Tor and the darkweb (co-authored, unpublished paper – please comment/feedback)

This article was co-authored anonymously: the co-author is still living in China today.
Since late 2005 Western media have been filled with reports of Beijing’s increasingly heavy-handed attempts to silence dissent and block references to politically sensitive topics such as democracy and human rights. The so-called Great Firewall of China is managed by nine state-licensed internet-access providers that use filtering technology and an army of censors to patrol the gateway between China and the rest of the world. These censors are referred to as ‘net nannies’; their numbers are thought to be in the tens of thousands, and every day they monitor computers in homes and in over 100,000 internet cafés across China [i].

This is why anonymity matters. Without anonymity you cannot see the truth in China, because you will be blocked. According to the co-author of this article, living in China feels like being on the front line of the anonymity battle. Anonymity in an internet café is almost impossible: customers buy credit on a café account that is linked to their ID card, so everyone’s online activity is tied to a workstation and monitored. Surfing from home is similar. It was after his network connection had been cut off for the umpteenth time that the co-author started researching ways of anonymizing his online activity using The Onion Router (Tor), an anonymity-enhancing network. Once he had installed Tor he had unrestricted Internet access. He had in effect found one of the many holes in the Great Firewall of China. He was seeing the truth as it was, looking at China’s underbelly, and for once China’s net nannies couldn’t see him!

This article is about anonymity: why it is needed, what Tor is and how it works, and the co-author’s experiences with Tor and what he found in the darkweb.

Why online anonymity is difficult

Even if you live in a country where freedom of speech is not inhibited, true online anonymity is not easy. The Internet was not designed to provide anonymity: every endpoint, and every router your communications travel through, is identified on the Internet by an IP address. The design assumes that the path the data took is recorded, at least in the form of the IP address that originated the data, so that something can be sent back. As a consequence, the Internet is non-anonymous by default. Traffic is not necessarily attributable to a named individual or corporation, but it is certainly traceable to the physical source of the data.

Internet data packets have two parts: a data payload and a header used for routing. The payload is the content of the packet, whether that is an email message, a web page or an audio file; it can be likened to the letter inside an envelope sent by snail mail, and the header to the envelope itself. On the envelope are the destination address, a stamp and, optionally, the sender’s address on the back. With the Internet the sender’s address is not optional: the header carries both the source and the destination IP address, and both are read in the clear by every router the packet passes through. (Routers do not normally add their own addresses to the header; they do not need to, since the source address is already there.) This is a basic problem for anyone wanting anonymity: the recipient of your communications can see that you sent them simply by looking at the headers, and so can any intermediary on the path, such as your Internet service provider. A very simple form of traffic analysis involves sitting somewhere between sender and recipient on the network and looking at headers, and this is what the Chinese net nannies are doing.

Even an anonymizing proxy does not give complete anonymity. It does hide your IP address from the destination, because it makes the request as if on its own behalf and then relays the response back to you. The vulnerability is that the proxy itself sees your IP address and typically logs or caches it, and anyone with access to the proxy can match those records to the requests it made. With a single user on the proxy it is obvious who they are and which sites they are visiting, because everything the proxy does is done on that one user’s behalf. With two users it becomes harder, but by looking at the timing of arriving and departing packets and their relative sizes you could still probably disambiguate the actions of the two users. With four, five, six or more users disambiguation becomes increasingly complicated, but it is not impossible: whoever has access to the proxy, or to the links on both sides of it, can capture a large blob of traffic and take it offline for analysis to whatever level of detail is needed to determine who was querying what. In short, a single proxy cannot guarantee anonymity.
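To make this concrete, here is an added example (not part of the original paper) in Python. It simulates the attack just described: an observer who can see traffic on both sides of a single proxy, or who owns it, records only timestamps and sizes and pairs each outgoing request with the incoming packet that caused it. The client addresses, server names, timings and sizes are all constructed for the illustration, and the matching rule (same size, arrival within a short window) is a deliberately simple version of what a real traffic-analysis tool would do.

```python
"""Toy traffic-correlation attack on a single anonymizing proxy (added example).
An observer on both sides of the proxy logs only timestamps and sizes, never
content, and still recovers who talked to whom. All records are constructed."""
from collections import defaultdict

# Constructed log: (client_ip, arrival_time_s, bytes) for traffic into the proxy.
INBOUND = [
    ("10.0.0.5", 0.000, 412),
    ("10.0.0.9", 0.031, 388),
    ("10.0.0.5", 0.250, 1201),
    ("10.0.0.7", 0.262, 412),    # same size as the first packet: size alone is ambiguous
    ("10.0.0.9", 0.510, 277),
    ("10.0.0.7", 0.540, 1201),
]

# Constructed log: (server_host, departure_time_s, bytes) for the proxy's onward requests.
OUTBOUND = [
    ("news.example",  0.012, 412),
    ("forum.example", 0.045, 388),
    ("mail.example",  0.263, 1201),
    ("news.example",  0.276, 412),
    ("forum.example", 0.521, 277),
    ("shop.example",  0.552, 1201),
]

def correlate(inbound, outbound, max_delay=0.05):
    """Pair each outbound packet with the most recent unmatched inbound packet of
    the same size that arrived at most max_delay seconds earlier. A proxy adds a
    small, fairly constant forwarding delay, so this window can be tight.
    Returns {(client_ip, server_host): number_of_matched_packets}."""
    unmatched = list(inbound)
    links = defaultdict(int)
    for server, t_out, size in sorted(outbound, key=lambda p: p[1]):
        candidates = [p for p in unmatched
                      if p[2] == size and 0 <= t_out - p[1] <= max_delay]
        if not candidates:
            continue                      # unexplained packet: leave it unattributed
        best = max(candidates, key=lambda p: p[1])    # closest in time wins
        unmatched.remove(best)
        links[(best[0], server)] += 1
    return dict(links)

def profile(links):
    """Collapse matched pairs into the list of servers each client visited."""
    visits = defaultdict(set)
    for client, server in links:
        visits[client].add(server)
    return {client: sorted(servers) for client, servers in visits.items()}

if __name__ == "__main__":
    for client, servers in sorted(profile(correlate(INBOUND, OUTBOUND)).items()):
        print(f"{client} -> {', '.join(servers)}")
```

Run it and each client is mapped to the sites it visited without a byte of payload having been read. Note that the two 412-byte requests are only told apart by timing: remove the size signal, as fixed-size cells attempt to, and this simple matching degrades quickly; remove the timing signal as well and it fails.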

The Onion Router (Tor)

Tor is free software and a large network of relays (‘nodes’) run by many different volunteers and organizations across the globe, designed to give an individual user anonymity by routing traffic through an encrypted, multi-hop tunnel. As of the end of April 2014 the network comprised about 4,500 relays, of which about 1,000 were exit relays [vii].

Tor was originally designed, implemented and deployed as a third-generation onion-routing project of the US Naval Research Laboratory, with the primary purpose of protecting government communications. Today it is used every day for a wide variety of purposes by the military, journalists, law enforcement officers, activists and many others. Journalists use Tor to communicate more safely with whistleblowers and dissidents. Non-governmental organizations (NGOs) use Tor to let their workers connect to their home website while in a foreign country without announcing to everybody nearby that they work for that organization. Activist groups like the Electronic Frontier Foundation (EFF) recommend Tor as a mechanism for maintaining civil liberties online, and EFF has previously funded Tor’s development [ii]. Corporations use Tor as a safe way to conduct competitive analysis and to protect sensitive procurement patterns from eavesdroppers; they also use it in place of traditional VPNs, which reveal the exact amount and timing of communication. Law enforcement uses Tor for visiting or surveying websites without leaving government IP addresses in the web logs, and for security during sting operations [iii].

The beauty of this network of nodes, run by all kinds of distributed entities across many countries, and of a design that does not require you to trust any individual node, is that no single government or organization controls it. No government can issue a subpoena to ‘Tor’ demanding to know who is using the service, because no one party holds that information, and the Tor Project cannot legally be forced to hand over what it does not have [iv]. Governments can be pretty persuasive, so this matters. The flip side is that the protection is against any single operator or jurisdiction, not against a global observer: an adversary who can watch both ends of a circuit can still correlate its traffic.

How does Tor work?

To use Tor you first install the Tor client, which gives your applications access to the Tor network. The client downloads the list of currently active, publicly listed relays (the graphical front end of the time showed them on a world map), and it only needs to connect to one of them, the entry node, to start routing your traffic anonymously.

Your client selects the route automatically: an entry node, a middle node and an exit node (three hops by default). It then builds what is referred to as an onion, starting from the innermost layer, which is destined for the last node in the chain, the exit. It is called an onion because the encryption is applied in layers and decryption is like peeling those layers off one by one. If you are familiar with how a VPN or PGP protects a payload, the building block is the same: the payload is encrypted with a randomly generated symmetric key, that symmetric key is encrypted with the recipient’s asymmetric (public) key, and to decrypt the payload you first need the matching private key to recover the symmetric key.

Every Tor node has a key pair: a private key that only it knows and a public key that anyone may know. The pair is generated by an asymmetric algorithm (RSA in Tor’s original design) so that the private key cannot be derived from the public one. Data encrypted with a node’s public key can only be decrypted with that node’s private key, which the node keeps secret. Tor effectively builds nested tunnels that provide, at each layer, origin authentication along with confidentiality and integrity of the data.

To create a private pathway through Tor, your client incrementally builds a circuit of encrypted connections across the chosen nodes. The circuit is extended one hop at a time, and each node learns only which node handed it data and which node it hands data to; no individual node knows the complete path a packet has taken. The client negotiates a separate set of symmetric keys with each hop on the circuit, so that no hop can read or trace the layers belonging to the others. This gives nested, multilayer encryption: the key exchange with each successive node is protected by that node’s public key, which only that node can decrypt, and the resulting symmetric keys, chosen with random input from the client, encrypt the data layer belonging to that hop. In Tor the public-key operations are used only during circuit set-up; once the circuit exists, every data cell is protected purely by the per-hop symmetric keys.


When the client has finished creating the onion, it hands it to the first node in the chain. That node uses its private key to decrypt the outer layer and finds the symmetric key it shares with the client, together with the routing instruction naming the next node. The remainder is still encrypted N-1 times with keys it does not have, because those keys are buried in the inner layers, each encrypted with another node’s public key and decryptable only with that node’s private key.

Nothing about the onion reveals the full path. Only the node that decrypts a given layer learns the identity of the next node in the chain; it knows nothing about the other nodes, not even how many there are. The onion therefore moves through the Tor network telling each node only what it needs to know: how to decrypt what it received and whom to send it to.

Another factor that enhances the anonymity Tor provides is the number of people using it; more users actually make it more secure [v]. Tor hides you among the other users on the network, so the more populous and diverse the Tor user base is, the better your anonymity is protected.

What is more, Tor pads every packet to a fixed size. All cells moving between relays inside the Tor network are the same length (512 bytes in the classic design), no matter how much data they actually carry, which defeats traffic analysis based on individual packet sizes of the kind shown in the simple proxy example. It does not hide everything, though: the number of cells and their timing are still observable, so an adversary who can watch both ends of a circuit may still correlate them.
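The layering and the fixed cell size described above, as an added example in Python (not the paper’s or the Tor Project’s code). It models the data phase of a three-hop circuit: the client already holds one symmetric key per relay (assumed to have been negotiated during the hop-by-hop circuit build), wraps a cell in three layers, and each relay peels exactly one. It goes slightly beyond the text in one respect, following what Tor actually does: the next-hop information is not carried inside the onion but in a small circuit table that each relay filled in when the circuit was built, which is what lets every cell stay exactly 512 bytes at every hop. The cipher is a toy HMAC-SHA256 counter-mode keystream standing in for Tor’s AES-CTR, the cell layout is a trimmed version of Tor’s relay cell, and the relay names, keys and circuit IDs are made up.

```python
"""Simplified Tor-style onion layering over fixed-size cells (added example).
Toy cipher and trimmed cell layout; relay names, keys and circuit IDs are made up."""
import hashlib
import hmac
import os
import struct

CELL_SIZE = 512                      # classic Tor cell size on the wire
CIRC_ID_LEN = 2                      # circuit ID prefix (unencrypted, hop-local)
PAYLOAD_LEN = CELL_SIZE - CIRC_ID_LEN
DIGEST_LEN = 8
HEADER_LEN = 2 + DIGEST_LEN + 2      # recognized(2) | digest(8) | length(2)
MAX_DATA = PAYLOAD_LEN - HEADER_LEN  # 498 bytes of application data per cell

def keystream(key: bytes, seq: int, n: int) -> bytes:
    """Toy PRF stream cipher: block i = HMAC-SHA256(key, seq || i). The per-hop
    cell sequence number keeps the keystream from ever being reused."""
    out = b""
    i = 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">QQ", seq, i), hashlib.sha256).digest()
        i += 1
    return out[:n]

def xor_stream(key: bytes, seq: int, data: bytes) -> bytes:
    """Encrypt or decrypt one layer; length-preserving, so cells never grow."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, seq, len(data))))

def build_payload(exit_key: bytes, data: bytes) -> bytes:
    """Innermost layer: recognized(2)=0 | digest(8) | len(2) | data | random pad.
    Only the exit, holding exit_key, can verify the digest."""
    if len(data) > MAX_DATA:
        raise ValueError("data does not fit in one cell")
    body = struct.pack(">H", len(data)) + data
    body += os.urandom(PAYLOAD_LEN - 2 - DIGEST_LEN - len(body))
    digest = hmac.new(exit_key, body, hashlib.sha256).digest()[:DIGEST_LEN]
    return b"\x00\x00" + digest + body

def recognized(key: bytes, payload: bytes) -> bool:
    """True only when this relay's key makes the cell check out, i.e. at the exit."""
    if payload[:2] != b"\x00\x00":
        return False
    want = hmac.new(key, payload[2 + DIGEST_LEN:], hashlib.sha256).digest()[:DIGEST_LEN]
    return hmac.compare_digest(want, payload[2:2 + DIGEST_LEN])

def wrap_cell(keys, circ_id: int, seqs, data: bytes) -> bytes:
    """Client side: build the exit's payload, then add layers exit-first so the
    guard's layer ends up outermost."""
    payload = build_payload(keys[-1], data)
    for key, seq in reversed(list(zip(keys, seqs))):
        payload = xor_stream(key, seq, payload)
    return struct.pack(">H", circ_id) + payload

class Relay:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seq = name, key, 0
        self.circuits = {}   # inbound circ_id -> (next Relay, outbound circ_id)
        self.seen = []       # (previous hop, next hop, cell size): all it could log

    def handle(self, prev_hop: str, cell: bytes):
        """Peel one layer. Returns (next_relay, cell) or (None, data) at the exit."""
        circ_id = struct.unpack(">H", cell[:CIRC_ID_LEN])[0]
        plain = xor_stream(self.key, self.seq, cell[CIRC_ID_LEN:])
        self.seq += 1
        if recognized(self.key, plain):
            n = struct.unpack(">H", plain[2 + DIGEST_LEN:HEADER_LEN])[0]
            self.seen.append((prev_hop, "<destination>", len(cell)))
            return None, plain[HEADER_LEN:HEADER_LEN + n]
        next_hop, out_id = self.circuits[circ_id]
        self.seen.append((prev_hop, next_hop.name, len(cell)))
        return next_hop, struct.pack(">H", out_id) + plain

def run_demo(data: bytes = b"GET /truth HTTP/1.1\r\nHost: news.example\r\n\r\n"):
    """Send one cell through guard -> middle -> exit; return what the exit
    recovered and what each relay was able to observe."""
    keys = [os.urandom(32) for _ in range(3)]          # per-hop session keys
    guard, middle, exit_ = (Relay(n, k) for n, k in zip(("guard", "middle", "exit"), keys))
    guard.circuits[0x1234] = (middle, 0x5678)           # state left by circuit build
    middle.circuits[0x5678] = (exit_, 0x9ABC)
    hop, prev, cell = guard, "client", wrap_cell(keys, 0x1234, [0, 0, 0], data)
    while True:
        nxt, out = hop.handle(prev, cell)
        if nxt is None:
            return out, [r.seen[0] for r in (guard, middle, exit_)]
        prev, hop, cell = hop.name, nxt, out

if __name__ == "__main__":
    delivered, views = run_demo()
    print(delivered.decode())
    for prev, nxt, size in views:
        print(f"{prev:>7} -> {nxt:<14} cell of {size} bytes")
```

Each relay’s `seen` list is everything it could have logged: its predecessor, its successor and a 512-byte cell. The guard and the middle relay decrypt their layer and find pseudo-random bytes, so neither can tell whether it is the first or the second hop; only the exit, whose key makes the digest verify, recovers the request.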

Tor, however, is slow. It will turn a fast broadband connection into a pre-millennium dial-up connection: websites take a long time to load, and pictures reveal themselves one nail-biting line at a time. There is also a structural weak point: the exit relay. Traffic leaves the Tor network there in whatever form the application sent it, so an exit relay run by a malicious party can read or tamper with unencrypted traffic and attempt man-in-the-middle (MitM) attacks on encrypted traffic; the Spoiled Onions research catalogued exit relays found doing exactly this [vii]. Using end-to-end encryption (HTTPS) to the destination, and heeding certificate warnings rather than clicking through them, limits what a bad exit can do.


.onion and the rabbit hole

Tor also has the .onion pseudo-domain, which you can think of as Tor’s intranet. Sites in it (hidden services) are hosted by Tor users themselves and are reachable only through the Tor network; a connection to one never passes through an exit relay, so it is encrypted from beginning to end inside Tor, and neither side learns the other’s location. Nobody knows who you are, and you don’t know who anybody else is. Many .onion addresses are very difficult to find; it takes patient searching on the Internet to turn one up. And when one does, one’s perception of the Internet instantly morphs. Like Alice in Wonderland tumbling down the rabbit hole, the route from one’s computer into Tor becomes a long dark corridor with many, many locked doors along it. Except that you can only see the doors you know about, and those doors might also be locked. Tap on a stretch of wall long enough and another door might appear. Tor is a portal into what is known as the darkweb or deepnet (Freenet [vi] is a separate network serving a similar purpose).

Navigating through it feels like playing an old text-based adventure game: if you don’t know exactly which command to type, you aren’t going to be able to turn left, turn right or put the silver key in the brown door. Now jump over a few walls to a quieter part of town and knock on a nondescript door leading to a much darker, seedier underworld. For those who find the doors and the passcodes there are forums where they practise complete freedom of speech, forums where the rules of our physical world don’t apply; places where you can say whatever you want about whatever topic you can think of without fear of recrimination. This concept of complete freedom of speech feels liberating in a very fundamental way. As you dive deeper into the rabbit hole you discover that it is liberating for other people too: not just for those like yourself, trying to escape government monitoring in repressive regimes and searching for the truth, but also for those with criminal intentions and for those looking for places to release their abnormal desires. The .onion network is a breeding ground for paedophiles.

These forums buzz with activity in a perverse way. It is an upside-down world in which paedophiles have created meeting places to exchange child pornography, tips on how and where to find victims and advice on successful ‘grooming’ techniques, fulfilling the role that we would associate with a peer support group in the physical world. The impact of these groups is profound: paedophiles are able to ‘normalise’ abnormal desires, enabling them to view their behaviour as socially acceptable and possibly lowering their inhibitions to act on impulses that would otherwise remain fantasy. If you end up unexpectedly in this rabbit hole you will not be able to resist making yourself heard: you will tell them they are sick, cyber-YELL at them that they are not normal, or threaten to “report them to the Tor administrator”, to which they will reply, “Fool, we run Tor!”

Freedom of Speech vs. darkweb

Tor and the .onion network give those living in repressive regimes a glimpse of the truth and a freedom of speech that would otherwise be impossible. Activist groups like the Electronic Frontier Foundation (EFF) recommend Tor as a mechanism for maintaining civil liberties online. Nonetheless, if you go there and end up down one of those rabbit holes you will find the dark side of Tor, the darkweb. How does one end up there?

It is the distributed nature of Tor that means no single organisation, legal or otherwise, no country and no person can claim to run Tor completely, although some entities may feel that they do. Finally, the question that begs to be asked: are the ethical organisations and individuals that support Tor, financially and otherwise, to all intents and purposes fuelling the darkweb and all it represents, even if unintentionally? That is a question that also begs to be answered…

[i] Oqvist, K. (2009), Virtual Shadows: Your Privacy in the Information Society, ISBN 978-1-906124-09-0, British Computer Society

[ii] Tor development is coordinated by the Tor Project, Inc., a 501(c)(3) not-for-profit organization. See http://www.torproject.org/ (last accessed 16 March 2010).

[iii] Tor (2009) http://www.torproject.org/torusers.html.en, (last accessed 16 March 2010).

[iv] Gibson, S. & Laporte, L. (2006) Security Now! podcast transcript, episode #70, Achieving Internet Anonymity, http://www.grc.com/sn/sn-070.htm (last accessed 16 March 2010).

[v] Acquisti, A., Dingledine, R. & Syverson, P. (2003) On the Economics of Anonymity, http://freehaven.net/doc/fc03/econymics.pdf (last accessed 16 March 2010).

[vi] Freenet users basically share unused hard drive space to participate in a distributed Freenet database, what this means is that each user gives up a chunk of their hard drive in return for being able to use chunks of everybody else’s hard drive in this network.

[vii] Winter, P. et al. (2014) Spoiled Onions: Exposing Malicious Tor Exit Relays, http://www.cs.kau.se/philwint/spoiled_onions/

Angela pushing for protection of EU data

I really like this. It came out last week just when I was mentally preparing to travel up to Mora for Tjejvasan on Tuesday 😉

Angela wants to try and keep EU data in the EU boundaries, especially personal data.

Concerns voiced by experts centre on the amount of work involved in redoing all the routing tables. After all, networks are configured to get packets from A to B as quickly as possible, and that is not always the most direct route; it is often faster to take the motorway bypass when driving than the small roads. Packet routing works the same way: routes are chosen by cost and policy, and congested or expensive paths are avoided where possible. Redoing the routing tables to keep traffic inside the EU would be like removing the option of taking the faster route when the direct one is congested.

A cryptography expert states that it would be much more effective to encrypt packets: that way it would not matter where they go, even over hostile territory. Some issues here: 1) cryptography has some overhead cost, like adding extra packaging to a parcel, which makes it larger and heavier; 2) how does a non-technical person know when to encrypt? After all, it doesn’t make sense to send everything encrypted, does it? 3) I love the evolution of quantum computing, as it can solve many problems simultaneously, although each quantum processor must be designed with a purpose in mind, e.g. for security it could be the decryption of a specific algorithm. It is extremely expensive, but imagine when the NSA, or criminal networks with this kind of money, start using quantum computing for intelligence and data-mining purposes?

I believe that we have enough networks in the EU to route packets within the EU before they are sent outside it. This also prepares us for a future in which it will be much easier to decrypt even the most secure algorithms used today. So yes, it requires some work, but just as we in the EU would like to keep our cloud services in the EU, so would we like to keep our personal information there, encrypted or not!

Lavabit forced to close down

Thanks to David Misell for sharing this on LinkedIn.

Lavabit, the US email provider that Edward Snowden used, has been forced to close down following FBI demands for the private keys protecting its users’ email. The U.S. Government obtained a secret court order demanding Lavabit’s private SSL key, which would have allowed the FBI to wiretap the service’s users.

You can read more at Hacker News and at Wired.

I did also hear, though, that he had intentions to set up shop again outside of the U.S., so I am really interested to see if this happens 😉

This is an outrage!

It seems that the email service Edward Snowden recommended as one that actually protects your privacy in the US has been ordered to hand over the keys protecting its users’ data, and has shut down rather than comply! The owner and operator of the service, Ladar Levison, has been gagged. Reading between the lines, it looks like he will move his services outside of the US.

His advice is: don’t share any of your data on US servers! Read more at Infosecurity.

TRUST is a currency

The PRISM exposure has presented non-US companies with a dilemma. The drive is into the cloud, but they don’t want their information outside of safe EU jurisdiction. According to Forbes, US cloud providers stand to lose a lot of dollars as a result.

What needs to be clear here is that PRISM is about government nosing around in our social media activities without us being informed of this. Organizations could say that this is not a risk as they are not in the social media space (unless it is their core competence)… or is it?

What this undercover eavesdropping indicates is that the US government can’t be trusted. It has not been transparent about what it is doing. It is eavesdropping behind the backs of its own citizens, and even after Edward Snowden’s exposure it continued to deny it. I see ‘trust’ as a world currency. Each one of us creates or destroys trust through our personal and professional actions, which is especially pertinent in the very connected world we live in today. Transparency is a foundation for trust, and governments that continue this facade of lying to their citizens do so at the cost of trust… and eventually the US dollar will pay the price!

Whistleblowers & ‘transitional data’ the way forward?

Natasha Lomas at TechCrunch argues that “Systematic Surveillance Will Eat Itself”. She talks about how some positive products have come out of this surveillance epidemic, mainly:

1) whistleblowers, e.g. Edward Snowden; and,

2) the rise in ephemeral type technologies that place information online in a more transitional, temporary state than what is normal today.

My take is more the move towards a ‘transparent’ society, but I am now thinking that maybe this is either the compromise end-point that we come to, or maybe a stopping house en route to transparency. The reason why I really do not see a strong place for this ‘half-way house’ is that it still assumes governments are lying to their citizens and the rest of the world, hence the need for whistleblowers (who pay a hefty personal price for their efforts), and hence the need for ephemeral technologies so that citizens can cover their backs… not cool!

You are being watched!

Interesting TEDx talk from 2012 on surveillance (thanks Dave Eddey down under ;-)). What Christopher Soghoian basically says is that you are being watched. Internet companies hang on to our personal information for as long as is practicable, and when they receive a government request for information on users they have no choice but to comply. A couple of Internet companies have tried to inform users of these orders; one of them is Twitter. Want more info? Then grab a coffee and take five 😀

Video: http://www.youtube.com/watch?v=esA9RFO1Pcw

More on Snowden

There has been another Guardian exclusive: online access to a Snowden Q&A that is worth a look if you’re even a little intrigued by all the excitement. Make yourself a cup of coffee first though 😉

What seems clear is that when Snowden says the NSA has direct access to the nine main Internet services, he means direct access. When questioned about the denials made by Google, Facebook, Apple, etc., his response was that they had no choice. It seems they are under some sort of ‘gagging’ order and would break the law by admitting to these top-secret operations.