The Onion is damaged … but not broken

The opposing sides

As we move into an Information Age, there is a continual battle on the Internet between those who would like to track user activities and those who believe in anonymity. The recent Right to be Forgotten debate has shown that very little can be hidden on the Internet, and that deleting these traces can be difficult. The Internet, too, can be a place where crime thrives through anonymity, so there is a continual tension between the two sides of the argument and, overall, no-one has a definitive answer as to which is correct.

To investigation agencies, access to Internet-based information can provide a rich source of data for the detection and investigation of crime, but they have struggled against the Tor (The Onion Network) network for over a decade. Its usage has been highlighted over the years, such as when, in June 2013, Edward Snowden used it to send information on PRISM to the Washington Post and The Guardian. This has prompted many government agencies around the World to direct their best researchers at cracking it, such as recently with the Russian government offering $111,000.

At the core of Tor is its Onion Routing, which uses subscriber computers to route data packets over the Internet, rather than using publicly available routers. One thing that must be said is that Tor aims to tunnel data through public networks and keep the transmission of the data packets safe, which is a similar method to the one Google uses when you search for information (as it uses the HTTPS protocol for the search).

The battle of the Gods

With the right to be anonymous at its core, the Tor project created a network architecture which anonymized both the source of the network traffic and the identity of users. With so many defence agencies around the World targeting Tor, the cracks have started to be exposed, in the same way that they have with the targeting of OpenSSL and TrueCrypt. Researchers identified an underlying flaw in Tor's network design, which has led the Tor Project to warn that an attack on the anonymity network could have revealed user identities.

This message was in response to the work of two researchers from Carnegie Mellon University (Alexander Volynkin and Michael McCord) who exploited the infrastructure. At present SEI has a Defense Department contract until June 2015, which is worth over $110 million a year, with a special target on finding security vulnerabilities.

Overall the attacks ran from January 2014, and were finally detected and stopped on 4 July 2014. In response to the vulnerability being found, the Tor team, in a similar way to the OpenSSL Heartbleed announcement, were informed that the researchers were to give a talk at the Black Hat hacker conference in Las Vegas. The sensitivities around the area are highlighted by the fact that the talk was cancelled, as neither the university nor SEI (Software Engineering Institute) approved it. The Tor project, through Roger Dingledine's blog entry on 4 July 2014, revealed that identities could have been revealed over the period of the research.

The research team used two methods of exploitation:

  • Traffic confirmation attack. This involves adding rogue relays to Tor, so that they are used in the routing process. With just a few nodes the routes cannot be determined, but if operated over a longer time period it may have been possible to uncover some of the full path details of the accesses. This is similar to infiltrating a secret network with spies and, over time, adding more spies, so that eventually the spies become more trusted and it becomes possible for a route to consist entirely of spying agents, thus revealing the complete route of a secret message.
  • Sybil attack. This involved adding a block of up to 115 relays that acted as guard relays. As these accounted for around 6.4% of Tor's guard capacity, it is likely that a considerable amount of user traffic was involved.
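To put the two attacks above into numbers, here is a small risk model (an added example, not code from the original post or the Tor Project): a constructed relay pool in which rogue relays hold the 6.4% of guard capacity quoted above (the 10% exit share is an assumption), a bandwidth-weighted circuit builder in the spirit of Tor's path selection, and the probability that a circuit has a rogue relay at both ends, which is what a traffic confirmation attack needs. The last function shows why "operated over a longer time period" matters: each fresh guard pick is another chance for the spies to be trusted.

```python
import random

# Constructed relay pool (not real Tor consensus data). Bandwidth weights are
# chosen so rogue relays hold 6.4% of guard capacity (the figure quoted for the
# 2014 incident) and, as an assumption, 10% of exit capacity.
POOL = (
    [{"name": f"guard{i}", "role": "guard", "bw": 117, "rogue": False} for i in range(8)]
    + [{"name": f"rogue-guard{i}", "role": "guard", "bw": 16, "rogue": True} for i in range(4)]
    + [{"name": f"exit{i}", "role": "exit", "bw": 150, "rogue": False} for i in range(6)]
    + [{"name": f"rogue-exit{i}", "role": "exit", "bw": 50, "rogue": True} for i in range(2)]
)


def rogue_fraction(pool, role):
    """Share of the bandwidth-weighted selection probability held by rogue relays."""
    cands = [r for r in pool if r["role"] == role]
    total = sum(r["bw"] for r in cands)
    return sum(r["bw"] for r in cands if r["rogue"]) / total


def weighted_pick(pool, role, rng):
    """Pick one relay of a role with probability proportional to its bandwidth
    (a simplified stand-in for Tor's bandwidth-weighted path selection)."""
    cands = [r for r in pool if r["role"] == role]
    return rng.choices(cands, weights=[r["bw"] for r in cands], k=1)[0]


def circuit_exposure(pool):
    """Analytic chance that a single circuit has rogue guard AND rogue exit,
    i.e. both ends visible to the same attacker (the confirmation case)."""
    return rogue_fraction(pool, "guard") * rogue_fraction(pool, "exit")


def simulate_exposure(pool, circuits, seed=0):
    """Monte Carlo estimate of circuit_exposure from `circuits` fresh circuits."""
    rng = random.Random(seed)
    both = 0
    for _ in range(circuits):
        guard = weighted_pick(pool, "guard", rng)
        exit_ = weighted_pick(pool, "exit", rng)
        both += guard["rogue"] and exit_["rogue"]
    return both / circuits


def exposure_over_time(guard_fraction, guard_rotations):
    """Chance that at least one guard chosen across `guard_rotations` rotations
    is rogue: rogue capacity accumulates victims over time, which is why Tor
    keeps guards long-lived (few rotations) to limit the damage."""
    return 1 - (1 - guard_fraction) ** guard_rotations


if __name__ == "__main__":
    print(f"rogue guard share:      {rogue_fraction(POOL, 'guard'):.3f}")
    print(f"per-circuit exposure:   {circuit_exposure(POOL):.4f}")
    print(f"simulated (50k circs):  {simulate_exposure(POOL, 50_000):.4f}")
    for n in (1, 10, 30):
        print(f"rogue guard seen within {n:2d} rotations: {exposure_over_time(0.064, n):.3f}")
```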

Tor

The Web traces a wide range of information, including user details from cookies, IP addresses, and even user behaviour (with user fingerprints). This information can be used to target marketing at users, and is also a rich seam of information for the detection and investigation of crime. The Tor network has long been a target of defence and law enforcement agencies, as it protects user identity and their source location, and is typically known as the dark web, as it is not accessible to key search engines such as Google. Tor can be bound to a server, so that the server will only talk to a client which has been routed through the Tor network, which means that search engines will not be able to find the content on it. This is the closed model: creating a Web which cannot be accessed by ordinary users on the Internet, only by those using Tor. If users then trade within the dark web servers with Bitcoins, there will be few traces of their transactions.

With the Tor network, the routing is done using the computers of volunteers around the world to route the traffic around the Internet, and with every hop the chance of tracing the original source is reduced. In fact, it is rather like a pass-the-parcel game, where players randomly pass the parcel to others, but where the destination receiver will eventually receive it. As no-one has marked the parcel on its route, it's almost impossible to find out the route that the parcel took.

The traces of users accessing Web servers are thus mixed with non-traceable accesses. This has caused a range of defence agencies, including the NCA and GCHQ, to invest in methods of compromising the infrastructure, especially to uncover the dark web. A strange feature in the history of Tor is that it was originally sponsored by the U.S. Naval Research Laboratory (which had been involved in onion routing), and its first version appeared in 2002, presented to the world by Roger Dingledine, Nick Mathewson, and Paul Syverson, who were named, in 2012, among the Top 100 Global Thinkers. It has since received funding from the Electronic Frontier Foundation, and is now developed by The Tor Project, which is a non-profit organisation.

Thus, as with the right to remain private, there are some fundamental questions that remain, and it is a target for many governments around the World. In 2011, it was awarded the Free Software Foundation's 2010 Award for Projects of Social Benefit for:

"Using free software, Tor has enabled roughly 36 million people around the world to experience 
freedom of access and expression on the Internet while keeping them in control of their privacy 
and anonymity. Its network has proved pivotal in dissident movements in both Iran and more recently 
Egypt."

Figure 1 shows a Web browser application set up for Tor. It uses onion routing and also the HTTPS protocol to secure the accesses. With Tor, too, the path between the two communicating hosts is encrypted, which creates a tunnel between them. This focuses more on the security of the communication over the Internet, and less on preserving the anonymity of the user. It is, though, often used for proxy accesses to systems, where a user wants to hide their access.

Figure 1: Tor Web browser

For the attack by the researchers, the Tor project has stated that the following questions remain unanswered:

  • Did we find all the malicious relays?
  • What data did the attackers keep, and are they going to destroy it?
  • How have they protected the data (if any) while storing it?

Within any research project, it would be key for these questions to be answered at the outset, and they may give some pointers to the reasons that the paper was pulled from the conference. As with any presentation of research findings, especially in a sensitive area that might have an impact on a funder, approval should be given by the university, and it seems that the paper could have been pulled because of a lack of approval by the university.

Silk Road

One of the first large-scale illegal uses of the Dark Web was Silk Road (created Feb 2011) by "Dread Pirate Rogers", which was used to trade drugs on-line. In June 2011 it was pin-pointed by chatter on the Internet and by increases in Web traffic, and was taken down by the DEA and the Department of Justice in the US. It has since resurfaced as Silk Road 2.0, with other similar sites appearing, along with encrypted copies of the site's code being created so that the site can be redistributed elsewhere if it is taken down. This approach is equivalent to self-healing Web sites, which re-build themselves when they are attacked. In this case, a human helper will normally be involved in re-creating the site.

While Tor was created for all the best of reasons, from another point of view it can be seen as a place where criminals can build their businesses in the Cloud, with few traces left of their activities. Overall it's an impossible debate to say exactly which is the right approach. From a law enforcement point of view, there are problems in investigating sites bound into the Tor network, but it is also a place where citizens have the right to privacy.

Conclusions

The latest attack compromised things for a while but, once detected, the network has managed to heal itself; it remains a major target, along with cracking cryptography. For those in defence agencies the question remains "Why do you want to keep things secret … do you have something to hide?", which is a pretty fundamental question. At the current time, the Tor team have managed to fix the cracks, but with such concerted probing from around the World, you must wonder if they have the resources to cope with the probes. With OpenSSL, the Heartbleed bug had lain undiscovered for many years, so there will be weaknesses; it's just that they haven't been found yet. The recent tale of the TrueCrypt developers bailing out of their project leaves many questions around the maintenance of Open Source security software.

In their defence, the Tor project is setting up a special group to monitor for malicious relays, and also to detect any compromises of the system. So, it's one blow, but Tor has stood up to it and come out fighting, and it is the research team who have been pin-pointed as possibly stepping over the mark.

The issues here seem to be more about the ethics of a research project and its dissemination than about any pressure that might have been placed by external parties. When you have a funder for your research, there are various terms and conditions that apply, along with approval routes, and perhaps, in this case, these were not followed?
