So, hi everyone. First off, I'd like to have a show of hands. How many of you have heard about or used Tor? All right. How many of you run a relay? Yeah. So my talk is about the safety of the Tor network, and it's going to be three different topics. We're going to look at network diversity, we're going to look at the relay operators, and we're going to look at malicious relays.

My name is Runa Sandvik. I work for the Tor Project. The Tor Project is a nonprofit. We have somewhere between 15 and 20 employees and contractors right now working full-time on Tor and other projects, and we have volunteers all over the world. We're also hiring, so if anyone's looking for a job, come see me after. The goal of Tor is to promote free speech, free expression and privacy rights online, and we do that by developing Tor. We also do a lot of education and outreach. Over the past two years, we've done a lot of training for journalists. We've met with activists. We have done a lot of work with survivors of domestic abuse. So we do a lot more than just developing this tiny piece of software.

So, sort of like the background for my talk: over the past two years, I've had the opportunity to travel a lot. I've met with a lot of interesting people. I've met with activists in Beirut. I've met with journalists in Istanbul. I've met with university students in D.C. And a lot of them have the same sort of questions about Tor and the Tor network. How safe is the Tor network? Who are the relay operators? What about malicious relays? How much network diversity is there? And what about the CIA, NSA, PRISM, and so on? So if we're going to just comment on one straight off: the CIA does not run Tor. Tor is not a CIA honeypot. Tor was originally developed by the U.S. Naval Research Lab, but that was before 2000. Since 2002, Tor has been completely free and open source and developed by the Tor Project.
So before we go deeper into these topics, I'll start with a quick introduction to onion routing. So there are two ways that you can run Tor: you can run Tor as a relay, or you can run Tor as a client. When you run Tor as a relay, you will set it up on a computer or a Raspberry Pi or whatever it is, your toilet. And you can decide to run it as an exit relay or a non-exit relay. You can decide whether or not you want Tor users to exit onto the public internet from your computer. In the case that you're not running an exit, you'll be running what's called a non-exit. And that non-exit could also be what's called a guard relay, which is the first server that users connect to.

So, running Tor as a client: you download Tor onto your computer, you open it up, and your Tor client will then, first off, download the list. It's called a consensus. It downloads the list of all the relays in the network, and out of those roughly 4,000 relays right now, it will pick three guard relays. And for the next two to three months, it will only choose between those three when it chooses the first hop. So after choosing that guard relay, it will choose the middle relay and the exit relay. And after that, Tor will set up a connection between your computer and the guard relay and negotiate a short-term session key. It will then connect through the first server to the second server and negotiate a second short-term key. And it will do the same for the exit relay, so that when the whole circuit, which is the connection from you to the destination website, is set up, the data that you send, for example "I want to visit twitter.com", will be wrapped in three encrypted layers. So you send off the packet from your computer to the guard relay, and the guard relay will then peel off that third, outermost layer and see that, okay, the packet came from you and it's going to somewhere else in Tor.
So it will send this blob of data off to the second relay. The second relay will peel off that second layer, see that the packet came from somewhere in Tor and it's going to somewhere in Tor, but that's all it knows. So it will send it off to the third relay, the exit relay, which will then peel off that final layer, see that it came from the middle relay and see that it's going to twitter.com. So in this model, there is no single hop that will see what you are doing online. Now, the challenge here is that if the same person owns the guard relay and the exit relay, that person can see what you are doing online. That person can see that you are using Tor to visit twitter.com. Another issue is the exit relay. The exit relay operator can't look at any traffic going from her relay to the public internet, and I'll get back to that later on.

So at the moment there are roughly 4,000 relays in the Tor network, pushing around 2,500 megabytes a second in aggregate. And you would think that 4,000 relays, with like 600,000 daily users, is a good number. But if you look at this graph, it shows that out of those 4,000, only 1,000 of them are exit relays, and only 1,000 of them are guard relays. So when your Tor client is trying to choose which servers to send traffic through, it only has 1,000 or fewer options for the first hop and the third hop.

So I figured a lot of you will probably want to know about how PRISM or other spying programs affect Tor. Tor was originally designed to protect government communications, to hide where you are and who you're talking to. So Tor can't hide the fact that you're talking, how much you're talking, or when you're talking. But Tor can give you location anonymity.
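To make the circuit walk-through above concrete, here is an added example (my own code, not Tor's and not from the talk) that wraps a request in three AES-GCM layers and lets each relay peel exactly its own layer. The session keys are generated directly instead of being negotiated hop by hop, and the relay names, the twitter.com destination and the request bytes are all constructed for the demo; Tor's real cell format and handshake are not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Hop is one relay plus the short-term session key it shares with the client.
type Hop struct {
	Name string
	Key  []byte
}

// Layer is what a relay recovers after stripping its own layer: the next hop
// and the still-encrypted inner payload, and nothing beyond that.
type Layer struct {
	Next    string `json:"next"`
	Payload []byte `json:"payload"`
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewHop creates a relay with a fresh random AES-128 session key (assumption:
// a real client negotiates this key through Tor's circuit-extension handshake).
func NewHop(name string) Hop { return Hop{Name: name, Key: randBytes(16)} }

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err == nil {
		var gcm cipher.AEAD
		if gcm, err = cipher.NewGCM(block); err == nil {
			return gcm
		}
	}
	panic(err)
}

// seal adds one layer with AES-GCM; the random nonce is prepended to the cell.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// BuildOnion wraps the data innermost first: the exit's layer names the
// destination, the middle's names the exit, the guard's (outermost) the middle.
func BuildOnion(hops []Hop, destination string, data []byte) []byte {
	payload, next := data, destination
	for i := len(hops) - 1; i >= 0; i-- {
		plain, _ := json.Marshal(Layer{Next: next, Payload: payload}) // cannot fail for this struct
		payload, next = seal(hops[i].Key, plain), hops[i].Name
	}
	return payload
}

// Peel is one relay handling a cell: the GCM tag makes decryption fail under
// any key but its own, so it can strip exactly one layer and no more.
func Peel(h Hop, cell []byte) (Layer, error) {
	var l Layer
	gcm := gcmFor(h.Key)
	if len(cell) < gcm.NonceSize() {
		return l, fmt.Errorf("cell too short")
	}
	plain, err := gcm.Open(nil, cell[:gcm.NonceSize()], cell[gcm.NonceSize():], nil)
	if err == nil {
		err = json.Unmarshal(plain, &l)
	}
	return l, err
}

// Walk forwards the cell hop by hop and records each relay's view. Only the
// guard sees the client and only the exit sees the destination; an operator
// holding both ends can join the two, which is the correlation risk above.
func Walk(hops []Hop, onion []byte) ([]string, []byte, error) {
	var views []string
	prev, cell := "client", onion
	for _, h := range hops {
		l, err := Peel(h, cell)
		if err != nil {
			return nil, nil, fmt.Errorf("%s: %w", h.Name, err)
		}
		views = append(views, fmt.Sprintf("%s sees: from %s, to %s", h.Name, prev, l.Next))
		prev, cell = h.Name, l.Payload
	}
	return views, cell, nil
}

func main() {
	hops := []Hop{NewHop("guard"), NewHop("middle"), NewHop("exit")}
	fmt.Println(Walk(hops, BuildOnion(hops, "twitter.com", []byte("GET / HTTP/1.1"))))
}
```

Running it prints one line per relay showing only its neighbours, then the request as the exit forwards it; handing the outer cell to the middle relay fails authentication, which is the property that keeps a single hop from reading past its own layer.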
If you're here at DEF CON and you're using Tor to connect to Twitter, Twitter will see that you're the one logging on, because you have a username and a password, but they won't know that you're here. So like I mentioned, if the same person owns the guard relay and the exit relay, they can see what you are doing online. And recently, after Snowden leaked all of these documents, we learned that there are countries colluding, countries working together on other spying programs. So now the concern is not so much who's running the relays, but who owns the links, who controls the ASes, who controls the internet exchange points. It's not necessarily about the relays. So this all fits into whether or not we should consider different threats, if we should reconsider the threat model for Tor.

And so this is a paper that will be published later this year, that a group at the US Naval Research Lab worked on. It's called "Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries". So they took Tor the way it works right now and looked at what happens if you're sending your data through relays that happen to be controlled by the same entity, by the same AS, or in similar internet exchange points, or by countries that are now known to work together on different spying programs. We are sort of considering how we can approach this. We're trying to figure out if changing the way Tor selects relays is something that we should actually do, or if users are safer now than if we were to choose a different algorithm. So that is ongoing research right now.

So that fits in with the topic of network diversity. You probably can't see that table, but all this data is public. This one is from Compass, compass.torproject.org, and it shows the likelihood that you will have your guard relay, your middle relay and your exit relay in different countries.
So at the top of the list, there's a 25% chance that your first server will be in the US, there's a 23% chance your middle server will be in the US, and there's a 34% chance that you will exit in the US. Below that, there's a 29% chance that you will enter in Germany and that the middle relay will be in Germany, but only a 6% chance that you will actually exit in Germany. And the top of the list is US, Germany, Netherlands, France, Sweden. So we have 4,000 relays in like 150 different countries. But Tor will look at the relays that are offering the most bandwidth when choosing which relays to use for its path. It doesn't look at the countries, it looks at the bandwidth, and so the more bandwidth you offer, the more users will actually pick your relay. But that means that we may not actually have as much diversity as we would like, because all the relays are in countries like the US and Germany, where bandwidth is free and where hosting providers are actually happy with us setting up relays.

So I wanted to figure out who the relay operators are. I wanted to see if I could answer the question: has the NSA ever set up a Tor relay? So I looked at all the data, all the consensus documents that have been generated since 2007. It's all on metrics.torproject.org. And I tried to figure out who owns the IP addresses. That was sort of my starting point: who owns the IP addresses for all of these relays? And I did not find any government entities running relays. That means, well, one, they're not running any relays in their own data centers. But also, maybe they're not running relays at all. We now know about all of these spying programs. We know they have access to links, to internet exchange points. They have connections all over the world. Why would they need to run relays? Right? They have access to all of this information in a number of other ways; they wouldn't necessarily have to run relays.
A couple of sort of interesting observations, or relays that did pop up: one was TBreg. If you used Tor back in like 2008 and were on the mailing list, you will have seen this name pop up. So TBreg was the nickname of a few Tor relays that were running inside China, and were running as Tor exit relays inside China. And over the course of a year, TBreg had 20,000 different IP addresses associated with it. Now, I don't know who inside China would, one, be able to set up a Tor exit relay, and two, have 20,000 different IP addresses in a year. But my guess is government, university maybe. But we don't know. We never actually caught this relay doing anything malicious. And after a year, it just fell off the grid and we haven't seen it since.

A couple of years later, Trotsky popped up. It was the name of a couple of thousand relays in Eastern Europe, all running on dial-up, or at least offering very, very, very little bandwidth to Tor. It wasn't an exit. There was no contact information given as to who the relay operators were. And at that point, we decided to take it out of the consensus because we believed it might be a botnet. We haven't really been able to figure out whether or not it was a botnet, but we only saw Trotsky for two, three weeks and that was it. So when I say "take it out of the consensus": we have a way, and I'll get back to that later, when we see that there are relays misbehaving, to mark them as bad and then take them out of the consensus. It means that when the client downloads the list of Tor relays, it will just not choose bad exits for its circuit.

So Orbot is, yes, Orbot is Tor for Android. So you can run Tor as a client on your phone or your tablet and you can browse through Tor. You can also run Tor as a relay on your phone or set up a Tor hidden service. And I saw a number of relays with the Orbot nickname popping up in the Middle East.
There are a lot of users with mobile phones, with smartphones, and apparently a lot of them set up relays a couple of years ago as well. So there are a lot of different groups running relays. There are those who run relays on a Raspberry Pi. There are those who try and run bigger groups of relays, in the case of Orbot or Trotsky or TBreg. They may or may not actually be malicious. Then there are the groups that are supporting the Tor network in a completely different way, and in a very, very good way. So who knows Torservers.net? Some. Okay, so Torservers.net is a German nonprofit whose only goal is to increase network diversity. They will take donations and spend that money on relays for the Tor network, primarily Tor exit relays. When you saw the list, you know, there's a 23% chance that you'll exit in the U.S. or in the Netherlands; most of those relays actually belong to Torservers.net. So when you're using Tor, you are more likely to end up using a relay owned by Torservers.net or one of the other groups that I'll show, because they're running so many relays and because they're offering so much bandwidth. So you're more likely to use relays that are run by people that we trust, rather than some random guy in, I don't know, the U.K., for example. The Chaos Computer Club is similar. They also run relays offering a lot of bandwidth. I think if you create a list looking at which relays offer the most bandwidth, the Chaos Computer Club would come up as number two. Another group is DFRI in Sweden. I don't think they have nonprofit status yet, but they've just managed to get everything together, and they're able to accept donations and put the money towards actually running high-bandwidth relays. Another group is Noisetor out of San Francisco. They will also take donations. Some of these groups, I'm not sure about all of them, will also take donations in Bitcoin.
So if you can't run a relay, then maybe you can just donate to someone who can actually set it up for you.

So, malicious relays. There are, I guess, three groups of malicious relays. The first one is malicious but not intentional, meaning that someone set up an exit relay and they have, you know, OpenDNS, or they have an antivirus that is blocking certain sites. And while they may feel safe using that, having that on a Tor exit relay means that Tor users will also end up with the same filter. So if they can't visit google.com, then any Tor user will be unable to visit google.com. In those cases, we try to contact the relay operators. So when you're setting up a Tor relay, you can put in your contact information if you want, and if something is actually wrong, or we're asking you to upgrade your relay or something like that, we know how to contact you. So we will try to contact these relay operators and ask what's going on, and see if maybe they can reconfigure their computer to not censor users.

The second category is straight-up malicious: those that try and strip off SSL, or do some other sort of man-in-the-middling, or, again, censor sites just more actively. We will try to contact the operators when we can, when there is contact information given. But if they're found to actually be just malicious and they don't have contact information, we will just take them out of the list.

The third category is passive, sort of more malicious but not necessarily detectable, in the sense that they will be logging traffic. So I mentioned that when you're using Tor, the traffic from you to the exit relay is visible to the exit relay operator. It means that the exit relay operator can see what people are doing online. They won't necessarily know who's doing what, but they'll see what people are doing, which websites people are visiting.
And in some cases people set up exit relays just to log all of this information. That is not something that we can actually detect, and that is a risk. Just a risk to be aware of. But I would say that it's probably safer to use Tor than not these days.

So a question I often get is: how bad can it get? Say you're using Tor and you happen to end up on a malicious exit relay; how bad can it get? My answer is that it depends. I know that's usually an answer you'd hear from a lawyer, but it really does depend on what you're doing, and for how long you're doing it, and whether or not you're actually logging on. Say you're using Tor to access Twitter. You go to twitter.com and your browser gives you a warning about a fake SSL certificate. Now, if you choose to accept that certificate and log on, you're giving the adversary, the attacker, your username and your password, and you have lost. And that is true regardless of whether you're using Tor or not. In the other case, if the person is just logging traffic and you're not logging in anywhere and you're not communicating any sensitive information, then that person will just get lots of random data, lots of websites that you're visiting, but not necessarily a way to tie that back to you. Another thing to note is that Tor, when creating those circuits, when choosing those three relays and using them to visit all of the websites that you're visiting, will choose a new path for your traffic every 10 minutes. So if you're visiting Twitter and you spend, I don't know, 20 minutes on Twitter and then you open a new tab in your browser, Tor will create a new circuit for you. Whenever Twitter has to open a new TCP connection to pull new content, Tor will open a new connection for you. So I'm not sure how to best answer this question of how bad can it get, but it really does depend on what you're doing.
But I think in a lot of cases it's probably better to use Tor than not to use Tor, and the threats that you see on Tor are pretty similar to, you know, using the open wireless network at Starbucks or elsewhere.

So we have a couple of different tools for finding these malicious relays. The first one is called the consensus tracker, which we created somewhere between the time we saw TBreg pop up in the consensus and Trotsky. So the consensus tracker is essentially just a script that, every hour, will look at the list of relays and figure out which relays are new, which relays just joined the network, and it will send us an email. Anyone can subscribe to the list and see the list of new relays joining the network. So the information we get is the IP address, the ports, if it's an exit relay which ports it allows exit to, contact information if that has been set, just basic info. It doesn't really check for maliciousness, but if we suddenly have like 1,000 relays pop up in Syria, it's at least something that we can monitor and keep an eye on.

So a couple of years ago we created Snakes on a Tor, or SOAT, as a Google Summer of Code project. The goal of SOAT was to have a set of tests that would allow you to check for fake SSL certificates, any sort of tampering with DNS, any other types of censorship. And it worked for a while; it was written in Python 2.5 and it is no longer maintained. So for the past probably 2, 3 years we've been working on another project called OONI, the Open Observatory of Network Interference. If you run what's called ooni-probe, the client, it will check for censorship, essentially, and hopefully in like 6 months or so ooni-probe will be able to do what SOAT once did, so that we can more actively check for malicious relays or misbehaving relays.
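The consensus tracker described above is, at heart, a diff between two hourly relay lists. The following is an added example of that idea (my own code, not the Tor Project's tracker script) that parses two constructed snapshots, reports the newcomers, and goes one step further than the talk's tool by grouping the newcomers by nickname prefix and /24 block so that a burst of look-alike relays, the Trotsky pattern, surfaces as an alert. The two-line "r"/"s" layout is a simplification of consensus documents, and every fingerprint and address is a placeholder from the documentation IP ranges.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"sort"
	"strings"
)

// Relay is the part of a consensus entry the tracker reports on.
type Relay struct {
	Nickname    string
	Fingerprint string
	IP          string
	Flags       []string
}

// Two constructed hourly snapshots in a simplified consensus layout:
// "r nickname fingerprint ip orport" followed by "s flags". Fingerprints and
// addresses are placeholders, not real relays.
const OldConsensus = `
r torservers01 FP0001 192.0.2.10 443
s Exit Fast Guard Running Valid
r ccc-relay FP0002 203.0.113.5 9001
s Fast Guard Running Valid
r somepi FP0003 203.0.113.9 9001
s Running Valid
`

const NewConsensus = OldConsensus + `
r newexit FP0004 192.0.2.77 443
s Exit Running Valid
r trotsky1 FP0101 198.51.100.11 9001
s Running
r trotsky2 FP0102 198.51.100.12 9001
s Running
r trotsky3 FP0103 198.51.100.13 9001
s Running
`

// ParseConsensus reads "r" and "s" lines into a map keyed by fingerprint.
func ParseConsensus(doc string) map[string]Relay {
	relays := map[string]Relay{}
	last := "" // fingerprint of the "r" line the next "s" line belongs to
	sc := bufio.NewScanner(strings.NewReader(doc))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		switch {
		case len(f) >= 4 && f[0] == "r":
			last = f[2]
			relays[last] = Relay{Nickname: f[1], Fingerprint: f[2], IP: f[3]}
		case len(f) >= 1 && f[0] == "s" && last != "":
			r := relays[last]
			r.Flags = f[1:]
			relays[last] = r
		}
	}
	return relays
}

// NewRelays lists relays present only in the newer snapshot, sorted by nickname.
func NewRelays(old, cur map[string]Relay) []Relay {
	var added []Relay
	for fp, r := range cur {
		if _, seen := old[fp]; !seen {
			added = append(added, r)
		}
	}
	sort.Slice(added, func(i, j int) bool { return added[i].Nickname < added[j].Nickname })
	return added
}

// Alerts groups the newcomers by nickname prefix (trailing digits stripped) and
// by /24 block, and flags any group at or above the threshold.
func Alerts(added []Relay, threshold int) []string {
	byPrefix, byNet := map[string]int{}, map[string]int{}
	for _, r := range added {
		byPrefix[strings.TrimRight(r.Nickname, "0123456789")]++
		if ip := net.ParseIP(r.IP).To4(); ip != nil {
			byNet[ip.Mask(net.CIDRMask(24, 32)).String()+"/24"]++
		}
	}
	var out []string
	report := func(kind string, counts map[string]int) {
		for k, n := range counts {
			if n >= threshold {
				out = append(out, fmt.Sprintf("%s %s: %d new relays", kind, k, n))
			}
		}
	}
	report("nickname prefix", byPrefix)
	report("/24 block", byNet)
	sort.Strings(out)
	return out
}

func main() {
	added := NewRelays(ParseConsensus(OldConsensus), ParseConsensus(NewConsensus))
	for _, r := range added {
		fmt.Printf("new relay %-10s %-14s %v\n", r.Nickname, r.IP, r.Flags)
	}
	fmt.Println(Alerts(added, 3))
}
```

With the sample snapshots, the lone new exit is reported but raises no alert, while the three trotsky relays trip both groupings; the threshold is the knob a monitoring team would tune against their own hourly baseline.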
So the tool we have right now is the Tor exit SSL checker, and it does one thing: it checks for fake SSL certificates. It will take the list of exit relays and a list of URLs that you have given it, say twitter.com and gmail.com, and it will connect through the exit relays and download the SSL certificate, and then it will do the same over non-Tor and compare the two, and if there is a difference it will give you a warning. So yeah, we only check for SSL certificates right now; we hope to be able to check for other types of malicious behavior in the future.

So there are, I guess, three topics that I wanted to touch on, that I hope you will leave this talk with. One, I want you to use Tor. It seems like a lot of people are already using Tor; in the case that you're not, please do. We always say that anonymity loves company, so the more people that use Tor, the better off you are. If you're the only person at DEF CON using Tor, you sort of stand out; if you're one out of 12,000 people here using Tor, you're better off. So the more people use Tor, the better. Two, run or fund a fast relay. Not a lot of people here run relays; I'm not sure why, if it's bandwidth, if you just don't know how, if you're worried that you'll be an exit relay. But no matter what the reason is, you can always fund a fast relay: fund Torservers.net.

We're back. We are... I think you know the routine. Everyone else in the audience, what are we going to do now? I have the mic. Can I just get really close? Then... no, just talk really loud. That was a good answer. You all know the routine; what are we going to do? Oh yeah, do we have any first-time attendees? Awesome. You, sir, come on. Can I say that? Sure, you can say that. All right, to our first-time speaker and our first-time attendee.

I've got a lot of time for questions; I sort of wish I had started with that. So: you can run or fund a fast relay and help increase network diversity, or you can run an exit scanner, or help us improve the ones that we already have and help us find new
relays. So at this point, being a first-time speaker at DEF CON and talking a lot faster than I usually do, I have a lot of time for questions. So if you have questions, you can line up at the microphone up front.

I got half of that; do you want to try and repeat it? Okay. Is it safe legally to run an exit relay if the people using your exit relay are doing illegal things? Running an exit relay, in some cases, can be a bit risky. It means that any Tor user, 600,000 users, a lot of them will be using your server to access the public internet, so anything that they do online will be seen as coming from your computer, from your IP address. Over the past years there have been stories about people in Germany having their doors broken down and their computers taken, or a series of DMCA takedown notices and similar. We have spent a lot of time trying to educate law enforcement, teach them what Tor is, how it works, when or how they would encounter Tor when investigating people. And that's worked out pretty well. We have helped them understand that when they do hit an exit relay, it is Tor, it doesn't actually log any information, there is no information to be found there about the Tor users. But at the same time, if you feel that that is a risk, then running a non-exit is probably the safer option. So we have a blog post called "Tips for running an exit relay with the minimum amount of harassment", which lines out a series of steps and things to consider if you want to set up an exit relay: run it on a dedicated server; don't have your personal photos and GPG key and whatever else, chat logs, on the same server that you're running a Tor exit relay on; do not encrypt the drive in the server that is running the Tor exit relay. If you have a server with a non-encrypted disk running only Tor as an exit relay, and Tor is not logging anything, there will be no information on that server for law enforcement to dig through. So I would say, if you
consider setting up an exit relay, that would probably be the first page I would send you to. As for whether or not it's safe legally, I'm not a lawyer, so I can't really answer that question.

That's right, like ExoneraTor? Yes. It's a service that allows you to enter an IP address and see if server X was running as a Tor exit relay at time Y. So in the case that you do run into issues with law enforcement, you can use that service to point them to this page and explain to them that you were actually running an exit relay. If you do run an exit relay and you run into problems, you can also email us and we will send a signed letter just confirming that, yes, you were running an exit relay at that point in time.

So there are hidden entrance nodes via bridges; has there been any look or work into having hidden exit nodes in a similar way? So, hidden exit nodes. The question is about bridges. The image that I showed of how Tor works mentioned the guard relay. We also have something called bridges, which are similar to the guards, just that they're not listed on the internet. You can't find a list of every single bridge, which means that if you're in China and you need to connect to Tor and Tor is being blocked, you can use a bridge instead. I'm not sure if we have even considered hiding the exit nodes; I don't think it would really be a good defense. It seems to me like it would be just a bit of an arms race: we would hide them, someone would find them, and it would continue from there.

What about running relays in the cloud? For instance, if there are just a whole bunch of cloud-based, like Amazon AWS-based, relays, what does that do to your network diversity? Okay, relays. So with Amazon specifically, you are allowed to run a bridge. Running a relay is also allowed as far as their terms of service go, but you will be paying too much money for bandwidth, so you just don't want to do that. And an exit relay is not allowed in
their terms of service. But if someone were to suddenly set up thousands of relays to join the network, I'm not sure it would help the diversity too much. Tor will only pick fast relays to use for its circuits, so if you have like a thousand slow relays joining the network, then we would have a thousand slow relays joining the network. I don't think it would do much to users.

My question is pretty specific: are you aware of whether or not Google Fiber's terms of service restrict you from running an exit relay or not? I don't know. If anyone from Google is here and can answer that question, then we would all like to know. No servers at all? If anyone from Google is here, then I'd like to talk to you.

I didn't hear the full... If there are more malicious relays than not, if there are more bad users than good users? Okay, we don't know. So you go to our website and you download Tor, and the only thing that pops up in our Apache logs is that someone visited Tor. We know that people are downloading Tor, but that is it; we have no information, we don't know what you're using Tor for. Back in the day someone did a study to see which protocols were used the most, and it was mostly web traffic, but apart from that we have no way of telling what people are doing over Tor. We were accidentally banned by Facebook, yes; the issue that was a month ago. Okay, so it does happen. So someone used Tor and pulled publicly available content from Facebook, and Facebook accidentally blocked a ton of Tor exit relays. So it does happen, but we have no way of telling how often it happens or how many users are actually misbehaving in that way.

What about hidden services? Hidden services, dubbed by the media the dark web, the deep web, are a way of hosting content over Tor. It means that you can set up a website and it will have a URL of a random string of 16 characters with .onion at the end, and it will only be accessible over Tor
and no one will know that you are the one hosting the site, and you will not know who is visiting the site, because everything is over Tor. The content cannot be censored; we cannot find out who is actually running Tor hidden services. So it's sort of just anonymous hosting, in a way. Recently there was a paper published pointing out a number of issues with Tor hidden services, and we wrote a very long blog post explaining all the things that we would like to see improved with Tor hidden services.

The question was: how do you establish trust for the consensus, how do you make sure that the list clients download is a safe list? When you set up a relay, your relay will tell nine directory authorities that it exists, and these nine directory authorities will then confirm that your relay has the IP address that you've said it has, that the nickname matches, and if it's an exit, they will make sure that you can actually exit. Then these nine directory authorities vote on this information, whether or not that information is correct. If the majority of them vote that, yeah, it's correct, it's valid, then that relay makes it into the consensus. And once they have done that for all the relays in the network, that list is then signed by every single directory authority, and when the client downloads this list, it will check that the signatures are okay.

I had a follow-up question to that: who controls the directory authorities, and who controls the .onion domain name servers? The directory authorities are run by core Tor Project developers or people that we trust. So there's a good mix: some of them are in the US, some are outside of the US, some are run by Tor people and some are not, but you have to be a trusted member to be able to run one. The second question was about the .onion domains. No one really controls that; you generate a domain when you set up a Tor hidden service, and that's that.

Is there diversity in the directory authorities to protect from court orders for a
specific country? If the NSA served us with any type of letter to mark relays as bad and to effectively redirect all Tor traffic to the NSA, then we just wouldn't do it.

Is there any way for an exit relay to figure out who the Tor user is? No. So the only information that the exit relay has is that people are doing stuff, that people are watching videos of cats. So the only thing that you could do, if you were to attack Tor users, would be to make sure that you are that first hop, that you are the guard relay, and that you are the exit relay. And doing that when targeting a person seems really, really difficult. I mean, I'm sure you have way better options to actually target people than to try and set up a thousand Tor relays.

So Tor is TCP only right now. We have a proposal for UDP, but I'm not sure what the status is. I don't think we've done a lot of work on that for a while. We have done more work on getting Tor to play nice with IPv6.

Sorry, hardware? Can you repeat that? Hardware integration, okay, thanks. So we have a project called the Tor router, where the goal is to just take a stock router and put Tor on it, and make sure that it sets up a wireless network where everything that you do on that wireless network is sent through Tor, and that it is also running as a bridge or a relay or an exit relay, for example. That project will probably be announced in about six months. Projects like the Onion Pi, FreedomBox, I know I've worked on some stuff there; there's a lot of work being done. We need more people to help us test those projects, but we don't have anything right now.

If you're running an exit node to filter traffic, then you just might as well not run an exit node at all? Like, sure. Okay, if you want to talk about child pornography specifically: running an exit relay to filter content in general means, who are you to decide what people can and cannot watch online? Obviously I think we all agree child porn is bad, but what if we gave people the
ability to actually decide what Tor users can and cannot visit through their exit nodes, and I decided watching videos of cats is not bad, so suddenly I am censoring a number of Tor users who wanted to look at totally legitimate things. So we just decided that we shouldn't decide what users can and cannot watch. It also means that we cannot be asked or forced by anyone to censor anything or give out any type of information; we don't have anything.

Filtering certain sites, like child porn sites, that are illegal where I am, in my jurisdiction: do you think it's worth running an exit under that situation? Are you guys desperate for exit nodes? We are desperate for exit nodes, but we would prefer exit nodes that are not touching user traffic, regardless of what it is.

There are absolutely no logs, none. So the question was, do we have any logs at all, and the answer is no, we don't have anything. When you visit our website to download Tor, we write just zeroes in the log. Or we write all zeroes if you are visiting the HTTP version of the site, and a one at the end if you are visiting the HTTPS version. So you download Tor and we don't know that you downloaded Tor. You start up Tor, and there are sort of two entities that will know that you are using Tor: they won't know what you are using Tor for, and the exit relay will know that someone is using Tor to do something, but they won't know who. So there are no logs, there is nothing to be subpoenaed, we cannot be given any magical letters that force us to do anything, we don't have any info.

...users? It's a good point, the ISP. Yeah, the ISP, whoever the backbone provider is. It's a good question, if they actually look at that traffic. Do you know, is that a common thing for ISPs or service providers on a top level? Does a backbone provider log incoming connections to websites that are hosted by people? Sorry, if we want... if we are going to put together a list of Tor projects, is that the question? Tor apps? Do we have a list on our
website talking about products and services that we have, and if you're not on that list, then it is not a project that is maintained or developed by the Tor Project.

No, I have not seen any Tor exit nodes attacking browsers. So for users running the Tor Browser Bundle, what safeguards are in place to prevent the exit relay, like a malicious twitter.com, sending some sort of malicious program back to their computer to make a connection on the open web? Are there any restrictions, what kind of protections are there? So the Tor Browser Bundle blocks a lot of things by default, like Flash and Java, things like that, but that is it. If an exit relay is actually able to inject a very specific type of exploit into the user's traffic, then there are no... if you can do that without Flash or Java or getting the user to open an attachment, then you win. So he's waving at me saying that I'm out of time, so I figured we can go to the chill-out room if you have more questions and we can continue there. Thanks.
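The answer above about how clients come to trust the consensus (nine directory authorities check each relay, a majority vote decides what gets in, every authority signs the result, the client checks the signatures) is worth seeing as code. The following is an added example of my own, not Tor's directory protocol or its document formats: fresh Ed25519 keys stand in for the authorities' identity keys that a real client ships with, the votes are constructed, and the rule that a client accepts a consensus only when more than half of its trusted authorities have signed it is this example's assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// Authority is one directory authority with its long-term signing key pair.
// Keys are generated here for the demo; a real client is shipped with the
// authorities' public keys, which is what makes the signatures meaningful.
type Authority struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewAuthority(name string) Authority {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Authority{Name: name, Pub: pub, priv: priv}
}

// Vote is the set of relay fingerprints one authority checked and found valid.
type Vote map[string]bool

// Tally keeps a relay only if more than half of all authorities voted for it,
// so no single authority can add a relay to, or drop one from, the consensus.
func Tally(votes []Vote, totalAuthorities int) []string {
	count := map[string]int{}
	for _, v := range votes {
		for fp, valid := range v {
			if valid {
				count[fp]++
			}
		}
	}
	var kept []string
	for fp, n := range count {
		if n > totalAuthorities/2 {
			kept = append(kept, fp)
		}
	}
	sort.Strings(kept)
	return kept
}

// BuildBody serialises the agreed relay list; this is the byte string that is signed.
func BuildBody(kept []string) string {
	var b strings.Builder
	b.WriteString("network-status-version 3 (constructed example)\n")
	for _, fp := range kept {
		fmt.Fprintf(&b, "r %s\n", fp)
	}
	return b.String()
}

// Consensus is the signed document a client downloads.
type Consensus struct {
	Body string
	Sigs map[string][]byte // authority name -> Ed25519 signature over Body
}

// Sign has each listed authority sign the same body.
func Sign(body string, auths []Authority) Consensus {
	c := Consensus{Body: body, Sigs: map[string][]byte{}}
	for _, a := range auths {
		c.Sigs[a.Name] = ed25519.Sign(a.priv, []byte(body))
	}
	return c
}

// Verify is the client-side check: count the signatures that validate under
// keys of authorities the client already trusts, and accept only if more than
// half of them signed (this majority threshold is the example's assumption).
func Verify(c Consensus, trusted []Authority) (valid int, ok bool) {
	for _, a := range trusted {
		if sig, present := c.Sigs[a.Name]; present && ed25519.Verify(a.Pub, []byte(c.Body), sig) {
			valid++
		}
	}
	return valid, valid > len(trusted)/2
}

func main() {
	var auths []Authority
	for i := 1; i <= 9; i++ {
		auths = append(auths, NewAuthority(fmt.Sprintf("dirauth%d", i)))
	}
	// Constructed votes: RELAY-A passes at every authority, RELAY-B at five, RELAY-C at four.
	votes := make([]Vote, len(auths))
	for i := range votes {
		votes[i] = Vote{"RELAY-A": true, "RELAY-B": i < 5, "RELAY-C": i < 4}
	}
	c := Sign(BuildBody(Tally(votes, len(auths))), auths)
	n, ok := Verify(c, auths)
	fmt.Printf("%s%d valid signatures, accepted=%v\n", c.Body, n, ok)
}
```

Two failure modes fall out directly: a document altered in transit validates under none of the keys, and a document signed by only a minority of authorities, such as a single coerced one, is counted but not accepted, which is the structural reason one authority being served a letter cannot by itself change what clients use.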