Tor and Anonymity Networks
Summary
Tor, The Onion Router, is a network of volunteer-operated relays that routes internet traffic through multiple layers of encryption, making it difficult to trace communications back to their origin. The underlying design, onion routing, was developed at the US Naval Research Laboratory in the 1990s to protect government communications; Tor itself was released as free software in 2002 and has been maintained since 2006 by the nonprofit Tor Project. The same technology that protects political dissidents in authoritarian countries, whistleblowers sending documents to journalists, and abuse survivors communicating safely also carries drug markets, child exploitation material, and ransomware operations. Tor is among the clearest examples in computing of dual-use technology: the properties that make it valuable for human rights protection make it valuable for criminal concealment, and there is no technical mechanism that provides one without the other.
The Naval Research Laboratory Origins
The mathematics behind Tor — onion routing — was developed by Paul Syverson, Michael Reed, and David Goldschlag at the US Naval Research Laboratory (NRL) in the mid-1990s. Their goal was practical: the US intelligence community needed a way to communicate online that would not reveal the identity of the communicating parties to adversaries monitoring internet traffic.
The problem with standard internet communication was not encryption — by the mid-1990s, encrypting message content with SSL or PGP was practical. The problem was traffic analysis: an adversary watching network connections could see who was communicating with whom even without reading the content. A CIA officer connecting to a known foreign contact’s server revealed the connection regardless of message encryption.
Onion routing’s solution was elegant. Instead of connecting directly to a destination, a user’s traffic travels through a sequence of volunteer relay nodes:
- The user’s Tor client selects a path (a circuit) through three relays: a Guard, a Middle relay, and an Exit. The circuit is built hop by hop, with the client negotiating a separate session key with each relay through an authenticated key exchange, so no relay learns the keys of the others.
- Data is sent in fixed-size cells, each encrypted in three layers, one per relay, innermost first: the Exit’s layer wraps the actual data and the destination, the Middle relay’s layer wraps that, and the Guard’s layer is outermost.
- Each relay strips one layer (“peels the onion”), learns only the previous and next hop, and forwards what remains.
No single node knows both the origin and destination of a communication. The Guard node knows the user’s IP address but not the destination. The Exit node knows the destination but not the user’s IP address. Only the user knows the complete path.
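The three-layer construction above, as an added, self-contained Python illustration (this is not Tor’s code). Each relay here holds a pre-shared 32-byte key, where real Tor derives per-hop keys from an authenticated handshake (ntor) during circuit construction and encrypts cells with AES-CTR; the hash-based stream cipher, the 16-byte next-hop header and the relay and client names are all constructed for this example. What it shows is the observable part: each relay’s view contains only its two neighbours, and only the exit sees the destination and the request.

```python
"""Toy onion routing over a fixed three-hop circuit (illustration, not Tor code)."""
import hashlib
import hmac
import os

HOP_HDR = 16  # constructed layer header: next-hop name, NUL-padded to 16 bytes


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher built from SHA-256; toy stand-in for AES-CTR."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || 16-byte HMAC tag."""
    nonce = os.urandom(12)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the layer's tag, then strip it. A relay can only do this for its own key."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expect, tag):
        raise ValueError("layer integrity check failed")
    return keystream_xor(key, nonce, ct)


def hop_header(name: str) -> bytes:
    raw = name.encode()
    if len(raw) > HOP_HDR:
        raise ValueError(f"hop name longer than {HOP_HDR} bytes: {name!r}")
    return raw.ljust(HOP_HDR, b"\0")


def build_onion(circuit, destination: str, request: bytes) -> bytes:
    """circuit: [(name, key), ...] guard first, exit last. Wrap the innermost layer first."""
    # The exit's layer carries the real destination and the cleartext request.
    onion = seal(circuit[-1][1], hop_header(destination) + request)
    # Each earlier relay's layer names only the relay that comes after it.
    for i in range(len(circuit) - 2, -1, -1):
        onion = seal(circuit[i][1], hop_header(circuit[i + 1][0]) + onion)
    return onion


def run_circuit(circuit, client_ip: str, destination: str, request: bytes):
    """Simulate each relay peeling its layer. Returns (per-relay view, what the exit sends on)."""
    onion = build_onion(circuit, destination, request)
    views = {}
    prev = client_ip
    for name, key in circuit:
        layer = unseal(key, onion)
        next_hop = layer[:HOP_HDR].rstrip(b"\0").decode()
        onion = layer[HOP_HDR:]
        # A relay can log exactly this: who handed it the cell and where it forwards it.
        views[name] = {"from": prev, "to": next_hop}
        prev = name
    # After the exit's layer is gone, what remains is the request for the destination.
    return views, onion


def nobody_sees_both_ends(views, client_ip: str, destination: str) -> bool:
    """True if no single relay's view links the client address to the destination."""
    return not any(v["from"] == client_ip and v["to"] == destination for v in views.values())


# Constructed circuit: three relays with fresh random keys for this run.
CIRCUIT = [("guard", os.urandom(32)), ("middle", os.urandom(32)), ("exit", os.urandom(32))]

if __name__ == "__main__":
    views, delivered = run_circuit(CIRCUIT, "203.0.113.5", "news.example:443", b"GET / HTTP/1.1")
    for relay, v in views.items():
        print(f"{relay:6s} sees {v['from']} -> {v['to']}")
    print("exit delivers:", delivered)
```

Two things the toy deliberately leaves out are worth noticing: each layer here adds 28 bytes, so a relay could infer its depth from cell length, which is why Tor pads every cell to a fixed size; and the exit hands the request to the destination in the clear, so anything not encrypted end to end is readable by whoever runs that relay.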
The NRL published the onion routing concept in 1996. The design was intentionally released publicly — a secret anonymity protocol known only to intelligence agencies would be useless for protecting those agencies’ communications, since an adversary monitoring unusual encrypted traffic could infer that a small number of users were likely intelligence operatives. A public network with millions of ordinary users provides better cover.
Tor as Free Software
In 2002, Roger Dingledine and Nick Mathewson, computer scientists working with Syverson and NRL on onion routing, released the first public version of Tor (The Onion Router) as free, open-source software. The code and protocol specifications were published openly; anyone could run a relay and contribute to the network.
In 2004, the NRL released the Tor code under a free software license and the Electronic Frontier Foundation took over funding of its development. The Tor Project, the nonprofit that maintains the software and advocates for online privacy today, was incorporated in 2006 by Dingledine, Mathewson, and others. Later grants came from the US State Department and the Broadcasting Board of Governors: the US government funding a tool used, among other things, to circumvent censorship in countries whose governments the US opposed.
In 2008, the Tor Browser Bundle (a modified Firefox that sends all of its traffic through Tor, packaged together with the Tor client) made the network accessible to non-technical users. Before it, using Tor meant installing the daemon and pointing each application at its SOCKS proxy; after it, a user could download a single application and be browsing through Tor within minutes.
How Tor Works in Practice
A user who installs Tor Browser and visits a website achieves several properties:
- The website sees the Exit node’s IP address, not the user’s.
- The user’s ISP sees that the user is connecting to Tor (specifically to a Guard node or bridge), but not the websites visited.
- Tor relay operators see only adjacent hops — never both origin and destination.
- Network observers (surveillance systems, traffic monitors) can detect Tor traffic and can see that someone is using Tor, but (in the typical case) cannot determine what sites the user visits.
Tor also provides Onion Services (formerly called Hidden Services): servers that are reachable only through Tor and whose IP addresses are unknown even to the relays that carry their traffic. Client and service each build their own circuit to a rendezvous relay, so neither learns the other’s real IP address. Onion addresses are not resolvable through the public DNS system. Current (v3) addresses are 56 Base32 characters followed by .onion and encode the service’s Ed25519 public key together with a checksum and a version byte, so the address itself authenticates the service; the older 16-character v2 addresses were retired from the network in 2021 and no longer work.
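Checking an onion address before trusting it (for example in an allowlist or a submission-portal configuration), as an added example that is not Tor Project code. The v3 format is the one in Tor’s rend-spec-v3: the address is the Base32 encoding of the 32-byte Ed25519 public key, a 2-byte checksum and the version byte 0x03, where the checksum is the first two bytes of SHA3-256(".onion checksum" || pubkey || version). The 32-byte key used below is constructed bytes, not a real key; the decoder recovers the key from a valid address and rejects wrong-length, retired v2, and tampered ones.

```python
"""Encode and validate v3 .onion addresses (added example; format per Tor rend-spec-v3)."""
import base64
import binascii
import hashlib

ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Address for a 32-byte Ed25519 public key: base32(PUBKEY || CHECKSUM || VERSION) + ".onion"."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be exactly 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION  # 35 bytes -> 56 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_v3(address: str) -> bytes:
    """Return the embedded public key, or raise ValueError saying why the address is unusable.

    A subdomain prefix (www.<56 chars>.onion) is accepted, as Tor permits it.
    """
    labels = address.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        raise ValueError("not a .onion address")
    body = labels[-2]
    if len(body) == 16:
        raise ValueError("v2 onion address: retired from the network in 2021")
    if len(body) != 56:
        raise ValueError(f"v3 address body must be 56 characters, got {len(body)}")
    try:
        raw = base64.b32decode(body, casefold=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid Base32: {exc}") from None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError(f"unsupported onion address version 0x{version.hex()}")
    if checksum != onion_v3_checksum(pubkey):
        raise ValueError("checksum mismatch: address was mistyped or tampered with")
    return pubkey


def is_valid_onion_v3(address: str) -> bool:
    try:
        decode_onion_v3(address)
        return True
    except ValueError:
        return False


# Constructed stand-in for a service's Ed25519 public key (not a real key).
SAMPLE_PUBKEY = bytes(range(32))

if __name__ == "__main__":
    addr = encode_onion_v3(SAMPLE_PUBKEY)
    print(addr)                                   # every v3 address ends in "d.onion"
    print(decode_onion_v3(addr) == SAMPLE_PUBKEY)  # True
    # Retired v2 format and a one-character tamper of the version field are both refused.
    for bad in ("facebookcorewwwi.onion", addr[:-7] + "a.onion"):
        try:
            decode_onion_v3(bad)
        except ValueError as e:
            print("rejected:", bad, "->", e)
```

The version byte is why every v3 address ends in the letter d: its low five bits are the last Base32 symbol. The two-byte checksum only catches typos and truncation; it is not a signature. What authenticates a service is that the embedded key must sign the descriptor the client fetches, so an address copied from an untrusted source still has to be verified out of band.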
Onion services were designed for legitimate confidentiality: a newspaper can operate a secure submission portal invisible to censors, a company can provide an internal service unreachable from the open internet. Facebook has operated an onion service since 2014 (originally at facebookcorewwwi.onion, later moved to a v3 address) to give users in censored countries a way to reach Facebook that is hard to block. The New York Times, BBC, and Deutsche Welle run onion services so that readers in China, Iran, and Russia can reach their content when the regular sites are blocked.
The same mechanism enabled drug markets. Silk Road, launched in 2011, allowed sellers and buyers to transact in Bitcoin for drugs, with the market accessible only through Tor. At its peak, Silk Road processed approximately $1.2 billion in sales before the FBI identified and arrested its founder, Ross Ulbricht, in 2013. Silk Road’s closure spawned successors — Agora, AlphaBay, Hansa, Dream Market, White House Market — that used the same Tor-hidden-service model.
Users and Adversaries
Tor’s user base is diverse and reflects the technology’s dual-use nature:
Journalists and sources: SecureDrop, a system for anonymous document submission used by major news organizations, relies on Tor hidden services. Edward Snowden recommended that journalists use Tor. The Committee to Protect Journalists and other press freedom organizations train journalists in Tor use.
Political dissidents: Citizens in China, Iran, Russia, and other authoritarian states use Tor to access blocked content and communicate without government surveillance. Tor’s use spikes measurably after major censorship events.
Privacy-conscious ordinary users: People who wish to avoid commercial surveillance — targeted advertising profiling, data broker tracking — use Tor for general browsing.
Security researchers: Security professionals use Tor to research threats without revealing their organizational IP addresses to hostile sites.
Criminals: Tor hidden services host drug markets, hacked credential markets, ransomware command-and-control infrastructure, and other illegal operations. The FBI, Europol, and law enforcement agencies globally devote significant resources to Tor de-anonymization.
The Tor Project has never attempted to prevent criminal use because it is technically impossible to do so: the same properties that protect a dissident protect a criminal. The organization’s position — shared by most privacy advocates — is that the free speech, privacy, and safety benefits to the far larger legitimate user population outweigh the costs of criminal access.
Attacks and Limitations
Tor is not anonymous against all adversaries. Several attack classes exist:
Traffic correlation attacks: an adversary who can monitor both the traffic entering the Tor network and the traffic leaving it, a Global Passive Adversary, can correlate the timing and volume of the two to link users to destinations. Tor’s design paper explicitly leaves this adversary out of its threat model: a low-latency network cannot afford the padding and delays that would hide timing. The NSA’s XKEYSCORE and related programs revealed by Snowden flagged Tor traffic, and NSA analysts discussed statistical techniques for de-anonymizing Tor users, while acknowledging in the “Tor Stinks” presentation that they could do so only for a small fraction of users. Nation-state agencies with taps on major network infrastructure are the adversaries Tor is least effective against.
Exit node monitoring: Tor encrypts traffic between the user and the exit, but the exit connects to the destination over the open internet. An exit operator can read, and modify, any traffic that is not itself encrypted end to end, so credentials submitted to a plain-HTTP site through Tor are visible to whoever runs the exit. Tor Browser has shipped with HTTPS-Only mode enabled by default since version 11.5 (2022), which refuses plain-HTTP connections unless the user overrides; other applications pushed through Tor’s SOCKS proxy get no such protection.
Browser fingerprinting: Even when network anonymity is maintained, browser characteristics — fonts installed, screen resolution, JavaScript capabilities, timezone — can identify individual users across sessions. The Tor Browser is configured to reduce these fingerprints, but sophisticated fingerprinting can still distinguish users.
Malware and operational security failures: Tor does not protect users who are running malware, who log into identified accounts through Tor, or who make other operational security mistakes. Ross Ulbricht was identified not through attacks on Tor but through ordinary investigation: early promotional posts for Silk Road on a Bitcoin forum, made under the handle “altoid”, were linked to a later post by the same handle that gave his real Gmail address.
Traffic confirmation by relay operators: an adversary without global visibility can still correlate entry and exit timing for the circuits on which it controls both the guard and the exit. Because clients choose relays weighted by bandwidth, an attacker who adds enough relay capacity ends up in that position for some fraction of circuits; in 2014 the Tor Project removed a group of relays that had joined that January and were actively tagging traffic to confirm which clients were looking up which onion services. Long-lived guards (a client keeps the same guard for months) limit how often a given client’s circuits pass through a hostile guard at all.
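The correlation step behind both attacks above, as an added Python example on constructed data (it is not taken from any real attack tooling). One observer at the guard side records packet timestamps per client; another at the exit side records them per outgoing flow, delayed by roughly 200 ms of latency plus jitter. Binning both into 500 ms windows and taking the Pearson correlation of the per-bin counts pairs each exit flow with the client that produced it without reading a byte of payload. Three clients and a few dozen packets make the mechanism legible; a real network has thousands of concurrent flows, and the false-positive rate is what separates a research result from a usable attack.

```python
"""Toy end-to-end timing correlation against onion-routed flows (constructed data)."""
import math

BIN_WIDTH = 0.5   # seconds; coarser than the ~0.2 s path latency assumed below
N_BINS = 10       # 5-second observation window

# Constructed guard-side view: packet timestamps (s) per client, as the guard or the
# client's ISP would see them. Payload is encrypted; only timing and count are visible.
ENTRY_FLOWS = {
    "client_A": [0.10, 0.12, 0.15, 1.10, 1.12, 3.10, 3.12, 3.15, 3.18],
    "client_B": [0.60, 0.62, 2.10, 2.12, 2.15, 4.10, 4.12],
    "client_C": [1.60, 1.62, 1.65, 1.68, 2.60, 4.60, 4.62, 4.65],
}

# Constructed exit-side view: the same flows after ~0.2 s latency and jitter,
# labelled by destination rather than by client. flow_2 carries one extra packet
# (say a retransmission) to show the match tolerates small differences.
EXIT_FLOWS = {
    "flow_1 -> 198.51.100.7:443": [1.81, 1.83, 1.86, 1.89, 2.81, 4.80, 4.83, 4.86],
    "flow_2 -> 203.0.113.80:443": [0.30, 0.33, 0.34, 1.31, 1.33, 3.29, 3.32, 3.35, 3.40, 3.41],
    "flow_3 -> 192.0.2.19:443": [0.81, 0.83, 2.30, 2.33, 2.36, 4.31, 4.33],
}


def bin_counts(timestamps, width=BIN_WIDTH, n_bins=N_BINS):
    """Packets per fixed time window: the only feature this attack uses."""
    counts = [0] * n_bins
    for t in timestamps:
        idx = int(t // width)
        if 0 <= idx < n_bins:
            counts[idx] += 1
    return counts


def pearson(x, y) -> float:
    """Pearson correlation of two equal-length count vectors."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0 or vy == 0:
        return 0.0  # a flow with a constant rate per bin carries no timing signal
    return cov / math.sqrt(vx * vy)


def match_flows(entry_flows, exit_flows):
    """For each exit flow, the entry client whose bin profile correlates best, with the score."""
    entry_profiles = {c: bin_counts(ts) for c, ts in entry_flows.items()}
    matches = {}
    for flow, ts in exit_flows.items():
        profile = bin_counts(ts)
        scores = {c: pearson(p, profile) for c, p in entry_profiles.items()}
        best = max(scores, key=scores.get)
        matches[flow] = (best, round(scores[best], 3))
    return matches


if __name__ == "__main__":
    for flow, (client, r) in match_flows(ENTRY_FLOWS, EXIT_FLOWS).items():
        print(f"{flow}  <=  {client}  (r = {r})")
```

Tor’s defence is not to remove this signal, which a low-latency design cannot do, but to make it unlikely that one party sees both ends of the same circuit: long-lived guards, relays run by many independent operators, and an explicit refusal to claim protection against a global observer. Constant-rate or heavily padded traffic would drive the per-bin variance toward zero, which is exactly the case the `pearson` function treats as carrying no signal.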
The Broader Anonymity Landscape
Tor exists within a broader ecosystem of anonymity technologies:
I2P, the Invisible Internet Project, launched in 2003 and uses “garlic routing”, a variant of onion routing that bundles several messages into one encrypted unit and carries traffic over one-way tunnels. It is designed around services hosted inside the network rather than exits to the open internet, and is most used for file sharing and messaging among its own users.
Freenet (renamed Hyphanet in 2023), released by Ian Clarke in 2000, is a distributed data store in which content is replicated across volunteer nodes, making censorship and deletion difficult. Freenet stores content; Tor routes traffic.
VPNs (Virtual Private Networks) hide traffic from the user’s ISP and defeat simple traffic analysis by routing everything through an operator’s servers, but they concentrate trust in that one operator, who can log traffic, comply with legal orders, or be compromised. Tor spreads trust across three relays from independent operators; linking a user to a destination requires observing or controlling both the guard and the exit of the same circuit.
Zero-knowledge proofs and privacy-preserving computation technologies represent emerging approaches that provide verifiable properties without revealing underlying data — relevant for financial applications, identity systems, and other domains where anonymity and accountability must be balanced.
📚 Sources
- Goldschlag, Reed, and Syverson, Hiding Routing Information (1996) — the original Naval Research Laboratory onion routing paper
- Dingledine, Mathewson, and Syverson, Tor: The Second-Generation Onion Router (2004) — the academic paper describing Tor’s design
- The Tor Project — official documentation, threat model, and annual reports
- NSA slides on Tor (via Guardian/Snowden) — Guardian coverage of NSA Tor de-anonymization efforts
- Silk Road and Ross Ulbricht investigation — Wired’s account of how the FBI identified Ulbricht despite Tor
- SecureDrop: anonymous document submission — Freedom of the Press Foundation’s Tor-based whistleblowing system