Unpeeling Tor
Discover how you can mask your web browsing and how governments track you, with a little help from Neil Mohr.
Neil Mohr unpeels himself from his sofa and heaves his ever-growing bum up after weeks of isolation to explore how Tor keeps your web browsing private and secure.
They’re watching you. They’re watching everything you do online. You’d think we were being paranoid, but it’s part of their mission statement; the international Five Eyes (https://en.wikipedia.org/wiki/five_eyes) is a group made up of Australia, Canada, New Zealand, the United Kingdom, and the United States, which have worked together since World War II to collate and share intelligence – and that includes internet use by you.
In the digital age, that means intercepting, storing, and analysing all internet traffic. Don’t be fooled into thinking that local laws can stop a nation state from spying on its own citizens. If you’re one of the Five Eyes, just get your mates overseas to do the spying, then report back. Tempora (https://en.wikipedia.org/wiki/tempora), a UK programme, splices off the undersea fibre-optic backbone of the internet and duplicates all the data transmitted over it. The data is then shared with the USA’s NSA. Damn crafty us Brits, described by Edward Snowden as “worse than the US.”
In the USA, programmes such as PRISM created a legal framework for the NSA to spy on targeted US citizens, immunising co-operating US companies from prosecution. Or take MUSCULAR for bulk copying Google and Yahoo! data to outside US territory, for the NSA and the UK’s GCHQ to rifle through at their leisure. And who knows what Russia, North Korea, and China are up to.
It’s not paranoia if it’s actually happening. But the good news is that the open source community has brought together a host of privacy technology to offer a verified solution: Tor.
Tor (or, as it used to be known, The Onion Router) is a collaborative, open source project designed to provide anonymous access to the internet. Think of it as a browser VPN anyone can use.
That’s a good starting point, but what’s wrong with your current VPN service? It says it offers you privacy and anonymous browsing, right? Yes, but how do you know it actually does? If it’s a US-based commercial service, the VPN is at the mercy of the US government, and can be gagged by existing legislation while the state rifles through its servers.
Or how do you know your VPN isn’t run by some guy sitting in a basement somewhere, dressed in a dolphin onesie, while he watches anime? This isn’t to say VPNs are useless; it’s pointing out that they’re not a silver bullet. If no third parties test their systems for security or flaws, how do you know they’re secure at all?
This brings us back to Tor and what it can do for our online privacy. It might help to very quickly say why you don’t have online privacy in the first place, beyond the notion that every government in the world is probably monitoring you online. It’s largely down to how the internet was developed and has to be run. The internet is a precarious stack of open protocols built up over decades, and back in the 1960s everything was done in plain text – that didn’t change for a very long time; e.g. HTTP is transmitted in plain text.
Even today, the domain-name routing of your browsing and email message headers remains open to scrutiny, and if you want the internet to be worldwide, you have to allow data packets to be passed across borders. This enables nation states to do some dubious rerouting of entire tranches of data, which also strengthens the argument for a system such as Tor. But what exactly is that system?
Stinky onions
The reason Tor was originally called The Onion Router is that your data and destination address are locked up inside an onion of encryption. As your data packets move through the Tor network, each relay node unpeels one layer of encryption, which points to the next node, until the final exit node is reached, and the unencrypted data is passed to the end destination.
So, the entry node doesn’t know what the data is or where it’s going, but keep in mind it does know where you are. Intermediate relay nodes don’t know where the data is going or what the data is, while the final exit node doesn’t know where the data has come from, but it does know the destination, and it can interrogate the data unless you’re using a secured HTTPS site. Of course, you also need to bear in mind that the final destination can know everything about you if you’re not taking care to anonymise yourself correctly.
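The layering described above can be modelled in a few lines of Python. This is an added illustration, not code from the Tor Project or the original article: a toy hash-based stream cipher stands in for Tor's real cryptography, and the relay names, keys, client IP, and destination are constructed sample values.

```python
import hashlib

def xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def wrap(circuit, destination: str, payload: bytes) -> bytes:
    """Client: add one layer per relay, innermost (exit) layer first."""
    next_hops = [name for name, _ in circuit[1:]] + [destination]
    onion = payload
    for (_, key), nxt in reversed(list(zip(circuit, next_hops))):
        header = bytes([len(nxt)]) + nxt.encode()  # length-prefixed next hop
        onion = xor_layer(key, header + onion)
    return onion

def peel(key: bytes, onion: bytes):
    """Relay: remove its own layer, learning only the next hop."""
    plain = xor_layer(key, onion)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]

def route(circuit, client_ip: str, onion: bytes):
    """Walk the circuit and log what each relay is able to observe."""
    log, previous = [], client_ip
    for name, key in circuit:
        nxt, onion = peel(key, onion)
        log.append({"relay": name, "from": previous, "to": nxt,
                    "sees_payload": PAYLOAD in onion})
        previous = name
    return log, onion

# Constructed sample values (documentation IP range, made-up keys).
CIRCUIT = [("entry", b"k-entry"), ("middle", b"k-middle"), ("exit", b"k-exit")]
CLIENT_IP = "203.0.113.7"
DESTINATION = "example.com:80"
PAYLOAD = b"GET / HTTP/1.1"  # plain HTTP, so the exit relay can read it

if __name__ == "__main__":
    log, delivered = route(CIRCUIT, CLIENT_IP, wrap(CIRCUIT, DESTINATION, PAYLOAD))
    for entry in log:
        print(entry)
    print("delivered:", delivered)
```

Only the entry relay's log line contains the client IP, and only the exit relay's line contains the destination and a readable payload, which is why an HTTPS destination matters at the last hop.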
Using Tor
The Tor Project has done a grand job of making it super easy to install and run; it’s not much more complex than going to www.torproject.org, grabbing the installer, running that, and using the Tor Browser. You can ignore the Configure options when Tor is first run – they’re for connecting via a proxy and can be set from within the browser later if need be.
If the Tor Browser looks familiar, it’s because it’s a respin of Firefox, tooled to work directly with Tor, offering specific settings, pre-configured plugins, and security certified to be as secure as possible out of the box. A regular warning is not to use random plugins or indeed other browsers (especially Chrome) over Tor, because you have no idea what tracking they might have implemented within them. However, there are two default plugins that we’ll cover shortly, explaining why they’re so handy.
The Tor Browser is basically a locked-down build of Firefox. By default, it forgets and wipes everything from session to session, because it’s in what it calls “Permanent private browsing mode.” If you’re after a more casual browsing mode, you might want to select Menu > Options > Privacy & Security, and disable Always Use Private Browsing Mode under History. This forces a restart, and retains cookies and your browsing history – so if you are after higher anonymity, this is not recommended.
Moving security in the stronger direction, the Shield icon in the toolbar – or the Menu > Options > Privacy & Security > Security section – offers three distinct security levels. It defaults to Standard, which is frankly pretty secure, but it does still enable JavaScript, which many distrust. The annoying issue is that most websites require JavaScript to run, so if it was disabled, Tor would be mostly useless to the average user – it’s a trade-off between usability and security.
The next security level, Safe, turns off JavaScript for all sites that can’t use the encrypted HTTPS mode, while it disables audio, video, and WebGL unless you click to allow them. The highest level disables JavaScript entirely. And don’t even ask about Flash – Flash is a security nightmare at the best of times, so Tor just won’t go there. In general, the advice not to run third-party plugins is down to the fact that you have no real idea what data they could transmit back to base. However, Tor does use two well-known plugins.
To help secure your connections, Tor makes use of two widely used browser plugins: HTTPS Everywhere and NoScript. HTTPS is a version of the standard HTTP plain-text protocol that’s been encrypted. This instantly means no one can read the data travelling between your PC and the destination server. However, it’s not always enabled by default, hence the use of the plugin to do just that. It can’t enable HTTPS on sites that don’t support it at all, though. The NoScript plugin offers per-site control over almost every aspect of the code run by that website. Tor makes use of this to restrict or disable code that could leak data about yourself.
Identities and circuits
When you first connect to the Tor network, this is called your initial “Identity” – basically, all data is sent to the same entry node for a set period of time (usually two or three months), before you’re automatically cycled to another. The series of encrypted server hops after this, and the exit node, is called the circuit. When connected to a website, click the “i” icon at the start of the URL address bar to see the established Tor circuit, along with an option to reset this.
Tor offers two ways to reset the circuit or the Identity. The basic option is the Tor circuit – this most often crops up when an exit node IP has been banned by a service. Choosing a new circuit provides you with a new exit node. It causes the currently active tab or window to be reloaded over a new Tor circuit. Other open tabs and windows from the same website will use the new circuit as well once they are reloaded.
Selecting New Identity takes this a step further. Alongside requesting a new entry node, it closes all your open tabs and windows, clears all private information, such as cookies and browsing history, and uses new Tor circuits for all connections. It’s like restarting the browser as well as your router.
Weird browsing
We should take a moment to highlight some of the more common issues you can run into when browsing the web from the view of a Tor exit node. Exit-node IPs get flagged up for all manner of nefarious reasons, so if a site or service sees you’re coming from an exit node IP, it’ll likely trigger a red flag and additional security checks on you, which you wouldn’t experience when browsing normally.
One common annoyance is repeated captcha challenges. Where you might normally be used to getting one, expect multiple challenges before you’re allowed access to a service or website. Also, some websites turn up in foreign languages – again, this is down to wherever your Tor exit node is located. Most sites base your location on this IP, then serve up their site or service in that language. You just have to switch the site using any offered language preferences.
You might get messages saying that your IP is blocked, or warnings that your account or system may have been compromised. Again, this is down to unscrupulous types abusing the Tor system and giving exit-node IPs a bad name. Typically, using the New Identity option can solve these issues.
Running nodes
We mentioned various types of nodes, which is a fancy name for a server or PC running Tor in a special mode. By default, you run Tor in client mode – you’re only accessing the Tor network, rather than helping to run it. The network itself is made up of three node types: entry, relay, and exit. The most widespread are relay nodes, the intermediary nodes that pass encrypted onion packages within the Tor network – technically, when you install the Tor Browser, you have everything required to run a relay, but we’re not going to cover this. An entry node is simply a relay node that’s run for long enough (68 days) and proved to be reliable enough for the classification upgrade.
An exit node is where Tor traffic re-enters the standard internet and is sent on to its destination. If you wanted, you could run an exit node, but this is not recommended. Due to the nature of the traffic, exit nodes can draw the ire of not only your ISP, but also local law enforcement. The Tor Project advises you to inform both your ISP and local authorities that you’re running an exit node to avoid such issues. So it’s not really something you should do on a whim or with company servers, Jonni.
The deep, dark, dingy web
Tor implements a network within the internet network, and just like the internet, the Tor network can and does have its own network of anonymous websites that get called various things, such as the dark web or deep web, along with Tor Hidden Services. There is a whole unseen world of anonymous .onion websites that live within the Tor network.
You’re able to access sites with https://<16-character hash>.onion. As an example, Facebook has an onion service at https://facebookcorewwwi.onion that enables people living in some of the world’s more oppressive regimes to still use Facebook. DuckDuckGo also offers an onion site at https://3g2upl4pq6kufc4m.onion.
As you can imagine, a good chunk of the dark web is taken up by illegal activities, but that certainly doesn’t mean there’s no room for good elements. You can find a reasonable list of legal sites at https://github.com/alecmuffett/real-world-onion-sites.
Stay safe out there
Tor isn’t a magic bullet to complete online privacy or anonymity – if you do something silly, you will expose yourself to anyone monitoring. A simple example is that if you log into a service via Tor using your real identity, that service and any bodies that are able to monitor the service can then identify you. It’s the same situation if you make payments with accounts linked to your real identity, which is why Bitcoin and other cryptocurrencies are popular.
Sharp-eyed readers might have spotted how we mentioned that entry nodes (aka guard nodes) do actually know your real IP, although they have no idea where your data is going. However, this has led to speculation that government-run entry nodes could collate logs that tally with exit node traffic, among other advanced techniques, to monitor Tor users. This leads some people to run a Tor-over-VPN combination, which certainly would remove this one weak element in the Tor system.