Is the Tor browser safe?

Disclaimer: I am not encouraging any and every illegal behavior, neither on Tor nor anywhere else. This is a purely theoretical analysis of the actual strength of the Tor network, which is a great tool for anonymity, and is vital for the freedom of the Internet.


Malicious Tor nodes are a problem, and a constant subject of discussion, with many people believing that the Tor network is compromised.
I am here with facts, math and logic to determine how easy/hard it would be to compromise Tor.

There are three ways a tor user can be de-anonymized:

  1. Human Error
  2. Malicious Nodes
  3. Traffic Analysis

I will cover 1 in another post, but 2 and 3 here:


What can be Achieved

Since everyone can contribute Tor nodes (you should too), users or even entire government organizations could contribute malicious nodes, which log the activity in the Tor network.

If a user's circuit is comprised of all malicious nodes, the entity in control knows which IP is connecting to which hidden service.

Please note that IPs are not unique and there is nothing illegal about visiting any hidden service.

Due to encryption, an outside observer cannot see what you are doing at said hidden service. Either your device or the hidden service has to be compromised by said outside observer for it to know what's going on.


Malicious Nodes

Now that we have established what can happen if your real IP gets linked with your browsing on Tor:
What's actually the mathematical probability for me to get a bad circuit?

The Math is quite simple actually:
f(x) = x^3 for 3-hop clearnet circuits
f(x) = x^6 for 6-hop .onion circuits

[Image: plot of f(x) = x^3 and f(x) = x^6]

The Orange Line represents a 3 hop clearnet circuit
The Red Line represents a 6 hop .onion circuit
The X axis (left to right) stands for the percentage of bad nodes in the Tor network
The Y axis (up and down) stands for the probability of getting a full circuit of bad nodes.

To check the number of Tor nodes, go to Tor’s metric page.

The Tor network consists of around seven thousand nodes and almost three thousand bridges at the time of typing this, so a malicious entity would have to own 5000 (3500 Nodes + 1500 Bridges) separate computers with individual IP addresses, email addresses, nicknames and configurations, only to get a 1.6% chance of compromising a .onion circuit.


Traffic Analysis

Theoretically, a malicious entity could de-anonymize users by comparing the traffic coming into the Tor network with the traffic leaving the Tor network.

Instead of a full circuit, they would just need to have control over the first and last node.

The Tor project knows this however, and has implemented security measures to make this harder. You can read about it here, but here’s how I would explain it:

  • Cover traffic:
    The Tor network generates “fake” traffic. You can picture it like trying to decipher Morse code while listening to the static of a radio, which sounds exactly like the signal you are trying to listen for.
  • Static Guard Nodes:
    If you only have one entry node, but do different things, this node will not be able to categorize the traffic, making it virtually useless.
  • Timing:
    By purposefully delaying your traffic at multiple nodes, the malicious entity cannot determine your traffic by estimating how long its journey through the Tor network is. This does make the Tor network a little bit slower, but way more secure.
  • Padding:
    The Tor traffic leaving your machine is encrypted twice. When it comes to the first node, the first layer of encryption is decrypted, and the package plus randomly generated binary is encrypted and sent to the next node, where the process repeats itself.
    You can visualize this by imagining the encryption as a box inside a box, and the padding like packing peanuts. The size of the outer package the mailman sees varies, but the content inside is always the same.

This makes traffic analysis very hard. It's pretty much guesswork, but with these kinds of countermeasures a nearly impossible task.

Keep in mind that all they could do is guess which IP connects to which hidden service. They never know if it's a real connection, or just a coincidence.

Again: IPs are not unique, connecting to any hidden service is not illegal, and due to encryption the malicious entity would not even know what you are doing.

3 Likes
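Added example, not part of the original post: it puts the post's f(x) = x^n model next to the exact probability when a circuit never reuses a relay, and next to the first-and-last-node case from the traffic analysis section, using the post's figures (10,000 relays and bridges, 5,000 of them malicious). The function names are this example's own, and uniform relay selection is an assumption; real Tor path selection weights relays by bandwidth and flags, so share of bandwidth matters more than relay count.

```python
import random
from fractions import Fraction

def model_prob(fraction_bad, hops):
    """The post's model f(x) = x^hops: every hop is an independent draw."""
    return fraction_bad ** hops

def exact_prob(total, bad, hops):
    """All `hops` relays malicious when a circuit never reuses a relay
    (uniform draw without replacement; an assumption of this example)."""
    p = Fraction(1)
    for i in range(hops):
        p *= Fraction(bad - i, total - i)
    return p

def endpoints_prob(total, bad):
    """First and last relay both malicious, the traffic-analysis case.
    The relays in between do not matter, so only two draws count."""
    return exact_prob(total, bad, 2)

def simulate(total, bad, hops, trials=100_000, seed=7):
    """Monte Carlo check of exact_prob; relays 0..bad-1 are the malicious ones."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        circuit = rng.sample(range(total), hops)
        hits += all(relay < bad for relay in circuit)
    return hits / trials

if __name__ == "__main__":
    # The post's figures: 7000 nodes + 3000 bridges, half of them malicious.
    TOTAL, BAD = 10_000, 5_000
    for hops in (3, 6):
        print(f"{hops} hops: model {model_prob(BAD / TOTAL, hops):.4%}  "
              f"exact {float(exact_prob(TOTAL, BAD, hops)):.4%}  "
              f"simulated {simulate(TOTAL, BAD, hops):.4%}")
    print(f"first+last only: {float(endpoints_prob(TOTAL, BAD)):.4%}")
```

With the post's numbers the full 6-hop case stays near 1.6%, while the first-and-last case is close to 25%, which is why the countermeasures listed under Traffic Analysis carry most of the weight.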

Do note the Tor browser is built on Firefox, not very well known for its security. It’s essential you use something like Tails or Qubes for browsing through Tor. Security is linked to privacy, so no security equals no privacy.

Although the tor circuit design is pretty solid, there are quite some criticisms of it.

1. https://news.mit.edu/2015/tor-vulnerability-0729

1 Like

Sure, but let me add that the security difference is minimal.

So: If Tor relied on Chrome, or Chromium, and Firefox were to be discontinued, Google would wait a few months and cancel Chromium as well, leaving us with no private and secure browser at all. New Chrome security vulnerabilities would be found, and Tor would be unsafe.

A big NO

No, the security difference is not “minimal”. The sandbox implemented by Firefox is extremely weak. On Windows it’s somewhat meh, but on other platforms like Android and Linux, the sandbox is laughably insecure.

On Windows, Firefox doesn’t implement win32k lockdown (which are some dangerous syscalls that expose a lot of attack surface). It is planned, but as of today it’s not there. Chromium implements these, btw.

On Android, Chrome uses the isolatedProcess for sandboxing while Firefox doesn’t have sandboxing as of today.

Mozilla is just more busy paying its CEO instead of serving its users. It’s time we ditch it for good.

What about the Browser Monopoly stuff?

That shouldn’t be the justification for a piece of software which journalists and people facing life or death situations use. The most secure and best stuff should be there for Tor.

1 Like

Then go and use Chromium for Tor, if you feel like this, but there is not a single documented case of Tor browser actually exposing someone because of a zero day.
Sandboxing is already implemented by Android by default, and the entire point of sandboxing is assuming a program is unsafe. If someone manages to compromise Tor, they can easily crack sandboxing as well.

Now if a journalist uses Tor, they already have the solution: Tails. It's an official Tor project and more than makes up for the few malware mitigation systems Firefox lacks.

The only thing that infuriates me is that Tor browser does not remove Mozilla Telemetry, makes unsolicited connections and has a worse fingerprint than optimized LibreWolf.

Does anyone know if there is a terminal (CLI) version of Tor? No browser at all and similar to old school BBS.

1 Like

Do you mean tor-browser, since the tor package is already CLI?

OK, I didn’t know that. I formed my question incorrectly. Is there a way to use the Tor network but through the terminal without a browser? Sorry, but I only know a little bit about Tor.

1 Like

No need to apologise. To “use Tor” through a terminal can be done in various ways, for example the XMPP (messaging protocol) client PROFANITY, which is CLI-based and can be routed through Tor.

There is also the CLI web browser Lynx.

TL;DR: Every application can be routed through Tor, no matter if it's CLI or GUI.

Idk. Seems to me Tor browser is too much of a hassle to deal with. Maybe I’m wrong. Maybe it’s more practical just to use Profanity and Lynx.
I’ve been reading about and researching various so-called privacy browsers. Most people in the privacy preservation community are not really happy using them. That includes stripped down Firefox called TOR. A lot of people heavily criticize its soundness.

I’ll keep reading your post to see what various minds have to say. BTW thanks for providing such valuable information. In the meantime I’ll read more about PROFANITY and Lynx.

1 Like

A cool, minimalist browser you might enjoy is Links.
It is as minimal as it gets, cannot even run JavaScript, just basic HTML and CSS.
Many people would like Tor browser to be based on it, since there's pretty much no chance you will find a vulnerability in it, but on the other hand journalists and activists who need to visit sites that rely on JS to do their work would not be able to use this browser.
It would basically only work inside the .onion space because there are virtually no sites that rely on .js.

Threading to a tangent here:

When I want to use TOR more extensively I bring up a Whonix VM. And I keep the browser inside it very minimal in footprint.

1 Like