The Internet was not designed with anonymity in mind; in fact, one of the original design goals was accountability [1]. However, anonymity has become a necessary and legitimate aim in many applications (browsing the internet, chatting, sending instant messages etc.). In these applications, encryption alone cannot maintain the anonymity required by users. The main reason for this is the fact that in this case only the communication is encrypted; it is still possible to know the source and destination of the communication. Thus, it is possible to identify who is initiating the communication, and for whom this communication is intended. This alone defeats the sole purpose of anonymity on the Internet.
Therefore, many tools providing anonymity emerged and were made available for the general public. Tor is one of them. In a short amount of time, usage of this tool became increasingly widespread amongst business networks and it is now considered one of the largest and most famous anonymity networks available. On the other hand, it becomes very important for organizations to understand the risks associated with the use of this software in their business network. This article highlights some major risks of using Tor in a business network, and provides some recommendations to prevent and/or detect it.
Tor is a software that allows users to browse the Web anonymously. Tor stands for “The Onion Router” and it is called so because it is using the Onion routing protocol to conceal information about user activity, location and usage from anyone conducting network surveillance or traffic analysis. People use Tor to keep their privacy, security and anonymity on the internet. It is steadily used by journalists, political dissidents and criminals to keep their communications and locations private.
Originally, the development of the onion routing protocol was sponsored by the U.S. Naval Research Laboratory in the 1990s, and Tor itself was developed by the Navy and independent researchers in 2002. The protocol is still being worked on and supported under the Tor Project, a nonprofit organization.
Now that we know a bit about Tor, let’s talk about how it works. At a high level, when you connect to Tor, your computer becomes a node and can be used by any other Tor users to relay their traffic. The Tor network hides your identity by moving your traffic (that was encrypted) across different computers, or nodes, located all across the world. Instead of taking a direct route from source to destination, the data packet sent on the Tor network takes a random pathway through several servers that cover your tracks. No individual will ever know the complete path that a data packet has taken (no one at any single point can tell where the data originally came from and where the final destination is), and anyone who tries would see traffic coming from random nodes on the Tor network, rather than your computer. For greater security, all Tor traffic passes through at least three relays (Entry node, Middle Node and Exit node) before it reaches its destination. Each of these has a specific role to play:
Below an excellent set of diagrams (extracted from www.Torproject.org [2]) which helps to understand how Tor works at a high level. An important aspect is that when a user wants to connect to the Tor network, he needs to first obtain the list of all the nodes, which is available in the directory authorities’ server. He then selects a node from the list that meets certain characteristics (mainly bandwidth, uptime …) and chooses it as its first node. It’s also important to mention that the final exit node has zero knowledge about the entry node. It is this architecture which allows the anonymization of the communication (source and destination IP addresses, data …).
To access the Tor Network, you just need to download the Tor Browser and to install it. It is free to use and doesn’t need any specific configuration or setup from the user. It can be used as a web browser and everything done goes through the Tor network automatically.
Risk management plays a critical role in protecting an organization’s information assets. Every organization should evaluate the risk and the impact that the use of any new technology in its corporate network can have on its business. Tor is one of these tools that organizations should understand, to be aware of its associated risks and its benefits as well. While it is true that Tor can be used with the legitimate goal of anonymity on the internet, it can represent a gigantic problem for an organization: bypassing network security, connecting to criminal sites on the ‘darknet’ or ‘dark web’ (websites only accessible from within an anonymized network), involving the organization in criminal activities, exposing the corporate network to malware infections, etc. In this section, we will try to identify the main risks a company is exposed to when allowing Tor inside its network. The end goal from this analysis is to sensitize and to help companies in making appropriate decisions on whether to allow or not allow the use of Tor in their network.
People operating one of the "exit nodes" can use the device to add malware. So, any user downloading through Tor exposes the organization network to malware infection. In addition to that, it’s important to know that criminals are starting to use Tor as a communication channel for malware (C&C).
Having one or more computers operating as Tor nodes exposes the company to the risk of DDoS (Distributed Denial of Service: saturation of the network bandwidth, preventing others from using it). The fact that one or more corporate servers are relaying Tor network traffic can result in a high consummation of the corporate network bandwidth which makes the organization permanently exposed to a DDoS attack
The fact that Tor encrypts all the traffic over the network makes the monitoring of the network activities between the Tor node and the Internet very hard. This way, people can bypass the security policies and controls of the organization very easily. They can connect to illegal websites, reach the darknet and purchase illegal goods and services, and steal sensitive data without anyone's knowledge.
Traffic can be sniffed at the exit node. People operating the exit node can monitor the traffic transiting through his device and then capture any non-encrypted (HTTP, FTP, SMTP without TLS …) sensitive information such as, but not limited to, login/password. That being said, employees using Tor are exposed to the risk of seeing their data and the information belonging to their organization stolen, which can have a major impact on their business. This attack is also known as MiTM (Man in The Middle) attack.
Organizations operating Tor nodes can be held responsible for others' (illegal) activities. Thus they can face the possibility of serious criminal penalties if one of the nodes they are operating is discovered transporting illegal material (child porn) or performing illegal activities (hacking, DDoS attacks, spying, etc). This usually happens when you are operating an exit node because it is the exit node’s IP that appears when the authorities start investigating the digital fingerprints of the crime.
Setting up a Tor node inside a network runs a risk of an organization’s IP being added to an Internet blacklist, notably if the node is involved in illegal activities.
How can we know if an employee is using Tor on a corporate resource? How can we detect/block Tor inside a network? The truth is that detecting/blocking Tor is never an easy thing. The solution to this problem cannot purely rely on technology, but the combination of training and awareness, security policies, security best practices, and technologies could be the best solution. Here are some of our recommendations:
Tor is an important tool. It has its benefits and it might sound like the perfect way for everyday people to cover their tracks, but it's not anywhere near perfect. Using this tool in a corporate network can open up organizations to security risks, liability and potential litigation. In fact, organizations need to pay attention to the risk of having Tor in their corporate networks.
Detecting/blocking Tor in a corporate network is never an easy thing. Organizations should consider the deployment of more than one solution, as cited above, to enhance the chance of preventing the use of Tor in their corporate network.
People should understand that Tor is not the only anonymity network designed with ultra-security in mind. I2P (Invisible Internet Project) is another example of a tool that should be considered seriously, at the same level as Tor.
Finally, proxies such as Ultrasurf, Hide my IP, Hide My Ass, ExpressVPN, etc. should also be monitored and evaluated as they can be used by employees for bypassing the security policies of their companies and performing malicious activities, although these are much easier to spot and block.
1- D. Clark. Design Philosophy of the DARPA Internet Protocols. In Proceedings of the ACM Special Interest Group
on Data Communications, pages 106–114, August 1988.
2- https://www.torproject.org/about/overview.html.en
Learn more about's Managed Security Services by downloading our Free Case Study below:
