
How to peel an onion

August 7, 2013

For all of us overwhelmed by haute cuisine (that’s French for "I can cook better than you"), I’ll start with a series of posts on how to peel an onion. Knowing how to peel an onion is so important, so fundamental, that even the feds are doing it. Go ahead, read the linked article, it’s well worth it.

Pots and pans aside, Tor was cracked. And the reason it’s news is that Tor was thought of as a sort of haven where anything goes, from drug trafficking to child abuse. Nothing could be further from the truth. As we are used to by now, when the press in their infinite wisdom talks about a crime involving technology, they don’t bother to separate the tool from the usage.

Technically speaking, Tor is a router network comprised of volunteers all over the world. Yeah, like the mighty Internet, but in this case it’s much smaller and its inner workings are different. In Tor, when a user sends a request (note that this might be any request, not just an HTTP request), the request is encrypted and re-encrypted ad nauseam, one layer per hop. Then it is forwarded to a series of (randomly chosen) routers, each of which decrypts one layer of the encryption and forwards what remains to the next one. Like an onion! With Tor you can communicate over an insecure network (the Internet) privately, with a guarantee that you’ll have privacy and freedom to conduct private matters. In fact, it works so well that shady persons decided to use it for questionable endeavours.
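To make the layering concrete, here is a small simulation I added for this post; it is not code from the Tor Project. It uses a toy stream cipher (XOR against an HMAC-SHA256 keystream) purely to show the structure: the client wraps the payload once per relay, innermost layer first, and each relay can strip exactly one layer, learning only the next hop. The relay names, the 8-byte hop header and the `EXIT` marker are conventions invented for this example; real Tor uses AES in counter mode with per-hop integrity checks and a key exchange with every relay, none of which is modelled here.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
HOP_LEN = 8  # fixed-width next-hop header (example convention)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 keystream in counter mode.
    Demonstration only; it shows layering, not a production cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Add one layer: fresh nonce || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def open_layer(key: bytes, blob: bytes) -> bytes:
    """Remove one layer with the given relay key."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return keystream_xor(key, nonce, body)


def make_keys(path):
    """One symmetric key per relay (in Tor these come from a per-hop handshake)."""
    return {relay: os.urandom(32) for relay in path}


def build_onion(path, keys, payload: bytes) -> bytes:
    """Wrap payload for the relays in `path`, innermost (exit) layer first.
    Each layer's plaintext is: next-hop header || inner blob."""
    blob = payload
    next_hop = b"EXIT"
    for relay in reversed(path):
        if len(relay.encode()) > HOP_LEN:
            raise ValueError("relay name too long for hop header")
        header = next_hop.ljust(HOP_LEN, b"\x00")
        blob = seal(keys[relay], header + blob)
        next_hop = relay.encode()
    return blob  # hand this to path[0]


def peel(relay, keys, blob):
    """What a single relay does: strip its layer, read the next hop."""
    plain = open_layer(keys[relay], blob)
    next_hop = plain[:HOP_LEN].rstrip(b"\x00").decode()
    return next_hop, plain[HOP_LEN:]


def route(path, keys, payload: bytes):
    """Simulate the circuit. Returns [(relay, next_hop), ...] and the final payload."""
    blob = build_onion(path, keys, payload)
    trace = []
    hop = path[0]
    while True:
        next_hop, blob = peel(hop, keys, blob)
        trace.append((hop, next_hop))
        if next_hop == "EXIT":
            return trace, blob
        hop = next_hop


def guard_view(path, keys, payload: bytes) -> bytes:
    """Bytes the first relay sees after peeling its own layer: still ciphertext."""
    _, inner = peel(path[0], keys, build_onion(path, keys, payload))
    return inner


if __name__ == "__main__":
    circuit = ["guard", "middle", "exit"]
    k = make_keys(circuit)
    trace, delivered = route(circuit, k, b"GET / HTTP/1.1")
    print(trace, delivered)
```

The point the trace makes: the guard learns the client and the middle relay, the exit learns the middle relay and the payload, and nobody on the path holds both ends. That is also why a flaw that leaks the client's identity from the browser itself (the subject of this post) sidesteps all of this layering.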

Have you ever been to the so-called deep Web? I have. And it’s easy to see why the general public might frown at the idea of something like the deep Web merely existing, and our beloved government doing nothing to prevent it. Why hasn’t it been legislated out of existence? Thanks to the way the Internet is built, that’s not an easy task.

The way the Internet works, the intelligence is not at the core of the network but at the periphery. The fact that 80% is porn and 19.9% is pictures of cats is a testament to the intelligence of what’s found at the periphery of the network. This dumbness of the core (or rather, the intelligence of the periphery) allows anyone with mad skillz to come up with new uses of the network. Take BitTorrent, for instance: it creates an overlay on top of the Internet so large files can be transmitted between multiple peers and whatnot. The same can be said of Tor: it creates a so-called dark overlay, and there’s nothing you can do about it.

Eoin Marques realised the same and decided to launch Freedom Hosting: a hosting provider with a no-strings-attached policy. A number of hidden services sprouted from Freedom Hosting, some illegal (like selling illegal drugs) and some legit (like the Tormail anonymized email service). Freedom Hosting is now infamous for facilitating child pornography, and the connection between Freedom Hosting, the Tor Project and child pornography may be hard to undo in people’s minds.

The onion was peeled by a JavaScript vulnerability, no less. The Tor Project distributes a browser bundle, so you can get anonymous browsing as easily as possible and keep your normal browsing and your Tor browsing as separate as possible (you may even keep your Tor browser inside a VM for extra safety). However, in recent iterations the browser bundle turned JavaScript on by default as a convenience for users. A large part of the Web these days doesn’t work with JavaScript turned off, so that seems a sensible choice to have made.

Freedom Hosting servers were compromised so that they served a JavaScript exploit. The exploit works only in Firefox 17 (the version used by the Tor browser bundle) and only on Windows. It runs an iframe injection and then loads the exploit through that. Check it out if you fancy some JavaScript yourself. Smart people analysed the exploit: what it does is trick the Firefox JS engine into calling the WINAPI gethostname(), grab the host name and MAC address, and send them to a server in Virginia (whose IP is part of a ghost block of 8 IP addresses with no known organization listed). How exactly the servers were compromised to begin with is currently unknown. The Tor Project was all over this exploit and quickly came up with a patch to prevent it, as well as an advisory to avoid using Windows, thankyouverymuch. It’s important to note that, in this case, the flaw is not in Tor itself but in the JavaScript engine of the Firefox version used in the Tor browser bundle. The fact that it works only on Windows is inconsequential to the exploit itself, as the payload was written specifically for the Windows platform. It means the only reason the exploit doesn’t work on other OSes is that the payload was written for Windows, but once you’ve broken out of the JavaScript sandbox, anything is possible.
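The thing that makes a payload like this dangerous to a Tor user is that it reports the real machine's identity, and the browser process becomes a vantage point the Tor client was never meant to protect. From the defender's side, the check worth having is simple: the Tor browser should only ever talk to the local Tor SOCKS port, so any connection from the browser process to anything else is a signal. The script below is an example I wrote for this post (not Tor Project code) that runs that check over a constructed connection log. The log format, the process names and the addresses (RFC 5737 documentation ranges) are invented for the example; port 9150 as the Tor Browser Bundle's local SOCKS port is my assumption about the default and should be adjusted to whatever your bundle actually uses.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the bundle's browser talks to the Tor client on this local SOCKS port.
TOR_SOCKS = ("127.0.0.1", 9150)

# Process names the browser shows up as in our (constructed) connection log.
BROWSER_PROCESSES = {"firefox.exe", "firefox"}

# Constructed log format: "<date> <time> <process> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proc>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one normal proxied request, the tor client itself talking to a
# relay (expected), and one browser connection that bypasses the local proxy.
SAMPLE_LOG = """\
2013-08-04 12:00:01 firefox.exe 10.0.0.5:49152 -> 127.0.0.1:9150
2013-08-04 12:00:02 tor.exe 10.0.0.5:49153 -> 198.51.100.7:443
2013-08-04 12:00:09 firefox.exe 10.0.0.5:49160 -> 203.0.113.20:80
2013-08-04 12:00:10 firefox.exe 10.0.0.5:49161 -> 127.0.0.1:9150
"""


@dataclass
class Finding:
    ts: str
    proc: str
    dst: str
    dport: int


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_proxy_bypass(lines) -> List[Finding]:
    """Flag every browser-process connection whose destination is not the Tor SOCKS port.
    The tor client's own connections to relays are expected and are ignored."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"] not in BROWSER_PROCESSES:
            continue
        dst = (rec["dst"], int(rec["dport"]))
        if dst != TOR_SOCKS:
            findings.append(Finding(rec["ts"], rec["proc"], dst[0], dst[1]))
    return findings


if __name__ == "__main__":
    for f in find_proxy_bypass(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.proc} bypassed the Tor proxy -> {f.dst}:{f.dport}")
```

Running the Tor browser inside a VM, as suggested at the end of this post, makes this check easy to enforce rather than just observe: the guest's firewall can drop everything from the browser that is not destined for the Tor client, so a payload that tries to phone home directly has nowhere to go.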

And that’s how you peel an onion. While I root for the home team (go Feds!) when bringing pedophiles to justice is the name of the game, the same exploit can be used to expose political dissidents, journalists and whistleblowers, not to mention you and me, for whatever reason. Now we’ll see who steps up to the plate. Freedom Hosting-like services are a necessity, and it seems OpenWatch is actively seeking to fill that void with OnionCloud. Know coding? Get to it. Don’t be scared off Tor. Upgrade, stop using Windows, use a VPN, disable JavaScript in your Tor browser if you can, and use it inside a VM. Protect your privacy.