Raising the Shields – Part 5: The Onion Router (TOR)

Using the Internet privately and anonymously with an off-the-shelf web browser is next to impossible. The combination of IP address, cookies, what the browser willingly tells web servers about you, add-ons such as Flash communicating with a remote server outside of the browser context, and so on leaves little privacy and anonymity. There's a project, however, that promises help, and it's called 'The Onion Router', or TOR for short.

TOR is based on a network of relay nodes that forward encrypted data packets between a client and its destination via a TOR entry node, nodes in between and an exit node. Before a packet is sent, it is encrypted several times, and each TOR node can remove only one encryption layer. Imagine the layers of an onion and you understand why the project has chosen this name. This way each node only knows its direct neighbors and hence your original IP address is concealed.
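The layering described above, as an added example that is not from the original post or the TOR project: a client wraps a request once per relay, and each relay peels one layer and learns only its neighbors. The cipher is a stand-in built from the Python standard library rather than TOR's actual cryptography, the per-hop keys are assumed to be already shared with each relay, and the names `wrap`, `peel` and `route` are made up for the illustration.

```python
import hashlib, hmac, json, os

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication, derived from the hop key.
    return hashlib.sha256(label + key).digest()

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in cipher for illustration: SHAKE-256 keystream XOR plus an HMAC tag.
    nonce = os.urandom(16)
    stream = hashlib.shake_256(_subkey(key, b"enc") + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("this layer was not encrypted for this relay")
    stream = hashlib.shake_256(_subkey(key, b"enc") + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def wrap(path, destination: str, payload: bytes) -> bytes:
    # path is [(relay_name, hop_key), ...] from entry to exit. Encrypt for the
    # exit first and the entry last, so the entry's layer ends up outermost.
    next_hops = [name for name, _ in path[1:]] + [destination]
    onion = payload
    for (_, key), nxt in reversed(list(zip(path, next_hops))):
        onion = seal(key, json.dumps({"next": nxt}).encode() + b"\n" + onion)
    return onion

def peel(key: bytes, onion: bytes):
    # A relay removes exactly one layer: it learns the next hop and gets an
    # inner blob that it cannot read unless it is the last hop.
    header, _, inner = unseal(key, onion).partition(b"\n")
    return json.loads(header)["next"], inner

def route(path, onion: bytes, sender: str = "client"):
    # Forward the onion along the path, recording (relay, previous, next) per hop.
    seen, prev = [], sender
    for name, key in path:
        nxt, onion = peel(key, onion)
        seen.append((name, prev, nxt))
        prev = name
    return seen, onion

# Constructed sample circuit: three relays with random per-hop keys.
PATH = [(n, os.urandom(32)) for n in ("entry", "middle", "exit")]
```

Only the entry relay sees the client and only the exit relay sees the destination; the exit relay also ends up holding the payload exactly as the client sent it.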

I tried TOR a number of years ago for the first time and at the time it was far too slow for my taste for everyday use. When I recently tried it again, however, I noticed that even at peak times during the day, speed is acceptable for web browsing. Don't expect multi-megabit speeds though. In addition to web browsing, TOR can also be used with email programs such as Thunderbird to anonymize the location from which you access your emails, and with other programs that can handle proxying, such as SSH for remote server management and instant messaging clients such as Pidgin.

While setting up TOR was a bit of a tricky exercise a number of years ago, things have become much easier these days. The TOR website features a browser bundle that is easy to install and comes preconfigured for immediate use with Firefox in a separate directory from your main Firefox installation. A single click starts the TOR software, and once a connection to the TOR network is established the package automatically loads the TORified Firefox, which has no plugins except for NoScript to disable JavaScript. It also starts no external programs when a web page requests them, to ensure there is no information leakage via IP connections established outside the browser context.

While Panopticlick says my normal browser is unique among 3 million other users, which means that even without cookies I am instantly recognizable by web servers, the TORified Firefox browser is only unique among 1500 others. A pretty good value.

One thing to keep in mind when using TOR is that one can't be certain whether the exit node is hosted by a white hat or a black hat. Therefore beware of using usernames and passwords in SSL connections, as the operator of the exit node could produce valid SSL certificates for websites on the fly if they have access to a certificate authority, and thus could launch a man-in-the-middle attack on you. There are ways to detect this, too, such as removing all SSL certificates in the TORified Firefox, which triggers an alert each time an HTTPS-protected web page is visited and each time a certificate is changed afterward.

All things considered, I'd say TOR is very simple to use on a PC today and, being aware of its limitations in terms of exit node security, it can provide anonymity while still being fast enough. In a follow-up post I will have a closer look at the Android version of TOR and a TORified browser.