The Anti-virus Times

Friday, January 13, 2023

In previous issues of the Anti-Virus Times, we've often touched on anonymity and online safety. In particular, we talked about VPN technology, which can be very useful but, at the same time, cannot guarantee absolute privacy and protection for user data. On multiple occasions in our materials devoted to digital hygiene, we mentioned that absolute privacy on the Internet is unattainable. Therefore, even using various tools and evasion techniques, you should always first observe at least basic security measures. This is the main thing that any user should understand. At the same time, knowing how widely used privacy-enhancing technologies and tools work will never go amiss. So, in today's issue, we're going to talk about Tor.

Many of our readers have probably heard words like “Tor Browser”, "onion", "onion routing", and "the darknet" multiple times. One of our previous issues in particular was devoted to the darknet. And it’s true that many users associate Tor with crime and criminal activity. But today we will not talk about how to access the darknet but about using Tor as a tool for working anonymously in a public network—the Internet. We will tell you about the general principles of its operation and figure out how well Tor protects the data that you exchange online.

There is some confusion about definitions when it comes to what Tor is. Strictly speaking, Tor is anonymous network-connection software that uses Onion routing technology. Tor should not be confused with Tor Browser. The latter is the official client application for connecting to the Tor network and is a modified web browser. It is the Tor browser that allows the average user to work in this network "out of the box", that is, with default settings.

Let's see how a data transfer works on the Tor network and how data protection is ensured. Just like VPN, Tor works "over" the global network—the Internet. There’s a reason the Internet is called the "World Wide Web"—you can think of the threads of the web as routes for transmitting information, and the intersecting lines as network nodes and computers that receive and transmit information through it. While surfing the web and wanting, for example, to visit drweb.com, your request goes through your provider, and then your network packets go through one path (usually the shortest one) along the web lines to the desired node. This is called routing. As noted above, Tor itself is a network, and its routing is arranged differently. Tor uses intermediate nodes or routers to make your network traffic go along a more confusing route. Therefore, the Tor network can be regarded as a decentralised system of proxy servers that are involved in the transfer of data between you and the destination endpoint. But, alas, it’s not that simple.

Each node in Tor has its own role. In addition, encryption is used when data is transferred. Once you have established a network connection, your request is sent to the entry node. The entry node knows your IP address but does not know the destination; moreover, at this stage, the traffic between you and the entry node is already encrypted. Then, traffic goes to intermediate nodes. Their task is to redirect traffic to the exit node; as a result, the entry point and exit point in the Tor network do not know anything about each other. The exit node, in turn, serves to exit your traffic from the Tor network and directs your request to the endpoint. This node knows which site you're connecting to, but it doesn't know your identity. Therefore, the site cannot track your IP address and current location, as it only communicates directly with the exit point.

Another interesting feature of Tor is the principle of layer-by-layer traffic encryption, similar to onion layers. The original message (the onion kernel) is encrypted so that only the exit node can decrypt it—this is the first layer of encryption. Then it is encrypted again so that only the intermediate node can decrypt it—this is the second layer. Finally, it is encrypted again, and only the entry node—the third layer—can decrypt it. In this form, the encrypted message arrives at the entry node. Thus, each node on the message path decrypts its layer and receives only the metadata needed for sending. The original message is open only to the exit node, which sends it to the endpoint. This approach allows us to regard the intermediate nodes in the Tor network with minimal trust because it is mathematically unlikely for the original message to be intercepted and decrypted.

In theory, everything sounds quite safe. Unfortunately, in reality, even such an interesting concept has limitations and security gaps. First, in view of the implementation, your ISP or an interested party can track the fact that you have connected to the Tor network. They will not see the content of the message or the destination address, but the fact the connection was made will itself be recorded. How critical this is for you depends on the situation, but you should remember this. In the same way, the destination web resource can track that nodes from the Tor network are communicating with it, which can also be a disclosing sign.

As you might have guessed, the main responsibility lies with the exit nodes because they provide access from the Tor network and communication with the destination endpoints. The exit node can be organised by anyone—both an ideological anti-censorship fighter and an attacker, or any person pursuing their goals. The community that maintains the Tor network tries to combat dishonest exit nodes, but it should be assumed that a portion of them is always under surveillance. As noted above, the exit node operator does not know your IP address and location, but they know the intermediate node from which the request came or where to send the response. In addition, the use of unsecured protocols when communicating with a site (HTTP instead of HTTPS) allows the operator of the exit node to analyse and even modify your network traffic. Therefore, only secure protocols should be used for an exchange, despite the presence of encryption within the Tor network.

Separately, it is worth noting that, according to the community, using Tor by default does not make your computer one of the nodes of the network and especially does not make it an exit node. However, developers have the right to change the algorithms and settings of the software, which does not guarantee that your PC will not be used in this way in the future.

Another danger is a modified or malicious Tor executable file that the user can download by mistake. It should also be noted that using an "onion network" does not reduce the risk of acquiring a malware infection via the Internet.

Finally, we want to note that using Tor, just as VPN, is largely a matter of trust. Both software and conceptual vulnerabilities always pose a certain threat. The average user can only decide how, when, and to what extent to trust or distrust any company, community, or group of unknown people. It is the latter with whom we most often interact on the World Wide Web.