Tor Developer Busts Myths, Announces New Features

Tor cofounder Roger Dingledine sets the record straight at DEF CON on popular myths, and at the same time teases upcoming features.

The Tor Project gets a bad rap as being a playground for the guilty. That’s why Tor Project co-founder Roger Dingledine took the stage last week at DEF CON to bust popular myths and announce upcoming features related to the anonymity network that averages 2 million users a day.

Dingledine’s biggest beef when it comes to Tor misinformation is the network’s alleged association with the “dark web.”

“Most people use Tor to safely reach ordinary websites. A tiny fraction of Tor traffic makes up what overhyped journalists call the ‘dark web,'” he said. “Yes, there are bad people in the world. And some of them use Tor. But at this point with the millions of people using Tor every day, the average user is the average internet user.”

He estimated that only 3 percent of Tor users use the service to connect to hidden websites and services. He argued criminals don’t need or want Tor.

“Bad guys can easily build a temporary tool that can be used for a week that only 10 people use and they’ll never tell anyone about it. That’s the terrorist or the bad guy problem. They have so many more options beyond Tor.”

Dingledine said there are misconceptions about funding of the Tor Project by the U.S. government in some way compromises Tor’s core mission.

“If you only learn about Tor through some in the media, they have been spreading inaccurate memes such as ‘the Navy wrote Tor so how can I trust it?'” he said. “The very short answer to that is, I wrote Tor – not the Navy.”

He said 80 percent of the funding for the Tor Project comes from government agencies such as the U.S. State Department, the National Science Foundation and the Open Technology Fund. “Our funding comes from a diversified number of groups within the U.S. government. That’s not as (diversified) as I’d like to be,” he said. About 15 percent of funding comes from outside donations.

Additional government conspiracy theories include the myth that the National Security Agency runs half the relays used in the Tor network. A Tor relay is also called a router or a node. There are 8,000 relays spread strategically around the world. They receive traffic on the network and pass it along to other relays, making it difficult for a third-party to know what website or service a Tor user is accessing.

“Indeed some intelligence agencies have run relays every so often. But, I know two-thirds of the people who run the relays personally. They simply aren’t,” he said of government snoops.

It doesn’t make any sense for the NSA to run relays, he maintains. “They are already watching AT&T, Deutsche Telekom and the cables underneath the oceans. They are already invested in surveilling the internet, so it makes no sense,” Dingledine said.

Fifteen years ago, Dingledine said, Tor received a well-deserved bad rap for being slow. Today that’s changed.

“My last talk at DEF CON was eight years ago and the topic was on why Tor is slow and what we are going to do about it,” he said. “Since then we have moved up to 100 gigabits of traffic and two or three times that in terms of capacity.” He said Tor is no longer slow – not by a longshot.

The last myth is, if you use Tor, the NSA is watching you. “Imagine if a friend came to you and said, ‘I heard if I use HTTPS the NSA is watching me so I’m not going to use encryption anymore. And from now on I’m going to be safe,” he said. “That’s crazy talk.”

What’s New: “Next Generation Tor Services”

During his DEF CON talk, Dingledine reviewed a bevy of new innovations and third-party improvements that users will see in the months and years ahead. There is a project with Privacy Enhancing Technologies Symposium community to improve Tor traffic analysis resistance. Part of those efforts include “Vanguard” which is a design that will (if it works out) make it a lot harder for people to locate (“de-anonymize”) onion services, he said.

“Tor clients and onion services already protect against many attacks by sticking to a single relay (called a Guard) for the first hop in all the paths, to limit the number of places that get to see their connection into the Tor network. It looks like we can do even better for onion services by sticking to the same second hop and third hop too. But getting the design right is complicated, because there are many subtle ways to mess it up, so it will be a while yet until we build and deploy it,” wrote Dingledine in an email interview with Threatpost.

That said, the next generation of Tor includes a host of updates and fixes that are already rolling out. “We have a working version right now, but we haven’t put out a release yet that has this new code in it. We’re still cleaning it up and looking over it for potential bugs. We’re about to finish the Tor 0.3.1 branch — we put out another alpha version of it on Tuesday,” he said. A tentatively schedule for Tor 0.3.2 is December.

Topping the list of new features is switching from the old cryptosystem which includes the first 80 bits of the SHA-1 of the 1024-bit RSA key to a new system that uses the much stronger elliptic curve cryptography (ECC) keys, such as Ed25519 signature scheme.

“Switching from the old cryptosystem, which is not actually known to be a problem quite yet, but is probably going to look increasingly weak in the coming years, so now’s a great time to update it,” he said.

Other next-gen efforts include focusing on making it hard to set up relays in advance that target a particular onion service. This is accomplished via better hidden service directory (HSDir) design. Within Tor, HSDir functions similar to DNS serves, allowing a Tor client to ask one of the HSDirs to “resolve” the name of an onion site into information that can be used to reach it — its public key, plus how to rendezvous with that onion service over the Tor network.

Dingledine said, currently the HSDir relays are too predictable. “The six daily HSDirs for a given onion address are predictable into the future,” he said. The solution is to make the HSDir mapping include a communal random value that everybody agrees about, but that nobody can predict, according to Dingledine. “The directory authorities pick this value each day as part for their consensus voting process,” he said.

“Now it should be hard for jerks to run relays and discover otherwise unpublished onion addresses,” he added.

Lastly, Dingledine said Tor has designed and implemented a number of different deployment models (e.g. “Single Onion Services” and “OnionBalance”) that let you trade off location privacy for performance and scalability. “For example, Facebook and Debian use these features to provide faster, more scalable onion services,” he said.

“If you are not trying to hide the location of the onion service, and want users to be able to benefit from all the other Tor security features, than it makes a lot of sense to do this,” he said.

“Somehow we need to get to a place in the world where Tor is normalized enough to where people think that’s it’s totally crazy to say, ‘I’m not going to protect my metadata, because if I protect it then they will be watching me.'”

Suggested articles