TOR in depth

May 20, 2008 – 8:57 pm


TOR (The Onion Router) is a network of Nodes, which can be used to tunnel your connection anonymously.
It’s free, and it’s an open-source project, so everyone can use it.

The TOR network consists two main categories, TOR Servers and TOR users.
any TOR user can be a TOR server. So no one can ‘own’ all the servers.

TOR creates chains of 3 nodes each and changes those chains every few minutes. The chains are created randomly from a Directory of nodes managed by a few main TOR Nodes.

TOR opens a connection between the client and the first node (Usually referred as an EntryNode), then it sends a signal to open a connection to the second node, and then to the third node (Usually referred as an ExitNode).

So when you surf to a website, you are doing so through three different nodes that are located around the world.

You -> Node1 -> Node2 -> Node3 ->

TOR relies on Telescoping encryption, which means every node can only see the information it needs to see, rather than having the ability to decrypt the entire data transmitted between the nodes.

Security and Privacy Simulations

So the owner of the first node can see who is the actual person that wants to surf anonymously, but cannot see the data because it’s encrypted - so Node1 cannot see what i asked for, but can see who I am.

The owner of the second node can’t really see anything. He doesn’t know who asked for the data, because all of the requests are being tunneled through the first node (which gives no information about the original person that requests the information), and he can’t see the data also, because it’s encrypted.

The owner of the third node doesn’t know who asked for the information because it’s tunneled through the second node, but he can see that data we have requested because the third node can decrypt the data.
The third node has the key to decrypt the data because it has to communicate with the website we requested (which generally doesn’t use any type of encryption).

Let’s take this a step further,
Node1 + Node2
If I am the owner of the first two nodes, it doesn’t do me any good. because again, I can see the person that wants to be anonymous, but I can’t see any of the data because neither Node1 or Node2 can’t decrypt the data.

Node2 + Node3
Owning Node2 and Node3 isn’t ideal either. I will be able to see the data, but owning Node2 won’t help me with anything.

Node1 + Node3
Owning Node1 and Node3 can be more helpful if I am an attacker who wishes to see the identity of a TOR user.
Node1 knows the identity of the person that requests the information, Node3 knows how to decrypt the data.
Getting the whole picture is still very hard.
Lets say ‘John’ is connected as the following:
Node1 -> Node5 -> Node3
Now, john wants to surf anonymously to google. So we see that Node1 gets a request from John, but we don’t know what john wants. then, we see that someone (we can’t tell it’s john for sure), requested google’s homepage through Node3. Connecting the dots and saying that john is the person that requested google’s homepage is almost impossible considering the fact that there are currently hundreds of thousands of users. The attacker can’t know for sure that john that surfed through Node1 is really the same person that requested a certain page through Node3.
The only way to know both the user identity and the requested data is to use a technique that relies on timing and calculates the average time it takes for someone to connect through Node1 to a second unknown node and then to Node3, and assume that whoever qualifies for the average time is the same user of both of the nodes.

Needless to say if the attacker owns all three nodes, he can see the user identity and the entire data he requested. But it is very unlikely that one person will control all three nodes because the chains are being randomly chosen by the TOR client and there is a reasonable amount of TOR Nodes (approximately 1800)

Now let’s take it a step further, Lets say someone hacked your computer and uses a Packet sniffer and watches every packet that leaves your computer. thanks to the encryption that TOR uses, the only thing the attacker can see is the first node identity. none of the data, not even the identity of the exitnode.

TOR also has a solution to a very known privacy issue that usually doesn’t get any attention by other anonymization applications, and that is the fact that DNS servers has the information on any user that made any DNS request to it. Which means that if i wanted to visit anonymously and used any type of anonymizer, google wouldn’t be able to know my identity by checking the logs of the Web server, but they will be able to know my identity through the logs of their DNS server. because every time you type an address in the navigation bar, in the background a DNS query is being sent to google’s DNS servers (Using your non-anonymous identity).
TOR solves this by using an application called Privoxy that allows DNS queries to be tunneled anonymously through the TOR network.

As you can see, eavesdropping TOR users is quite difficult.


As far as I know, TOR has only two vulnerabilities

  1. The first technique enables a website owner to know the true identity of a visitor that uses TOR by using a special Java applet that sends an ICMP packet (TOR does not support ICMP tunneling) to the website and by that unveils the true identity of the website visitor.
  2. The second method requires the attacker to own an ExitNode. By owning the exitnode the attacker can inject javascript code or a Java applet into the requested pages that it transmits back to the original TOR user that will help him unveil the identity of the TOR user.

Speed Issues

Unlike other applications that offers anonymous surfing, TOR is quite slow due to the fact that everything is encrypted, and being transmitted through 3 servers around the world.
While using TOR you should expect getting an average of ~20-35kbps, depends on the location and bandwidth of the nodes you surf through. offers a package called Vidalia Bundle, that includes Tor + Privoxy + Vidalia (graphical interface for Tor) + Torbutton (An extension for firefox).

Post a Comment