countries.

I use a VPN every time I work or watch movies on streaming sites. This does not negatively affect Internet speed or computer performance. But at the same time, I am confident that no matter what site I visit, I will remain incognito, and my Internet provider will not know anything.

In addition, a VPN allows you to remove speed limits on streaming video.

As far as Tor is concerned, a paid VPN application does not noticeably affect speed, which matters because a Tor connection is always slower than the regular Internet. The additional rate-limiting of a free service can reduce speed to a critically low level at which Tor Browser stops opening websites.

Pros:
  • Maximum reliability
  • Unlimited speed
  • Additional safety features
  • Easy installation in a few clicks
  • Support for all platforms
  • Do not keep logs

Minuses:
  • Requires a monthly payment of $2-$12 depending on the service and the duration of the subscription

I would like to emphasize that a paid VPN has a Kill Switch feature. It manages the traffic of the device in use: if something breaks and the VPN connection drops, all traffic is blocked, so your real IP address is never sent to the Tor guard relay (and never shows up in your ISP's records as a direct Tor connection). After installation, check in the VPN application's settings that Kill Switch is enabled.

Free VPN

Same as a paid VPN, but with restrictions. Usually, a free VPN is a limited paid service plan.

Pros:
  • Good reliability
  • Easy installation in a few clicks
  • Support for most platforms
  • As a rule, they do not keep logs

Minuses:
  • Speed limited to 1-10 Mbit/s (and unstable)
  • Restricted selection of countries (1-3)
  • Traffic volume limits (0.5-10 GB per month)
  • Connection to the server may drop because of overload

A free VPN is suitable for non-critical tasks when maximum connection reliability is not needed. It is well suited for learning the principles of anonymity and allows you to change your "location" at no cost.

2. Activate the bridge

A Tor bridge is an unlisted entry relay: Tor Browser enters the Tor network through it, over an encrypted (and, with pluggable transports, obfuscated) channel, instead of through a public guard. It differs from a VPN in that you cannot choose the server's location, and it carries only Tor Browser's traffic, so essentially only web protocols. A VPN, by contrast, redirects all of the device's traffic (unless configured otherwise).

This function is built into the Tor browser and is described in more detail in a separate article.

When you first start the onion browser, you will be asked whether to use a bridge. I recommend enabling one right away. Which type of bridge you choose does not matter much; in some cases one of the options may not work because of Internet provider restrictions, but that too is resolved by using a VPN.

3. Do not use social networking sites and messengers through the Tor browser

Be careful on sites where you log in through Tor with credentials tied to your identity. All activity there is recorded, and from that data, OSINT tooling can identify you.

4. Never open links from Tor in a regular browser.

If interested parties publish a link that has to be opened in a regular web browser, they are most likely your enemies: opening it will reveal your real IP address.

With a VPN this particular trick is less dangerous, because it reveals the VPN server's address rather than yours. It still ties your Tor identity to a browser session outside Tor, so the safest rule is simply not to open such links at all.

5. The one rule for the darknet: keep changing nicknames.

If you are registered in some sites where your anonymity is important, then I recommend changing nicknames as often as possible. This will disarm those who are trying to collect patterns of your behavior and identify habits in order to correlate with data from other sources.

Senior Researcher
Dean Chester
Cybersecurity and online privacy expert and researcher. He's been published on OpenVPN, EC-Council Blog, DevSecOps, AT-T Business, SAP Community, etc. Dean has been testing VPNs for 8 years.
