When it rains, it pours. Following the fuss over the Storm worm impersonating Tor, today Wired and The Register are covering the story of Dan Egerstad, who intercepted embassy email account passwords by setting up 5 Tor exit nodes, then published the results online. People have been sniffing passwords on Tor before, and one even published a live feed. However, the sensitivity of embassies as targets, and the initial mystery over how the passwords were snooped, helped drum up media interest.
That unencrypted traffic can be read by Tor exit nodes is an unavoidable fact – if the destination does not accept encrypted information then there is nothing Tor can do to change this. The download page has a big warning, recommending users adopt end-to-end encryption. In some cases this might not be possible, for example browsing sites which do not support SSL, but for downloading email, not using encryption with Tor is inexcusable.
Looking at who owns the IP addresses of the compromised email accounts, I can see that they are mainly commercial ISPs, generally in the country where the embassy is located, so probably set up by the individual embassy and not subject to any server-imposed security policies. Even so, it is questionable whether such accounts should be used for official business, and it is not hard to find providers which support encrypted access.
The exceptions are Uzbekistan and Iran, whose servers are controlled by the respective Ministry of Foreign Affairs, so I’m surprised that secure access is not mandated (even my university requires this). I did note that the passwords of the Uzbek accounts are very good, so they might well be allocated centrally according to a reasonable password policy. In contrast, the Iranian passwords are simply the name of the embassy, so guessable not only for these accounts, but for any other one too.
In general, if you are sending confidential information over the Internet unencrypted you are at risk, and Tor does not change this fact, but it does move those risks around. Depending on the nature of the secrets, this could be for better or for worse. Without Tor, data can be intercepted near the server, near the client and also in the core of the Internet; with Tor data is encrypted near the client, but can be seen by the exit node.
Users of unknown Internet cafés or of poorly secured wireless are at risk of interception near the client. Sometimes there is motivation to snoop traffic there but not at the exit node. For example, people may be curious what websites their flatmates browse, but it is not interesting to know that an anonymous person is browsing a controversial site. This is why, at conferences, I tunnel my web browsing via Cambridge. I know that without end-to-end encryption my data can be intercepted, but the sysadmins at Cambridge have far less incentive to misbehave than some joker sitting behind me.
Tor has similar properties, but when used with unencrypted data the risks need to be carefully evaluated. When collecting email, be it over Tor, using wireless, or via any other untrustworthy media, end-to-end encryption is essential. The fact that embassies, who are supposed to be security conscious, do not appreciate this is disappointing to learn.
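To make the "who can read what, where" argument above concrete, here is a toy model of Tor-style layered encryption, added as an illustration and not taken from the original post or from the Tor code base. The keystream construction, hop keys and the IMAPS session key are constructed placeholders, not Tor's real cryptography; the only thing the model is meant to show is that the exit-to-server link exposes the application payload unless the application itself encrypts end to end.

```python
import hashlib

# Added illustration, not Tor's real cryptography: each hop's layer is a
# keystream XOR, with the keystream derived from a constructed per-hop key
# via SHA-256 in counter mode. Real Tor negotiates AES keys per hop; the
# point here is only who can read the payload at which position.
HOP_KEYS = [b"guard-key", b"middle-key", b"exit-key"]  # constructed keys
E2E_KEY = b"imaps-session-key"                            # constructed key


def keystream(key: bytes, n: int) -> bytes:
    """Deterministic n-byte keystream from key (toy, never for real use)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor_layer(key: bytes, data: bytes) -> bytes:
    """Add or remove one layer; XOR makes wrap and unwrap the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_cell(hop_keys, app_data: bytes) -> bytes:
    """Client wraps the application data once per hop, exit layer innermost."""
    cell = app_data
    for key in reversed(hop_keys):
        cell = xor_layer(key, cell)
    return cell


def seen_at(hop_keys, cell: bytes, position: int) -> bytes:
    """Bytes on the wire after `position` hops have peeled their layer.
    position 0: client-to-guard link; len(hop_keys): exit-to-server link."""
    for key in hop_keys[:position]:
        cell = xor_layer(key, cell)
    return cell


def visibility(payload: bytes, end_to_end: bool) -> dict:
    """Map each observation point to whether the payload is readable there."""
    app_data = xor_layer(E2E_KEY, payload) if end_to_end else payload
    cell = build_cell(HOP_KEYS, app_data)
    points = ["client link", "guard-middle link", "middle-exit link", "exit-server link"]
    return {name: seen_at(HOP_KEYS, cell, i) == payload for i, name in enumerate(points)}


if __name__ == "__main__":
    secret = b"LOGIN embassy.user embassy-password"  # constructed sample
    for e2e in (False, True):
        print("end-to-end encryption:", e2e, visibility(secret, e2e))
```

Without end-to-end encryption only the exit-server link reads the password in clear, which is exactly the position Egerstad occupied; with it, no position on the path can.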
Although I am a member of the Tor project, the views expressed here are mine alone and not those of Tor.
I did note that the passwords of the Uzbek accounts are very good
They’re long and non-mnemonic, but they all take the form ([a-z][0-9])*, which yields a smaller password space than, say, [a-z0-9]*. They do get points for effort, though, particularly compared to “password”, “asdfgh”, “12345678” (“That sounds like the combination an idiot would put on his luggage!”), and all of the Iranian passwords. Wow.
Have I missed the explanation of why embassy personnel are using Tor to forward email? I wouldn’t have thought anonymity was an issue, and apparently security isn’t either…
When even smallish private companies use VPNs for access to internal mailservers from remote locations, the notion that the foreign services of some major countries do not is hard to credit. Amazing!
@Mark
I haven’t seen any authoritative explanation for why embassy personnel are using Tor, but I can think of some reasons. Tor is an anti-surveillance technology, and embassy employees are in the type of jobs where they worry about that.
For example, suppose an embassy worker is checking their email from a public access point. By using Tor, they hide their affiliation, potentially reducing the risk that they will be attacked. They might also want to hide their employment from their ISP.
Of course, they should be using encryption, but I can understand why embassies might have encouraged the use of Tor. A VPN hides the data, but not the identity of the user, so the security added by Tor could be beneficial.
This is an interesting side effect of Tor. Normally packet sniffing is very hard to perform unless you are very close to one end of the link, because no-one is going to let you or me near the core Internet routing fabric. With an overlay network, it is much easier to become a core router, and that makes attacks that were previously only theoretical achievable in practice, because you can effectively ask Tor ‘Please route a bunch of packets to me’, and that isn’t possible on the IP internet.
@Phil
That is precisely what BGP lets you do on the normal Internet. It comes with some limitations, and you need to be an ISP, but who says all ISPs are honest? Similarly, if you set up a high-power access point in a busy airport, plenty of people will send their packets your way.
The difference is that an exit node on Tor can’t choose what data it receives and doesn’t know where it comes from (unless the content gives that away), whereas the BGP and fake-AP attacks are much more targeted and give more information.
If you trust the people around you more than a random stranger, then you’re right – Tor makes the risk of sniffing worse. But people in sensitive occupations, like embassy employees, might worry about those nearby far more than someone who randomly sees their traffic.
I’m not condoning the absence of encryption, instead I’m just pointing out that the question of whether Tor increases the risk of sniffing does not have a simple answer. That depends on the content in question and the risk-environment of the user.