[Back] As we move into an Information Age, there is a continual battle on the Internet between those who would like to track user activities, to those who believe in anonymity. The recent Right to be forgotten debate has shown that very little can be hidden on the Internet, and deleting these traces can be difficult. The Internet, too, can be a place where crime can thrive through anonymity, so there is a continual tension between the two sides of the argument, and, overall, no-one has a definitive answer to say which is correct.
To investigation agencies the access to Internet-based information can provide a rich source of data for the detection and investigation of crime, but they have struggled against the Tor (The Onion Network) network for over a decade. Its usage has been highlighted over the years, such as when, in June 2013, Edward Snowden, used it to send information on PRISM to the Washington Post and The Guardian. This has prompted many government agencies around the World to prompt their best researchers to target cracking it, such as recently with the Russian government offering $111,000.
At the core of Tor is its Onion Routing, which uses subscriber computers to route data packets over the Internet, rather than use publically available routers. One thing that must be said is that Tor aims to tunnel data through public networks, and keep the transmission of the data packets safe, which is a similar method that Google uses when you search for information (as it uses the HTTPS protocol for the search).
This article answers the following technical questions:
Can a remote Web site determine my IP address?
First let's access the same Web server, with Firefox and with the Tor browser (Figure 1). It can be see that the IP address differs for the same access. For a Tor browser when accessing the page: /ip/ we get:
Your IP Address 184.108.40.206 Your Hostname tor-exit0-readme.dfri.se Location Long: 59.33 Lat: Europe/Stockholm Country Code: SE Country Name: Sweden Region Name: City: Zip Code: HTTP_USER_AGENT Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
and for a non-Tor browser (using Firefox):
Your IP Address 220.127.116.11 Your Hostname zzzz2-zgyl27-2-0-custzzz.sgyl.cable.virginm.net Location Long: 55.94 Lat: Europe/London Country Code: GB Country Name: United Kingdom Region Name: Scotland City: Edinburgh Zip Code: EH11 HTTP_USER_AGENT Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
We can see that the IP address seen on the Web server is related to one of the routing elements of the Tor network.Then if we look at the IP address which appears in the log on the server, we see the Tor network address:
2014-12-23 21:24:59 18.104.22.168 GET /ip/details - 80 - 22.214.171.124 Mozilla/5.0+(Windows+NT+6.1;+rv:31.0)+Gecko/20100101+Firefox/31.0 200 0 0 2301
Figure 1: Accesses to a remote Web site (Tor and non-Tor)
If we quit the browser, and open another session on a Mac OS X browser, we see the IP address has changed and that the operating system and browser type has been hidden from the remote site.
Your IP Address 126.96.36.199 Your Hostname 12.transminn.cz Location Long: 50.08 Lat: Europe/Prague Country Code: CZ Country Name: Czech Republic HTTP_USER_AGENT Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
The log from the Web site now contains:
2014-12-23 21:55:47 188.8.131.52 GET /ip - 80 - 184.108.40.206 Mozilla/5.0+(Windows+NT+6.1;+rv:31.0)+Gecko/20100101+Firefox/31.0 200 0 0 41
On Tor, can someone view the details of my network packets?
With the Tor network, data packets are tunnelled through a number of routing elements. If we look at the IP address of the local machine we get:
Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : localdomain Link-local IPv6 Address . . . . . : fe80::98e2:a1b:dc21:5bfc%10 IPv4 Address. . . . . . . . . . . : 172.16.121.169 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 172.16.121.2
Now if we capture traffic from the Tor connection, we see that it communicates with a node at 220.127.116.11 on TCP port 9001.
No. Time Source Destination Protocol Length Info 5 11.546007000 172.16.121.169 18.104.22.168 TCP 597 1113 > 9001 [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=543 No. Time Source Destination Protocol Length Info 6 11.546397000 22.214.171.124 172.16.121.169 TCP 60 9001 > 1113 [ACK] Seq=1 Ack=544 Win=64240 Len=0
An example PCAP file can be viewed here It can be see from the trace that an analysis of the data packets does not contain any information that is useful, as a tunnel is used to transmit the data. There is thus no information related to DNS look-ups, or the standard signs of SYN/SYN-ACK and ACK (the three way handshake).
Figure 2: Sample network capture from Tor
This article has shown that, within the Tor network, the IP address of the user is not present on the remote Web site, and that the contents of the data packets cannot be viewed. Here are some examples of network forensics: Link
The Web traces a wide range of information, including user details from cookies, IP addresses, and even user behaviour (with user fingerprints). This information be used to target marketing to users, and also is a rich seem of information for the detection and investigation of crime. The Tor network has long been a target of defence and law enforcement agencies, as it protects user identity and their source location, and is typically known as the dark web, as it is not accessible to key search engines such as Google. Obviously Tor could be used to bind to a server, so that the server will only talk to a client which has been routed through the Tor network, which would mean than search engines will not be able to find the content on them. This is the closed model in creating a Web which cannot be accessed by users on the Internet, and only by those using Tor. If then users trade within the dark web servers with Bitcoins, there will be little traces of their transactions.
With the Tor network, the routing is done using computers of volunteers around the world to route the traffic around the Internet, and with ever hop the chances to tracing the original source becomes reduces. In fact, it is rather like a pass-the-parcel game, where game players randomly pass to others, but where eventually the destination receiver will eventually receive the parcel. As no-one has marked the parcel on its route, it’s almost impossible to find out the route that the parcel took.
The trace of users access Web servers is thus confused with non-traceable accesses. This has caused a range of defence agencies, including the NCA and GCHQ, to invest methods of compromising the infrastructure, especially to uncover the dark web. A strange feature in the history of Tor is that it was originally sponsored by the U.S. Naval Research Laboratory (which had been involved in onion routing), and its first version appeared in 2002, and was presented to the work by Roger Dingledine, Nick Mathewson, and Paul Syverson, who have since been named, in 2012, as one of Top 100 Global Thinkers. It since received funding from Electronic Frontier Foundation, and is now developed by The Tor Project, which is a non-profit making organisation.
The encryption involves each of the routing nodes having an encryption key, and the data is encrypted with each of the keys:
In this case the purple key is the encryption key of the first node, and is the last to be encryped. As the data goes through the network, each node decrypts with their key. The last part of the communciation, out of the gateway, will thus be non-encrypted, but a protocol such as HTTPS can be used to protect the last part of the communication.
Normally a Tor browser is used to make the accesses, so that the browser binds with the Tor network, and cannot be intercepted: