Phenquestions
Introduction to TOR and .onion
What is TOR For?
That is the first question that comes to mind. The Onion Router (aka TOR) is a tool that allows you to stay somewhat anonymous while using the internet. You might ask yourself, I did nothing wrong or illegal, why do I need to stay anonymous? That's a very good question.
The Internet is global and is not a subject to any one country's regulations. Even if you are not doing anything that your government would consider illegal there is still pretty good chance that your activities are going to upset someone. Imagine this, one day you log into your account and discover that it has been hacked (through no fault of your own) and used to make posts that are directly opposite (not to mention extremely offensive) of what you believe in. You check your email and it is full of “hate mail” from your now former fans. While the damage might not be irreparable, do you also want to worry about the attackers actually knowing you real-world identity and where you live? Do you want them contacting your employer, your landlord and your real life friends with the links to the horrible things they put online while pretending to be you? Need I continue?
And that is why you would be wise to stay anonymous online and learn to use tools that facilitate it (including TOR).
How TOR Works.
The core ideas behind TOR are: it channels your communication through a number (at least 3) of relays. Each relay has its own layer of encryption. So, even if a relay (except for an exit node, more on that later) gets compromised, there is no easy way to know what your final destination is or where you are coming from because everything (except the information about next relay) is encrypted.
In fact, each relay uses a separate layer (like onion) of encryption. When the TOR client sends the data it is first encrypted so that only the exit node can decrypt it. It adds some metadata to it and then encrypts it again with a different key. The step is repeated for every relay in the circuit. Check out this post for more details on how TOR works.
The Bad Exit
You might ask yourself: it is all well and good that TOR still keeps you safe even if some of the intermediate nodes have been compromised. What happens if it is the exit (the one that connects to your final destination) node? Short answer: nothing good (for you). That's the bad news. The good news is that there are ways to mitigate the threat. The community is identifying and reporting (they get flagged with BadExit flag) bad exit nodes (see this for up to date list) on a regular basis and you can take some measures to protect yourself as well.
It is hard to go wrong with using HTTPS. Even if the exit node is controlled by the attacker they don't actually know your IP address! TOR is designed in such a way that each node only knows the IP address of a previous node but not the origin. One way they can figure out who you are is by analyzing contents of and modifying (injecting JavaScripts is a fairly common tactic) your traffic. Of course, you have to rely on your destination site to actually keep their TLS (check out this article for more details) up to date and even then you might not be safe depending on the implementation. But, at least using encryption will make it *lot* more expensive if not impractical for the would-be attackers. This fun interactive online tool can help you see how the TOR and HTTPS fit together.
By the same token, it is also a good idea to use a VPN - preferably the one that does not keep more logs then necessary (IPVanish is pretty good). This way, even if your encryption was cracked and your origin IP was tracked down, the attackers still don't have much to work with. Besides, with the net neutrality, it is a good idea to obscure your online activities from your ISP. Unless you like your internet access being throttled and the data about your online habits being sold to the highest bidder, of course.
Use .onion And Disable JavaScript
There are more measures you can take to stay safe. One thing you can do is check if your website (quite a few do, including DuckDuckGo search engine) has .onion service and use that if it does. What that means: the website itself is also the exit node. This makes life lot harder for the would-be attackers as the only way they can control the exit node is by controlling the service itself. Even then, they still won't know easily know your IP address.
One way they can find out your IP address is by injecting a certain JavaScript into the response. It is highly recommended that you disable JavaScript in your TOR browser for that reason. You can always enable them for an specific site if need be.
TOR Helps Everyone Stay Safe
They say: “If you have nothing to hide, you have nothing to fear”. Unfortunately, the opposite is also true. Even if you did not do anything wrong, you could still be targeted by someone. Your data can also be used for questionable things (such as identity theft) without your knowledge - why should you let everyone see it?
Besides if you use TOR you create more traffic for the “bad guys” to analyze and make their life more difficult in general thus helping everyone else to stay safe. Keep calm and use open source.
Works Cited
“How HTTPS and Tor Work Together to Protect Your Anonymity and Privacy.” Electronic Frontier Foundation, 6 July 2017
“How Tor Works: Part One · Jordan Wright.” Jordan Wright, 27 Feb. 2015
“Net Neutrality.” Wikipedia, Wikimedia Foundation, 14 Dec. 2017
Project, Inc. The Tor. “Tor.” Tor Project | Privacy Online
TLS vs SSL, Linux Hint, 8 Dec. 2017
