While the idea of circumventing the privacy offered by Tor via DNS, Flash, and Java (applets) is nothing new, HD Moore’s “Torment” Tor server hack has made news at Securityfocus and ZDNet. Although I’m not quite sure why this big news now all of a sudden, it does have positive side effects for the Tor project (see my opinions below).
Moore’s methodology is based on the following strategy (also see Decloak):
1) A modified version of the Tor server is used.
2) When the Tor server is an exit node for a particular connection, it parses HTTP traffic for keywords that indicate criminal activity.
3) When an active keyword is found, the modified Tor server will embed HTML code in the response that will cause the Tor client’s browser to:
- Resolve a host name containing a unique identifier. Applications that use SOCKS 4 resolve hostnames using the ISP’s DNS (without going through the proxy server). In this scenario, the entity running the modified Tor server will also have to run a modified version of a DNS server that will match DNS queries to the unique identifier. This technique allows for the identity of the ISP of the client to be revealed (unless the user is using DNS that does not belong to his or her ISP).
- Load and run a Java applet hosted by the entity running the modified Tor server. The applet will determine the local IP address and pass it to the Tor server owner. If the end user is behind a NAT router, his internal (non-routable) IP address will be revealed.
- The Java applet will send a UDP packet to the server that served the applet. This UDP packet will be sent directly to the destination without going through TOR and will reveal the actual IP address of the client.
Here are my opinions on this:
1) Attempting to identify criminal activity based on keywords may help identify some criminals, but it will most likely result in too many false positives. This will compromise the anonymity of many legitimate Tor users, thus defeating the entire idea behind the Tor project.
2) The proposed methodology uses techniques that are circumvent-able by using Socks4a aware browsers and disabling plugins such as Flash and Java. I am sure Moore is aware of this, and to his credit, most users as of today are most likely to install and use Tor out-of-the-box. Also, disabling plugins such as Flash and Java may not be an option for many users because many web applications require these.
3) The fact that this topic has gained attention will have the following positive side effects on the Tor project:
- Some legitimate Tor users will pay attention to post-installation steps (use Socks4a, disable plugins) they need to perform in order lower the chances of their anonymity being circumvented.
- The Tor project, or a new project that utilizes the Tor system, may make an effort of offering a one stop solution or enhancement to the download package that may aid in automating some of the post-installation steps.
- The Tor download page provides warnings against the limitations of Tor, and even suggests that users investigate plugins such as NoScript and QuickJava. Unfortunately, a regular Tor user is not likely to spend time researching these proposed suggestions and will end up being suscsceptible to the techniques described by Moore. In addition, Tor users who use plugins such as QuickJava may still be susceptible because of the dynamic tag generation proposed by Moore, and there are already ongoing efforts by Tor volunteers to fix this.
In summary, I don’t believe Moore’s proposed idea is the most efficient solution to catching criminals who use Tor as the ZDNet seems to suggest, but I do believe that he has done a great job of demonstrating how most Tor users are susceptible to information leakage, and I believe this will in turn strengthen the Tor project.