For a long time, analysts and security professionals have relied on The Onion Router (Tor) for anonymity and privacy when conducting OSINT, but practitioners who rely on Tor alone could be leaving themselves exposed to attack and identification.
When I first started conducting open-source intelligence (OSINT), using Tor was common practice as a way to add some protection while doing this research: it is one way to hide the identity of the researcher. But Tor is not as private as most people assume, and its anonymity depends on every link in the chain holding; if one part of that chain breaks, the privacy and anonymity go with it. We are going to look at several things to identify whether Tor is really private or not.
What is The Onion Router (Tor)?
In order to have a better understanding of whether Tor is really private, we need some background on Tor. The Tor Project, Inc., became a non-profit organization in 2006, but the idea of “onion routing” dates back to the mid-1990s, when it was developed by researchers at the U.S. Naval Research Lab (NRL) to counter the lack of security on the internet and the ease with which it could be used for tracking and surveillance.
Onion routing was conceived to run on a decentralized network whose operators have diverse interests and trust assumptions. To make this possible, the software for the network needed to be free and open, to maximize transparency and decentralization. So in 2002, when the Tor network was deployed, the software was released as free and open source for everyone to use. In its early days the network had about a dozen volunteer nodes, mostly in the United States, plus one in Germany.
The Tor Browser was released in 2008 in response to censorship and the need to get around government firewalls so that users could access the open web. Until then, using the Tor network required users to be fairly tech-savvy; the browser let non-technical users get the same benefits with a simple download. This was instrumental during the Arab Spring, beginning in late 2010, as it protected people’s identities while letting internet users and activists reach critical resources, social media and websites that were blocked, a critical tool for organizing.
Tor’s layers of encryption
Tor encrypts a user’s traffic in three layers and relays it through a circuit of three volunteer computers (the guard, middle and exit relays) chosen from thousands around the world. At each hop, the relay strips off its own layer of encryption, learns only the address of the next hop, and forwards the rest. This design makes it extremely difficult for any single observer to trace a connection from origin to destination, and it reduces the effectiveness of targeted surveillance. In countries like Iran and China it acts as an important anti-censorship tool, since it hides any direct connection to domains like Google, Facebook and Twitter that oppressive regimes often block. One thing to be aware of: the final relay in the circuit, the “exit node,” is where the last Tor layer comes off. It sees the destination your traffic is going to and, if the site is plain HTTP, the full content of your requests; with HTTPS it sees only the destination host, not the content. It does not learn where that traffic originated. This means that if an exit node is operated by law enforcement, intelligence services or malicious hackers, they can see what is being done through it and begin to build a profile of that activity. (https://www.wired.com/story/the-grand-tor/)
Fast forward to 2013: when mass surveillance became a mainstream concern after Edward Snowden’s disclosures, it drove a bigger call for tools to safeguard people’s privacy. This is why the Tor network has grown to thousands of relays run by volunteers and millions of users worldwide. (https://www.torproject.org/about/history/)
Should you be using Tor for everyday browsing?
Based on the above, many would think the Tor Browser should be the default choice, as it has been designed to protect your privacy on the internet. That said, there are some issues with using it for everyday browsing. The first shortcoming is latency: every request is relayed through three volunteer relays of varying bandwidth, so ordinary clearnet sites load noticeably slower than they would over a direct connection, and .onion services, which add the service’s own three-hop circuit on top of yours, are slower still. While you gain privacy protection, it comes at the cost of speed, which may frustrate normal users. It is less of an issue for advanced users, researchers or analysts, who are used to some latency in their tooling.
Another critical misconception is that you are anonymous simply because of the multiple hops your traffic takes to reach the page you want. Tor provides a meaningful level of anonymity, but there are ways to identify or locate a Tor user: an adversary who can observe traffic at both ends of a circuit can correlate it, the browser itself can be exploited, and users make operational mistakes such as logging in to an account tied to their real identity. None of this is simple, because of the layers outlined above, but it can and has been done. The network is nowhere near foolproof for anonymity needs. I have heard stories of a user who was conducting research on the dark web getting a visit from law enforcement because of that research.
The last issue is that you are putting your privacy and the protection of your personal information in the hands of the Tor Browser itself. Why this could be a concern is covered in detail below.
Is Tor protecting your privacy while you research?
When you look at the Tor Project’s website, it lists a number of things the Tor Browser protects you from. The list includes:
- Blocking trackers
- Defending against surveillance
- Resisting fingerprinting
- Multi-layered encryption
These are all good things, and they do provide protection, but they can also make you stand out. Third-party trackers and ads can be used to deliver malware to your computer, so blocking them is an important security consideration, and Tor Browser clearing cookies and browsing history when it closes is likewise welcome. The catch is that this uniform, locked-down profile is shared by every Tor Browser user and by almost nobody else, and Tor exit relays are publicly listed, so a site can tell at a glance that a visitor is coming from Tor even if it cannot tell who they are. The sections below look at how that can be turned against a researcher.
Using Tor for anonymous research
The Tor Browser’s own claim of defending against surveillance is something I have to question. Those stories I have heard about Tor Browser users being paid a visit by law enforcement should make users worry that bad actors could do the same. Defending against surveillance and resisting fingerprinting go hand in hand, but stripping yourself of all identifying factors can make you more suspicious to web admins and site operators, not less. As researchers we want to draw less attention when we browse, and blending in means looking like everyone else on the internet. A Tor Browser user does not: every Tor Browser presents the same deliberately uniform fingerprint (it is built on Firefox ESR and runs on Windows, macOS, Linux and Android, but is designed so that all installs look alike), and the request arrives from an IP address on the public list of Tor exit relays. That combination is trivial to spot.
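To make the point concrete, here is an added example (not from the original article, and not Tor Project code) of how a site operator would spot Tor visitors in an ordinary web-server access log. The Tor Project publishes the addresses of current exit relays at https://check.torproject.org/torbulkexitlist, one per line, so flagging a request is a parse and a set lookup. The exit list and the log lines below are constructed for this demo using RFC 5737 / RFC 3849 documentation addresses; the paths and user agents are made up.

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Constructed stand-in for https://check.torproject.org/torbulkexitlist.
# Documentation addresses only; none of these is a real relay.
EXIT_LIST_TEXT = """\
192.0.2.10
192.0.2.11
198.51.100.7
2001:db8::44
"""

# Constructed access-log lines in Combined Log Format.
ACCESS_LOG = """\
192.0.2.10 - - [12/Mar/2024:10:01:07 +0000] "GET /research/report.pdf HTTP/1.1" 200 88123 "-" "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"
203.0.113.5 - - [12/Mar/2024:10:01:09 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0 Safari/537.36"
198.51.100.7 - - [12/Mar/2024:10:01:12 +0000] "GET /research/report.pdf HTTP/1.1" 200 88123 "-" "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"
203.0.113.9 - - [12/Mar/2024:10:02:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Version/17.3 Safari/605.1.15"
2001:db8::44 - - [12/Mar/2024:10:03:01 +0000] "GET /research/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def load_exit_set(text: str) -> set:
    """Parse the exit list into normalized address objects, so IPv6 spelling
    variants (e.g. leading zeros) still match."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            exits.add(ipaddress.ip_address(line))
    return exits


def parse_clf(line: str) -> dict | None:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def flag_tor_requests(log_text: str, exits: set) -> list[dict]:
    """Return the parsed entries whose client address is a known Tor exit."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_clf(line)
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry["ip"])
        except ValueError:      # hostname or garbage in the client field
            continue
        if addr in exits:
            entry["tor_exit"] = True
            flagged.append(entry)
    return flagged


def tor_paths(flagged: list[dict]) -> Counter:
    """Which resources the Tor-sourced requests pulled: the seed of a profile
    of 'what the Tor users are interested in' on this site."""
    return Counter(e["path"] for e in flagged)


if __name__ == "__main__":
    hits = flag_tor_requests(ACCESS_LOG, load_exit_set(EXIT_LIST_TEXT))
    for e in hits:
        print(f'{e["ts"]}  {e["ip"]:<16} {e["method"]} {e["path"]}  (Tor exit)')
    print(tor_paths(hits))
```

Run as a script, it prints the three Tor-sourced requests and shows that two of them fetched the same report. The same lookup works in reverse: before starting work, a researcher can confirm whether their own egress address is on the list, which is the check https://check.torproject.org performs when you load it from Tor Browser.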
Who’s doing the encrypting?
The last claim, multi-layered encryption, is true, but it is worth being precise about what is encrypted where. Each relay removes only its own layer, so by the time traffic leaves the exit relay for the site you want to visit, all of Tor’s layers are gone and the exit forwards whatever your application sent. If that is plain HTTP, the exit sees and can modify the request and the response; if it is HTTPS, the exit sees only the destination host and an encrypted stream it cannot read or alter without breaking the TLS session. The earlier hops are encrypted and the relays are chosen at random, so someone listening at the exit has a hard time learning anything about where the traffic originated. However, all of these relays are volunteer-run, and nothing stops an exit operator from logging what passes through in the clear or injecting trackers and other identifiers into unencrypted traffic. A decentralized network is only as trustworthy as its open-source code and its operators. I’m certain most volunteers are privacy and free-speech advocates who feel passionately about the network, but you simply do not know who is operating the relays your traffic crosses, so you have to ask yourself: is it worth the risk?
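The three-hop peel described under “Tor’s layers of encryption” and the exit-relay exposure discussed in this section, as one added worked example. This is not code from the original article or from the Tor Project: it is a constructed toy in which an HMAC-SHA256 counter-mode keystream stands in for Tor’s per-hop AES-CTR, per-hop keys are handed to both sides directly instead of being negotiated with Tor’s ntor handshake, and the hop names, key material, `example.com` destination and HTTP request are all made up. What it shows is that each relay learns only the next hop; that the exit sees the destination and, for plain HTTP, the whole request, which it can rewrite; and that behind an HTTPS-like end-to-end layer the exit sees only the host name, with any tampering caught at the destination.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

LABEL_LEN = 16   # fixed-width "next hop" header inside every onion layer
NONCE_LEN = 16
TAG_LEN = 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode XORed over data: a toy stand-in for the
    per-hop AES-CTR layers Tor uses. Symmetric, so it both wraps and peels."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _label(name: str) -> bytes:
    return name.encode().ljust(LABEL_LEN, b"\0")


def wrap_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """One onion layer: nonce || Enc_key(next_hop || inner)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, _label(next_hop) + inner)


def peel_layer(key: bytes, onion: bytes) -> tuple[str, bytes]:
    """What a relay does: strip exactly its own layer, learn only where to forward."""
    nonce, body = onion[:NONCE_LEN], onion[NONCE_LEN:]
    plain = _keystream_xor(key, nonce, body)
    return plain[:LABEL_LEN].rstrip(b"\0").decode(), plain[LABEL_LEN:]


def build_onion(hop_keys: dict[str, bytes], route: list[str], dest: str, payload: bytes) -> bytes:
    """Client side: the exit's layer goes on first, the guard's layer last."""
    onion, next_hop = payload, dest
    for hop in reversed(route):
        onion = wrap_layer(hop_keys[hop], next_hop, onion)
        next_hop = hop
    return onion


def tls_seal(session_key: bytes, host: str, plaintext: bytes) -> bytes:
    """Toy end-to-end layer standing in for HTTPS: the host stays visible (like
    the TLS SNI); the request is encrypted and MACed under a key that only the
    client and the destination hold, never the relays."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(session_key, nonce, plaintext)
    tag = hmac.new(session_key, nonce + ct, hashlib.sha256).digest()
    return _label(host) + nonce + ct + tag


def tls_open(session_key: bytes, record: bytes) -> bytes | None:
    """Destination side. Returns None if anyone on the path altered the record."""
    nonce = record[LABEL_LEN:LABEL_LEN + NONCE_LEN]
    ct, tag = record[LABEL_LEN + NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(session_key, nonce + ct, hashlib.sha256).digest()
    return _keystream_xor(session_key, nonce, ct) if hmac.compare_digest(tag, expected) else None


def simulate(payload: bytes, https: bool, malicious_exit: bool) -> dict:
    """Push one request through guard -> middle -> exit and report what each hop
    learned, what the exit could read, and what the destination received."""
    route = ["guard", "middle", "exit"]
    hop_keys = {hop: secrets.token_bytes(32) for hop in route}  # toy: shared directly, not via ntor
    session_key = secrets.token_bytes(32)                       # client <-> destination only
    dest = "example.com"
    app_data = tls_seal(session_key, dest, payload) if https else payload
    onion = build_onion(hop_keys, route, dest, app_data)

    learned = {}
    for hop in route:
        learned[hop], onion = peel_layer(hop_keys[hop], onion)
    # `onion` is now exactly what the exit relay forwards to the destination.
    if malicious_exit:
        if https:
            # The exit cannot locate the headers; the most it can do is corrupt ciphertext.
            i = LABEL_LEN + NONCE_LEN
            onion = onion[:i] + bytes([onion[i] ^ 0x01]) + onion[i + 1:]
        else:
            # Plain HTTP: the exit can rewrite the request at will, e.g. inject a header.
            onion = onion.replace(b"\r\n\r\n", b"\r\nX-Tracker: injected-by-exit\r\n\r\n", 1)

    if https:
        exit_can_read = onion[:LABEL_LEN].rstrip(b"\0").decode()  # only the host name
        delivered = tls_open(session_key, onion)
    else:
        exit_can_read = onion.decode()                            # the entire request
        delivered = onion
    return {"learned": learned, "exit_can_read": exit_can_read, "delivered": delivered}
```

Call `simulate(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", https=False, malicious_exit=True)` and the returned `learned` map shows the guard knowing only “middle”, the middle only “exit”, and the exit only “example.com”, while `delivered` carries the injected `X-Tracker` header all the way to the site. Flip `https=True` and the exit’s readable view shrinks to the host name; with a tampering exit, `delivered` comes back `None` because the destination’s integrity check fails. That is the practical meaning of the caveat above: Tor hides who you are from the exit, but only HTTPS (or another end-to-end layer) hides and protects what you send.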
How to protect yourself on Tor
So while the Tor network grew out of military and government research, this has changed since it was released to the public. It now serves legitimate and illegitimate purposes alike and can be useful to regular users, researchers and analysts. With that in mind, users, researchers and analysts should incorporate security measures beyond the Tor Browser alone.
If you do not have access to a managed attribution solution, you should probably invest in a virtual private network (VPN) service like NordVPN, ExpressVPN or PIA to give yourself some extra protection while using the Tor network and Tor Browser. Additionally, you can use a proxy service like Smartproxy, Bright Data or IPRoyal. The goal is to layer protection over protection: a proxy service, a VPN service and then the Tor Browser. Be clear about what each layer buys you, though. Connecting to Tor through a VPN hides the fact that you use Tor from your ISP and from the Tor guard relay, but it moves that knowledge to the VPN provider, who now sees your real address, and the Tor Project itself cautions that adding a VPN or proxy does not automatically improve anonymity and can weaken it if the ordering or configuration is wrong.
Layering these services is the best way to protect yourself and your personal information from cyber threats, but every one of them has to be working and configured correctly to be effective. If one layer fails or is misconfigured, for example when a VPN tunnel drops without a kill switch and traffic falls back to your real address, you could be putting yourself at risk without knowing it.
Lastly, these solutions are not cheap, and cost needs to be taken into consideration when deciding how best to protect you and your organization from threats, whether you are just surfing the internet or conducting research or an investigation.
The only way to foolproof dark web access
Again, this is not to say the Tor Browser is not useful to an everyday user, but there is more to consider when using it day to day. Even with a VPN and a proxy service, you are stacking slices of Swiss cheese and hoping the holes don’t line up. If your personal or company security requires more of a guarantee than a hope and a prayer, managed attribution is the only solution.
To see firsthand how tools like Silo can help you safely utilize the dark web in your investigation, request a demo.
Learn more about researching on the dark web with our dark web series:
- Leveraging the dark web in online investigations: Why you should utilize the dark web in your investigation, where to begin and how to protect yourself (and your company) along the way.
- 3 things to consider before you start your dark web investigation: When trying to determine if you should begin a dark web investigation, ask yourself these three questions concerning content, risk and precautions.
- Essential tools for improving surface and dark web research: Leveraging these easy-to-use dark web tools for surface as well as dark web investigations can help improve the quality and speed of your research.
- Best practices for creating a dark web access policy: Protect your company and employees by creating a dark web access policy to set protocols for investigations to mitigate security and legal challenges.
- 4 things you shouldn’t do on the dark web: Avoid a world of trouble by following these four simple recommendations of what not to do on the dark web during online investigations.