I’ve heard lots about Tor, and thought it was about time I learned how to use it. I have no actual use for it; but in the same way I have no emails that are really private and yet still use OpenPGP, I like to know how to use the technology that keeps prying eyes away from me should I need it.
Tor is a so-called onion router. Its job is to hide the two ends of a connection from each other. This is done by introducing multiple intermediate nodes, each of which only knows about the next intermediate. In fact there is no way for any particular node to know if it is talking to an end point or not.
The Tor network is run by volunteers that are willing to pass packets to and fro under instruction from other Tor nodes. They each publish a public key for their node. That list of public keys allows the “onion” to be created. At the centre of the onion is the payload: the message you want to send. Let’s assume that the endpoint is public, but you want to hide your communication from any observer (like, say, the Chinese government).
- Select a random path through the Tor network
- Work backwards from the end point.
- For each node on the network you create a wrapper. That wrapper says where the inner layer should be delivered next.
- You encrypt that wrapped package with the public key of the target node on the path.
- Now you move to the node in the path next closest to you, and repeat. Wrap, encrypt.
- And so on.
Eventually, you are holding an “onion” packet that has been wrapped and encrypted; wrapped and encrypted; wrapped and encrypted and is ready to be delivered to the first node in the path. That node is the only one able to unwrap that “skin”, read the wrapper and see who gets the next layer.
It doesn’t matter who sees the packet: they can’t connect the input to the node to the output from the node, and they can’t see where its final destination is. Only the last node (called the exit node in Tor parlance) gets to see the final destination, and it doesn’t know where the packet came from. Assuming the core packet is itself encrypted, then not only is no node able to read the communique, no node knows simultaneously who sent it and who it is addressed to.
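The wrap-and-encrypt procedure above, carried through as an added Python example (not code from Tor or from this post). A toy SHA-256 keystream with an HMAC tag and one shared secret per node stands in for encrypting to each node's published public key; the node names, keys and destination are constructed.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    # Toy SHA-256 counter-mode keystream: a stand-in cipher, not what Tor uses.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor(plaintext, key, nonce)
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    want = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("layer is not encrypted to this node")
    return _xor(ct, key, nonce)

def build_onion(path, keys, destination, payload):
    # Work backwards from the end point: wrap, encrypt, repeat.
    next_hop, inner = destination, payload
    for node in reversed(path):
        wrapper = json.dumps({"next": next_hop}).encode()
        inner = seal(keys[node], len(wrapper).to_bytes(2, "big") + wrapper + inner)
        next_hop = node
    return inner

def peel(key, blob):
    # One node removes one skin: it learns the next hop and nothing else.
    layer = unseal(key, blob)
    n = int.from_bytes(layer[:2], "big")
    return json.loads(layer[2:2 + n])["next"], layer[2 + n:]

def route(first, keys, onion):
    # Follow the onion hop by hop until the next hop is outside the network.
    hops, node, blob = [], first, onion
    while node in keys:
        nxt, blob = peel(keys[node], blob)
        hops.append((node, nxt))
        node = nxt
    return hops, node, blob

# Constructed sample path and per-node secrets (hypothetical node names).
PATH = ["guard", "middle", "exit"]
KEYS = {name: os.urandom(32) for name in PATH}
```

Each entry returned by `route` is what a single node learns: its own name and the next hop. Only the last entry contains the destination, and no entry contains the sender.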
The above was a method for hiding access to a publicly known service. What if you want to hide the service as well? In that case, the server runs inside the Tor network. There is no exit node. That means any one of the intermediate nodes could be the destination node. None of the other intermediates know that. Only that destination node can decrypt the packet and see that it is addressed to it.
The target service is therefore identified not by IP address (it wouldn’t be very hidden then) but by a so-called pseudo-domain. You will be familiar with normal domains: `www.google.com` translates to an IP address using the DNS network and your computer then connects to that address. Tor relies on the client software to understand the `.onion` top-level domain. Of course, not all software is Tor-enabled; you can try typing a `.onion` domain into your browser. You’ll get nothing.
For software that does understand `.onion` domains, rather than querying the DNS system (which maps names to IP addresses), the client software queries the Tor network itself, which knows how to resolve these addresses. The implication is that you need either a plugin or specially customised versions of your clients (like your web browser) to use a hidden Tor service.
Key features of Tor:
- You can browse any site without that site knowing your IP address.
- You can browse any site without any intermediate (like your ISP, BT, the government) being able to see that you are doing so.
- You can browse ‘hidden services’ that don’t want to reveal their IP address to anyone.
- Hidden sites operate a name resolution system outside of the internet standard, DNS. That means those sites cannot be shut down in the normal SOPA/ACTA/DMCA/SIPA/IWF sense. Your internet connection is yours to do with as you please.
Here’s what I did on Debian:
```
$ apt-get install tor
Setting up tor (0.2.2.35-1) ...
Something or somebody made /var/run/tor disappear.
Creating one for you again.
Raising maximum number of filedescriptors (ulimit -n) to 32768.
Starting tor daemon: tor...
Feb 09 15:39:25.584 [notice] Tor v0.2.2.35 (git-73ff13ab3cc9570d). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux i686)
Feb 09 15:39:25.585 [notice] Initialized libevent version 2.0.16-stable using method epoll. Good.
Feb 09 15:39:25.586 [notice] Opening Socks listener on 127.0.0.1:9050
Feb 09 15:39:25.586 [notice] Opening Control listener on /var/run/tor/control
```
Then I went to the Tor check page, which happily told me that I wasn’t connected using Tor. That didn’t surprise me; I haven’t told the browser to do anything but connect directly. Similarly, the Tor guide actually says:

> Please note that it is important that you use the browser that comes with the bundle, and not your own browser.

Tor comes with a pre-configured and modified-for-Tor browser. I’m more a do-it-yourself sort of person though. Debian very nicely packages the Firefox plugin that will take care of the magic for us.
```
$ apt-get install xul-ext-torbutton
Setting up xul-ext-torbutton (1.4.5.1-1) ...
```
Then restart Firefox, and you will see a new button on the address bar: a little onion with an ‘X’ on it. Push it, and reconnect to the Tor check page. This can be considerably slower than your normal browsing experience because the packets are travelling along a far more convoluted path, with considerably more encryption done in between. Eventually, though, you will get a congratulatory page.
If you were a dissident, you could now breathe a little easier. Your oppressive government can’t watch you. They might be able to tell that you’re using Tor (however Tor uses ports 80 and 443, so it’s hard to tell apart from normal encrypted web traffic), but they can’t see what you’re doing or who you’re talking to.
The Tor plugin, Torbutton, is really just an interface to an automatic settings switcher. Torbutton disables leaky features (plugins, etc.) and changes your browser proxy to point at the local Tor client. Any application that supports proxy configuration can therefore also use Tor by setting the proxy manually:
SOCKS v5 proxy 127.0.0.1:9050
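What a proxy-aware application sends to that listener, as an added Python example (not Torbutton's or Tor's code): a SOCKS5 CONNECT per RFC 1928 that passes the hostname itself (address type 0x03), so the name is resolved by the proxy rather than by the local DNS resolver. The function names are hypothetical, and `open_via_proxy` assumes the local Tor client installed above is listening on 127.0.0.1:9050.

```python
import ipaddress, socket, struct

def connect_request(host, port):
    """SOCKS5 CONNECT request (RFC 1928). Names are sent as ATYP 0x03 so the
    proxy, not the local DNS resolver, looks them up; a local lookup would
    reveal the name to the resolver and cannot resolve .onion names at all."""
    try:
        ip = ipaddress.ip_address(host)
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    except ValueError:
        name = host.encode("ascii")
        if not 0 < len(name) < 256:
            raise ValueError("hostname must be 1-255 bytes")
        addr = b"\x03" + bytes([len(name)]) + name
    # VER=5, CMD=1 (CONNECT), RSV=0, then address and big-endian port.
    return b"\x05\x01\x00" + addr + struct.pack(">H", port)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def open_via_proxy(host, port, proxy=("127.0.0.1", 9050)):
    # Assumption: a SOCKS5 listener (the local Tor client) is at `proxy`.
    sock = socket.create_connection(proxy, timeout=60)
    try:
        sock.sendall(b"\x05\x01\x00")  # greeting: offer "no authentication"
        if _recv_exact(sock, 2) != b"\x05\x00":
            raise ConnectionError("proxy refused the no-auth method")
        sock.sendall(connect_request(host, port))
        ver, rep, _rsv, atyp = _recv_exact(sock, 4)
        if ver != 5 or rep != 0:
            raise ConnectionError(f"SOCKS5 CONNECT failed, reply code {rep}")
        # Discard BND.ADDR and BND.PORT so the stream starts at the payload.
        alen = {1: 4, 4: 16}.get(atyp) or _recv_exact(sock, 1)[0]
        _recv_exact(sock, alen + 2)
        return sock
    except Exception:
        sock.close()
        raise
```

An application that resolves the hostname itself and then hands the proxy an IP address has already told its DNS resolver which site it is visiting, so checking that the name goes out in the CONNECT request is the useful test of a "Tor-enabled" client.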
Now, let’s try accessing a hidden service. With Torbutton still active, connect to
http://3g2upl4pq6kufc4m.onion/
This is the Tor hidden service address for the DuckDuckGo search engine. If you can see that, you should be able to access any hidden service you wish. I had no trouble seeing Silk Road; but not being into drugs found it had nothing I want — YMMV.