Start at the Top

By Dr. Neal Krawetz

Every now and then I write about the problems with TOR. For example:

  • 2010: TOR does not provide protection when you’re on a hostile network.
  • 2012: TOR does not provide everything needed to be anonymous.
  • 2014: Why do banks permit logins via TOR? Especially since TOR is frequently associated with banking fraud.
  • 2014: The Electronic Frontier Foundation (EFF) recommended that everyone should run a TOR relay. However, they didn’t mention the impact to your bandwidth and liability. For example, if someone uses your TOR relay to download child porn, then the police will kick in your door because it looks like the network request came from you. Even after you get through this explanation (which may take days or weeks, depending on how non-technical the police are), you still have a broken door. And I’m not being theoretical here. Earlier this year, a TOR relay operator was raided because someone used his TOR node to download child porn.

    There’s also the problem with ISP contract limitations that the EFF overlooked. Most ISP contracts have a clause that prevents reselling residential services (open relays fall under this classification) or using a residential connection to host a service (hosting is a commercial activity). Even if your ISP hasn’t shut you down yet, it doesn’t mean they permit it. TOR is a service that relays users, so running a TOR relay may violate the contract terms.

This isn’t even the full list of problems with TOR. TOR does one thing really well: it anonymizes one part of the network stack. However, the network stack has many parts. If you don’t anonymize the entire thing, then you are not anonymous.

More Recently

This year, I’ve been detecting more issues with TOR. FotoForensics came under a network attack via TOR nodes. And this is after multiple reports have pointed out that TOR is predominately used for malicious activities.

I started doing some experiments and found inconsistent network responses when using TOR. As a TOR user, you can be victimized by the entry (guard) node, exit node, any server you connect to, and any of the hidden services directory servers. There are also issues related to running your own TOR hidden service. You can expect to be attacked by TOR users, hidden service directory servers, and others who want to deanonymize the service.

A few days ago, the TOR Project retweeted a cute animated GIF. The picture shows how to get on TOR if you’re otherwise blocked. They say, if you can’t get on TOR, you should:

1. Send an email to
2. Install the software they send to you.
3. Configure it for your country (China, Iran, etc.)
4. Configure the network bridges

Of course, I’m thinking: If I were one of these countries that block TOR, or if I just wanted to screw with TOR users, I could:

1. Intercept email to/from
2. Respond with malware named “tor.exe”.
3. $$$ Profit!

The author of the tweet responded. He pointed out that they also ship gpg signatures and can use TLS email. So… I can ship my own gpg signatures and use my own TLS email. Sure, it doesn’t match, but if I’m already hijacking the network in order to intercept email, then I can hijack gpg signature lookups and TLS responses in order to make sure it appears valid for you.
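As an added illustration of the "it doesn't match" point above (this is not code from this blog or from the TOR Project): a check that accepts a download only when GnuPG's `--status-fd` output reports a valid signature whose primary-key fingerprint equals one pinned in advance. The fingerprints and status lines are constructed samples, and the pin is assumed to have been obtained over a channel the interceptor does not control.

```python
# Added example. Status lines and fingerprints below are constructed samples.
PINNED = "1111222233334444555566667777888899990000"  # placeholder pin, obtained out-of-band
ROGUE = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"   # constructed interceptor key

def _fields(status_text):
    """Yield the fields that follow '[GNUPG:]' on each status line."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            yield parts[1:]

def check_download(status_text, pinned_fpr):
    """Accept only a valid signature whose primary key is the pinned one."""
    primaries = []
    for f in _fields(status_text):
        if f[0] in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return "reject: " + f[0]
        if f[0] == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsvd> <pk> <hash> <class> [<primary-fpr>]
            primaries.append((f[10] if len(f) > 10 else f[1]).upper())
    if not primaries:
        return "reject: no valid signature"
    if any(p != pinned_fpr.upper() for p in primaries):
        return "reject: signed by unpinned key"
    return "accept"

def _status(fpr, name):
    """Build the status lines gpg emits for a signature that verifies under key fpr."""
    return ("[GNUPG:] NEWSIG\n"
            f"[GNUPG:] GOODSIG {fpr[-16:]} {name}\n"
            f"[GNUPG:] VALIDSIG {fpr} 2016-07-17 1468781220 0 4 0 1 8 00 {fpr}\n")

NAME = "Release Signing Key (constructed)"
GENUINE = _status(PINNED, NAME)
# A substituted key can carry the same user ID, so GOODSIG alone looks identical.
SUBSTITUTED = _status(ROGUE, NAME)
TAMPERED = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {PINNED[-16:]} {NAME}\n"

if __name__ == "__main__":
    for label, status in (("genuine", GENUINE), ("substituted", SUBSTITUTED),
                          ("tampered", TAMPERED), ("unsigned", "")):
        print(f"{label:12} {check_download(status, PINNED)}")
```

The substituted case still produces a `GOODSIG` line with the expected name; only the comparison against the pinned fingerprint separates it from the genuine one.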

(As one of my associates pointed out: Viewing the animated GIF requires JavaScript from 3 different hosts. He sarcastically added, “Yay minimizing the amount of anonymizing-busting client-side code that their audience needs to allow to execute!”)

To put it bluntly: The entire concept of TOR is based on trust. However, the trust model is broken.

Inherent Problems

Of all of my criticisms concerning TOR, I think the biggest is the indifference from the TOR Project. They know that TOR is often used for criminal activity. They know that TOR is often used for spam and network attacks. They are well aware that their hidden services are regularly used for human trafficking, child exploitation, and contraband. Yet, as an organization, they do nothing to address these issues.

The argument for supporting these types of activities is typically along the lines of “it’s not illegal everywhere”. However, this argument has problems. For example, there are only a handful of countries where drug trafficking is unregulated and legal, and I don’t think any of them have TOR entry or exit nodes. (Drug use may be permitted in your country, but trafficking is likely still regulated.) And unless the majority of TOR hidden services are being used by people in Mongolia, Bolivia, or a handful of other countries that lack child pornography laws, these hidden services are likely illegal.

This ability to overlook obvious problems is not just in the TOR software. It appears to also be part of TOR’s culture and management. Last month, one of TOR’s key developers resigned amid sex abuse claims. This seems to have been widespread knowledge within the TOR Project, with no steps taken to address the issue.

Cleaning House

The only way I can see to resolve issues like these is to replace the key personnel. You have to change the mindset and culture before you change the code.

And amazingly, that is exactly what the TOR Project just did! The TOR Project replaced their board with a new set of directors. The list of new board members reads like a who’s who of knowledgeable people in the fields of computer security, privacy, and cryptography. Although the news reports say that the TOR Project replaced their board members due to the sex abuse scandal, I certainly hope that this has implications further down the line.

July 17, 2016 at 06:47PM
via The Hacker Factor Blog