The Onion Router (TOR) – the truths and myths of anonymity

In the last article I mentioned using TOR as part of the TAILS operating system.

TOR in its early stages was really a precursor of digital privacy. The concept originated in the 1990s and was based on research initiated by computer experts working with, and funded by, the US Naval Research Laboratory.

The detailed history of “onion routing” and the TOR project can be found here.

Essentially, TOR started out as free open source software, which at its core embraced the idea of a decentralised network. Any network traffic routed through the TOR network is encrypted and it does not go directly from A to B; instead, it randomly bounces through a network of relays (referred to as TOR nodes), which are run by volunteer users all around the world.

Routing traffic through multiple servers while protecting it each step of the way with layers of encryption brought to mind the “onion” parallel.


Any online resource is accessible using TOR (pretty much anything in the “normal” Internet, or “clearnet”); however, there are a number of Internet sites out there with the top-level domain .onion. These resources are only accessible via the TOR protocol and are commonly referred to as “the dark web”.

To illustrate it with an example: to access the most popular online encyclopedia, you go to www.wikipedia.org by typing this URL in your browser. In the dark web, to access anything you must first know the exact URL, which is impossible to type out or even remember, because it will typically look like this: zqktlwi4fecvo6ri.onion.

The TOR browser

Development of the TOR browser began in 2008. Anybody who attempted to use this technology in its early stages will remember the hardship associated with correctly configuring the tunnelling protocol connection.

Thankfully, in its current form the TOR browser is a fully configured, ready-to-go, state-of-the-art product that can be used by anybody with a bare minimum of effort and expertise. And it’s based on the free and open source Firefox browser.

Here’s the TOR browser download link:

https://www.torproject.org/download/

Demystifying TOR

Whether you consider TOR to be part of mainstream digital privacy tools or not, it’s hard to shake off certain myths and untruths about it, now heavily embedded in the popular imagination.

Here are some common misconceptions regarding TOR:

1. TOR is illegal

Generally speaking, this is not true. It’s not illegal to route and encrypt Internet traffic, it’s not illegal to safeguard your privacy, it’s not illegal to access the dark web.

[Unless you live in a country whose authoritarian regime regularly breaches the privacy of their citizens and bans the use of such services – like China, Iran, Russia and so on].

In any other normal jurisdiction, the question of legality should be asked in respect of actions of specific users, who might use TOR to access services that allow them to purchase drugs or stolen goods, access child abuse material, etc.

It is worth noting that more than half of all content available on the dark web is not illegal.

Remember – anonymity does not equal criminality!

2. TOR is completely secure

This is also not true. Because TOR operates as a decentralised network, it is possible to attack it by controlling a substantial number of TOR nodes.

If a single party were to control enough relay points, it could disrupt the network’s anonymity by observing Internet traffic and analysing its metadata in order to link specific users to specific activities.

Moreover, TOR’s encryption protects traffic only within the TOR network; beyond that, it stays encrypted only if the destination also offers encryption. Connecting to a website that uses the unsecured HTTP protocol carries a big risk: the traffic is no longer encrypted by the time it arrives at the website, which could expose sensitive information.
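The relay layering described earlier and the HTTP caveat above can be seen together in a simplified model. This is an added example, not code from the TOR Project: the cipher is a toy stand-in, and the layer format, relay names, sample request and site.example are assumptions made for illustration.

```python
import hashlib
import json
import os

def keystream_xor(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode); illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def wrap(route, destination, payload):
    """Client: add the exit's layer first and the guard's layer last."""
    next_hop, blob = destination, payload
    for name, key in reversed(route):
        nonce = os.urandom(8)
        inner = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob = nonce + keystream_xor(key, nonce, inner)
        next_hop = name
    return blob

def peel(key, blob):
    """Relay: remove one layer, learning only the next hop and an inner blob."""
    layer = json.loads(keystream_xor(key, blob[:8], blob[8:]))
    return layer["next"], bytes.fromhex(layer["data"])

def relay_views(route, destination, payload, secret):
    """What each relay observes: (relay, next hop, can it read the secret?)."""
    blob = wrap(route, destination, payload)
    views = []
    for name, key in route:
        next_hop, blob = peel(key, blob)
        views.append((name, next_hop, secret in blob))
    return views

# Constructed sample data: three relays with random keys and a fake login.
ROUTE = [(n, os.urandom(32)) for n in ("guard", "middle", "exit")]
REQUEST = b"POST /login user=alice&password=example-only"
SECRET = b"password=example-only"
# Plain HTTP: the request itself is the innermost payload.
HTTP_VIEWS = relay_views(ROUTE, "site.example:80", REQUEST, SECRET)
# HTTPS, modelled as one more layer keyed between browser and website.
tls_key, tls_nonce = os.urandom(32), os.urandom(8)
HTTPS_VIEWS = relay_views(ROUTE, "site.example:443",
                          keystream_xor(tls_key, tls_nonce, REQUEST), SECRET)

if __name__ == "__main__":
    for label, views in (("http", HTTP_VIEWS), ("https", HTTPS_VIEWS)):
        print(label, views)
```

Only the exit relay's view changes between the two runs; the guard and the middle relay see ciphertext either way.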

Likewise, if accessing any website where you have to log in, even if it uses HTTPS, you identify yourself with your login credentials. 

Opening downloaded files while still browsing within TOR can also de-anonymise the user. These files can be designed to link to certain Internet resources while bypassing the TOR network, which can lead to revealing the real IP address of the user.

Remember – the safest option is to combine TOR usage with a trusted VPN!

3. TOR was created by US government - so it can't be secure

This claim is the exact opposite of the previous one. And like the previous claim, this is also not true.

TOR was not exactly created by the US government; it was created by individual researchers who received funding from the US Naval Research Laboratory.

It is also a known fact that:

a) the US government also uses TOR for their own purposes

b) the US government funds the researchers at the TOR Project to allow them to continue their work.

It is illogical to think that the US government would develop a technology like TOR for its own use, then make it public and then weaken it by implementing a backdoor in it, thus crippling everybody’s potential to use it, including their own.

The people behind the TOR Project themselves addressed the “backdoor concern” in the following way:

"There is absolutely no backdoor in Tor. We know some smart lawyers who say that it's unlikely that anybody will try to make us add one in our jurisdiction (U.S.). If they do ask us, we will fight them, and (the lawyers say) probably win. We will never put a backdoor in Tor. We think that putting a backdoor in Tor would be tremendously irresponsible to our users, and a bad precedent for security software in general. If we ever put a deliberate backdoor in our security software, it would ruin our professional reputations. Nobody would trust our software ever again — for excellent reason."

4. TOR is slow and inefficient

Answering this question can be tricky as the above metrics are subjective, depending on each individual user. Trying to be objective, I’ll settle on partially true.

The process of routing Internet traffic through various nodes around the world will certainly impact your connection speed. TOR is definitely slower than any clearnet browser.

Moreover, when using clearnet search engines such as Google, your searches within the TOR browser will be hampered by alerts on “unusual activity” and by CAPTCHAs.

On top of that, TOR is sometimes used for illegal activities like DDoS attacks or for downloading files via peer-to-peer software, which negatively affects connection speed for every TOR user who is currently online.

However, one has to understand that the slower connection is the price we pay for increased security and privacy. TOR is still an efficient tool and it still gets the job done; the difference is that when security and privacy take precedence, speed and performance become a secondary concern.
