Tor Security for Android and Desktop Linux
Introduction
Internet service providers in the United States have just been given the green light to sell usage history of their subscribers by S J Res 34, opening the gates for private subscriber data to become public. The law appears to direct ISPs to provide an "opt-out" mechanism for subscribers to retain private control of their usage history, which every subscriber should complete.
This comes at an interesting time for the new Trump presidency, as he appears to be preparing the Justice Department to prosecute Susan Rice for accessing telephone records of his associates while she was the National Security Advisor for the Obama administration. It is ironic and unconscionable that President Trump has chosen to erode internet usage privacy for his constituents while fiercely defending the telephone records of those closest to him.
The Tor Project presents an effective countermeasure against hostile and disingenuous carriers and ISPs that, on a properly rooted and capable Android device or Linux system, can force all network traffic through Tor encrypted entry points (guard nodes) with custom rules for iptables. This action renders all device network activity opaque to the upstream carrier—barring exceptional intervention, all efforts to track a user are afterwards futile.
Orbot for Android
A rooted Android device is required for the highest levels of service for Tor and is now a "must-have" for users who place great value on privacy. Android stock devices (where root is controlled by the Original Equipment Manufacturer [OEM] and/or the carrier) are able to use the network with applications that are aware of the local Tor client, but full root control of User ID zero is a precondition for total obfuscation of device network traffic. Carriers and OEMs work very hard to lock devices and prevent users from rooting, but they are also quite lazy in applying security updates, and a thriving industry has emerged for Android owners seizing privileged access by exploiting security flaws. A few relevant resources for rooting are Sunshine, KingRoot and KingoRoot. Depending upon the hardware model, these programs can be effective in breaking Android systems free. Research on these tools and methods is best conducted in the discussion forums for XDA Developers.
Not all rooted devices are capable of using the full services of Tor. Of particular note is the Samsung Galaxy S7, which appears incapable of running the standard Orbot client, and will use only the basic modes of the network with a newer alpha release even when rooted. If your device is so constrained, it may be time to consider a downgrade.
Note that Android Pay and Samsung Pay specifically will not function on rooted devices. Networking performance will noticeably decline while using Tor. Google web pages also will present constant "captchas" that impede access when run through Tor. These limitations are now a small price to pay in light of current events.
A proper Tor installation on Android includes both Orbot and Orfox, both products of The Guardian Project. Orbot is the Tor client control agent, and it can provide either a local proxy for Tor-aware applications or, granted root access, force all traffic to Tor entry points (guard nodes). Orfox is a custom version of the Firefox web browser with several additional add-ons and custom privacy settings. The Tor Project recommends that Orfox should not be modified, either by adding or removing add-ons or modifying the privacy related settings—load classic Firefox for this activity.
The best way to load Tor software on any Android device (rooted or not) is via the F-Droid Repository, which accepts contributions only in source code form and produces packages themselves for their binary repository. Orbot is also available on Google Play, but the F-Droid source is more trustworthy. F-Droid will provide upgrade alerts for its installed applications, which is a valuable feature for both Orbot and Orfox.
To load F-Droid, first enable third-party application installation (Settings→Security→[Enable] Unknown Sources), then Download F-Droid and install it, then open. Click the settings in the upper-right corner, and configure the repositories.
Enable the entry for the Guardian Project. Enable them all, if desired. Click the circular reload, and allow F-Droid several minutes to re-synchronize.
Search for "tor" and find Orbot and Orfox in the list (alphabetically). Note that "Orweb" is discouraged and deprecated due to security concerns. Select Orbot.
Below is the Orbot detail screen. Install it.
Below is the Orfox detail screen. Install it.
Launch Orbot. Click the second icon from the top right (the bars with dots).
If you have rooted your device, select the option to request root access.
Grant the access if you are able.
Enable the transparent proxy and run everything through Tor. It might be necessary to back out and re-enter the settings.
Use a country code to limit your Tor exit nodes. Do the same for your entrance (guard) nodes if you wish.
Note there is also a menu to select specific apps to run through Tor. Streaming services or other high-bandwidth applications will slow down Tor for everyone—exclude them if you can, and they are not a privacy concern.
Return to the main control and long-press the center button to activate Tor.
Once Tor is active, run the browser check. Note that you have loaded a new browser and likely will be presented with a dialog of available browsers. If you don't select Orfox, you will connect with a fingerprint/JavaScript warning ("does not appear to be the Tor browser").
After the browser check is complete, examine the Tor console. This will provide some reference as I discuss the theory of the network.
Tor Network: Theory of Operation
Tor is designed to be penetrated by hostile parties with vast resources. This is critical to understand and is required for safe use of the network. Do not use Tor to connect to clear-text services hosting sensitive content. If you use Tor for clear-text pop, imap, ftp, telnet, smb or http, be aware that your traffic likely will be recorded by a hostile agent, and your credentials (passwords) may well be used by parties acting against your interests, as has been established in honeypot trials by researcher Chloe. Tor is designed to trust nearly nothing and almost no one—you must do the same to use it safely.
If you have no interest in cryptography, skip this paragraph. Tor communication begins with an "ed25519 handshake" that is based upon the work of renowned cryptographer Daniel J. Bernstein and his famous prime (2^255 – 19). Symmetric exchanges appear to use AES-CTR, but AES-CCM and chacha20-poly1305 have surfaced in recent release notes. As amazingly forward thinking as the Tor network is for its age, sha1 was chosen for a number of MAC functions, but remediation efforts are well underway.
It now will be useful to present a graphic aid (with our old friends, Alice and Bob), which simply begs for greater detail.
Attribution: By Electronic Frontier Foundation, minor modifications by me. (https://www.torproject.org/about/overview.html.en) [CC BY 3.0 (https://creativecommons.org/licenses/by/3.0)], via Wikimedia Commons
The first column of servers above are known as Guard Nodes (variously referred to elsewhere as entry points or entrance nodes). They are the servers that communicate directly with Alice, and they are supposed to be the only servers in the chain with any detailed knowledge about her.
The second column of servers are known as Relay Nodes—there is an entry in the Orbot configuration menu to become a relay node. You are encouraged to do so if you have a hard connection to the internet and extra bandwidth. Relay Nodes that demonstrate high and reliable network bandwidth are promoted to Guard Nodes by Consensus Votes, which I will discuss shortly.
The third column of servers are known as Exit Nodes. Unencrypted traffic that emerges from Tor will appear to come from Exit Nodes. This includes hostile attacks, harassment, and sundry illegal and immoral activity. Some Exit Node operators are altruistic individuals and groups that value privacy at all costs. Others are hostile actors. Exit Nodes are commonly involved in legal action, and Tor will provide exoneration services for Exit Node operators and otherwise make every attempt to legally assist those who are called before a judge.
The Tor software running on Alice's computer will build a Circuit through systems in each of the columns. The Circuit will involve at least three separate servers. By virtue of the ed25519 keys, Alice will be able to send secret messages to each separate server in her Circuit. Alice will send a secret message to the Relay Node containing the identity of the Exit Node, and in so doing she will prevent the Guard Node from learning where her traffic will exit Tor. Alice will send a secret message to the Exit Node containing the session password to her AES traffic, and in so doing prevent both the Guard and Relay nodes from seeing her encrypted network data. Circuits are broken and rebuilt constantly to maximize privacy. This stepwise removal/addition of encryption as traffic moves through the Circuit is known generally as Onion Routing.
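To make the layering concrete, here is an added toy model of the circuit just described. It is example code written for this explanation, not Tor's implementation: a SHA-256 counter keystream stands in for Tor's AES-CTR, and fixed, constructed per-hop keys stand in for the keys each handshake would negotiate.

```python
import hashlib

# Demonstration stand-in for Tor's per-hop symmetric cipher. Tor uses AES-CTR
# with keys negotiated per hop; this SHA-256 keystream XOR is an assumption of
# this example only and must not be taken as Tor's construction.
def stream_xor(key: bytes, data: bytes) -> bytes:
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

HDR = 32  # fixed-width next-hop field so layer sizes reveal nothing about names

def add_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """Alice's side: encrypt (next_hop || inner) under one hop's key."""
    return stream_xor(key, next_hop.encode().ljust(HDR, b"\0") + inner)

def peel_layer(key: bytes, cell: bytes):
    """A node's side: strip its own layer and learn only the next hop."""
    plain = stream_xor(key, cell)
    return plain[:HDR].rstrip(b"\0").decode(), plain[HDR:]

def build_onion(hop_keys: dict, path: list, payload: bytes) -> bytes:
    """Wrap inside-out: the exit's layer is innermost, the guard's outermost."""
    cell = payload
    for i in range(len(path) - 2, -1, -1):
        cell = add_layer(hop_keys[path[i]], path[i + 1], cell)
    return cell

def traverse(hop_keys: dict, path: list, cell: bytes):
    """Replay what each node sees; returns per-node views and the exit's output."""
    views = {}
    for node in path[:-1]:
        next_hop, cell = peel_layer(hop_keys[node], cell)
        views[node] = {"next_hop": next_hop, "forwarded": cell}
    return views, cell

KEYS = {  # constructed keys; in Tor each comes from a handshake with that hop
    "guard": b"guard-key-constructed-for-demo",
    "relay": b"relay-key-constructed-for-demo",
    "exit": b"exit-key-constructed-for-demo",
}
PATH = ["guard", "relay", "exit", "destination.example"]
PAYLOAD = b"GET / HTTP/1.1\r\nHost: destination.example\r\n\r\n"

def demo():
    # The guard learns only "relay" and forwards an opaque blob; the relay learns
    # only "exit"; the exit alone recovers the cleartext request it sends onward.
    return traverse(KEYS, PATH, build_onion(KEYS, PATH, PAYLOAD))

if __name__ == "__main__":
    views, out = demo()
    for node, v in views.items():
        print(f"{node:6} -> next hop {v['next_hop']!r}, forwards {len(v['forwarded'])} opaque bytes")
    print("exit emits:", out)
```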
Not shown in this graphic aid are Directory Authority Nodes, which are analogous to DNS root servers. DA nodes operate in several countries, and Tor is built to survive up to four of the ten Directory Authority Nodes falling into the hands of a hostile party. Note that the United States appears to host four DA nodes. DA nodes conduct a vote once per hour, then publish a Consensus that promotes/demotes Guard Nodes and sets policies for a number of other Tor activities.
Purposefully hidden from the graphic aid are Bridge Nodes. These are "unpublished" Guard Nodes that are made available by automated request for users under carriers, ISPs and other forces who block traffic to the published Guard Nodes in order to ban access to Tor. There are a number of procedures to request access to a Bridge Node. Anyone making such a request should use great caution in choosing public/anonymous networks for Tor access in order to avoid detection and punishment.
Also not shown in the graphic aid are Hidden Services, which are informally known as a "dark web". These services are visible only within the Tor network. Tor circuits involving Hidden Services never reach an Exit Node. As an example, the Duck Duck Go search engine operates as a Tor Hidden Service as the site https://3g2upl4pq6kufc4m.onion—anything ending in the .onion suffix is a Tor Hidden Service that is not visible on the open internet. A short list of popular Hidden Services can be found at https://thehiddenwiki.org. Tor is designed to prevent users from learning the identity or location of the providers of Hidden Services. Guard Nodes are given no direct information that a user is seeking access to a Hidden Service versus an Exit Node, but they can conduct traffic analysis to loosely determine this.
With this vocabulary for Tor out of the way, now I'll address specific security concerns:
Guard Nodes communicate with you for a short time through an established Circuit. You cannot trust them, and you must assume that one will port-scan your computer and attempt to break in eventually, so keep your security patches up to date if at all possible. Guard Nodes are also free to analyze your traffic to loosely identify what you are doing.
Exit Nodes remove the last layer of Tor encryption and are free to analyze and record all of your traffic. Once again, do not use Tor to connect to clear-text services hosting sensitive content. Malicious Exit Nodes were caught stealing and using passwords in honeypot trials by researcher Chloe.
The bittorrent protocol is unsafe and discouraged over Tor.
JavaScript is disabled in the Tor browser. If you enable it, or use another browser where it is enabled, your anonymity might be broken. If your sole goal is to deprive your carrier or ISP of tracking data, this might be a reasonable sacrifice.
The Tor browser is the only reviewed and highly assured program to use with Tor that will not reveal your IP address or other private data unintentionally when traffic leaves an Exit Node. Such confidence is diminished if you use other programs with Tor. Tor is able to hide the activity of most programs from your carrier or ISP with equal ability—the concern is the path from the Exit Node to the destination.
It is important to keep your system up to date with security patches. The FBI is known to exploit users of Tor who do not. It has seized the machines behind Hidden Services and installed its "Operation Torpedo" malware to break the anonymity of Tor. The NSA has used zero-day exploits and in-house Tor nodes for these purposes.
Again, Tor is designed to trust nearly nothing and almost no one—you must do the same to use it safely.
Tor for Desktop Linux
The simple answer to Tor on desktop Linux is to use Tails, a custom Debian-derived distribution that forces all traffic into Tor guard nodes. Please reference Kyle Rankin's previous Linux Journal article on Tails. There have been critical flaws in previous versions of Tails, so it is important to keep up to date.
Given that Tor functionality is desired on non-Tails distributions, let me investigate the installation of Tor components on Oracle Linux 7 (similar to CentOS/Red Hat/Scientific Linux).
A preconfigured Tor browser and proxy are available from the project website. The Tor browser package is the safest way to use Tor on a (non-Tails) Linux client. Download the package, move it to your desktop, and unpack it:
$ tar xvJf tor-browser-linux64-6.5.1_en-US.tar.xz
...
$ head tor-browser_en-US/start-tor-browser.desktop
#!/usr/bin/env ./Browser/execdesktop
#
# This file is a self-modifying .desktop file that can be run from the
# shell. It preserves arguments and environment for the start-tor-browser
# script.
#
# Run './start-tor-browser.desktop --help' to display the full set of
# options.
#
# When invoked from the shell, this file must always be in a Tor Browser
# root directory. When run from the file manager or desktop GUI, it is
# relocatable.
Use a graphical file manager to navigate to the tor-browser_en-US directory and launch Tor. A dialog will be presented asking if bridge nodes are required before the browser will launch.
If you wish to use exit nodes in a specific country code, shut down your Tor browser and add this setting to your torrc:
$ cd tor-browser_en-US/Browser/TorBrowser/Data/Tor/
$ echo -e "ExitNodes {us}\nStrictNodes 1" >> torrc
After restarting your browser, your exit nodes should be restricted to the selected countries.
While the Tor browser is running, you will find two new processes,
./firefox --class Tor Browser
and the Tor proxy:
tor-browser_en-US/Browser/TorBrowser/Tor/tor
--defaults-torrc
tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults
-f tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc
DataDirectory tor-browser_en-US/Browser/TorBrowser/Data/Tor
GeoIPFile tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip
GeoIPv6File tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip6
HashedControlPassword xxx __OwningControllerProcess 1234
If you wish to join the Tor network as a relay node, you likely should load a version of Tor that interfaces with your init system. Such a version exists in the EPEL repository. Load EPEL, then install the system version of Tor (note that this approach does not include Orfox):
# yum install tor
Loaded plugins: langpacks, ulninfo
Resolving Dependencies
--> Running transaction check
---> Package tor.x86_64 0:0.2.9.10-1.el7 will be installed
--> Processing Dependency: torsocks for: tor-0.2.9.10-1.el7.x86_64
--> Running transaction check
---> Package torsocks.x86_64 0:2.1.0-1.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=========================================================================
Package Arch Version Repository Size
=========================================================================
Installing:
tor x86_64 0.2.9.10-1.el7 epel 2.4 M
Installing for dependencies:
torsocks x86_64 2.1.0-1.el7 epel 61 k
Transaction Summary
=========================================================================
Install 1 Package (+1 Dependent package)
Total download size: 2.5 M
Installed size: 11 M
Is this ok [y/d/N]: y
Downloading packages:
(1/2): torsocks-2.1.0-1.el7.x86_64.rpm | 61 kB 00:09
(2/2): tor-0.2.9.10-1.el7.x86_64.rpm | 2.4 MB 00:20
-------------------------------------------------------------------------
Total 125 kB/s | 2.5 MB 00:20
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
Installing : torsocks-2.1.0-1.el7.x86_64 1/2
Installing : tor-0.2.9.10-1.el7.x86_64 2/2
Verifying : tor-0.2.9.10-1.el7.x86_64 1/2
Verifying : torsocks-2.1.0-1.el7.x86_64 2/2
Installed:
tor.x86_64 0:0.2.9.10-1.el7
Dependency Installed:
torsocks.x86_64 0:2.1.0-1.el7
Complete!
From here, you can configure your relay policies as outlined in the FAQ.
Conclusion
Verizon and AT&T have been granted "common carrier" status as a courtesy from the citizenry, but they are now abusing this privilege. While they acknowledge that phone records deserve privacy, they contend that network traffic that passes over the same infrastructure should be theirs to take. This is reprehensible.
The only answer for a concerned individual is to blind them with Tor. This comes at a cost—network performance is reduced, potential exposure to hostile guard and exit nodes requires more care, and a large amount of software must be loaded and maintained to participate in the Tor network. This is a price that we must pay.
I have avoided the discussion of Tor on non-Linux systems here as documentation on the subject exists elsewhere. A few relevant resources include Apple iOS and Microsoft Windows, but these are now secondary platforms, as Linux has become the most popular operating system on the internet.
We can only hope that, first, a significant percentage of subscribers load Tor clients, and second, the citizenry takes a far more active role in restricting the privileges that have been granted to these undeserving and abusive corporations. They must know unambiguously that this is a step too far.
Disclaimer: the opinions expressed in this article are those of the author and do not necessarily represent those of Linux Journal.