Tor Threat Models

Tor Threat Models, Tor Browser Bundle

The Tor Browser Bundle is a terrific security tool.  Tor is a decentralized anonymization network.  To use it you need a specific internet browser, and it allows you to be as close to anonymous as one can be on the internet.  It also strongly encrypts your traffic, and best of all, it is free.  Readers have asked my opinion on Tor, and why I have not written about it.  There are some potential downsides to using Tor.  As a result, I have very mixed, very nuanced feelings about using it.  Before jumping in and using this tool you should take some time to consider these Tor threat models.  Though I typically analyze variations of the tool itself, my Tor threat models relate to use cases and user profiles rather than to the tool.

How Tor Works

The Tor network works by routing your traffic through three “nodes”.  Your traffic is routed through these nodes rather than being sent directly to the intended destination.  Each node strips off a single layer of encryption and forwards the traffic to the next.  The next node repeats the process, until your traffic reaches the final node in your circuit.  This node strips off the last remaining layer of encryption and forwards the traffic to the desired website.  This provides anonymity because each node only “sees” the node on either side of it.  No single node can see both the originator and the recipient of your traffic.

Additionally, your traffic is strongly encrypted within the network.  This prevents any node from seeing the actual contents of your traffic…sort of (more on this later).  The network maintains its independence by using volunteers.  Each server (node) is an individual volunteering his or her computer and internet connection.  This has some obvious benefits.  The network is decentralized and highly resilient.  Unfortunately this also means there is very little oversight, which can become problematic when your traffic is decrypted.  And it must be decrypted.

Tor Threat Models

Potential Problems

When your traffic exits the Tor network it must be usable by the desired website.  This means packets are stripped of the Tor encryption once they leave the network.  This decryption happens at the last node in your circuit, the infamous “exit node”.  This means that the operator of an exit node can log and monitor your traffic.  This might sound far-fetched, but it happens.  Many malicious exit nodes have been discovered.  Some even believe that certain high-volume exit nodes are funded by governments to intercept Tor traffic.  There are some ways you can defend against this, like visiting HTTPS-enabled websites.  These sites encrypt traffic between them and your computer, so the exit node sees only the encrypted connection rather than the page contents.  Tor encourages this by including the HTTPS Everywhere add-on in its browser.
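The two paragraphs above (layered encryption peeled one hop at a time, and the exit node's plaintext view unless the site uses HTTPS) are easier to see in a small simulation.  The following is an added example, not code from the Tor project and not a real implementation of the Tor protocol: it uses a toy stream cipher built from SHA-256 and HMAC (constructed for illustration only; real software should use an authenticated cipher such as AES-GCM), per-hop keys handed to each relay directly rather than negotiated, a constructed request line, and a hypothetical destination name.  Each simulated relay records the only two things it can observe, the hop it received the cell from and the hop it forwards to, plus whatever payload it is handed.  The optional `tls_key` stands in for the end-to-end HTTPS layer.

```python
import hashlib
import hmac
import json
import os
from base64 import b64decode, b64encode

# --- Toy authenticated stream cipher (constructed for this example) -------
# SHA-256 in counter mode as a keystream, HMAC-SHA256 as an integrity tag.
# Adequate to demonstrate onion layering; NOT a cipher to use in practice.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer. Output: nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag with this hop's key and strip exactly one layer."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong hop key or tampered onion")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# --- A volunteer relay and the client-side onion builder -------------------
class Relay:
    """One node in the circuit. Holds the key it shares with the client and
    logs everything it is in a position to observe."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, []

    def peel(self, prev_hop: str, onion: bytes):
        layer = json.loads(unseal(self.key, onion))
        next_hop, inner = layer["next"], b64decode(layer["data"])
        # The relay learns only: who handed it the cell, where to send it,
        # and the bytes it forwards (still encrypted for every hop but the exit).
        self.seen.append({"from": prev_hop, "to": next_hop, "payload": inner})
        return next_hop, inner

def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """Wrap innermost layer first: only the exit's layer names the real site."""
    blob, next_hop = payload, destination
    for relay in reversed(circuit):
        layer = json.dumps({"next": next_hop, "data": b64encode(blob).decode()}).encode()
        blob = seal(relay.key, layer)
        next_hop = relay.name
    return blob

def run_circuit(request: bytes, destination: str, tls_key: bytes = None):
    """Send one request through guard -> middle -> exit -> destination.
    If tls_key is given, the request is first sealed end-to-end with the
    destination, which is what HTTPS does underneath the Tor layers."""
    circuit = [Relay(n, os.urandom(32)) for n in ("guard", "middle", "exit")]
    payload = seal(tls_key, request) if tls_key else request
    onion = build_onion(circuit, destination, payload)
    hop, blob = "client", onion
    for relay in circuit:
        _, blob = relay.peel(hop, blob)
        hop = relay.name
    # blob is now exactly what the exit forwards to the website.
    delivered = unseal(tls_key, blob) if tls_key else blob
    return circuit, delivered

if __name__ == "__main__":
    for label, key in (("plain HTTP", None), ("HTTPS", os.urandom(32))):
        circuit, delivered = run_circuit(b"GET /account HTTP/1.1", "example.test", key)
        print(f"--- {label}: site received {delivered!r}")
        for r in circuit:
            s = r.seen[0]
            print(f"{r.name:6} from={s['from']:7} to={s['to']:13} payload={s['payload'][:24]!r}")
```

Running it prints, per relay, the only neighbours it ever learns: the guard sees the client but not the site, the middle sees two relays and nothing else, and the exit sees the site but not the client.  In the plain HTTP run the exit's payload is the readable request; in the HTTPS run it is ciphertext it cannot open, which is the whole argument for HTTPS Everywhere.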

There are other issues with Tor, and a number of ways your anonymity can be pierced.  You should understand that Tor is not a silver bullet or panacea.  Though Tor is very hard to break (as this classified document would indicate), it is not impossible.  Tor is vulnerable to timing attacks.  These require an adversary with worldwide reach.  The adversary could correlate the timing of your initial connection with the exit node’s traffic.  This is a very sophisticated attack and (as far as we know) not scalable for mass surveillance.  There are also a number of user errors that can compromise you.  These include conducting true-name and operational transactions during the same session, opening attachments while still connected to the internet, browser fingerprinting, and modifying the Tor browser.  The Tor threat models below should be used to determine when you should use Tor.

Tor Threat Models

The Tor threat models here assume Tor is being used to access regular websites.  If Tor is being used to access “dark web” sites, it is the only tool for the job.  If these sites must be accessed, the threat model is irrelevant.

Tier III – Casual User/No PII: The Tor network is an excellent option for users in this profile.  Users in this Tier will use Tor for casual surfing and are unconcerned with profile elevation.  Users in this category should be careful not to transmit certain information.  This includes Personally Identifiable Information (PII), login credentials, and financial information.  This information may be captured at the exit node.  Tor will prevent ISPs and hackers on the local network from viewing your internet traffic.  It will also make it difficult for websites to track you.

Tier II – Elevated Profile, PII, or Undisciplined User:  Tor may be counterproductive if a user is already concerned about an elevated profile.  Tor traffic is distinctive.  Criminals use the Tor Network.  Hence, it is interesting to law enforcement and intelligence organizations (see Principle #3).  Also, I do not recommend Tor for individuals logging into true-name accounts or making purchases (for reasons outlined above).  Tor is also not a great tool for undisciplined users who are working against opposition.  There are many ways your anonymity can be breached, even when using Tor.  If your profile is already elevated because you are using Tor, disciplined usage is required (see Principle #4).

Tier I – Disciplined User/Opposition:  Tor may or may not be the right tool for users in this Tier.  Users working against an adversary fall into this Tier.  Threat modeling is required to develop a comprehensive understanding of the adversary’s capabilities.  On one hand, Tor gives the strongest protection available.  On the other, it may make the user more conspicuous.  This can lead to more targeted collection against the user.  In some cases it may be better to hide in the billions of non-Tor connections.  In some countries, Tor may be the only realistic option.  In these cases, Tier III users provide “noise” for those who need it.  Lives of journalists and political dissidents may depend on Tor in some regimes, and Tier III users perform a noble service by providing this noise.

The Bottom Line

I know this post sends mixed messages: Tor provides great privacy protection/Tor can elevate your profile.  I do believe in Tor, and believe Tier III users should use it to provide noise for Tier I users.  However, I believe it is faulty to blithely tell everyone to use Tor.  It is not the perfect tool for all, or for all situations.  For me it is an occasional-use item.  Ultimately only you can decide if Tor is the right tool for you.  It is my hope that these Tor threat models can help you decide if Tor is the right tool for you.
