| Subcribe via RSS

Tor and Security

February 18th, 2008 Posted in Privacy, Security, Tech, Web

tor_sticker.pngMaybe you have heard of Tor, a way to anonymize your internet traffic. Maybe you have even used it. I have and occasionally do. But as it gains popularity, it becomes more important to understand the limitations of Tor and internet anonymity. Most users confuse anonymity and privacy. Tor provides anonymity, but not privacy.

If that statement is confusing to you, your not alone. Recently a Swedish security researcher set up a sniffer (a computer with a network card that captures all network traffic) on the 5 Tor servers his company ran. He ended up capturing login credentials and messages, from embassies, human rights groups and corporations.

Tor basically works by obscuring your request though a random network of “Onion Servers” So anyone watching your traffic cannot tell where it came from or where it is going. The problem is that to and from are only a small part of what you should be concerned about. Any data that enters the Tor Network in cleartext, is passed around that network, and comes out in cleartext.

tor_network.jpg

Even scarier, it is pretty much taken for granted that at least some of the Tor servers are hosted by government organizations and hacker groups. Now I don’t mean to get out my tinfoil hat, but this makes perfect sense to me. What could be more tempting then a hacker group or a government intelligence agency knowing that people who want anonymous traffic will need to pass through a point on there network that they control.

All that would need to be done is to set up a computer that captures packets on the outbound side of the server and gather data. Now you would not know where that data is coming from, but the content might be in the clear. And having this data, you would know that there is a pretty good chance that the sender would want this data to be confidential.

So if you use Tor how can you protect yourself? The best thing would be to make sure that you are using encryption. You should never send use a protocol that transmits in the clear for sensitive information. Make sure you are using HTTPS for websites, scp or sftp for file transfers instead of ftp, ssh instead of telnet, etc..

Tor is a great tool, and used properly can be an important part of any privacy system. The limits of Tor though need to be understood and precautions taken to mitigate these risks.

Share and Enjoy:
  • Digg
  • del.icio.us
  • Reddit
  • StumbleUpon
  • Technorati
  • Facebook
  • Fark
Tags: , , ,
This entry was posted on Monday, February 18th, 2008 at 12:42 pm and is filed under Privacy, Security, Tech, Web. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply

You must be logged in to post a comment.