It's been a while since I've made a blog post. I've had a family emergency that's been occupying a lot of my free time lately, but here we are again. Today I wanted to talk about TOR. Lots of people have never heard of it, but there's also a lot of misinformation out there. That's understandable as it's a complicated thing. My hope here is to explain to you what it is and why you might want to use it.
Before we get into that, I want to talk a little about VPNs. VPNs are services—usually run by big companies—that tout themselves as the be-all and end-all of security. They make bold claims of allowing you to browse the web anonymously, but they are often anything but anonymous. When you connect to the internet, you do so through your Internet Service Provider (ISP). All of your traffic is routed through them, and they usually keep logs of everything you do. When you use a VPN, you encrypt all of your traffic and run it through the VPN. This prevents your ISP from knowing what sites you're visiting. All they know is that you're using a VPN, and the amount of traffic you're putting through it. Also, the site you are visiting has no idea who you are. It appears, for all intents and purposes, that the traffic is coming directly from the VPN. Sounds great, right?
The problem with this is that it doesn't eliminate the logs, it just moves them. While your ISP doesn't know what you're doing, your VPN provider does. Many claim not to keep logs, but there's no way of actually verifying that; you just have to take their word for it. The question that this raises is this: what makes your VPN a more trustworthy steward of that information than your ISP? I've never gotten a good answer to this question. In fact, I've never gotten any answer to this question... unless you count the VPNs' unverifiable claims that they don't keep logs.
What if there were a way to make it extremely difficult, if not impossible, to keep meaningful logs of what you were doing with your connection? It turns out, there is. It's called TOR.
TOR serves much the same purpose as a VPN, but works in a fundamentally different way. The TOR network is made up of multiple nodes. These nodes are machines connected to the internet—often run by volunteers—that act basically as mini VPNs. When you run the TOR software, your computer will select multiple (typically three) nodes at random and route your traffic through them in a chain. This is done in such a way that none of the nodes in this chain know anything about the connection apart from the node they got the request directly from, and the immediate next node in the chain that they're relaying to. Only you know the full route.
One important thing to consider is the last node in the chain. It's referred to as the exit node, and is so called because it's the place where your traffic exits the TOR network. If the service that you're connecting to doesn't use encryption, it is trivial for the exit node's operator to log everything you send through it, collect any sensitive information you might send, or even inject their own malicious content into the response they send back. Since anyone can operate a TOR node, there are often untrustworthy nodes operating on the network. This is why it's important to make sure that you're using a secure protocol (such as HTTPS) when using TOR. The network is designed so that you don't have to trust any individual node. As long as an attacker doesn't control the whole chain, and you're diligent about ensuring the connection is properly encrypted, you should be reasonably safe.
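The layering described in the two paragraphs above, as an added example that is not part of the original post: a simplified Python model that uses a toy cipher (not TOR's real cryptography or cell format) with constructed relay names, keys and destination. It records what each relay can learn, and shows that the exit relay sees the payload exactly as sent when the application itself does not encrypt it.

```python
import hashlib, json, os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Illustration only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(route, destination, payload):
    """Client side: build the onion from the innermost layer outwards.
    route is [(relay_name, key), ...]; only the client holds all the keys."""
    hops = [name for name, _ in route] + [destination]
    blob = payload
    for i in range(len(route) - 1, -1, -1):
        layer = json.dumps({"next": hops[i + 1], "data": blob.hex()}).encode()
        nonce = os.urandom(8)
        blob = nonce + keystream_xor(route[i][1], nonce, layer)
    return blob

def peel(key, blob):
    """Relay side: remove exactly one layer, learning only the next hop."""
    nonce, body = blob[:8], blob[8:]
    layer = json.loads(keystream_xor(key, nonce, body))
    return layer["next"], bytes.fromhex(layer["data"])

def simulate(payload):
    """Send payload through three constructed relays; return each relay's view."""
    route = [(name, os.urandom(32)) for name in ("guard", "middle", "exit")]
    blob = wrap(route, "example.test:80", payload)  # constructed destination
    views, prev = {}, "client"
    for name, key in route:
        nxt, inner = peel(key, blob)
        # A relay knows who handed it the data, where it goes next, and
        # whatever is readable in the layer it just uncovered.
        views[name] = {"from": prev, "to": nxt, "sees_payload": payload in inner}
        prev, blob = name, inner
    return views, blob

if __name__ == "__main__":
    views, delivered = simulate(b"user=alice&password=constructed-example")
    for relay, view in views.items():
        print(relay, view)
```

Wrapping the payload in TLS before it enters the circuit (as HTTPS does) would leave the exit relay holding ciphertext as well, which is the point of the advice above.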
TOR also comes with an added bonus: hidden services. Hidden services are basically web servers that can only be accessed from within the TOR network. Rather than having a URL like https://jlamothe.net, hidden service URLs look like this: http://2fd6cemt4gmccflhm6imvdfvli3nf7zn6rfrwpsy7uhxrgbypvwf5fad.onion.* This site cannot be accessed from a regular web browser; it can only be connected to using TOR. Since the traffic never leaves the TOR network, there is no exit node to exploit, and it is very difficult to physically locate and/or censor such a service. For that reason, it is wise to exercise caution with TOR hidden services, because there's no real way of verifying who's running them. I actually run a couple of hidden services on my home network as a sort of back door into the system when I'm out and the SSH tunnel I normally use for connecting is unavailable for whatever reason.
With all this talk of the merits of TOR, I'd be remiss if I didn't at least mention a couple of the downsides. First off, TOR is slower than a typical VPN. This is because it's made up of people who are sharing their bandwidth to allow the network to work. It is very common for a TOR node to throttle the speed of the connections that run through it to keep from overwhelming its operator's bandwidth. As such, your connection will only be as fast as the slowest link in the chain.
Secondly, TOR doesn't do anything to protect the actual content of what you send. If, for instance, you connect to your Gmail or Facebook accounts through TOR, it defeats the anonymity factor as the accounts are registered to you. They don't know where you're connecting from, but they know who you are.
Finally—and this is by no means an exhaustive list—you can't route UDP traffic through TOR. If you don't know what this means, don't worry too much about it. If you're just browsing the web, it'll probably not be an issue for you. If you want to use TOR for things like BitTorrent though, it's best to find another solution. It won't work.
With all that said, the easiest way to connect to TOR is by using The TOR Browser. That link is also a great resource for more detailed information about the TOR project itself, as I've only really given a 30,000-foot view here.
To summarize: TOR is not perfect, but it's a great tool to have in your privacy tool box. Hopefully this information is helpful to some.
Have a good one.
* Please note: this service is not operated by me, and I have no responsibility for what may or may not be posted there. At the time of writing, it's a TOR search engine, but I will change or remove this link if it comes to my attention that it's changed to something malicious or objectionable. Proceed with caution.