Dark Side of the Net Lecture 4 TOR

  1. MC3003 Dark Side of the Net Lecture 4 The Onion Router (TOR)
  2. Introduction • This week we will look at The Onion Router (TOR), a system that allows for anonymous use of the internet. • TOR allows anonymity on the internet and is used by about 4.5 million people worldwide (about .02% of the total users of the internet). • TOR is one of several systems that can be used to achieve anonymity; others include: • I2p – a peer to peer system that has lots of ‘hidden services’ – see later for discussion of this. • Tails – an operating system that can run on a USB stick; it uses TOR but with added security. • TOR is widely used by journalists in countries with heavy censorship, people who wish their communications to remain private and others who may fear law enforcement agencies for various reasons. • In this lecture we will look at: • A bit of background on TOR; • How the internet works and some of its implicit problems – especially the problem of anonymity; • How TOR works; • Some of the applications to which it has been put; • Disadvantages.
  3. Anonymity • TOR permits anonymity on the internet. • This is fundamentally making ourselves unidentifiable when we use the internet. • It is about de-linking specific people from actions – trying to ensure that our actions on the internet cannot be traced back to us.
  4. Normal use of the internet • When we use the internet our communications are very ‘open’: • People can see what we are looking at, emails we are sending, the sites we visit and who visited individual sites. • This happens as the internet was designed to be a public network – it did not have security as a core concern in its conception. • How traffic moves around the internet is public information.
  5. Basics of how the internet works… • Information transmitted across the internet is broken down into small ‘packets’ of data. • These are labelled with information on who sent them and their eventual destination. • Every computer connected to the internet has a unique address – the IP (internet protocol) address. • There are two types of address: IPv4 and IPv6. • IPv4: a set of four 3-digit numbers, each between 0-256, e.g. 123.231.103.003. • IPv6: eight hexadecimal numbers, e.g. 2001:0db8:85a3:0he2:3ts37:8a2e:0370:7334 • When a packet is sent onto the internet, ‘routers’ – computers that relay internet traffic – look at the destination and send it on to the next closest router. • The packets may go across a number of different routers before reaching their destination, where the receiving computer will reassemble the packets back into the information.
  6. [Figure: diagram of routers (R)]
  7. What can Eve do? • If Eve can take control of a node / router on the network she can install bits of software that do things. • Like packet sniffers – these can look at data that is passed across that computer as it works its way across the network / internet. • From this she can see where the packet has come from, where it is going and its contents. • At the very least she can tell who is looking at what websites and the kind of thing they are doing (are they uploading or downloading files, sending email, looking at web pages etc). • However if the packets are unencrypted she can read them. • They may contain login information and passwords, confidential information, commercially sensitive information, bank details, credit card numbers etc… • All sorts of juicy data that people do not want known and could be used to build profiles for identity theft and other issues – later lecture on spam ‘spear phishing’.
  8. What else do network analyser apps have on them? • The software also includes a programme called a packet sniffer. • Packet sniffers allow network engineers to look at the individual packets that are being sent across a particular node or computer that is on a network. • You need to be on the local network to look at anything. • They will not see all the information being passed around. • But they may see some interesting stuff. • You can only use a packet sniffer on Wi-Fi (so you become part of the network). • Warning: do not use a packet sniffer from a device where you log into the network with an account – it is usually against T&Cs. • This is the captured packet. It is in hexadecimal; the translation is to the right.
  9. Why was it designed like this? It’s stupid! • Great if you have nothing to hide… • This approach comes from the early days of the internet when those using it did not really have much to hide or want to do so. • They did not care if people saw what they were doing on the internet. • They didn’t see the amount of widespread use that would emerge or the centrality of ICT to our daily lives. • This is why cryptography was developed. • It hides the contents of packets of data.
  10. Beyond the ability to ‘listen in’ to unencrypted data… • Your actions on the internet can be tied to your IP address, which is your computer. • ISPs retain connection records for at least a year. • The police can demand such records. • The Investigatory Powers Bill (passed Nov 2016) requires ISPs to retain detailed records of “account reference, a source [Internet Protocol] and port address, a destination IP and port address and a time/date” for a year. This is accessible without a warrant. • Browsers can also give away valuable information to the websites you view. • The cookies you have on them, HTML 5 and e-tags give away valuable aspects of your identity. • And your computer and network activity may well be held onto for some time by your employer, university etc.
  11. Public key helps… • As we noted previously, public key encryption has now done a lot to help challenge this and, if used correctly, emails can now be mostly secret. • Many websites are also a lot more secure. • However even when we do encrypt information - such as when we use a secure site (ones with a ) - our identity is revealed. • Even if we do encrypt messages and communications, an observer can still see who is communicating with whom without knowing what they actually said.
  12. Traffic analysis • From Eve’s point of view, knowing that people said something, looked at something or spoke with someone is useful even if she doesn’t know what. • This is called traffic analysis. • Used in military intelligence and anti-terrorism a lot. • In tracing leaks in government – who communicated with journalists: even though we don’t know what was said, we can find out who said it. • But also in commercial usage and corporate espionage. • If you found out one of your competitors was having lots of discussions with your client you might be concerned (if it was one way from the competitor to the client it would be advertising but if both ways). • What if one of your top staff members was in communication with a competitor?
  13. So who wants to remain anonymous? • If you live in a society which has censorship rules or you are engaged in activity that the government or powerful organisations object to: • Green activists attacked by corporate and government surveillance; • Civil society and minority activists opposed to civil rights infringements; • Trade unionists opposing blacklisting; • Journalists investigating political corruption. • Such people find being able to communicate covertly very useful. • Also it is useful to: • Law enforcement (they may not want people running dodgy sites to know they are looking at them). • Business people (corporate espionage is very common) - hiring hackers to find out the cost of bids etc. • Abuse victims hiding from abusive partners.
  14. Also whistle blowers like Edward Snowden • Computer scientist who worked for the CIA. • Found out some very bad things governments were doing. • Monitoring all internet traffic coming in and out of the UK; • Installing hidden apps on phones that allow monitoring of the microphone, data and all calls (this is now legal for the security service to do due to the Investigatory Powers Bill (2016)); • Used TOR and other systems to reveal the secrets to the Guardian and other newspapers.
  15. So what we need is… • We saw in week 2 how we can encrypt messages. • We now need to make ourselves anonymous. • So Eve cannot see what we are looking at; • So Eve cannot see who is looking at something; • This is where TOR comes in, as it offers a way to anonymise the information. • It serves as an anonymising bridge between the user and the normal internet. • It is a way in which the user can browse the internet without fear of being identified. • It also has another function (explored in a minute).
  16. TOR: a history • Developed in the mid-1990s by the US Navy Research Laboratories. • Taken on in 1997 by DARPA. • Released for public use in 2002 and then taken over and developed by Electronic Freedom Foundation; they then handed control to The TOR Project. • Largely funded by the United States Government, Swedish government and private contributors. • However other parts of the US government vigorously oppose TOR, seeing it as helping terrorism.
  17. Where it is used…
  18. How TOR works - the TOR network • TOR produce a browser that a user installs on their computer. • TOR uses the same cables and communication pathways as the normal internet. • It is a ‘shadow’ network layered on top of the normal internet. • There is a network of routers across the internet that volunteer their services to TOR. • These routers (currently about 7000 of them) route traffic for TOR and do so in a different way from the normal way of passing on internet traffic. • TOR takes the user’s packets and passes them through its network and then feeds them onto the normal internet. • Going through the TOR network removes any means of identification of the user. • (geographical and user data that is included in data transmission without the user’s permission)
  19. Anonymising process • The TOR browser will determine three TOR routers on the network that it will use to convey its message. • Using the public keys of the three chosen TOR routers, the TOR browser wraps packets in 3 layers or skins (hence the name Onion) of encryption. • The normal information is stripped off the packet, so neither the source nor destination of the packet is available - this is why a normal router cannot deal with TOR data. • The user’s computer running TOR sends out the packet onto the TOR network to the first router it encounters; this is known as the ‘Entry Guard’. • The entry guard knows where the data has come from – but it does not know the eventual destination. • It decrypts the first layer of encryption and this reveals the next destination on the network of the packet.
  20. The second and third rings… • When the data packet arrives at the second router, that router knows which computer sent it but does not know the original source (this was stripped off in the decryption process by the first router), nor does it know the final destination. • The second computer decrypts the next layer and finds the third router. • It then forwards the packet on. • The third router, referred to as the ‘exit node’, knows which computer forwarded it the message but not the first computer and certainly not the original sender. It then decrypts the third layer and reveals the final destination. • It then sends the packet on to the proper internet, which routes it on.
  21. [Figure: onion routers (TOR network) and routers (R) (internet)]
  22. Normal packets vs TOR packets • Normal packet: Sender | To | Packet contents (may be encrypted). • TOR packet: • First layer of encryption contains ‘from’ and ‘location’ of 2nd TOR router. • Second layer of encryption contains location of 1st router and 3rd TOR router. • Third layer of encryption contains location of 2nd router and final destination. • Packet contents (may be encrypted), sender information removed.
  23. If Eve attacks… [Figure: onion routers and routers (R) on the internet]
  24. Eve… • Eve can see someone communicating with Bob. • But cannot see what is being said due to encryption. • And cannot identify who Alice is due to TOR. • Eve is not pleased. [Figure labels: Alice’s identity unknown (?); content of message unreadable]
  25. Hidden sites - The dark web • TOR allows people to browse and visit websites without being identified. • For many this is considered a good thing. • But it also has a further application that is slightly more problematic. • Hidden sites and services. • These are sites and services that are only viewable through the TOR browser. • They have a different suffix and no useful address: xgter$67asn.onion • They can’t be seen by normal browsers and there are two ways they hide….
  26. Hidden services - 2 ways of hiding • No. 1: No spiders allowed. • The hidden services are not indexed by search engines. • (In week 1 we discussed how search engines work - spiders crawl web sites, identify content and then send it back to the search engine for indexing). • Spiders cannot get onto the TOR network and are denied access to hidden services on TOR. • So the content of dark net sites cannot be found in the normal way.
  27. No. 2: Web browsers can’t reach them • The name of a web site is designed for people. • These are translated into computing language by a computer called a Domain Name Server (DNS), which contains a list of where the web site is stored for a particular name. • When you visit a website your browser consults this list and brings up the correct site. • Onion sites do not register with the official DNS registry so cannot be found. • A normal browser will not know what to do with the address to be able to reach the website. • Instead TOR browsers send an encrypted message to TOR servers – this goes through a multistep process before allowing the browser to display the page.
  28. Disadvantages of TOR… • Speed – because of the complex encryption it can be slow. Watching video is not really an option. • Alternatives using p2p, e.g. I2p, are faster. • The slow speed makes it vulnerable to traffic analysis – they can see continually slow interactions, isolate them and see if anything can be gleaned from them. • Security – recently some big attacks have been made public - traffic analysis is possible - some even argue that though the ideas are strong the implementation has been ‘holed’. • If all three nodes are owned by the same person your ID is revealed. • If your data is not encrypted the exit node sees everything you send – user names for accounts. These will of course help to reveal who you are… • It can be blocked – the Great Firewall of China (legislative and technical means to limit China’s internet interaction with the outside world) has stopped TOR services working in China. (Iran has blocked it however)
  29. Conclusion • A partial solution to the traffic analysis problem for anonymity. • Needs other actions to fully work. • Relies on encryption technology. • Very useful for journalists and similar. • Also used by deviants to establish new markets – more on this next week.
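
The wrapping and peeling described in slides 19, 20 and 22, as an added example that is not part of the original lecture: it shows what each of the three relays can observe. A toy symmetric cipher per relay stands in for the relays' public keys, and the relay names, keys, sender and destination are constructed.

```python
import hashlib, hmac, json, os
# Toy cipher (SHA-256 keystream + HMAC) standing in for real encryption.
# Illustration only: this is NOT Tor's actual cryptography.
def _xor(data, key, nonce):
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(key, nonce, ct):
    return hmac.new(hashlib.sha256(b"mac" + key).digest(), nonce + ct, hashlib.sha256).digest()

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor(plaintext, key, nonce)
    return nonce + _tag(key, nonce, ct) + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("layer was not encrypted for this relay")
    return _xor(ct, key, nonce)

def wrap(path, keys, destination, payload):
    """Client: build the onion inside-out; each layer names only the next hop."""
    onion = payload
    for relay, nxt in reversed(list(zip(path, path[1:] + [destination]))):
        layer = {"next": nxt, "data": onion.hex()}
        onion = seal(keys[relay], json.dumps(layer).encode())
    return onion

def route(sender, path, keys, onion):
    """Relays: peel one layer each; record what each relay can observe."""
    seen, prev = [], sender
    for relay in path:
        layer = json.loads(unseal(keys[relay], onion))
        seen.append({"relay": relay, "from": prev, "to": layer["next"]})
        onion, prev = bytes.fromhex(layer["data"]), relay
    return seen, onion  # what is left is exactly what the exit node forwards

# Constructed sample data: relay names, keys, sender and destination are made up.
PATH = ["guard", "middle", "exit"]
KEYS = {relay: os.urandom(32) for relay in PATH}

def demo():
    onion = wrap(PATH, KEYS, "bob.example:80", b"GET / HTTP/1.1")
    return route("alice", PATH, KEYS, onion)

if __name__ == "__main__":
    print(*demo()[0], sep="\n")
```

The bytes returned alongside the per-relay views are what the exit node handles in the clear, which is the exit-node exposure listed in slide 28.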