How Tor works

On the importance of eliminating exit nodes in TOR.

Everyone knows that TOR hides the real IP address and encrypts traffic. However, few people understand how the Onion Router actually works. I’ll try to explain clearly and simply how this router works and why excluding exit nodes matters.

For reference: what many call Tor is actually not Tor itself but the Tor Browser. Tor Browser is a bundle for anonymous browsing that consists of:

1. Mozilla Firefox browser
2. TOR (The Onion Router)
3. HTTPS Everywhere add-on
4. NoScript add-on
5. TorButton add-on
6. uBlock Origin add-on
7. Configurator

How TOR works.

Without Tor, packets from our machine to the destination site travel directly, so the destination site sees our IP address.

When TOR is launched, several circuits (chains) are generated, each consisting of three randomly chosen nodes: entry, middle and exit. Each packet is encrypted three times. The packets then go from our machine to the first node, which removes the first layer of encryption, sees where to send the packet next and passes it to the middle node. The middle node removes the second layer, sees where to send the packet and forwards it to the exit node, where the last layer of encryption is removed, after which the UNENCRYPTED packet is sent to the destination site.

The default chain lifetime is 10 minutes. After ten minutes, all three nodes will change randomly.
Everything seems fine, but only at first glance. Unlike I2P, where packets travel through several “one-way” tunnels, in TOR all packets travel along one circuit both from us to the recipient and from the recipient back to us. This means that if the exit node is controlled by a “probable enemy” or was even set up by him (which happens most often), we can run into trouble, one example being traffic analyzers.

To prevent this, the Tor Browser has the HTTPS Everywhere add-on enabled by default. It is also configured by default to use SSL encryption IF IT IS SUPPORTED by the site or server. If not, it lets unencrypted HTTP traffic through, which even a schoolchild can capture. As a result, you can lose accounts and a lot of other confidential information.

Defense strategy.

This can be prevented with two settings. The first is to exclude nodes that may belong to a “probable enemy”. The second is to switch the HTTPS Everywhere add-on to the “Block all unencrypted requests” mode.

To exclude nodes in TOR, we need to find its configuration. The configuration file is called torrc and looks like an ordinary text file. Add the following line to the end of this file:

Code:
# country codes go in curly braces; each {cc} is a two-letter code
ExcludeExitNodes {ru},{ua},{by}
Then save the file and restart TOR or the Tor Browser. You can watch circuits either in TorButton (on Windows) or in Onion Circuits (on Linux). Advanced Linux users can instead use Tor ARM, which not only shows circuits but also lets you configure the router.

Android OS.

In the Orbot settings you can also exclude nodes, but not only exit nodes: all of them. Look for the ExcludeNodes option and enter the same value (the letters will be converted to capitals).
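As an added example (not from the original article and not Tor's own code), here is a small Python check that parses the ExcludeExitNodes / ExcludeNodes lines from a torrc fragment and tests a circuit's hop countries against them, the same check you would otherwise do by eye in Onion Circuits or Tor ARM. The torrc fragment and the circuit paths are constructed for the demo, and only country-code entries (not relay fingerprints) are handled.

```python
import re

# Constructed torrc fragment for the demo (not a real user's config).
SAMPLE_TORRC = """
SocksPort 9050
# exits in these countries are never used
ExcludeExitNodes {ru},{ua},{by}
# Orbot's ExcludeNodes applies to every hop, and upper-cases the codes
ExcludeNodes {KP}
StrictNodes 1
"""

COUNTRY_RE = re.compile(r"\{([A-Za-z]{2})\}")


def parse_exclusions(torrc_text: str) -> dict:
    """Collect the country codes from ExcludeExitNodes / ExcludeNodes and the
    StrictNodes setting. Comments (#) and blank lines are skipped; codes are
    normalised to lower case so {RU} and {ru} compare equal."""
    policy = {"ExcludeExitNodes": set(), "ExcludeNodes": set(), "StrictNodes": False}
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key in ("ExcludeExitNodes", "ExcludeNodes"):
            policy[key] |= {cc.lower() for cc in COUNTRY_RE.findall(value)}
        elif key == "StrictNodes":
            policy["StrictNodes"] = value.strip() == "1"
    return policy


def check_circuit(policy: dict, path: list) -> list:
    """path is [(role, country), ...] for guard, middle and exit, as a circuit
    viewer would show it. Returns a list of violations (empty means compliant)."""
    violations = []
    for role, country in path:
        cc = country.lower()
        if cc in policy["ExcludeNodes"]:
            violations.append(f"{role} relay is in excluded country {cc}")
        elif role == "exit" and cc in policy["ExcludeExitNodes"]:
            violations.append(f"exit relay is in excluded exit country {cc}")
    return violations


if __name__ == "__main__":
    pol = parse_exclusions(SAMPLE_TORRC)
    # Constructed circuits: a guard in {ru} is allowed, an exit in {ua} is not.
    for circuit in ([("guard", "ru"), ("middle", "de"), ("exit", "ua")],
                    [("guard", "se"), ("middle", "KP"), ("exit", "nl")]):
        print(circuit, "->", check_circuit(pol, circuit) or "ok")
```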

The following materials were used when writing:

Tor is an anonymity tool used by people seeking privacy and fighting Internet censorship. Over time, Tor has become very good at this task. Therefore, the security, stability and speed of this network are critical to the people who rely on it.

But how does Tor work under the hood? In this article, we will dive into the structure and protocols used on the network to get a closer look at how Tor works.

A Brief History of Tor

The concept of onion routing (we'll explain the name later) was first proposed in 1995. Initially, this research was funded by the Department of Naval Research, and then in 1997, DARPA joined the project. Since then, the Tor Project has been funded by various sponsors, and not so long ago the project won a donation campaign on reddit.

The modern version of Tor software was open sourced in October 2003, and was already the 3rd generation of onion routing software. The idea is that we wrap traffic in encrypted layers (like an onion) to protect the data and anonymity of the sender and recipient.

Tor Basics

Now that we've covered the history, let's get down to how it works. At a high level, Tor works by forwarding your computer's connection to its target (for example, google.com) through several intermediary computers, or relays.



Packet path: guard node, intermediate node, exit node, destination

Currently (February 2015) there are about 6,000 routers transmitting traffic on the Tor network. They are located all over the world and are run by volunteers who agree to donate some bandwidth to a good cause. Importantly, most nodes don't have any special hardware or extra software: they all run the Tor software configured to act as a relay.

The speed and anonymity of the Tor network depends on the number of nodes - the more, the better! And this is understandable, since the traffic of one node is limited. The more nodes you have to choose from, the harder it is to track a user.

Node types

By default, Tor forwards traffic through 3 nodes. Each of them has its own role (we will analyze them in detail later).


Client, guard node, intermediate node, exit node, destination

The entry or guard node is the entry point into the network. Guard nodes are selected from relays that have been running for a long time and have proven stable and fast.
The intermediate node transmits traffic from guard nodes to exit nodes. As a result, the former know nothing about the latter.
The exit node is the exit point from the network and sends traffic to the destination that the client needs.

The usual safe way to run a guard or intermediate node is on a virtual server (DigitalOcean, EC2); in that case the server operators will only see encrypted traffic.

But exit node operators have a special responsibility. Since they send traffic to the destination, all illegal activities done through Tor will be associated with the exit node. And this can lead to police raids, notices of illegal activities and other things.

Meet the exit node operator - thank him. He deserves it.

What does onion have to do with it?

Having understood the route of connections going through the nodes, we ask ourselves the question - how can we trust them? Can you be sure that they won't hack the connection and extract all the data from it? In short, we don’t need to trust them!

The Tor network is designed so that nodes can be treated with minimal trust. This is achieved through encryption.

So what about the onion? Let's look at how encryption works while a client establishes a connection through the Tor network.

1. The client encrypts the data so that only the exit node can decrypt it.
2. This data is then encrypted again so that only the intermediate node can decrypt it.
3. Then this data is encrypted once more so that only the guard node can decrypt it.

So we have wrapped the original data in layers of encryption, like an onion. As a result, each node has only the information it needs: where the encrypted data came from and where it should be sent next. This encryption benefits everyone: the client’s traffic is not exposed, and the nodes are not responsible for the content of the data they pass on.

Note: exit nodes can see the original data because they have to deliver it to the destination. Therefore, they can extract valuable information from traffic sent in clear text over HTTP and FTP!
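To make the three layers concrete, here is an added Python demo (not Tor's code and not from the original article) that wraps a request for the exit first, then the middle, then the guard, and peels it hop by hop. The hop keys are constructed, and a SHA-256 counter-mode keystream with an HMAC tag stands in for Tor's real AES-CTR cell encryption; the demo also shows the caveat in the note above, that the exit is the one hop that ends up holding the plaintext.

```python
import hashlib
import hmac
import json
import os

# Constructed demo keys for the three hops. In real Tor each hop's key comes
# from a key exchange with the client; here they are fixed so the demo is offline.
HOP_KEYS = {
    "guard": b"constructed-guard-key",
    "middle": b"constructed-middle-key",
    "exit": b"constructed-exit-key",
}
PATH = ["guard", "middle", "exit"]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. Stand-in for Tor's AES-CTR, demo only."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
    return b"".join(blocks)[:length]


def wrap(key: bytes, payload: bytes) -> bytes:
    """One onion layer: nonce || ciphertext || MAC, readable only with `key`."""
    nonce = os.urandom(8)
    ks = _keystream(key, nonce, len(payload))
    ct = bytes(p ^ k for p, k in zip(payload, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Remove one layer; fails if the key is wrong or the layer was modified."""
    nonce, ct, tag = blob[:8], blob[8:-16], blob[-16:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered layer")
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def build_onion(destination: str, data: str) -> bytes:
    """Client side: encrypt for the exit first, then middle, then guard (inside out)."""
    inner = json.dumps({"next": destination, "data": data}).encode()
    blob = wrap(HOP_KEYS["exit"], inner)
    for hop, next_hop in (("middle", "exit"), ("guard", "middle")):
        cell = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob = wrap(HOP_KEYS[hop], cell)
    return blob


def relay(hop: str, blob: bytes):
    """What one hop learns: it peels its own layer and sees only the next address.
    Returns (next_hop, forwarded_bytes, plaintext_or_None)."""
    cell = json.loads(unwrap(HOP_KEYS[hop], blob))
    if hop == "exit":
        # Last layer removed: the exit sees the destination AND the application data.
        return cell["next"], cell["data"].encode(), cell["data"]
    return cell["next"], bytes.fromhex(cell["data"]), None


def run_circuit(destination: str, data: str) -> dict:
    """Walk the onion through guard -> middle -> exit; record what each hop sees."""
    blob = build_onion(destination, data)
    seen = {}
    for hop in PATH:
        next_hop, blob, plaintext = relay(hop, blob)
        seen[hop] = {"next": next_hop, "plaintext": plaintext}
    return seen


def guard_can_read_inner(destination: str, data: str) -> bool:
    """The guard cannot peel the middle's layer with its own key."""
    _, inner, _ = relay("guard", build_onion(destination, data))
    try:
        unwrap(HOP_KEYS["guard"], inner)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for hop, view in run_circuit("example.com:80", "GET / HTTP/1.1").items():
        print(hop, "->", view)
```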

Nodes and Bridges: The Problem with Nodes

Once the Tor client starts, it needs to obtain lists of all entry, intermediate and exit nodes. This list is not a secret; later I will explain how it is distributed (search the documentation for the word “consensus”). Making the list public is necessary, but it creates a problem.

To understand it, let's pretend to be an attacker and ask ourselves: what would an Authoritarian Government (AG) do? Thinking this way helps us understand why Tor is designed the way it is.

So what would the AG do? Censorship is a serious matter, and Tor allows you to bypass it, so the AG would want to block users from accessing Tor. There are two ways to do this:

  • block users leaving Tor;
  • block users entering Tor.

The first is possible, and it is the free choice of the owner of a router or website. They just need to download the list of Tor exit nodes and block all traffic from them. This is bad, but Tor can't do anything about it.

The second option is much worse. Blocking users leaving Tor can keep them from visiting a particular service, but blocking all incoming connections keeps them from reaching any site at all: Tor becomes useless for the very users who already suffer from censorship and turned to it for that reason. And if Tor only had public nodes, this would be possible, since the AG could download the list of guard nodes and block traffic to them.

Fortunately, the Tor developers thought about this and came up with a clever solution to the problem. Meet the bridges.

Bridges

Essentially, bridges are nodes that are not publicly listed. Users behind censorship walls can use them to reach the Tor network. But if they aren't published, how do users know where to look for them? Is a special list needed? We'll talk about it later, but in short, yes: there is a list of bridges that the project developers maintain.

It's just not public. Instead, users receive a small list of bridges to connect to the rest of the network. This list, BridgeDB, only gives users a few bridges at a time. This is reasonable, since they don’t need many bridges at once.

By handing out only a few bridges at a time, the network can be protected from being blocked by an Authoritarian Government. Of course, as it learns about new nodes it can block them, but can anyone discover all the bridges?

Can someone discover all the bridges?

The list of bridges is strictly confidential. If the AG obtained this list, it could block Tor completely. Therefore, the network developers researched the possibility of obtaining a list of all bridges.

I will describe two items from this list in detail, the 2nd and the 6th, since these were the methods used to gain access to the bridges. In item 6, researchers looking for Tor bridges scanned the entire IPv4 space using the ZMap port scanner and found between 79% and 86% of all bridges.

Item 2 involves running an intermediate Tor node that can monitor the connections coming to it. Only guard nodes and bridges connect to an intermediate node, so if a connecting node is not in the public list of nodes, it is obviously a bridge. This is a serious challenge for Tor, or any other network. Since users cannot be trusted, the network has to be made as anonymous and closed as possible, which is why it is designed that way.

Consensus

Let's look at how the network functions at a lower level. How it is organized and how to find out which nodes in the network are active. We have already mentioned that in a network there is a list of nodes and a list of bridges. Let's talk about who makes these lists.

Each Tor client contains hard-coded information about 10 powerful nodes maintained by trusted volunteers. They have a special task: to monitor the state of the entire network. They are called directory authorities (DAs, list managers).

They are distributed around the world and are responsible for distributing a constantly updated list of all known Tor nodes. They choose which nodes to work with and when.

Why 10? It is usually not a good idea to make a committee with an even number of members, so that there is no tie in the voting. The point is that 9 DAs deal with lists of nodes, and one DA (Tonga) deals with the list of bridges.


DA List

Reaching Consensus

So how do DAs keep the network running?

The status of all nodes is kept in a regularly updated document called the “consensus”. DAs maintain it and update it hourly by voting. Here's how it happens:

  • each DA creates a list of known nodes;
  • then calculates all other data - node flags, traffic weights, etc.;
  • sends the data as a “status vote” to everyone else;
  • gets everyone else's votes;
  • combines and signs all parameters of all votes;
  • sends signed data to others;
  • a majority of DAs must agree on the data and confirm that there is consensus;
  • the consensus is published by each DA.

The consensus is published over HTTP so that everyone can download the latest version. You can check it yourself by downloading the consensus via Tor or through the tor26 gate.
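Here is an added, simplified model in Python (not the Tor code base and not from the original article) of the merge and signing steps above: five constructed authorities vote on made-up relay fingerprints and flags, a relay or flag survives only with a majority, and a client accepts the result only if more than half of the authorities it knows have signed it. HMAC with constructed keys stands in for the real signatures, and the flag rule is simplified from the specification.

```python
import hashlib
import hmac
import json
from collections import Counter

# Constructed status votes from five authorities (the real network has more).
# Keys are made-up relay fingerprints; values are the flags each DA would assign.
VOTES = {
    "da1": {"AAAA": {"Guard", "Stable", "Fast"}, "BBBB": {"Exit", "Fast"}, "CCCC": {"Fast"}},
    "da2": {"AAAA": {"Guard", "Stable", "Fast"}, "BBBB": {"Exit", "Fast", "BadExit"}, "CCCC": set()},
    "da3": {"AAAA": {"Guard", "Fast"}, "BBBB": {"Exit", "Fast", "BadExit"}, "DDDD": {"Fast"}},
    "da4": {"AAAA": {"Guard", "Stable", "Fast"}, "BBBB": {"Exit", "BadExit"}},
    "da5": {"AAAA": {"Guard", "Stable"}, "BBBB": {"Exit", "Fast"}, "CCCC": {"Fast"}},
}
# Constructed signing keys; real clients ship with the authorities' public keys.
DA_KEYS = {name: f"constructed-key-{name}".encode() for name in VOTES}


def majority(n: int) -> int:
    """Smallest count that is more than half of n."""
    return n // 2 + 1


def compute_consensus(votes: dict) -> dict:
    """Merge the votes. A relay is listed if a majority of authorities voted for it;
    a flag is kept if a majority of the authorities that listed the relay assigned it
    (simplified: the real rule also tracks which flags each DA votes on at all)."""
    listed = Counter()
    flag_votes = {}
    for vote in votes.values():
        for fp, flags in vote.items():
            listed[fp] += 1
            flag_votes.setdefault(fp, Counter()).update(flags)
    consensus = {}
    for fp, count in listed.items():
        if count >= majority(len(votes)):
            consensus[fp] = sorted(f for f, c in flag_votes[fp].items() if c >= majority(count))
    return consensus


def serialize(consensus: dict) -> bytes:
    return json.dumps(consensus, sort_keys=True).encode()


def sign(da: str, consensus: dict) -> str:
    """Each DA signs the merged document (HMAC stands in for a real signature)."""
    return hmac.new(DA_KEYS[da], serialize(consensus), hashlib.sha256).hexdigest()


def verify_consensus(consensus: dict, signatures: dict) -> bool:
    """Client side: accept only if more than half of the known DAs signed exactly
    this document, so a single rogue or compromised DA cannot publish its own."""
    good = sum(
        1 for da, sig in signatures.items()
        if da in DA_KEYS and hmac.compare_digest(sig, sign(da, consensus))
    )
    return good >= majority(len(DA_KEYS))


if __name__ == "__main__":
    doc = compute_consensus(VOTES)
    sigs = {da: sign(da, doc) for da in ("da1", "da2", "da3")}
    print(doc, verify_consensus(doc, sigs))
```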

And what does it mean?

Anatomy of Consensus

Just reading the specification, this document is difficult to understand. I like visual representation to understand how the structure works. For this I made a poster in corkami style. And here is a (clickable) graphical representation of this document.

What happens when a node goes rogue

In our detailed examination of how the network works, we have not yet touched on how exit nodes operate. These are the last links in the Tor chain, providing the path from the client to the server. Because they send data to its destination, they can see it as if it had just left the device.

This transparency implies a great deal of trust in exit nodes, and they usually behave responsibly. But not always. So what happens when an exit node operator decides to turn against Tor users?

The case of the sniffers

Tor exit nodes are almost the textbook example of a man-in-the-middle (MitM). This means that any unencrypted protocol (FTP, HTTP, SMTP) can be monitored by it: logins and passwords, cookies, uploaded and downloaded files.

Exit nodes can see traffic as if it had just left the device.

The catch is that there is nothing we can do about it (except using encrypted protocols). Sniffing, passively listening to the network, does not require active participation, so the only defense is to understand the problem and avoid transmitting sensitive data without encryption.

But let’s say the exit node operator decides to do major damage to the network. Listening is a fool's business. Let's modify the traffic!

Making the most of it

Recall that the exit node operator is responsible for ensuring that traffic flowing from and to the client is not altered. Yeah of course…

Let's see in what ways it can be changed.

SSL MiTM & sslstrip

SSL spoils everything when we try to mess with users. Fortunately for attackers, many sites have problems with their implementation, allowing us to trick the user into unencrypted connections. Examples are redirecting from HTTP to HTTPS, enabling HTTP content on HTTPS sites, etc.

A convenient tool for exploiting vulnerabilities is sslstrip. We only need to pass all outgoing traffic through it, and in many cases we will be able to harm the user. Of course, we can simply use a self-signed certificate and look into the SSL traffic passing through the node. Easily!

Let's hook browsers to BeEF

Having examined the details of the traffic, you can begin sabotage. For example, you can use the BeEF framework to gain control over browsers. We can then use the Metasploit “browser autopwn” function, which results in the host being compromised and lets us execute commands on it. We've arrived!..

Back door binaries

Let's say binaries are downloaded through our node: software or updates to it. Sometimes the user may not even be aware that updates are being downloaded. We just need to add a backdoor to them using tools like The Backdoor Factory. Then, after the program runs, the host is compromised. We've arrived again!..

How to catch Walter White

And while most Tor exit nodes are well-behaved, it's not unusual for some of them to behave destructively. All the attacks we have discussed in theory have already taken place.

In part, the developers anticipated this and built a safeguard against clients using bad exit nodes. It works as a consensus flag called BadExit.

To solve the problem of catching bad exit nodes, a clever system called exitmap was developed. It works like this: for each exit node, a Python module is run that performs logins, downloads files, and so on. The results of its work are then recorded.

Exitmap uses the Stem library (designed for working with Tor from Python) to build circuits through each exit node. Simple but effective.

Exitmap was created in 2013 as part of the “spoiled onions” research. The authors found 65 traffic-modifying exit nodes. Although this is not a disaster (at the time there were about 1000 exit nodes), the problem is serious enough to warrant monitoring for violations. Therefore, exitmap is still running and maintained to this day.

In another example, the researcher simply made a fake login page and logged in through each exit node. Then the server's HTTP logs were examined for login attempts. Many nodes tried to log into the site using the login and password the author had used.
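Added Python example (not exitmap's code and not from the original article) of the two checks just described: each exit's fetch of a reference page is compared against a direct fetch for content changes, an HTTPS-to-HTTP downgrade or a swapped certificate, and the honeypot's access log is scanned for logins that reuse the unique credentials submitted through each exit. All observations, certificate values, addresses and log lines are constructed.

```python
import hashlib
import re
from urllib.parse import urlparse

REFERENCE_BODY = b"<html><form action='/login'>login form</form></html>"
# What a direct (non-Tor) fetch of the probe page returned; constructed values.
REFERENCE = {
    "url": "https://honeypot.example/login",
    "body_sha256": hashlib.sha256(REFERENCE_BODY).hexdigest(),
    "cert_sha256": "constructed-reference-cert-fingerprint",
}

# The same fetch made through three exits; fingerprints and values are made up.
OBSERVATIONS = [
    {"exit": "EXIT-A", "final_url": "https://honeypot.example/login",
     "cert_sha256": "constructed-reference-cert-fingerprint", "body": REFERENCE_BODY},
    {"exit": "EXIT-B", "final_url": "http://honeypot.example/login",   # sslstrip-style
     "cert_sha256": None,
     "body": REFERENCE_BODY.replace(b"</html>", b"<script>/* injected */</script></html>")},
    {"exit": "EXIT-C", "final_url": "https://honeypot.example/login",  # its own certificate
     "cert_sha256": "constructed-other-cert-fingerprint", "body": REFERENCE_BODY},
]


def classify_exit(reference: dict, obs: dict) -> list:
    """Compare one exit's fetch with the direct fetch; returns the findings."""
    findings = []
    if urlparse(reference["url"]).scheme == "https" and urlparse(obs["final_url"]).scheme == "http":
        findings.append("https-downgrade")
    if obs["cert_sha256"] is not None and obs["cert_sha256"] != reference["cert_sha256"]:
        findings.append("cert-mismatch")
    if hashlib.sha256(obs["body"]).hexdigest() != reference["body_sha256"]:
        findings.append("content-modified")
    return findings or ["ok"]


def audit_exits(reference: dict, observations: list) -> dict:
    return {obs["exit"]: classify_exit(reference, obs) for obs in observations}


# Honeypot side: one unique username was submitted through each exit, so a later
# login with that username from any other address means that exit captured it.
PROBES = {"198.51.100.7": "probe-exit-a", "198.51.100.9": "probe-exit-b"}  # exit IP -> username
ACCESS_LOG = [  # constructed access log lines
    "2015-02-01T10:00:00Z 198.51.100.7 POST /login user=probe-exit-a",
    "2015-02-01T10:00:05Z 198.51.100.9 POST /login user=probe-exit-b",
    "2015-02-01T13:42:10Z 203.0.113.55 POST /login user=probe-exit-b",
    "2015-02-01T13:42:11Z 203.0.113.55 GET /",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+)$")


def credential_replays(log_lines: list, probes: dict) -> list:
    """Flag logins that reuse a probe username from an address other than the
    exit it was sent through. (A replay routed back through the same exit would
    show the exit's own IP and is not caught by this check.)"""
    owner = {user: exit_ip for exit_ip, user in probes.items()}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["user"] in owner and m["ip"] != owner[m["user"]]:
            hits.append({"exit": owner[m["user"]], "replayed_from": m["ip"], "time": m["ts"]})
    return hits


if __name__ == "__main__":
    print(audit_exits(REFERENCE, OBSERVATIONS))
    print(credential_replays(ACCESS_LOG, PROBES))
```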

This problem is not unique to Tor.

It's important to note that this is not just a problem with Tor. There are already quite a lot of nodes between you and the photo of the cat you want to look at. It only takes one person with hostile intentions to cause a lot of damage. The best thing to do here is to force encryption to be enabled where possible. If traffic cannot be recognized, it cannot be easily modified.

And remember that this is just an example of bad operator behavior, not the norm. The vast majority of exit nodes take their role very seriously and deserve great gratitude for all the risks they take in the name of the free flow of information.

The Tor system allows you to hide the final (target) addresses from the provider, thereby getting around any blocking of network resources by the provider. The Tor system also hides the sender’s address from target resources, thereby removing the possibility of identifying or blocking users.

However, both the provider and network resources can fight Tor itself by blocking its public nodes. The following are techniques for dealing with such Tor blocking.

1. Using non-public input nodes (bridge nodes)

In countries with Internet censorship, providers often try to block access to “forbidden” Internet resources. (I don’t understand why some idiot will decide which sites I visit and which ones I don’t!)

The data flowing from the user into the Tor network is disguised as encrypted SSL traffic (the https protocol), and recognizing it by some characteristic is unrealistic. However, the provider always knows the first address to which the data is sent. When working through Tor, this is the address of the first node in the anonymizing chain.

Tor is an open system, so all addresses of public Tor nodes are known, and it is not difficult to put them on a “black list” and then block them.

Sometimes such blocking is even considered as a vulnerability of the Tor system.

The Tor developers foresaw this situation and created a subset of non-public entry nodes (bridge nodes, or bridges), whose addresses can only be found out manually and in small portions.

On the page https://bridges.torproject.org you can find the addresses of three current bridge nodes in the format proxy_host:proxy_port (for example 188.40.112.195:443). There are also brief instructions for setting up bridges (in English, admittedly).

If this page is also blocked, you can get the addresses of bridge nodes by e-mail by sending a request to [email protected] with any subject and the single line get bridges in the body of the message.

You can insert the resulting bridge nodes into the Tor client through its Vidalia graphical shell.

What you need to do: open the Vidalia window, press the “Settings” button, in the window that opens select the “Network” tab, and check the box “My ISP blocks connections to the Tor network”.

Copy the address of the first bridge node into the “Add bridge” field and click the “+” button. Add the remaining bridge nodes in the same way.

Click the "Ok" button. Restart Tor.

2. Adding an external proxy to the end of the Tor chain

Currently, some Internet resources block or restrict access for visitors who use Tor. Apparently they want to control their visitors (!?). (Unfortunately, this includes even such well-known sites as Wikipedia, Gmail, LiveJournal, Linux.org.ru and others.) For such blocking, a “black list” of all (or almost all) public exit servers of the Tor system (blocklist) is compiled, and visits from these servers are prohibited or limited. Sometimes you can look at the “blacklist” at https://proxy.org/tor_blacklist.txt, but most likely there will be a message like “Come back tomorrow”.

A simple way to overcome blocking by Internet resources is to add an external proxy server to the end of the Tor chain. (It is not on the “black list”.) There are many external proxy servers and they are easy to find on the Internet (for example, http://www.proxy-list.org/en/index.php/). It is only necessary that they support SSL traffic encryption (for logging in over a secure https channel) and preferably be “foreign”. Copy the address in the format proxy_host:proxy_port.

Then find the configuration file of the filtering proxy Polipo: ....conf and add the line parentProxy=proxy_host:proxy_port to the end of it, where proxy_host:proxy_port is the address of the “external proxy”.

After this, you need to restart the anonymous channel, i.e. Tor Browser.

You can check the anonymous channel on IP analyzer sites (for example, http://www.ip-adress.com/what_is_my_ip/, http://whatismyipaddress.com/ or http://geotool.servehttp.com/). The IP address shown must match the external proxy address.

As a result of adding an external proxy to the end of the Tor chain, communication with the target address (site) will go through this “clean” “external proxy” for the blocker.



Hello, dear readers of the blog site. You probably know that any of your actions on the network (website pages viewed, files downloaded, videos watched) can be tracked, and from completely different places (by contacting your Internet provider, rummaging through your computer, or searching in the logs of the sites you visited ). Anonymity on the Internet exists only if you don’t start “digging deep.”

There are some solutions to the “leaving trace problem” that we have already covered. For example, you can and then no traces of your visits will be saved on your computer. Or, for example, when blocking access to some sites (for example, to log into Contact or Odnoklassniki from a work computer).

But there is a much more comprehensive solution: the so-called TOR. Essentially this is software which, with a very high probability, allows you to hide from prying eyes everything you do and have done on the Internet. It is on the basis of this technology that Tor Browser works, which will be discussed today. Essentially, it wraps complex technology in the shell of a normal-looking browser accessible to any Internet user. But its filling is unusual...

What is TOR?

I don’t want to overload you with technical terms and concepts that, by and large, would be superfluous. I’ll just outline in a nutshell (on my fingers) how the Tor technology and the Tor Browser built on it work. This knowledge will let you understand what to expect from this software and what its strengths and weaknesses are, so that you can consciously use it for your needs.

So, initially all this was cooked up in one of the US military departments. Why they needed it, history is silent, but in the early 2000s the beginnings of Tor technology were quite unexpectedly released to the public. The source code was open and the software became freely distributed. What does that mean? And how much can you trust such a “gift”?

The question is fair, but you can trust it precisely because the code of this technology is open. Since then (over a decade and a half), hundreds if not thousands of knowledgeable people have studied this code (and made changes to it), and no “bookmarks” or “secret doors” were found. Where safety is concerned (in our case, the transfer and storage of information), it is better to work with open source software.

By the way, this is why when choosing n, but for . They simply belong to the category of free software and their code has been checked by thousands of competent specialists. It’s somehow calmer, because I store a lot of passwords for services tied to money and losing them would be very expensive.

So, TOR technology allows you to visit websites and download things from the network without leaving any traces behind. That is, when you open, for example, a website through the Tor Browser, it will be impossible to track your computer's IP address on that website (and therefore to identify you). Even your Internet provider will not find out (even if it wants to) that you visited this site (and it will be impossible to prove). And the browser itself will not store any traces of your wanderings on the Internet.

Wonderful, isn't it? I understand that in this way people can cover up their dark affairs. Not without that, of course. But the general idea of Tor is still bright: to give the Internet user real freedom in the form of complete anonymity. For example, in some countries access to certain resources may be blocked without justification, but Tor Browser will let you bypass these obstacles and not be punished for this violation, because they will not know that you did it (or will not be able to prove it). But that's not the point...

How does TOR work? This is called onion routing. Look: there is a network of nodes run by adherents of this technology. Three arbitrary nodes are used to transmit data. But which ones? That is exactly what no one knows.

The Tor browser sends a packet to the first node, and it contains the encrypted address of the second node. The first node knows the key for the encryption and, having learned the address of the second, forwards the packet there (it’s like removing the first layer of an onion). The second node, having received the packet, has a key to decrypt the address of the third node (another layer has been removed from the onion). Thus, from the outside it is not possible to understand which site you ended up opening in your Tor Browser window.

But please note that only the path (routing) is encrypted, and the contents of the packets themselves are not. Therefore, to transmit secret data it is better to encrypt it first (at least with the TrueCrypt mentioned above), since the possibility of intercepting it (for example, with sniffers) exists.

In addition, this technology has a few more disadvantages (or features):

  1. Your ISP (or anyone else who monitors your traffic) may realize that you are using Tor. He won't know what you're watching or doing online, but sometimes the mere fact of knowing you're hiding something can have consequences. Take this into account and, if possible, study ways to enhance camouflage (and they exist), if this is critical for you.
  2. The TOR network does not use special high-speed equipment but, in fact, ordinary computers. This brings up another drawback: the speed of data transfer in this secret network can vary significantly and sometimes is clearly not enough for, for example, viewing media content.

Where can I download the official Russian version of Tor Browser?

On this blog I have already published an article on that. Tor was also mentioned there. Naturally, it is better and safer to download any product from the developers’ website, i.e. the official one (I think you know). The Tor Browser download page is located at this address (I repeat once again that for security reasons it is better to download from the official website):

Please note that before clicking the download button, you must select a language. The default is English, but you can select a dozen more options from the drop-down list, including a fully localized Russian version. It is more pleasant to work when the interface language is your own.

Although, during installation you will again be asked about your preferred interface language and you can also select Russian there. Otherwise, the installation process is no different from installing any other browser.

However, when you first start it, you will be asked whether you need additional settings to connect to the TOR network. In the vast majority of cases, it will be enough to simply click the “Connect” button:

It will take some time for the browser to successfully connect to the Tor network:

After this, a window will open in a browser that looks normal at first glance, but works with the Internet by creating encrypted tunnels (analogues).

However, the developers themselves emphasize that Tor is not a panacea (at least with default settings). Therefore, those who are paranoid about absolute anonymity are advised to follow the link for clarification on this matter.

How to use the Tor browser?

When you first load the browser, you are immediately prompted to use the anonymizer for search at disconnect.me. Actually, it is this service that will be used as the “ ” in this browser (you can change this in the settings), i.e. when entering a query in a newly opened browser tab or through the address bar on any tab, the disconnect.me anonymizer will open with the search results.

The search is actually carried out by Google (you can select from the settings in the top panel of the service - see the screenshot below), but no traces of who exactly conducted the search remain (remember, I wrote about the fact that, but in fact, nothing can be permanently deleted , so those who are concerned about anonymity need to remember this).

Don't forget also select search language(in the top panel of the disconnect.me window on the right), because thanks to the anonymizer, Google will not be able to recognize your preferred language automatically. Although, by choosing, for example, Russian, you to some extent lift the veil of secrecy about your incognito for this search engine. But here you need to make a compromise - either convenience, .

Yes, the Tor browser will also warn you when you first click on the link that it is better to load pages in English, to avoid, so to speak.

Personally, I chose the “No” option, because convenience is more important to me, and I don’t speak any other languages ​​besides Russian. Alas and ah.

By the way, you can check for yourself that you have indeed been “encrypted”. To do this, it is enough to go to the site from any other browser, and then do the same from Tor. As you can see, TOR replaces (I became a sultry Norwegian) and this is only a small part of protecting your anonymity.

By the way, if you click on the onion to the left of address bar, then you can see the same chain of three nodes (proxy) that separates your computer from the site you are visiting (I wrote about onion routing just above):

If desired, this chain of nodes can be changed. You can also change your “browser-created personality” if you don’t like the current one. However, this will close all open tabs in Tor and it will be automatically reloaded.

Here you can also access security settings:

By default, all privacy (anonymity) settings are enabled, but the security level is set to the lowest, because only then are all the browser's functions available. If you set the Tor browser's security level to “high”, a whole bunch of browser functions will only be available after you explicitly activate them (i.e. everything is disabled by default). For me this is overkill, so I left everything as it was, but you can choose something in the middle (a compromise).

Otherwise Tor Browser is similar to Mozilla Firefox, because it is essentially built on it. This will be clearly visible when you go to the settings (by clicking the button with three horizontal lines in the top right corner):

Good luck to you! See you soon on the pages of the blog site
