Archive for March, 2009

WARNING: Tor is dangerous for the unwary

Posted in Uncategorized on March 18, 2009 by voline

The short story is that Tor should be viewed as nothing more than an untrusted proxy server with the added feature that the proxy (theoretically) can not connect your ip to the traffic its handling.

This means that all the normal problems of untrusted proxy servers accompany the use of Tor. For instance, a malicious exit node can manipulate unencrypted traffic or steal sensitive data (read passwords). Compound this with the fact that many secure sites send secure data unsecurely, even google. The effect is that users may be better off not using Tor.

Of course, Tor is an anonymizing tool not a privacy tool, so this is to be expected. As Schneier points out, “the price you pay for anonymity is exposing your traffic to shady people”.

However, all is not lost! If there is end-to-end encryption to the website, no eavesdropping can occur. Many sites don’t have https versions of their site, so this isn’t always possible. Some sites that require a login perform that login over https, but then, after authentication, revert to http, allowing session cookies to be stolen and the account compromised. Using the ForceHTTPS firefox extension, one can enforce that a secure connection is always used after login.

Tangentially, an interesting idea I ran across was that since Tor exit nodes can manipulate unencrypted data however they wish, spammers could setup Tor exit nodes to crack captchas. What about manipulating the output of certain websites? All google search results now point to a link which exploits the browsers.

Tor introduces a man-in-the-middle injection point. What makes this worse than just using a direct connection, is that its easy to setup a Tor exit node. With a direct connection one of the routers along the way has to be accessible by an attacker. This is harder to obtain unless you obtain the assistance of the owner (ie not that hard for the government or telcoms themselves). Tor does allow a whitelist of exit nodes to be used, which should alleviate much of this concern (but do you really trust them?). You might setup your own Tor exit node and only use that one to be sure. But as a Tor operator you could be more highly scrutinized, possibly leading to a “cure worse than the illness” situation.

So if you’re going to use Tor for webbrowsing be very careful. Don’t sign in to sites without ForceHTTPS installed and protecting that site. Never, EVER accept improperly signed ssl certificates. Make sure you’re using the torbutton extension. And be generally conscious about what you’re doing over an insecure connection.