topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 12:07 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Tor - The Onion Router  (Read 10902 times)

Darwin

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 6,984
    • View Profile
    • Donate to Member
Tor - The Onion Router
« on: November 04, 2007, 08:54 AM »
If you're worried about internet security and the footprint that you leave as you wander the net,  Free Download a Day is highlighting The Onion Router today. This FOSS app promises to provide you with a truly anonymous "presence" on the internet. There are shareware apps that do the same thing (Anonymizer and Ghostsurf spring to mind) but this one promises the same functionality for free.
« Last Edit: November 04, 2007, 08:57 AM by Darwin »

Eóin

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,401
    • View Profile
    • Donate to Member
Re: Tor - The Onion Router
« Reply #1 on: November 04, 2007, 10:39 AM »
A nice package which really simplifies this process for a new user is the freely available xB Browser. It's a gecko based browser from XeroBank

xB_Browser.png

Darwin

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 6,984
    • View Profile
    • Donate to Member
Re: Tor - The Onion Router
« Reply #2 on: November 04, 2007, 10:44 AM »
Nice find, Eóin - worth a look as well. I don't really worry about security to this point (if I did want to surf anonymously and without worrying about security, I'd use a combo of Ad-Muncher's IP scramble and Sandboxie - both of which are already installed), but it's always nice to see these various options.

cranioscopical

  • Friend of the Site
  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 4,776
    • View Profile
    • Donate to Member
Re: Tor - The Onion Router
« Reply #3 on: November 04, 2007, 11:15 AM »
Free Download a Day is highlighting The Onion Router today.
It's nice when one doesn't have to shallot for software.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Tor - The Onion Router
« Reply #4 on: November 04, 2007, 03:08 PM »
TOR is a nice piece of work, just remember that there's some issues with it - like, if you're not using an encrypted protocol (ie., you're browsing a site with http:// and not https://), it's still very possible for people to sniff your traffic at the exit node. Yes, this has been done.

Also, I haven't checked into this, but is it possible for TOR nodes along the way to eavesdrop on your traffic?
- carpe noctem

Lashiec

  • Member
  • Joined in 2006
  • **
  • Posts: 2,374
    • View Profile
    • Donate to Member
Re: Tor - The Onion Router
« Reply #5 on: November 04, 2007, 06:08 PM »
Yes, it's possible, but not very probable.

I would be very wary of using Tor if you are sending sensitive data, anyway, some exit nodes are operated by questionable organizations or countries... I suppose maybe you could encrypt your traffic before it's sent, but I don't know if such thing would be feasible.

(Oh man, another link to Ars Technica, it's like I work there ;D)

Darwin

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 6,984
    • View Profile
    • Donate to Member
Re: Tor - The Onion Router
« Reply #6 on: November 04, 2007, 06:23 PM »
I *think* Ghost Surf encrypts your data before sending it... but then, it's a shareware solution. I actually used it extensively circa 2005 but stopped using it circa 2005 because I don't really feel that I need the level of security that it provides.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Tor - The Onion Router
« Reply #7 on: November 05, 2007, 08:36 AM »
Yes, it's possible, but not very probable.
That's "just" the identify where the traffic is from attack, which is of course bad enough. I thought I heard it having been used in the wild, but can't find the reference... I was probably just thinking about the theoretical attack.

I would be very wary of using Tor if you are sending sensitive data, anyway, some exit nodes are operated by questionable organizations or countries... I suppose maybe you could encrypt your traffic before it's sent, but I don't know if such thing would be feasible.
TOR does it's own encryption, but obviously this can be decrypted, since the exit nodes need to send something the final destionation host (outside the TOR network) can understand. So if your data is traveling through a TOR node operated by somebody with malicious intents, won't they be able to see your data stream?

Of course you can use your own encryption before going through the TOR network, but anything that's attackable with a man-in-the-middle approach will be vulnerable, since the TOR network is effectively a whole lot of middle men.

I'm not sure how often TOR's routing changes, though... if it did often enough (ie, multiple times even for the same connection) it would be a lot harder to do attacks. But my guess is that once a stable/fast route is found, it'll prefer that route.

I suppose maybe you could encrypt your traffic before it's sent, but I don't know if such thing would be feasible.
-Lashiec
HTTPS (but...), PGP encrypted emails, password-protected RAR archives, etc...
- carpe noctem
« Last Edit: November 05, 2007, 08:42 AM by f0dder »

Lashiec

  • Member
  • Joined in 2006
  • **
  • Posts: 2,374
    • View Profile
    • Donate to Member
Re: Tor - The Onion Router
« Reply #8 on: November 05, 2007, 02:00 PM »
It's a good question. Traffic between nodes goes encrypted, but I suppose it has to be decrypted to perform another exchange of different keys with the next node in the path, so I guess during that moment you could see the data using appropriate tools.

It's a fact that exit nodes are capable of viewing your traffic, though. And people are also capable of viewing its traffic, just like it happened to this German guy who went to jail because his exit node was being used by a child pornographer. It was suggested that Russian and Chinese governments are operating a group of nodes in the Tor network. Now, if I could find the source...

About the encryption thing, I was asking if it's possible to encrypt any kind of traffic you send to other computers, but of course, those other computers should be able to decrypt your traffic as well, I mean, negotiation of keys is needed. Am I correct?

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Tor - The Onion Router
« Reply #9 on: November 05, 2007, 05:22 PM »
About the encryption thing, I was asking if it's possible to encrypt any kind of traffic you send to other computers, but of course, those other computers should be able to decrypt your traffic as well, I mean, negotiation of keys is needed. Am I correct?
First of all, the applications need to either be aware of the encryption (ie., it's done at the application protocol level), or you can tunnel/encapsulate the application traffic (ie., instead of connection to the other host, you connect to a port at localhost, which has an encrypted tunnel to the real host).

If you use an automatic (transparent) encryption (or rather, keyexchange) scheme, you're vulnerable to man-in-middle attacks. Under normal circumstances, when your data is only traveling through normal routers and not something like TOR, and you're not doing anything that attracts government attention :P, I wouldn't worry too much.

Alternatively, you could use known-passphrase encryption (same passphrase used at both ends), but that's a hell wrt. key exchange. Or you could use public-key encryption, which is somewhat better, but you still need either central key authorities or a web of trust...
- carpe noctem

Lashiec

  • Member
  • Joined in 2006
  • **
  • Posts: 2,374
    • View Profile
    • Donate to Member
Re: Tor - The Onion Router
« Reply #10 on: November 06, 2007, 09:35 AM »
So no real solution to be used without some cooperation from the other side of the transmission. I wonder how those BitTorrent clients using encryption do to connect with the clients that do not support it, like the same Opera :D. Maybe they ignore those other clients and thus they don't exchange data with them?

Ralf Maximus

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 927
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Tor - The Onion Router
« Reply #11 on: November 06, 2007, 10:59 AM »
Free Download a Day is highlighting The Onion Router today.
It's nice when one doesn't have to shallot for software.
-cranioscopical (November 04, 2007, 11:15 AM)

+1 for punitive damages .  :-)

iphigenie

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,170
    • View Profile
    • Donate to Member
Re: Tor - The Onion Router
« Reply #12 on: November 06, 2007, 11:45 AM »
It is also a good idea to use tor for non sensitive stuff, as it increases the security of the network for all.

I use tor as a proxy when on the road, and sometimes from home. I am considering making a node too, I think the whole concept is quite important.

Besides, that way if I really have something sensitive one day it wont be too obvious (can't be too paranoid!). But besides i live with someone whose work could one day be deemed sensitive so it's not a bad idea to start early ;)

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Tor - The Onion Router
« Reply #13 on: November 06, 2007, 05:18 PM »
So no real solution to be used without some cooperation from the other side of the transmission. I wonder how those BitTorrent clients using encryption do to connect with the clients that do not support it, like the same Opera :D. Maybe they ignore those other clients and thus they don't exchange data with them?
Depends on the client - you usally get some options, ranging from "Turn Off", "Accept Incoming", "Try Outgoing", "Force Outgoing"... Also, iirc the torrent id hash is used as part of the encryption key, so a man-in-middle that doesn't sniff tracker requests will probably have a hard(er) time intercepting traffic.

But it's still fully possible (although a bit tricker) for ISPs to detect even encrypted torrent traffic and throttle it.
- carpe noctem