I received excellent feedback on the first draft of the technical guide to internet anonymity I wrote a few days back for Global Voices. One of the questions I was asked (multiple times, and sometimes quite forcefully!) was why I hadn’t included the Tor (The Onion Router) network in the draft document.
The simple answer: I hadn’t had time to play with the system yet, and couldn’t talk about it in other than theoretical terms. (And I have this thing about not praising or panning software without actually using it…)
But I had some “free” (heh) time this morning and wanted to fire it up so I could add a section to the document, and see if Tor is something I’d want to run on a regular basis.
I was pretty damned impressed with the ease of installation of Tor on my Mac. I was all set to blame the Tor folks for releasing a broken .dmg file (the format used for Mac installation packages), when I discovered that I couldn’t install any .dmgs after installing Apple’s 10.3.9 update – nice work, Apple. (If you’re getting this page as a response to a search query for error -536870208 after installing 10.3.9, try running Disk First Aid, fixing any permissions errors you encounter and restarting. Worked like a charm for me.) But Tor installed itself and Privoxy, an exemplary adblocker and proxy, with almost no intervention on my behalf. After a restart, I only had to change preferences in Firefox, setting 127.0.0.1:8118 as my proxy for HTTP and HTTPS, to get the system up and working.
(Uninstallation is another matter. The installer doesn’t have an uninstall option. And the Tor-FAQ wiki is less than helpful regarding uninstallation: “This depends entirely on how you installed it. If you installed a package, then hopefully your package has a way to uninstall itself. If you installed by source, I’m afraid there is no easy uninstall method. But on the bright side, by default it only installs into /usr/local/ and it should be pretty easy to notice things there.” Gee, thanks.)
Uninstallation aside, it’s pretty clear that the developers of Tor are thinking hard about usability – as I read the draft of the paper they’re now working on, Challenges in Low-Latency Anonymity, I felt a certain amount of contrition about the rant I wrote last week about usability and anonymity. (Only a little contrition. I am a blogger, after all.)
Paper authors Roger Dingledine, Nick Mathewson and Paul Syverson make it clear that usability is one of the major goals of the system:
“The ideal Tor network would be practical, useful and anonymous. When trade-offs arise between these properties, Tor’s research strategy has been to remain useful enough to attract many users, and practical enough to support them. Only subject to these constraints do we try to maximize anonymity.”
This isn’t just because Tor’s architects are trying to be nice to their users. It’s because no anonymity strategy works if there are insufficient users. If you’re the only user of a particular strategy, you’re pretty damned visible to someone doing network analysis.
“Usability for anonymity systems contributes to their security, because usability affects the possible anonymity set. Conversely, an unusable system attracts few users and thus can’t provide much anonymity.”
Because they’re worried about maintaining large networks of users and anonymizing servers, they’re also very concerned about who uses Tor. If all the users are bad guys, it’s unlikely that universities, ISPs and other organizations capable of hosting high-bandwidth nodes will continue to participate.
“…the network’s reputability affects its operator base: more people are willing to run a service if they believe it will be used by human rights workers than if they believe it will be used exclusively for disreputable ends… So the more cancer survivors on Tor, the better for the human rights activists. The more malicious hackers, the worse for the normal users.”
So how well does Tor work, from the perspective of someone trying to recommend tools to human rights workers? For the most part, it works really, really well. Using IPID and noreply, I checked the IP I appeared to be coming from a couple dozen times. Six different “exit nodes” registered, from around the world. (Oddly, the first was a Harvard server, which caused me to worry for a few seconds.)
Tor automatically generates a path through proxy servers, encrypting traffic so that each router only knows the next router in the chain, and doesn’t know the contents of your packets. I’m guessing that Tor maintains each of these chains for a few minutes, changing them if they get congested, or otherwise when they “time out” – I noticed that I had the same exit node for a couple minutes at a time. (It’s, of course, possible that the intervening chain changed and the exit stayed the same.)
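The layering described above can be sketched in a few lines. This is an added illustration, not code from the original post or from the Tor project: the relay names, keys and function names are constructed, and a toy HMAC-based stream cipher stands in for real cryptography.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    # Toy stream cipher (HMAC-SHA256 in counter mode); a stand-in, not Tor's cryptography.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)  # fresh nonce for every layer
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def unseal(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def build_onion(path, destination, payload):
    """path is [(relay_name, key), ...], entry relay first. Wrap from the exit inwards."""
    next_hops = [name for name, _ in path[1:]] + [destination]
    blob = payload
    for (_, key), nxt in reversed(list(zip(path, next_hops))):
        blob = seal(key, json.dumps({"next": nxt, "data": blob.hex()}).encode())
    return blob

def peel(key, blob):
    """What one relay does: remove its own layer and learn only the next hop."""
    layer = json.loads(unseal(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])

def route(path, blob):
    """Pass the onion along the path and record what each relay learned."""
    learned = []
    for name, key in path:
        nxt, blob = peel(key, blob)
        learned.append((name, nxt))
    return learned, blob

def demo():
    # Constructed relays and keys; real Tor negotiates a session key with each hop.
    path = [(n, os.urandom(32)) for n in ("entry", "middle", "exit")]
    onion = build_onion(path, "example.org:80", b"GET / HTTP/1.0")
    return route(path, onion)

if __name__ == "__main__":
    learned, delivered = demo()
    print(learned, delivered)
```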
The ever-changing IP addresses lead to some odd web behaviors. Google, which uses geolocation to determine what nation you’re coming from, has greeted me in English, Dutch, Japanese and German over the past four searches. (And, by the way, Google clearly is using different algorithms for different languages – I get very different results for searches involving “Tor” in countries where the word means “bridge”.) That’s okay – I keep meaning to brush up my language skills. But it looks like I’m not going to be an especially good Wikipedian while using Tor. I’m blocked from editing pages because I’m coming from an anonymous proxy. Logging into my user account doesn’t help – I’m still blocked. (Oddly, this turns on and off as well. Perhaps Wikipedia is only blocking certain Tor routers?) The block page invites me to email Jimmy Wales to request a block exception and tells me that if I’m really in so much danger that I need strong anonymity that I shouldn’t contribute to Wikipedia. (I got this block page twice, but have not been able to recreate it lately, so I apologize that I don’t have the exact language.)
And Frontier, the weblog server that Harvard runs, fails utterly, complaining when I post that “the referrer did not match the expected referrer”.
Oh, and it’s slow. Noticeably slower than just using a single proxy, especially when accessing sites with a lot of images. (Flickr, for instance, is a miserable experience through Tor.) This makes sense – each file requested (each image) needs to get encrypted and decrypted several times. Even though each of those operations is pretty quick, they add up when you’re requesting a couple dozen images at a time.
How useful is Tor for the theoretical whistleblower I talk about on Global Voices? Pretty darned useful. There are three major drawbacks to the system for that imagined user:
That said, I’m impressed so far, and suspect that Tor will become increasingly popular for net surfing and publishing in highly monitored countries. I’ll be very interested to hear from my buddies at the Open Net Initiative whether they’re seeing active attempts to block Tor – I guarantee that we’ll see these efforts soon if Tor keeps growing.