Tor: Exploiting the weakest link
01 Mar 2012
Since the birth of the internet, there has been censorship. People have always been looking for ways to access the internet anonymously, either by proxy or VPN; however, these can still log the origin and destination of traffic.
For a few years now there have been several projects to anonymize traffic. One of the more famous ones is Tor (The Onion Router).
How Tor works
Tor uses servers and clients. When you request a webpage from your client, Tor makes an encrypted request to a randomly selected relay server called an onion router. This onion router knows who you are. The router then asks another onion router to relay the message. This second onion router only knows the first one. The second asks a third, the third asks a fourth, etc. No single router knows the complete route; the client, however, does.
The client can access a database which holds all the relays and, if he wants, he can select his own route; otherwise a random route is selected. He then gets all the public keys for the route and encrypts his message in reverse order, starting with the public key of the last node, then the second-to-last node, etc. So the encryption is layered (just like the layers of an onion). Each layer also carries a message for that node that contains the next hop. At the exit router the message is decrypted completely and the request for the webpage is made. For the webserver that serves the request, the client's IP is the IP of the exit node.
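To make the layering concrete, here is an added example (not code from the original post, and not Tor's own implementation) of the construction just described: the client wraps the payload once per relay, innermost layer first, and each layer carries the name of the next hop. Real Tor negotiates a fresh session key with every relay using that relay's public key; this demo assumes each relay already holds a symmetric key (derived from a constant so it runs offline) and uses an HMAC-SHA256 counter-mode keystream as a stand-in cipher. The relay names, the EXIT marker and the 16-byte hop field are all assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Fixed width of the "next hop" field the client places inside each layer (assumed).
HOP_FIELD_LEN = 16
EXIT_MARKER = "EXIT"

# Constructed relay keys for the demo. Real Tor negotiates a fresh session key
# with each relay using that relay's public key; here every relay simply holds
# a symmetric key derived from a constant, so the example runs offline.
RELAY_KEYS = {
    name: hashlib.sha256(b"demo-relay-key:" + name.encode()).digest()
    for name in ("relay-A", "relay-B", "relay-C")
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream cipher (illustration only)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per layer, then XOR with the keystream."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def _decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def build_onion(route: list[str], payload: bytes, keys: dict[str, bytes]) -> bytes:
    """Client side: wrap the payload once per relay, last relay first.

    Each layer carries the name of the next hop, so a relay that peels its
    own layer learns where to forward the rest but nothing about later hops.
    """
    blob = payload
    next_hop = EXIT_MARKER          # the last relay is told to deliver the payload
    for relay in reversed(route):
        header = next_hop.encode().ljust(HOP_FIELD_LEN, b"\x00")
        blob = _encrypt(keys[relay], header + blob)
        next_hop = relay            # the relay before this one must forward here
    return blob


def relay_peel(relay: str, blob: bytes, keys: dict[str, bytes]) -> tuple[str, bytes]:
    """Relay side: strip one layer and return (next hop, remaining onion)."""
    inner = _decrypt(keys[relay], blob)
    next_hop = inner[:HOP_FIELD_LEN].rstrip(b"\x00").decode()
    return next_hop, inner[HOP_FIELD_LEN:]


def simulate_circuit(route: list[str], payload: bytes, keys: dict[str, bytes]):
    """Walk the onion through the circuit.

    Returns the (relay, next hop) pair each relay learns, plus the plaintext
    the exit relay ends up holding: the exit sees the request in clear unless
    the client and the destination use end-to-end encryption such as HTTPS.
    """
    blob = build_onion(route, payload, keys)
    views = []
    hop = route[0]
    while hop != EXIT_MARKER:
        next_hop, blob = relay_peel(hop, blob, keys)
        views.append((hop, next_hop))
        hop = next_hop
    return views, blob


if __name__ == "__main__":
    views, exit_plaintext = simulate_circuit(
        ["relay-A", "relay-B", "relay-C"], b"GET /login HTTP/1.1", RELAY_KEYS)
    for relay, nxt in views:
        print(f"{relay} forwards to {nxt}")
    print("exit relay sees:", exit_plaintext)
```

Each relay only ever learns the hop after it; the list of views shows no relay holding the whole route, while the exit relay's return value shows exactly why plaintext HTTP through Tor is readable at the last hop.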
The weakest link
So traffic is encrypted multiple times and relayed through different servers. This ensures anonymity. However... anyone can set up a Tor exit node... and anyone who runs an exit node can monitor the traffic leaving it.
The weakness in this technology is one we find in other technologies as well: the so-called "user". A lot of people are concerned about their anonymity and figure they are safe when using Tor. They forget that while the chance of a man-in-the-middle (MITM) attack is small when using a physical line or an encrypted Wi-Fi AP, the exit node is in the middle by design. Because we can easily host an exit node, we can sniff traffic from people who think they are anonymous, a lot of people in fact. At 20 Mbit (the max speed we allowed Tor to use), we got about 200 different Facebook sessions a day.
Users forget about certain things, like Facebook over HTTPS. I've heard people say "I've enabled HTTPS on my Facebook account, so when I log in, I'm safe." Well, that's good for them, but they forget that often, if you do not explicitly request HTTPS for the Facebook login page, your username and password are sent in PLAIN TEXT over the internet. Facebook doesn't know you want a secure line before you are logged in. Obviously this goes for a lot of sites other than Facebook.
The whole point of Tor is to be anonymous, but users have Facebook accounts which often carry their full name and address, and then log in insecurely.
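The site-side fix for "the site doesn't know you want a secure line before you log in" is to make the browser refuse plaintext in the first place: mark the session cookie `Secure` (and `HttpOnly`) so it is never sent on an `http://` request, and send a `Strict-Transport-Security` header so the browser upgrades even a typed-in `http://` login URL. The following added example (not part of the original post, and not any real site's code) is a small auditor that parses a raw HTTP response head and reports which of those protections is missing. The two sample responses, the cookie value and the finding codes are constructed for the demo.

```python
import re

# Cookie names that usually carry a login session (heuristic, assumed for the demo).
SESSION_COOKIE_RE = re.compile(r"(sess|sid|token|auth|login)", re.IGNORECASE)


def _parse_headers(raw_response: str) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw HTTP response head into its status line and (name, value) pairs."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status_line, headers = lines[0], []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status_line, headers


def _parse_set_cookie(value: str) -> tuple[str, set[str]]:
    """Return (cookie name, lower-cased attribute names) from one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(scheme: str, raw_response: str) -> list[str]:
    """Report the ways a login response leaves its session exposed on the wire.

    scheme is "http" or "https", i.e. how the response was fetched. Findings
    are short stable codes; an empty list means nothing of concern was found.
    """
    findings = []
    _, headers = _parse_headers(raw_response)
    cookies = [_parse_set_cookie(v) for n, v in headers if n == "set-cookie"]
    header_names = {n for n, _ in headers}
    https = scheme.lower() == "https"

    # 1. A session cookie issued over plain HTTP has already crossed the wire in clear,
    #    and anything the client posted to get it (the password) did too.
    if not https and cookies:
        findings.append("PLAINTEXT_SESSION")

    # 2. Without the Secure attribute the browser will attach the cookie to any later
    #    http:// request to the same host, so one plaintext link replays the session.
    for name, attrs in cookies:
        if not SESSION_COOKIE_RE.search(name):
            continue
        if "secure" not in attrs:
            findings.append(f"COOKIE_NOT_SECURE:{name}")
        if "httponly" not in attrs:
            findings.append(f"COOKIE_NOT_HTTPONLY:{name}")

    # 3. Browsers only honour HSTS when it arrives over HTTPS. Without it, the next
    #    http:// visit (a typed URL, a bookmark) still goes out in clear before any redirect.
    if https and "strict-transport-security" not in header_names:
        findings.append("NO_HSTS")
    return findings


# Constructed sample responses; not captured from any real site.
WEAK_LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sid=c0ffee; Path=/\r\n"
    "\r\n"
    "<html>welcome</html>"
)

HARDENED_LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: sid=c0ffee; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>welcome</html>"
)

if __name__ == "__main__":
    print("weak over http:   ", audit_response("http", WEAK_LOGIN_RESPONSE))
    print("weak over https:  ", audit_response("https", WEAK_LOGIN_RESPONSE))
    print("hardened, https:  ", audit_response("https", HARDENED_LOGIN_RESPONSE))
```

Run against your own login endpoint's response (fetch it with any HTTP client and pass the raw head), the three finding codes map directly onto the three things the post says users rely on without checking: whether the login itself went over TLS, whether the resulting session can be replayed over plaintext, and whether the browser will keep choosing plaintext for the next visit.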
One could write a script (and we made a proof of concept) that looks for usernames and passwords or hijacks sessions and automatically "likes" a Facebook page called "I am using Tor to be anonymous".
I am not saying Tor is unsafe; all we wanted to prove is that people need to think twice before assuming they are anonymous and safe on the internet. There will always be people who want to do malicious stuff. We could have hijacked about 20 accounts in half an hour and revealed people who use Tor, or got into their mailboxes (as Dan Egerstad also proved in 2007).
The comments in the clip are in Dutch, but basically we set up a Tor node and used tshark to capture traffic. We specified that we were interested in HTTP traffic coming from or going to Facebook. We then took the session cookie and injected it into our browser, which then automatically logged us into Facebook as that user.
Tor is a good anonymity provider, but like all tools, you need to use it in the correct way.