Tuesday, September 11, 2007
What is Tor, and why is it in the news?
Tor stands for "The Onion Router", and it's software and servers for anonymous Internet use. For example, it's handy for bloggers in oppressive countries.
Imagine that you needed to send physical mail without anyone being able to tell where it came from or, if they watched you send it, where it was going. You might wrap the mail inside envelopes inside other envelopes, each addressed to some third party, with instructions to remail the inner envelopes. The first recipient would open the outermost envelope and follow the instructions on the next envelope in, which would go to someone who didn't know where the mail got started. The first recipient wouldn't know the final destination because it was inside the inner envelope.
That's how Tor works, except instead of physical mail it's network data, and instead of opaque envelopes it uses encryption. Delivering the data requires peeling off one layer after another, just like peeling an onion, so the process is called "onion routing".
It works, but it's not magic and you still have to think about security issues.
For example, you need to get the software from some place you can trust. The regular distribution is through the Electronic Frontier Foundation. There's malicious software going around that sends email urging you to use Tor and including a link to download it which actually takes you to a place that installs malicious software.
The other thing to remember is that "anonymous" doesn't mean "confidential". When Tor traffic reaches its destination, it's readable unless you've encrypted it yourself. The last link in the chain of relays can read all the traffic going through it. If you've somehow identified yourself, then your cover is blown. This actually happened recently: a Swedish security nerd set up a Tor relay configured to the the last link in the chain of relays and watched what was going through. The security researcher, Dan Egerstad, found some interesting things: "The e-mail messages seen by Egerstad included discussions of military and national-security issues between embassies and sensitive corporate e-mail messages, he said."
|
Imagine that you needed to send physical mail without anyone being able to tell where it came from or, if they watched you send it, where it was going. You might wrap the mail inside envelopes inside other envelopes, each addressed to some third party, with instructions to remail the inner envelopes. The first recipient would open the outermost envelope and follow the instructions on the next envelope in, which would go to someone who didn't know where the mail got started. The first recipient wouldn't know the final destination because it was inside the inner envelope.
That's how Tor works, except instead of physical mail it's network data, and instead of opaque envelopes it uses encryption. Delivering the data requires peeling off one layer after another, just like peeling an onion, so the process is called "onion routing".
It works, but it's not magic and you still have to think about security issues.
For example, you need to get the software from some place you can trust. The regular distribution is through the Electronic Frontier Foundation. There's malicious software going around that sends email urging you to use Tor and including a link to download it which actually takes you to a place that installs malicious software.
The other thing to remember is that "anonymous" doesn't mean "confidential". When Tor traffic reaches its destination, it's readable unless you've encrypted it yourself. The last link in the chain of relays can read all the traffic going through it. If you've somehow identified yourself, then your cover is blown. This actually happened recently: a Swedish security nerd set up a Tor relay configured to the the last link in the chain of relays and watched what was going through. The security researcher, Dan Egerstad, found some interesting things: "The e-mail messages seen by Egerstad included discussions of military and national-security issues between embassies and sensitive corporate e-mail messages, he said."
# posted by Frederick @ 9:03 PM Email to a friend:
Haloscan: they provide trackback