As news of PRISM and other top-secret domestic surveillance programs cartier jewelry replica has been reported, many Americans have sought out means to prevent the government’s prying eyes from gaining access to their data. One of the most frequently cited methods of circumvention is Tor. NPR’s Science Friday, for instance, spoke about Tor as a potential PRISM circumvention on July 12, and the Tor Browser Bundle is one of the first things promoted on PRISM Break.
This is very bad. Tor should not, I repeat, NOT, be used as as a default wrapper for one’s browsing traffic. I’ve had to stop several friends from making this mistake after being misled by pseudo-technical sources, and now I’m here to stop you.
This is not about a flaw in the Tor protocol; rather, it is a correction of the myth that Tor can protect your conversations from random listeners. This belief is in fact the opposite of the truth; using Tor guarantees that at least one random party will have full access to all packets in both directions going over a specific node chain, because Tor is about hiding your IP address, not hiding your packet contents. As this is the effect that most people are attempting to avoid, Tor is not only counterproductive but dangerous for the average user.
PRISM can only be beaten by not playing
Before we discuss the specific mechanics of why it’s such a big no-no to wrap your web traffic in Tor by default, we should address a more fundamental point. PRISM is a voluntary program of data submission. This means that PRISM participants have been invited by the NSA to upload the contents of their database, and that the vendors have chosen to accept this invitation. It doesn’t matter how you access a PRISM participant’s resources, because they upload all the data they have on you anyway. Therefore, the only way to prevent your data from getting submitted to the NSA, whether you’re connecting from your home DSL or the Starship Enterprise, is to not give any data to the entities that are wrapping it in a neat bow and dropping it on the NSA’s doorstep. Tor will not help with this. Tor will do nothing to prevent this. Tor makes it harder for an endpoint to discover the data’s originating IP address, which is a fairly minor detail when we’re discussing something on the scale of PRISM, since they already have all the emails, IMs, photos, cell phone information, etc. of basically everyone.
I repeat: the only thing that will protect someone from PRISM is refusal to utilize the products of PRISM participants. It does not matter how or why or when or where you access it. If you upload any data to the service of a vendor who participates in PRISM, the NSA has it, and that’s the end of the story. As far as the U.S. government is concerned, using Tor will just result in a flag on your account that makes the guys who’re reading your email laugh and say, “Ha! This guy thinks we care so much about his boring emails that he should try to hide from us. What a jokester.”
However, it is very important that one doesn’t use Tor to do mundane things that are just as well done on a direct connection, because Tor’s infrastructure is inherently insecure for most ordinary uses.
Your traffic is visible to the exit node.
Tor is an acronym for “The Onion Router”. It is so named because it works by wrapping your request in several layers of encryption and then sending this request through an automatically generated chain of nodes. At some point, the request must be unwrapped to be sent to its final destination because most people are trying to communicate with an ordinary online service that doesn’t understand Tor’s methods.
The Tor node that performs the final unwrapping is called an exit node. The exit node decrypts the packet it received from its sibling on the chain of nodes and receives your full, plaintext request, which it submits on your behalf to the intended destination. The exit node waits for the response, encrypts it, and sends the encrypted response back up through the node chain until it reaches you, the dear user and the termination of the chain, where your Tor client decrypts the packet from your chain-sibling and presents your client with a comprehensible piece of data.
There is no way to restrict what an exit node can do with your session’s plaintext, and anyone can run an exit node. There is no qualification process and there are no restrictions. Barack Obama could be running an exit node within minutes, and so could Edward Snowden, and there’d be no way for either replica cartier love bracelet of them to ensure that the other couldn’t see the requests they were sending. The user simply checks a box in Vidalia and he’s running an exit node, relaying plaintext data between conversants. Exit nodes automatically change every few minutes, so many exit nodes will be relaying pieces of your conversation, possibly re-exposing sensitive data to many entities over the course of a single session. Anyone running a Tor exit node is a potential listener.
The Tor project attempts to scare exit node operators straight by citing the possibility of prosecution under wiretap laws, but this is a purely legal restriction; under Tor’s design, there is no possible technical implementation that would prevent the exit node operator from being able to save both incoming and outgoing messages as sent between conversants. Only the threat of prosecutorial pressure (which is basically non-existent for certain parties) stands betwixt an exit node operator and your data. Thus, Tor is extremely dangerous for the ordinary user. It must be used only for specific, carefully-planned sessions, or you risk exposing sensitive personal data to anyone running an exit node.
In principle, Tor is not very complex. It simply automates what would otherwise be a very cumbersome manual process of chaining proxies and encrypting a message for each replica cartier love bracelets proxy’s public key. Tor’s directories and announce mechanisms mean that one no longer must trawl for private proxies, but they also mean that anyone can register a node as a proxy and do whatever they like with the traffic they’re passing. Tor puts no restrictions on any of this — literally anyone running the Tor software can volunteer to pass along traffic and will automatically begin receiving the traffic of other users.
You are much safer with just the NSA spying on you than all the people you invite to spy when you utilize Tor indiscriminately.
What about SSL/TLS?
Encryption protocols implemented by browsers may mitigate this issue to varying degrees, dependent on the details of the cryptography’s implementation and negotiation (and the assumption that an exit node isn’t tampering with the negotiation handshakes to allow easier interception of the encrypted conversation), the validity and trustworthiness of the certificates in use, the server’s proper attribution of security flags, and other variables. That’s sure a lot of stuff to have to assume is in place when you’re broadcasting your packet-level conversations out to potentially any Joe Blow on the street.
Why does Tor exist if it’s so unsafe?
Because Tor is not designed to be a universal privacy tool. It was built for a specific purpose, which was the circumvention of restrictive firewalls. The default example is China; Tor could be used by Chinese dissidents to post or access information that is censored in China, but available in the “free world”. Tor would make it impossible for the Chinese government to tell which computer was used to post a certain piece of information, and would hide the fact that other information was being accessed at all. Tor is meant as a lifeline to the outside world. Tor actually makes it much easier to spy on random conversations between entities, if you’re into that kind of thing (and the government obviously is), because the idea is to get public information in and out of a locked-down environment. And it works very well for that.
With this in mind, it’s ironic to look back on the way that certain persons have clung to Tor as a solution to domestic spying, because in actual fact, Tor makes such spying easier for an adversary that is only slightly removed from many of Tor’s biggest participants (universities), and opens the user’s traffic up to the possibility of tampering or recording from a potentially infinite collection of more ignominious foes.
OK, when can I use Tor?
Assume any data you pass through Tor, including usernames and passwords, will be publicly visible. If you have a use case where you’re OK with that happening, you’re OK to use Tor; if not, you aren’t. As most people do many things that they don’t want publicized, Tor is a very bad solution for most people.