Camden Civil Rights Project
Researched, compiled and edited by L. Christopher Skufca
With the numerous methods incorporated by malicious hackers, the NSA, the FBI and even local law enforcement agencies to access your private data, Tor is the best alternative for anonymously surfing the internet. Fundamentally, Tor is secure; however, Tor itself can’t guarantee your privacy and security. Additional security measures must be taken to protect your anonymity. The experts at Information Security Stack Exchange provide guidance on best practices for preserving your online anonymity while using Tor.
What is Tor and How Does it Work?
Tor is free software for enabling anonymous online communication. Tor is intended to protect the personal privacy of users, as well as their freedom and ability to conduct confidential communication, by keeping their Internet activities from being monitored. Tor protects anonymity by directing Internet traffic through a free, worldwide, volunteer network consisting of more than six thousand relays to conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis. It is legally used by millions worldwide to circumvent censorship and to stay safe from online snooping.
Tor is an acronym for The Onion Router, encryption technology which was developed in the mid-1990s by United States Naval Research Laboratory for the purpose of protecting U.S. intelligence communications online. In 2004, the Naval Research Laboratory released the code for Tor under a free license, and in 2006 a Massachusetts-based 501(c)(3) research-education nonprofit organization called The Tor Project was founded. Its stated purpose is the research and development of online privacy tools.
The routing method utilized by the Tor network disguises your identity by moving traffic across different Tor servers, and encrypting that traffic, making it difficult to trace communications back to the original source. In an onion network, like that used by Tor, electronic data, including the destination IP address, is encapsulated in layers of encryption, analogous to layers of an onion. The encrypted data is then transmitted through a series of network nodes called onion routers, each of which “peels” away a single layer, uncovering the data’s next destination. Each relay decrypts a layer of encryption to reveal only the next relay in the circuit in order to pass the remaining encrypted data on to it. The sender remains anonymous because each intermediary knows only the location of the immediately preceding and following nodes. The final relay decrypts the innermost layer of encryption and sends the original data to its destination without revealing, or even knowing, the source IP address.
Anyone who tries to identify the user would see traffic coming from random nodes on the Tor network, rather than the source computer. Because the routing of the communication is partly concealed at every hop in the Tor circuit, this method eliminates any single point at which the communicating peers can be determined through network surveillance that relies upon knowing its source and destination.
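To make the layer-by-layer mechanism concrete, here is a toy simulation added as an illustration (it is not Tor's code). Real Tor negotiates a fresh session key with each relay through a Diffie-Hellman handshake and uses AES-CTR; to stay standard-library only, this example assumes pre-shared per-relay keys and a SHA-256 keystream as a stand-in cipher. It keeps the properties described above: one layer per relay, each relay can peel exactly one layer, each relay learns only the next hop, and the exit sees the plaintext.

```python
"""Toy walkthrough of onion routing (added illustration, not Tor's protocol code).

Assumptions: each relay has a pre-shared 32-byte key and the cipher is a
SHA-256 keystream XOR with an HMAC tag (illustration only; not a real cipher).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN, TAG_LEN = 16, 32


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || nonce || counter) blocks (toy stream cipher)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Add one layer: nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_layer(key: bytes, blob: bytes) -> bytes:
    """Peel one layer; rejects a layer not sealed with this key or altered in transit."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer failed authentication")
    return keystream_xor(key, nonce, ct)


@dataclass
class Relay:
    name: str
    key: bytes = field(default_factory=lambda: os.urandom(32))
    observed: list = field(default_factory=list)  # (next hop, bytes) this relay saw

    def peel(self, blob: bytes) -> tuple[str, bytes]:
        """Remove this relay's layer and return (next hop, remaining onion)."""
        inner = open_layer(self.key, blob)
        hop_len = inner[0]
        next_hop = inner[1:1 + hop_len].decode()
        rest = inner[1 + hop_len:]
        self.observed.append((next_hop, rest))
        return next_hop, rest


def build_onion(circuit: list, destination: str, message: bytes) -> bytes:
    """Client side: wrap the message in one layer per relay, innermost for the exit.

    Each layer carries only the name of the next hop, so a relay learns that
    and nothing else about the path."""
    blob, next_hop = message, destination
    for relay in reversed(circuit):
        hop = next_hop.encode()
        blob = seal(relay.key, bytes([len(hop)]) + hop + blob)
        next_hop = relay.name
    return blob


def route(circuit: list, onion: bytes):
    """Relay side: each relay peels one layer and forwards to the hop it names.

    Returns the list of (relay, next hop) pairs and what the exit delivers."""
    hops, blob = [], onion
    for relay in circuit:
        next_hop, blob = relay.peel(blob)
        hops.append((relay.name, next_hop))
    return hops, blob  # the exit hands this plaintext to the destination


def demo():
    """Three-hop circuit carrying a plain-HTTP login (constructed sample request)."""
    circuit = [Relay("guard"), Relay("middle"), Relay("exit")]
    request = b"GET /login HTTP/1.1\r\nHost: example.org\r\n\r\nuser=alice&pw=hunter2"
    onion = build_onion(circuit, "example.org", request)
    hops, delivered = route(circuit, onion)
    # The middle relay saw only the exit's name and an opaque, still-encrypted blob.
    middle_sees_plaintext = b"hunter2" in circuit[1].observed[0][1]
    return hops, delivered, middle_sees_plaintext


if __name__ == "__main__":
    for relay, nxt in demo()[0]:
        print(f"{relay} forwards to {nxt}")
```

Note that `delivered` is the raw request, which is exactly what an exit operator can read when the destination is plain HTTP; that is the reason for the HTTPS advice later on this page.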
To access the Tor network, you simply need to download the Tor browser. Everything you do in the browser goes through the Tor network and doesn’t need any setup or configuration from you. One drawback of using Tor is that users experience a much more sluggish internet experience since their data is being transferred through multiple relays.
What Tor Is Good For
Tor is most useful for concealing internet browsing habits. Used in conjunction with additional security measures, Tor can also be useful in protecting the anonymity of your communications with a third party. Tor has been utilized by researchers, journalists, whistleblowers, attorneys and even law enforcement officers hoping to conceal their IP address from detection.
There are several legitimate purposes for wanting to protect your online anonymity. Much of the Tor Project’s funding comes from federal grants issued by agencies, such as the U.S. State Department, that claim a vested interest in supporting safe, anonymous speech for dissidents living under oppressive regimes. It is used by human rights workers, activists, journalists and whistleblowers worldwide. Tor is also a useful tool for legal practitioners seeking to protect privileged attorney-client communications and has been used as an effective tool for protecting the anonymity of undercover law enforcement officers and police informants.
However, in the wrong hands, Tor has also been used for more nefarious purposes. Tor’s technology can be utilized to provide anonymity to websites and other servers configured to receive inbound connections which are only accessible by other Tor users. These are called hidden services. Rather than revealing a server’s IP address (and thus its network location), a hidden service is accessed through its onion address. The Tor network understands these addresses and can route data to and from hidden services, even those hosted behind firewalls or network address translators (NAT), while preserving the anonymity of both parties. These hidden service sites create an opening for criminal activity, as happened with the Silk Road exchange site, which was shut down for trafficking illicit drugs. Tor’s hosting capabilities have also served as platforms for child pornography and illegal arms trading.
The Limitations of Tor
Anonymity is not the same as security. While it is difficult to hack the encryption of the Tor network, a network is only as secure as the technology used to access the network.
In a 2012 child pornography sting, the FBI utilized a hacking tool created by Metasploit called a “Decloaking Engine” to infect the servers of three different hidden Tor sites, which would then target anyone who happened to access them. The network investigative technique (NIT) used a Flash application that would ping a user’s real IP address back to an FBI controlled server, rather than routing their traffic through the Tor network and protecting their identity.
Woodward’s warning proved to be timely; in August 2013, the FBI was able to exploit a security flaw in the modified Firefox 17 browser included with the Tor Browser Bundle, a collection of programs designed to make it easy for people to install and use the software. Representatives of Tor responded to the breach with the following statement:
The good news is that they went for a browser exploit, meaning there’s no indication they can break the Tor protocol or do traffic analysis on the Tor network. Infecting the laptop, phone, or desktop is still the easiest way to learn about the human behind the keyboard.
Tor still helps here: you can target individuals with browser exploits, but if you attack too many users, somebody’s going to notice. So even if the NSA aims to surveil everyone, everywhere, they have to be a lot more selective about which Tor users they spy on.
Two months later, in October 2013, The Guardian released an NSA presentation, provided by whistleblower Edward Snowden, revealing an NSA program targeting Tor users by exploiting the Tor browser bundle. The NSA attacks were designed to identify Tor users and the hidden sites they visited.
As The Guardian reported, this type of “man-on-the-side” attack on Tor users cannot be pulled off by just anyone, because it requires the assistance of internet service providers (ISPs):
“(man-on-the-side attacks) are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the internet backbone, and exploit a “race condition” between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack…
According to a top-secret operational management procedures manual provided by Snowden, once a target is successfully exploited it is infected with one of several payloads. Two basic payloads mentioned in the manual, are designed to collect configuration and location information from the target computer so an analyst can determine how to further infect the computer.
These decisions are made in part by the technical sophistication of the target and the security software installed on the target computer; called Personal Security Products or PSP, in the manual.”
Motherboard points to a 2013 FBI sting which utilized this method:
The FBI’s big child porn bust this summer also raised some suspicion from privacy advocates over how easy it is for the Feds to infiltrate Tor. The FBI managed to crack the anonymous network by injecting malware into the browser, in order to identify what it called “the largest child porn facilitator on the planet.” In the process, the malware revealed the IP addresses of hundreds of users.
On January 5, 2016, Motherboard reported that the FBI conducted a network attack which targeted over a thousand computers and was able to deanonymize visitors to a Tor hidden site called Playpen, allegedly one of the largest sites hosting child pornography on the Darkweb. According to the article, “the FBI ran Playpen from its own servers in Newington, Virginia, from February 20 to March 4,” during which time, “the FBI deployed what is known as a network investigative technique (NIT), the agency’s term for a hacking tool.” According to the complaint filed by the FBI, “approximately 1300 true internet protocol (IP) addresses were identified during this time.”
Tor explicitly warns against installing or enabling browser plugins. The Tor Browser is configured to block browser plugins such as Flash, RealPlayer, and QuickTime, because they can be manipulated into revealing your IP address. For the same reason, Tor does not recommend installing additional add-ons or plugins into the Tor Browser, as these may harm your anonymity and privacy by bypassing the browser’s network protections.
End Node Decryption
Tor has a known weakness: The last node through which traffic passes in the network has to decrypt the communication before delivering it to its final destination. Someone operating that node can see the communication passing through this server.
In 2007, Swedish security researcher, Dan Egerstad was able to intercept passwords and email messages from government agencies by running Tor exit nodes. According to Egerstad, many who use Tor mistakenly believe it is an end-to-end encryption tool. As a result, they aren’t taking the precautions they need to take to protect their web activity. University of Surrey professor, Alan Woodward, cautions that Tor volunteers are anonymous and therefore, users “do not choose which exit node you use so you cannot guarantee who it is that is actually running that node.” Woodward also remarked that Tor’s random routing between nodes makes it unlikely that anyone could target a specific individual in this way, unless they run a large proportion of the Tor nodes that are out there. Taking additional steps to encrypt data could also mitigate this risk.
Study on Traffic Correlation Attacks
In August 2013, Tor accounts increased by over 100%, leading many to suspect that Edward Snowden’s June 2013 revelations of the vast NSA surveillance program had led more internet users to protect their privacy. However, the sudden uptick in Tor users may be better explained by a joint research project designed to identify the effectiveness of this type of end node relay attack.
In November of 2013, the US Naval Research Laboratory and Georgetown University in Washington, D.C. issued a joint report entitled “Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries.” The report focuses on traffic correlation attacks against Tor users by network adversaries, such as corporations, intelligence and law enforcement agencies, or governments.
A network adversary is a network operator with ample network resources to observe a large portion of the underlying network over which Tor traffic is transported, by controlling one or more autonomous systems or internet exchange points. Within the Internet, an autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the Internet. An Internet exchange point (IXP) is a physical infrastructure through which Internet service providers (ISPs) and Content Delivery Networks (CDNs) exchange Internet traffic between their networks (autonomous systems, or ASes).
In layman’s terms, the study found that the more entrance and exit nodes a network adversary is capable of controlling, either through Tor exit relays or the destination servers themselves, the greater the probability the targeted communications will pass through a resource controlled by the attacker, exposing a Tor user (and their communications) to identification.
According to the report, “A network adversary leverages their position as a carrier of network traffic to correlate Tor traffic streams that cross their network at some point between the client and guard and exit and destination pairs.” As the researchers remark, “Tor does not currently implement any protection against adversaries who operate ASes or IXPs.”
In traffic correlation attacks, an adversary with enough bandwidth capacity runs high-bandwidth relays in the Tor network in order to deanonymize an individual user. The researchers report:
“Onion routing is vulnerable to an adversary who can monitor a user’s traffic as it enters and leaves the anonymity network; correlating that traffic using traffic analysis links the observed sender and receiver of the communication. Øverlier and Syverson first demonstrated the practicality of the attack in the context of discovering Tor Hidden Servers. Later work by Murdoch and Danezis show that traffic correlation attacks can be done quite efficiently against Tor.”
Since network adversaries can monitor entrance and exit traffic on any of the routers they control, the more points within their control, the greater their ability to expose a Tor user’s identity. Researchers found that, “sending many streams over Tor induces higher rates of circuit creation, increasing the number of chances the adversary has to compromise one. Alternatively, the specific destination addresses and ports that users connect to affect the probability a malicious exit is chosen because allowed exit policies differ from relay to relay.”
This is important because information travels through the encrypted layers of the Tor network through Internet Exchange Points (IXPs) or autonomous systems (ASes) that control multiple routers, such as ISPs. Since attackers can theoretically see exit or entrance traffic on any of the routers they control, logically, the more points of control, the faster and easier it is to expose a Tor user’s identity. As Meghan Neal at Motherboard points out, “Hypothetically, a state-sponsored cyberattacker could control all of the routers in the country.” Therefore, US intelligence agencies, which have innumerable routers at their disposal, would have a tremendous advantage in deanonymizing users and tracking their communications across the Tor network.
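To put numbers on the two findings quoted above (more circuits mean more chances for the adversary, and exit policies change the odds per destination port), the following model is an added illustration, not code from the study. It assumes relays are chosen in proportion to bandwidth among those whose exit policy allows the destination port (a simplification of real Tor path selection), and the relay names, bandwidths and policies are constructed samples. It also compares a client that picks a fresh entry relay per circuit with one that keeps a single entry guard, which is how Tor limits the growth in exposure.

```python
"""Circuit-compromise odds against an end-to-end correlating adversary.

Added illustration of the analysis on this page, not code from the study.
Model: the adversary observes a bandwidth-weighted fraction g of entry relays
and e of exit relays; a circuit is compromised when both ends are observed.
"""
import random

# Constructed sample exit relays (hypothetical names and numbers):
# (name, bandwidth, ports the exit policy allows, adversary-run?)
SAMPLE_EXITS = [
    ("exit-a", 100, {80, 443}, False),
    ("exit-b", 80, {80, 443}, False),
    ("exit-c", 60, {80, 443, 6667}, False),
    ("exit-d", 40, {22, 80, 443, 6667}, True),
    ("exit-e", 20, {22, 6667}, True),
]


def adversary_exit_fraction(exits, port):
    """Bandwidth-weighted share of exits allowing `port` that the adversary controls.

    A port that few relays allow concentrates traffic on the few that do, so
    the adversary's share (and e) depends on the destination port."""
    eligible = [(bw, adv) for _, bw, ports, adv in exits if port in ports]
    total = sum(bw for bw, _ in eligible)
    if total == 0:
        raise ValueError(f"no sample exit allows port {port}")
    return sum(bw for bw, adv in eligible if adv) / total


def p_fresh_entry(g, e, n_circuits):
    """P(at least one of n circuits has both ends observed) when every circuit
    picks a new entry relay: each circuit is an independent g*e chance."""
    return 1 - (1 - g * e) ** n_circuits


def p_fixed_guard(g, e, n_circuits):
    """Same with one persistent entry guard: either the guard is clean for every
    circuit (prob 1-g), or each circuit's exit choice is a fresh chance (prob g).
    Exposure is capped at g no matter how many circuits are built."""
    return g * (1 - (1 - e) ** n_circuits)


def simulate(g, e, n_circuits, n_users, fixed_guard, seed=0):
    """Monte Carlo check of the closed forms: share of users with >=1 compromised circuit."""
    rng = random.Random(seed)
    hit = 0
    for _ in range(n_users):
        guard_bad = rng.random() < g
        for _ in range(n_circuits):
            entry_bad = guard_bad if fixed_guard else rng.random() < g
            if entry_bad and rng.random() < e:
                hit += 1
                break
    return hit / n_users


def exposure_table(g, e, circuit_counts=(1, 10, 100, 1000)):
    """Rows of (circuits, P with fresh entries, P with a fixed guard)."""
    return [(n, p_fresh_entry(g, e, n), p_fixed_guard(g, e, n)) for n in circuit_counts]


if __name__ == "__main__":
    e443 = adversary_exit_fraction(SAMPLE_EXITS, 443)
    e22 = adversary_exit_fraction(SAMPLE_EXITS, 22)
    print(f"adversary exit share: port 443 {e443:.2f}, port 22 {e22:.2f}")
    for n, fresh, fixed in exposure_table(0.10, e443):
        print(f"{n:5d} circuits: fresh entry {fresh:.3f}  fixed guard {fixed:.3f}")
```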
The Tor Project, itself, openly acknowledges:
“Just using Tor isn’t enough to keep you safe in all cases. Browser exploits, large-scale surveillance, and general user security are all challenging topics for the average internet user. These attacks make it clear that we, the broader internet community, need to keep working on better security for browsers and other internet-facing applications.”
Therefore, it is highly recommended that Tor users always take additional security precautions by using an anonymous proxy tool, such as a virtual private network (VPN) and HTTPS encryption whenever possible as added layers of protection.
If you are not already using a VPN or HTTPS, you should be. If a site offers HTTPS, just go to https://www.thewebsite.com instead of just plain old http. To help ensure private encryption to websites, the Tor Browser includes HTTPS Everywhere to force the use of HTTPS encryption with major websites that support it. However, you should still watch the browser URL bar to ensure that websites you provide sensitive information to display a blue or green URL bar button, include https:// in the URL, and display the proper expected name for the website.
Using Tor Could Increase the Possibility that You are Targeted
Documents revealed by Edward Snowden in October 2013 show that the Tor online anonymity network is a high-priority target for the National Security Agency. In support, The Guardian released “Tor Stinks,” an NSA presentation (vintage June 2012) outlining current and proposed strategies for exploiting the network. The work of attacking Tor is done by the NSA’s application vulnerabilities branch, which is part of the systems intelligence directorate, or SID. The majority of NSA employees work in SID, which is tasked with collecting data from communications systems around the world. Therefore, an agency like the NSA or FBI can tell that you are a Tor user, making you more likely to be targeted.
Furthermore, an NSA document obtained by the Guardian in June 2013, titled Minimization Procedures Used by the National Security Agency in Connection with Acquisitions of Foreign Intelligence, reveals that using online anonymity services such as Tor or sending encrypted e-mail and instant messages are grounds for US-based communications to be retained by the National Security Agency even when they’re inadvertently collected.
Of concern, the NSA Minimization Procedures provide no ascertainable guidelines for protecting against warrantless domestic surveillance. Section 5 clearly reveals domestic communications are being monitored en masse and allows for the collection and dissemination of information relating to “evidence of a crime” to law enforcement agencies, whether or not a warrant has been obtained or an individual is the target of a current investigation. The procedures make no distinction between suspected terrorist or non-terrorist activity, or violent and non-violent offenses.
In August 2013, Reuters reported that law enforcement officers have been instructed to mislead judges and prosecutors by recreating the investigative trail to effectively cover up where the information obtained through NSA surveillance originated. An internal Special Operations Division (SOD) document obtained by Reuters reads: “Remember that the utilization of SOD cannot be revealed or discussed in any investigative function.” The document specifically directs agents to omit the SOD’s involvement from investigative reports, affidavits, discussions with prosecutors and courtroom testimony. Agents are also instructed to use a deceptive technique known as parallel construction to misrepresent that the evidence provided by SOD was collected through “normal investigative techniques.”
Likewise, Section 4, which deals with attorney-client communications, provides scarce safeguards for protecting attorney-client privilege. Section 4 specifies that an analyst must cease monitoring communications between a person “known to be indicted in the United States” and their legal representative. However, there is no such protection for suspects who have not yet been indicted, or for privileged communications in civil or commercial proceedings.
Finally, a 2014 report published by German security researchers revealed that the NSA internet database program XKeyscore contains a piece of source code with rules for automatically capturing information about people who used Tor and the privacy-focused operating system Tails. One rule seems to “fingerprint” people who visit the Tor website, as well as people who search for information about Tails or visit places known to have information on it, including the Linux Journal, where anything in the “Linux” category of articles is flagged. Fingerprints are flags that allow NSA agents to identify and track users across the web.
Tor As a Tool for Journalists and Whistleblowers
In 2014, The Guardian launched a secure platform for whistleblowers to confidentially submit sensitive documents to the newspaper’s reporters. According to The Guardian:
The SecureDrop open-source whistleblowing platform provides a way for sources, who can choose to remain anonymous, to submit documents and data while avoiding virtually all of the most common forms of online tracking.
It makes use of well-known anonymising technology such as the Tor network and the Tails operating system, which was used by journalists working on the Snowden files.
The SecureDrop platform was initially developed by the US developer and open source activist Aaron Swartz, who committed suicide in 2013 after facing criminal prosecution under the Computer Fraud and Abuse Act for downloading mass quantities of academic research articles. To date, the SecureDrop directory includes such familiar media sources as The Guardian, The Intercept, The New Yorker, The Sun and the Washington Post.
Is Tor Simply a Honeypot Run by U.S. Intelligence and Law Enforcement?
There is a legitimate concern among privacy advocates that Tor may simply be a honeypot for identifying illicit activities due to its historical and financial ties with the U.S. intelligence and law enforcement communities. Onion routing was originally developed in the mid-1990s by United States Naval Research Laboratory for the purpose of protecting U.S. intelligence communications online. Yasha Levine of Panda points out:
“Tor’s original — and current — purpose is to cloak the online identity of government agents and informants while they are in the field: gathering intelligence, setting up sting operations, giving human intelligence assets a way to report back to their handlers — that kind of thing. This information is out there, but it’s not very well known, and it’s certainly not emphasized by those who promote it.”
In addition, Tor’s own website states, “A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently.” The site adds, “Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.”
Furthermore, Tor’s onion routing technology was originally funded by the Office of Naval Research and DARPA. Early development was spearheaded by Paul Syverson, Michael Reed and David Goldschlag — all military mathematicians and computer systems researchers working for the Naval Research Laboratory, located within the Anacostia-Bolling military base in Washington, D.C.
In 2004, the Naval Research Laboratory released the code for onion routing under a free license, and in 2006 a Massachusetts-based 501(c)(3) research-education nonprofit organization called The Tor Project was founded. Since its inception, the vast majority of Tor Project funding has been provided by the Department of Defense and the US State Department:
- In 2006, Tor was funded through a no-bid federal contract awarded to Roger Dingledine’s consulting firm, Moria Labs;
- In 2007, all of Tor’s funding came from the federal government via two grants. $250,000 came from the International Broadcasting Bureau (IBB), a CIA spinoff that now operates under the Broadcasting Board of Governors, and just under $100,000 came from Internews, an NGO aimed at funding and training dissidents and activists abroad. Tor’s subsequent tax filings show that grants from Internews were conduits for “pass through” grants from the US State Department;
- In 2008, Tor received $527,000 from IBB and Internews, which represented 90% of its funding;
- In 2009, approximately 90% of Tor’s funding came from the State Department, through a $632,189 grant described in tax filings as a “Pass-Through from Internews Network International.” Another $270,000 came via the CIA-spinoff IBB. In addition, the Swedish government contributed $38,000, while Google provided another $29,000;
- In 2010, Tor received $913,000 from the State Department and $180,000 from IBB, representing 84% of Tor’s $1.3 million in total funds listed on tax filings;
- In 2011, Tor received $730,000 via Pentagon and State Department grants, $150,000 came from IBB and Swedish International Development Cooperation Agency (SIDA), Sweden’s version of USAID, gave Tor $279,000;
- In 2012, Tor’s funding nearly doubled, as it received $876,099 from the DoD, $353,000 from the State Department, $387,800 from the IBB, $318,000 from SIDA and $150,000 from an RFA grant for Tor’s OONI Project.
The question is whether you can trust that a program which originated within the U.S. intelligence community, for use by US intelligence and law enforcement agencies, and which receives the majority of its funding from the Department of Defense and the State Department, is sufficiently independent from these agencies to reasonably protect the privacy and anonymity of dissident journalists, activists and government whistleblowers. Your level of trust is most likely commensurate with the severity of the penalty that exposure would bring about.
For those of you not involved in criminal activity, exposing high level corruption or seeking to disclose state secrets, the following recommendations submitted on an Answers forum for network analysts should suffice in protecting your privacy.
A Guide for Safe Tor Use
As a very long time Tor user, the most surprising part of the NSA documents for me was how little progress they have made against Tor. Despite its known weaknesses, it’s still the best thing we have, provided it’s used properly and you make no mistakes.
Since you want security of “the greatest degree technically feasible”, I’m going to assume that your threat is a well-funded government with significant visibility or control of the Internet, as it is for many Tor users (despite the warnings that Tor is not sufficient to protect you from such an actor).
Consider whether you truly need this level of protection. If having your activity discovered does not put your life or liberty at risk, then you probably do not need to go to all of this trouble. But if it does, then you absolutely must be vigilant if you wish to remain alive and free.
I won’t repeat Tor Project’s own warnings here, but I will note that they are only a beginning, and are not adequate to protect you from such threats.
To date, the NSA’s and FBI’s primary attacks on Tor users have been MITM attacks (NSA) and hidden service web server compromises (FBI) which either sent tracking data to the Tor user’s computer, compromised it, or both. Thus you need a reasonably secure system from which you can use Tor and reduce your risk of being tracked or compromised.
- Don’t use Windows. Just don’t. This also means don’t use the Tor Browser Bundle on Windows. Vulnerabilities in the software in TBB figure prominently in both the NSA slides and FBI’s recent takedown of Freedom Hosting.
- If you can’t construct your own workstation capable of running Linux and carefully configured to run the latest available versions of Tor, a proxy such as Privoxy, and a web browser (with all outgoing clearnet access firewalled), consider using Tails or Whonix instead, where most of this work is done for you. It’s absolutely critical that outgoing access be firewalled so that third party applications cannot accidentally leak data about your location.
- If you are using persistent storage of any kind, ensure that it is encrypted. Current versions of LUKS are reasonably safe, and major Linux distributions will offer to set it up for you during their installation. TrueCrypt might be safe, though it’s not nearly as well integrated into the OS. BitLocker might be safe as well, though you still shouldn’t be running Windows. Even if you are in a country where rubber hosing is legal, such as the UK, encrypting your data protects you from a variety of other threats.
- Remember that your computer must be kept up to date. Whether you use Tails or build your own workstation from scratch or with Whonix, update frequently to ensure you are protected from the latest security vulnerabilities. Ideally you should update each time you begin a session, or at least daily. Tails will notify you at startup if an update is available.
- Viciously drop cookies and local data that sites send you. Neither TBB nor Tails do this well enough for my tastes; consider using an addon such as Self-Destructing Cookies to keep your cookies to a minimum. Of zero.
- Your workstation must be a laptop; it must be portable enough to be carried with you and quickly disposed of or destroyed.
- Don’t use Google to search the internet. A good alternative is Startpage; this is the default search engine for TBB, Tails, and Whonix. Plus it won’t call you malicious or ask you to fill out CAPTCHAs.
Tor contains weaknesses which can only be mitigated through actions in the physical world. An attacker who can view both your local Internet connection, and the connection of the site you are visiting, can use statistical analysis to correlate them.
- Never use Tor from home, or near home. Never work on anything sensitive enough to require Tor from home, even if you remain offline. Computers have a funny habit of liking to be connected. This also applies to anywhere you are staying temporarily, such as a hotel. Never performing these activities at home helps to ensure that they cannot be tied to those locations. (Note that this applies to people facing advanced persistent threats. Running Tor from home is reasonable and useful for others, especially people who aren’t doing anything themselves but wish to help by running an exit node, relay, or bridge.)
- Limit the amount of time you spend using Tor at any single location. While these correlation attacks do take some time, they can in theory be completed in as little as a day. And while the jackboots are very unlikely to show up the same day you fire up Tor at Starbucks, they might show up the next day. I recommend for the truly concerned to never use Tor more than 24 hours at any single physical location; after that, consider it burned and go elsewhere. This will help you even if the jackboots show up six months later; it’s much easier to remember a regular customer than someone who showed up one day and never came back. This does mean you will have to travel farther afield, especially if you don’t live in a large city, but it will help to preserve your ability to travel freely.
- When you go out to perform these activities, leave your cell phone turned on and at home.
Many Tor users get caught because they made a mistake, such as posting their real email address in association with their activities. You must avoid this as much as possible, and the only way to do so is with careful mental discipline.
- Think of your Tor activity as pseudonymous, and create in your mind a virtual identity to correspond with the activity. This virtual person does not know you and will never meet you, and wouldn’t even like you if he knew you. He must be kept strictly mentally separated.
- If you must use public internet services, create completely new accounts for this pseudonym. Never mix them; for instance do not browse Facebook with your real email address after having used Twitter with your pseudonym’s email on the same computer. Wait until you get home.
- By the same token, never perform actions related to your pseudonymous activity via the clearnet, unless you have no other choice (e.g. to sign up for a provider who blocks Tor), and take extra precautions regarding your location when doing so.
- If you need to make and receive phone calls, purchase an anonymous prepaid phone for the purpose. This is difficult in some countries, but it can be done if you are creative enough. Pay cash; never use a debit or credit card to buy the phone or top-ups. Never insert its battery or turn it on if you are within 10 miles (16 km) of your home, nor use a phone from which the battery cannot be removed. Never place a SIM card previously used in one phone into another phone. Never give its number or even admit its existence to anyone who knows you by your real identity. This may need to include your family members.
These are big in the news lately, with the recent takedown of at least two high-profile hidden services, Silk Road and Freedom Hosting. The bad news is, hidden services are much weaker than they could or should be. The good news is, the NSA doesn’t seem to have done much with them (though the NSA slides mention a GCHQ program named ONIONBREATH which focuses on hidden services, nothing else is yet known about it).
In addition, since hidden services must often run under someone else’s physical control, they are vulnerable to being compromised via that other party. Thus it’s even more important to protect the anonymity of the service, as once it is compromised in this manner, it’s pretty much game over.
The advice given above is sufficient if you are merely visiting a hidden service. If you need to run a hidden service, do all of the above, and in addition do the following. Note that these tasks require an experienced system administrator; performing them without the relevant experience will be difficult or impossible.
- Do not run a hidden service in a virtual machine unless you also control the physical host. Designs in which Tor and a service run in firewalled virtual machines on a firewalled physical host are OK, provided it is the physical host which you are in control of, and you are not merely leasing cloud space.
- A better design for a Tor hidden service consists of two physical hosts, leased from two different providers though they may be in the same data center. On the first physical host, a single virtual machine runs with Tor. Both the host and VM are firewalled to prevent outgoing traffic other than Tor traffic and traffic to the second physical host. The second physical host will then contain a VM with the actual hidden service. Again, these will be firewalled in both directions. The connection between them should be secured with IPSec, OpenVPN, etc. If it is suspected that the host running Tor may be compromised, the service on the second server may be immediately moved (by copying the virtual machine image) and both servers decommissioned. Both of these designs can be implemented fairly easily with Whonix.
- Hosts leased from third parties are convenient but especially vulnerable to attacks where the service provider takes a copy of the hard drives. If the server is virtual, or it is physical but uses RAID storage, this can be done without taking the server offline. Again, do not lease cloud space, and carefully monitor the hardware of the physical host. If the RAID array shows as degraded, or if the server is inexplicably down for more than a few moments, the server should be considered compromised, since there is no way to distinguish between a simple hardware failure and a compromise of this nature.
- Ensure that your hosting provider offers 24×7 access to a remote console (in the hosting industry this is often called a KVM, though it’s usually implemented via IPMI), which can also install the operating system. Use temporary passwords/passphrases during the installation, and change them all after you have Tor up and running (see below). The remote console also allows you to run a fully encrypted physical host, reducing the risk of data loss through physical compromise; however, in this case the passphrase must be changed every time the system is booted (even this does not mitigate all possible attacks, but it does buy you time).
- Your initial setup of the hosts which will run the service must be over clearnet, albeit via ssh; however, to reiterate, it must not be done from home or from a location you have ever visited before. As we have seen, it is not sufficient to simply use a VPN. This may cause you issues with actually signing up for the service due to fraud protection that such providers may use. How to deal with this is outside the scope of this answer, though.
- Once you have Tor up and running, never connect to any of the servers or virtual machines via clearnet again. Configure hidden services which connect via ssh to each host and each of the virtual machines, and always use them. If you must connect via clearnet to resolve a problem, again, do so from a location you will never visit again.
- Hidden services must be moved regularly, even if compromise is not suspected. A 2013 paper described an attack which can locate a hidden service in just a few months for around $10,000 in cloud compute charges, which is well within the budget of even some individuals. It is safer, though not at all convenient, to move the hidden service at least monthly. Ideally it should be moved as frequently as possible, though this quickly veers into the impractical. Note that it will take approximately an hour for the Tor network to recognize the new location of a moved hidden service.
Anonymity is hard. Technology alone, no matter how good it is, will never be enough. It requires a clear mind and careful attention to detail, as well as real-world actions to mitigate weaknesses that cannot be addressed through technology alone. As has been so frequently mentioned, the attackers can be bumbling fools who only have sheer luck to rely on, but you only have to make one mistake to be ruined. We call them “advanced persistent threats” because, in part, they are persistent. They won’t give up, and you must not.
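The two-host design and the “administer only over an SSH hidden service” rule above can be turned into concrete configuration. The following is an added example written for this page, not part of the Stack Exchange answer or the Tor Project’s own documentation: one function emits iptables rules for the host that runs Tor, so that nothing leaves it except Tor’s own traffic and the tunnel to the second host, and a second function emits the torrc stanza for the administrative SSH onion service. The uid, the peer address and the directory path are placeholders you would replace with your own.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes iptables, a Tor
# daemon running under its own uid, and a second physical host reached
# over IPsec/OpenVPN. All addresses and uids below are placeholders.

# Emit egress/ingress lockdown rules for the host running Tor.
# Dry run by default: review the output, then pipe it into `sh` as root.
gen_egress_rules() {
    tor_uid="$1"   # uid the Tor daemon runs as (e.g. that of debian-tor)
    peer_ip="$2"   # address of the second physical host (tunnel endpoint)
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# only the Tor process may open outbound connections to the Internet
iptables -A OUTPUT -m owner --uid-owner ${tor_uid} -p tcp -j ACCEPT
# the encrypted link to the second host is the only other permitted peer
iptables -A OUTPUT -d ${peer_ip} -j ACCEPT
iptables -A INPUT -s ${peer_ip} -j ACCEPT
# replies on flows this host itself opened (no new inbound clearnet flows)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# log what gets dropped so an unexpected clearnet attempt is noticed
iptables -A INPUT -j LOG --log-prefix "INGRESS-DROP: "
iptables -A OUTPUT -j LOG --log-prefix "EGRESS-DROP: "
EOF
}

# Emit the torrc stanza that exposes sshd as a v3 onion service. sshd must
# then be bound to 127.0.0.1 only (ListenAddress 127.0.0.1 in sshd_config),
# so the clearnet port 22 is never reachable; the onion hostname appears
# in <HiddenServiceDir>/hostname once Tor has started.
gen_ssh_onion_torrc() {
    hs_dir="${1:-/var/lib/tor/ssh_admin}"   # placeholder path
    cat <<EOF
HiddenServiceDir ${hs_dir}/
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
EOF
}

# Example invocation with placeholder values (TEST-NET address, uid 109):
#   gen_egress_rules 109 192.0.2.10
#   gen_ssh_onion_torrc >> /etc/tor/torrc
```

After the torrc stanza is active, administration goes through Tor, e.g. `torsocks ssh admin@<the onion hostname>`, and the clearnet SSH path is simply absent from the firewall.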