Friday, July 15, 2011

Tor: An Experiment in Anonymity

I first learned about Tor while reading about darknets and it has been in the back of my mind ever since. Every once in a while I would read something that mentioned Tor. Eventually my interest had been piqued enough that I wanted to know more about Tor.

Enter the Tor Project

Tor is free software that joins your computer to a volunteer-run network of relays. Your client builds a circuit through a small number of relays (normally three), wraps outgoing data in one layer of encryption per relay, and sends it down the circuit; each relay strips its own layer and passes the rest to the next hop, so only the last relay (the exit) sees the plaintext headed for the destination. Circuits are chosen by the client, not by the network, and are rotated periodically. Tor carries TCP streams, so ordinary web, mail, IM and IRC traffic can be routed through it; UDP traffic cannot. The anonymity comes from the fact that no single relay knows both who sent the traffic and where it is going: the first hop sees your IP address but not the destination, and the exit sees the destination but not your IP. This does not hold against an attacker who can watch both ends of the connection, since matching timing and volume at the entry with timing and volume at the exit reveals the pairing.
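To make the layering concrete, here is a toy onion-routing simulation. It is an added example written for this post, not code from the Tor project, and it simplifies in two ways: each relay is assumed to already share a symmetric key with the client (Tor negotiates those keys hop by hop while building the circuit), and each layer is sealed with a keystream derived from HMAC-SHA256, used here only to show the layering; it is not Tor's cipher and carries no integrity check. The relay names, keys, destination and payload are all constructed for the demo.

```python
"""Toy onion routing: one encryption layer per relay on the circuit.

Added example for this post, not code from the Tor project. Assumptions:
each relay already shares a 32-byte key with the client (real Tor derives
those keys hop by hop while building the circuit), and each layer is sealed
with a keystream derived from HMAC-SHA256 in counter mode, which is enough
to show the layering but is not Tor's cipher and carries no integrity check.
"""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16


def keystream(key, nonce, length):
    """Derive `length` bytes of keystream from (key, nonce) with HMAC-SHA256."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt one layer; a fresh nonce is prepended to the ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def unseal(key, blob):
    """Strip one layer that was sealed with `key`."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def build_onion(path, keys, dest, payload):
    """Wrap the request so relay path[i] can read only who path[i+1] is.

    The innermost layer (for the exit) carries the destination and payload;
    every outer layer carries just the name of the next hop plus the
    still-encrypted remainder.
    """
    layer = {"dest": dest, "payload": payload}
    blob = seal(keys[path[-1]], json.dumps(layer).encode())
    for i in range(len(path) - 2, -1, -1):
        layer = {"next": path[i + 1], "inner": blob.hex()}
        blob = seal(keys[path[i]], json.dumps(layer).encode())
    return blob


def run_circuit(path, keys, dest, payload):
    """Forward the onion hop by hop and record what each relay gets to see."""
    views = {}
    blob = build_onion(path, keys, dest, payload)
    prev_hop = "client"
    for name in path:
        layer = json.loads(unseal(keys[name], blob))
        if "inner" in layer:                      # middle of the circuit
            views[name] = {"from": prev_hop, "to": layer["next"]}
            blob = bytes.fromhex(layer["inner"])
        else:                                     # exit: plaintext destination
            views[name] = {"from": prev_hop, "to": layer["dest"],
                           "payload": layer["payload"]}
        prev_hop = name
    return views


def demo():
    """Three-hop circuit with constructed names, keys and request."""
    path = ["guard", "middle", "exit"]
    keys = {name: os.urandom(32) for name in path}   # assumed pre-shared keys
    return run_circuit(path, keys, "example.com:443", "GET / HTTP/1.1")


if __name__ == "__main__":
    for relay, view in demo().items():
        print(f"{relay:>6}: {view}")
```

Running it prints one line per relay: the guard sees "client" and "middle", the middle sees "guard" and "exit", and only the exit sees "example.com:443" and the request body. No single view contains both the client and the destination, which is the property the paragraph above describes; an observer sitting at both the guard's and the exit's network links is exactly what this construction does not defend against.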

Tor grew out of onion routing, a technique developed at the U.S. Naval Research Laboratory to protect government communications. Today Tor is open source and is used by people all over the world, including journalists, military and law enforcement personnel, and activists. It's used by people in countries such as China to reach information that would otherwise be censored or blocked.

After learning this from the Tor site, I was extremely excited to play with this technology. One download and a few command lines later I was running the Tor browser package. I quickly looked through the settings to find what options were available and what could be tweaked. I found that you could relay traffic for the Tor network. Cool! Providing uncensored internet access to people in oppressive countries is noble, right? Turn that option on and additional options become available, including some stuff about exit nodes.

What are exit nodes? They are relays that provide the exit point for data leaving the Tor network. An exit relay strips the last layer of onion encryption and opens the TCP connection to the requested server on the client's behalf, so from the server's point of view the traffic is coming from the exit node's IP address, and any abuse complaint goes to whoever runs the exit. The exit also sees whatever the application protocol sends: with HTTPS, only the destination host and port and an encrypted stream; with plain HTTP, POP3/IMAP or IRC without TLS, the full content, which a malicious exit could read or modify. Which destinations and ports an exit will connect to is set by its exit policy. So, enthusiastically, I checked most if not all of the boxes available, allowing HTTP, HTTPS, email, IM and IRC, as well as miscellaneous other services. Part of me also wanted to see what this data looks like coming across the network.
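The boxes checked in the GUI correspond to ExitPolicy lines in torrc, and the relay-only setting the post settles on later is simply ExitPolicy reject *:*. The following is an added example, not code from the original post or from Tor: it parses ExitPolicy lines and applies Tor's first-match rule to candidate destinations, so you can see in advance what an exit would and would not connect to before turning it on. It assumes that a destination matched by no rule is rejected (Tor itself appends its built-in default policy in that case), and the two torrc snippets and the list of destinations are constructed for the demo.

```python
"""Apply Tor-style ExitPolicy rules to candidate destinations.

Added example for this post, not code from the original page and not Tor's
own implementation. It parses torrc ExitPolicy entries
(accept|reject ADDR[/MASK]:PORT or :LO-HI, with '*' and 'private' as Tor
allows) and applies first-match semantics. Assumption made here: a
destination matched by no rule is rejected (Tor instead appends its
built-in default policy).
"""
import ipaddress
from dataclasses import dataclass

# Blocks Tor's 'private' keyword covers (besides the relay's own addresses).
PRIVATE_NETS = tuple(ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass(frozen=True)
class Rule:
    accept: bool
    nets: tuple   # () means any address ('*')
    lo: int       # inclusive port range
    hi: int

    def matches(self, ip, port):
        in_net = not self.nets or any(ip in net for net in self.nets)
        return in_net and self.lo <= port <= self.hi


def _parse_ports(spec):
    if spec == "*":
        return 1, 65535
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return lo, hi


def _parse_nets(spec):
    if spec == "*":
        return ()
    if spec == "private":
        return PRIVATE_NETS
    return (ipaddress.ip_network(spec, strict=False),)  # host bits tolerated


def parse_rule(entry):
    """Parse one 'accept ADDR:PORTS' / 'reject ADDR:PORTS' entry."""
    action, _, pattern = entry.strip().partition(" ")
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action in {entry!r}")
    addr, sep, ports = pattern.strip().rpartition(":")
    if not sep:
        raise ValueError(f"missing port in {entry!r}")
    lo, hi = _parse_ports(ports)
    return Rule(action == "accept", _parse_nets(addr), lo, hi)


def parse_policy(torrc):
    """Collect ExitPolicy entries from torrc text in order; other lines are ignored."""
    rules = []
    for raw in torrc.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("ExitPolicy "):
            for entry in line[len("ExitPolicy "):].split(","):
                rules.append(parse_rule(entry))
    return rules


def exit_allowed(rules, dest_ip, dest_port):
    """First matching rule decides; nothing matched -> reject (see module doc)."""
    ip = ipaddress.ip_address(dest_ip)
    for rule in rules:
        if rule.matches(ip, dest_port):
            return rule.accept
    return False


# Constructed torrc snippets. OPEN_EXIT is roughly the 'check every box'
# choice from the post (web, mail retrieval, IM, IRC); RELAY_ONLY is the
# no-exit setting the post ends up with.
OPEN_EXIT = """
ORPort 9001
Nickname ExampleExit
ExitPolicy reject private:*
ExitPolicy accept *:80, accept *:443
ExitPolicy accept *:110, accept *:143, accept *:993, accept *:995
ExitPolicy accept *:5222, accept *:6660-6669
ExitPolicy reject *:*
"""

RELAY_ONLY = """
ORPort 9001
Nickname ExampleRelay
ExitPolicy reject *:*
"""

# Constructed (ip, port) pairs to test against.
DESTINATIONS = [
    ("93.184.216.34", 443),   # HTTPS
    ("93.184.216.34", 6667),  # IRC
    ("93.184.216.34", 6881),  # a common BitTorrent port
    ("192.168.1.10", 80),     # private address, caught by 'reject private:*'
]


def summarize(torrc, destinations=DESTINATIONS):
    """Map each (ip, port) to True (exit would connect) or False."""
    rules = parse_policy(torrc)
    return {dest: exit_allowed(rules, *dest) for dest in destinations}


if __name__ == "__main__":
    for name, cfg in (("open exit", OPEN_EXIT), ("relay only", RELAY_ONLY)):
        print(name)
        for (ip, port), ok in summarize(cfg).items():
            print(f"  {ip}:{port:<5} {'connect' if ok else 'refuse'}")
```

A port-based policy is a weak filter against the kind of traffic the post worries about: BitTorrent clients can listen on any port, including 443, so rejecting 6881-6999 does not keep P2P traffic off an exit. The only policy that reliably keeps your IP out of a destination's logs is reject *:*, which is what the relay-only setting amounts to.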

In the meantime I continued surfing around the internet reading more about exit nodes, since this was a new concept to me. I found material describing how they work, how to configure one, and advice on how to run an exit node with minimal harassment from ISPs.

After an hour or two I noticed that there was a decent amount of traffic flowing through Tor; about 20MB had been transferred. What did it look like? The traffic between Tor nodes was definitely encrypted, and exiting web requests seemed to be encrypted over HTTPS. I don't recall seeing any other data, but who knows, I wasn't looking really hard.

This got me thinking: what kind of requests had come out of my exit node? My first thought was BitTorrent data or similar P2P data. I don't want to deal with calls from my ISP about DMCA takedowns, so I decided to stop running an exit node and just run in relay mode.

The next day I moved the relay to a hosted server rather than keeping it at my residence. I also contemplated running it as an exit node on the hosted server but ultimately decided against that. Initially I made this decision again because of possible DMCA takedown notices, but I also contemplated the possibility of attacks being launched from my exit node. Over the next few days I kept reading about exit nodes and people's experiences with them. I ran across a handful (about 3 or 4) of horror stories of Tor exit nodes being implicated in accessing illegal porn. That is definitely something I don't want to be tied up in. So, I feel that my decision to leave my Tor node set to relay-only mode is the correct one. I'll leave exit nodes to people and organizations that can deal with the legal ramifications of abuse.

The only question in my mind right now is, during those two hours my exit node was running, what data was requested from my IP? I will probably never know. With approximately 2600 exit nodes out there, I don't think there was a very high probability that something terrible was requested from my slow-rated exit node. I think most of the data transferred was relay data rather than exit data. But you never know. Here's to the police not kicking down my door.