Tor != VPN – A Simple Explanation

I can’t take it anymore! I lurk on irc.freenode.net and /r/netsec and have seen one too many mornings now where some person claims they are safe because they used Tor. There is a big misunderstanding about what Tor actually does and protects. Here is my log on the fire to help explain the technology. Let’s start with the basics…
What is Tor?
- Tor is a system intended to enable online anonymity, composed of client software and a network of servers which can hide information about users’ locations and other factors which might identify them. Use of this system makes it more difficult to trace internet traffic to the user, including visits to Web sites, online posts, instant messages, and other communication forms. It is intended to protect users’ personal freedom, privacy, and ability to conduct confidential business, by keeping their internet activities from being monitored. The software is open-source and the network is free of charge to use. Source: http://en.wikipedia.org/wiki/Tor_(anonymity_network)
So Tor helps you hide information about your location and other personal information. A note here that is generally forgotten: Tor hides where the traffic comes from, not what is in it, and a misconfigured Tor client does not even guarantee that much. Let’s walk through a standard Tor exchange with a user using Tor to get to http://google.com.
- The user opens a browser configured to send its traffic through the local Tor client, which listens as a SOCKS proxy
- The HTTP request is sent to the first relay (the guard) of a circuit the Tor client has built, and begins its transport through the Tor network
- Communication between relays inside the network is encrypted with TLS, and the request itself is wrapped in one layer of encryption per hop, so no single relay sees both the user and the destination (shown with the red lines)
- The request finds its way to the Exit Node shown in Green, which peels off the last layer
- Once the traffic leaves the Tor network through the exit node it is back to an unencrypted HTTP request, exactly as the browser produced it
- Our little robber dude, whether he runs the exit node or sits anywhere between it and google.com, is snatching your packets up and can read the whole request: URL, headers, cookies, and form data
What we learn is that the same attack vectors exist for unencrypted traffic whether you are using Tor or not. As George Fuechsel from IBM would say, “Garbage In, Garbage Out.” Likewise, if you toss unencrypted traffic in, you get unencrypted traffic out. Let’s run this scenario again, but this time use Google’s encrypted search by visiting: https://encrypted.google.com/
- The user opens the browser configured to tunnel through the local Tor client’s SOCKS proxy
- The HTTPS request (a TLS handshake followed by the encrypted HTTP request) is sent to the guard relay of the circuit and begins its transport through the Tor network
- Communication between relays is encrypted with TLS plus the per-hop onion layers, as before (shown with the red lines)
- The HTTPS request finds its way to the Exit Node shown in Green
- Once the traffic leaves the Tor network through the exit node it is still HTTPS, encrypted end to end between the browser and Google’s server
- Our little robber dude sees a TLS connection to encrypted.google.com (the exit node has to know the destination in order to connect to it) but is left wondering what was asked, who asked it, and why the traffic was traversing Tor
By using HTTPS we have moved the attack vector from simple packet capturing to needing to break TLS, provided you actually start with https:// (an exit node that sees a plain http:// request can keep you on HTTP instead of letting the site redirect you to HTTPS). I focused entirely on HTTP, but it extends to ALL traffic types. That is why, if you are using Instant Messenger or IRC through Tor, you need to rely on TLS or OTR to provide encryption in addition to the anonymity Tor gives you. I hope this clears up some of the misunderstanding about what Tor is and what it protects (or doesn’t protect).
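To make the two walkthroughs above concrete, here is an added example (my own Python, not code from the original post or from the Tor project) of what an observer at the exit node can recover from the first bytes a client sends out. The plaintext HTTP request and the minimal TLS ClientHello are constructed inline for the demo and are not captured traffic; www.google.com and encrypted.google.com are used only as sample hostnames, and the cookie value is made up.

```python
"""Added example: what the "robber" at a Tor exit node (or anywhere between the
exit and the web server) learns from the first client bytes of a connection,
for a plain HTTP request versus an HTTPS (TLS) one. All inputs are constructed."""
import struct


def parse_plain_http(data: bytes) -> dict:
    """An unencrypted HTTP request hands the observer everything: method, path,
    host, and any headers such as cookies, plus the body."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"kind": "http", "method": method, "path": path,
            "host": headers.get("host"), "cookie": headers.get("cookie"),
            "body": body}


def parse_tls_client_hello(data: bytes) -> dict:
    """A TLS ClientHello is the first thing a browser sends for HTTPS. The record
    is sent in the clear, so the observer learns that TLS is in use and, via the
    server_name (SNI) extension, which host is being contacted. Path, headers,
    cookies and the response are all ciphertext after the handshake."""
    # TLS record header: content type (0x16 = handshake), version, length
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if body[0] != 0x01:  # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    # skip handshake header (1+3), client version (2) and client random (32)
    pos = 4 + 2 + 32
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    comp_len = body[pos]; pos += 1 + comp_len
    sni = None
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            if ext_type == 0:  # server_name: list length(2), name type(1), name length(2), name
                name_type = body[pos + 2]
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                if name_type == 0:  # host_name
                    sni = body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_size
    return {"kind": "tls", "sni": sni, "path": None, "cookie": None, "body": None}


def exit_node_view(data: bytes) -> dict:
    """What the observer can extract from the first bytes the client sends."""
    if data[:1] == b"\x16":
        return parse_tls_client_hello(data)
    return parse_plain_http(data)


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal ClientHello with one cipher suite and an SNI extension.
    A real browser sends far more, but the observable part is the same."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    exts = struct.pack("!H", len(sni_ext)) + sni_ext
    hello_body = (b"\x03\x03" + bytes(32)      # TLS 1.2 version, client random (zeroed for the demo)
                  + b"\x00"                     # empty session id
                  + b"\x00\x02\x13\x01"         # one cipher suite: TLS_AES_128_GCM_SHA256
                  + b"\x01\x00"                 # null compression only
                  + exts)
    handshake = b"\x01" + len(hello_body).to_bytes(3, "big") + hello_body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample of what the browser sends for the plain-HTTP walkthrough.
HTTP_REQUEST = (b"GET /search?q=secret+plans HTTP/1.1\r\n"
                b"Host: www.google.com\r\n"
                b"Cookie: SID=abc123\r\n\r\n")

if __name__ == "__main__":
    print(exit_node_view(HTTP_REQUEST))
    print(exit_node_view(build_client_hello("encrypted.google.com")))
```

Running it shows the contrast from the two walkthroughs: for the plaintext request the exit learns the host, the full path (including the search query) and the session cookie; for the TLS connection it learns only that a TLS session to encrypted.google.com is being opened, and everything after the ClientHello is ciphertext it relays without being able to read.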
— UPDATE —
After receiving countless comments that this is the same weakness with VPN technologies: yes, you are correct. A VPN only encrypts traffic between you and the VPN endpoint; unless your end-to-end traffic begins and ends inside the tunnel, you are exposed to the same attacks once it leaves. The difference is that many users equate Tor with anonymity and security. In addition, most users would not have access to an IPsec or OpenVPN endpoint. Many, on the other hand, are turning to Tor after they hear words like encryption, proxy, and anonymous thrown around in the same breath. I would argue that due to the lack of understanding of how Tor, and by extension VPNs, work, people are left with a false sense of security. As my Air Force security instructor taught me in BIP200, “You can’t lock the front door and leave the windows open and expect someone not to be able to break in.”