Illusion of privacy, Tor is hackable
The notion of having privacy is an illusion, even when using state-of-the-art tools such as Tor. In this article I present a type of attack that governments, phone operators, ISPs, Microsoft, Google, Mozilla, Dell and many other big players can perform to spy on civilians. One might think one has nothing to hide from the government, but the big picture is frightening. Nobody can deny that a majority of our life is recorded as data and that our dependence on data becomes more pronounced every day. Putting personal privacy aside for one minute, national security is at stake; governments are starting a very dangerous game by spying on other nations in the cyber world, one that can be as bad as nuclear war.
Trust without question is the main problem with computer security. It is no secret to any security expert that today's communication security relies heavily, if not solely, on Public Key Infrastructure (PKI), which is an encryption scheme. PKI in turn relies heavily on trust in the Certificate Authority (CA). The CA helps internet browsers authenticate a website's identity and prevent a Man In The Middle (MITM) attack. Trust in the chain of certificate authorities, though, has been taken for granted; from a user's point of view, the green notification in the browser guarantees end-to-end privacy, while in reality the user delegates her trust to the CA.
Christopher Soghoian and Sid Stamm, in their paper titled “Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL”, introduce the “compelled certificate creation attack”. Simply put, in this attack a government agency gains access to the CA certificate and performs a Man In The Middle (MITM) attack that the end user can never notice. You can see the trail of the compelled certificate creation attack in the fraudulent VeriSign-issued Microsoft certificate in 2001, the fraudulent Comodo certificates in 2011, the DigiNotar scandal in 2013, Lenovo's pre-installed root CA certificates in browsers and Dell's preinstalled CA certificates. I personally believe that even in the StuxNet case you can find the trail of this attack. Although a hash collision has been named as the source of the validity of the StuxNet certificate, I believe the CIA politely asked CAs to give them the certificate.
If the FBI bugs Apple for months for a phone encryption key, why wouldn't the CIA ask CAs for a certificate in other cases?! How many CAs are not actually government bodies? Some people even went further and claimed that hacking the whole internet costs 40K. If this trust chain is broken, how can a new solution like Tor ensure privacy, given its reliance on PKI? Or even worse, how can one ensure privacy while using a browser built by somebody else?! Even if the browser is open source, nobody knows about the compiler! The compiler may behave maliciously, and this is not a new open problem. In this article I aim to explain how governments may, in practice, spy on civilians even if they use Tor to hide themselves.
Who are certificate authorities?
There are 651 organizations owning certificate authorities. These organizations are distributed across 52 countries. You can see all of them here. Interestingly, some important players are actually government bodies. Examples are Staat der Nederlanden from the Netherlands government, the Government Root Certification Authority of Taiwan, and the Japanese Government and Government of Korea organizations. One may think that these governments can act maliciously only within their physical territories and against their own nations. However, a malicious player can compromise the whole internet. Your internet browser cannot actually verify whether the issuing CA is the one it should be. Given that, the Iranian government, after compromising DigiNotar's security, could forge certificates for Google, Yahoo, Tor and many more, even though the original certificate issuer for these companies was not DigiNotar. That being said, if any competition between countries over spying on other nations happens, Iran is in a weaker position, since Iran doesn’t own any certificate authority. As a matter of fact, from my perspective, all of the 52 countries owning CAs have the upper hand over the others that don’t. To get a clearer picture of what might happen, look at the example in the introduction of Christopher Soghoian and Sid Stamm’s paper.
How does Tor work?
Before jumping into the hypothetical attack on Tor users, we should first understand how Tor actually works. Tor claims to ensure anonymity. Tor achieves this by providing multiple layers of encryption. Figure 1 shows the general idea behind the Tor network. With such an architecture, neither the Tor server nor any middle node in the Tor network can learn anything from eavesdropping on a communication. In order to achieve layers of encryption, several keys are needed. These keys are provided randomly by Tor nodes. In order to start communicating, a new node needs to have the node keys. These keys are very important for the system and they need to be communicated securely. The Tor master servers facilitate the communication used to fetch the encryption keys, since only the master servers can provide the trust between the endpoints. On the other hand, the user’s internet browser relies on certificate authorities in order to make sure that it is actually contacting the Tor masters. The mechanism is as follows for a new node:
- The new node (named Alice) initiates a connection to the master server using a TLS connection.
- Alice’s browser checks the validity of the Tor server's identity using the CA signature on the packet.
- Over a secure encrypted connection, the Tor server sends the list of nodes in the network to Alice.
After fetching the network list, Alice communicates as follows:
- Alice starts a secure end to end communication with some random nodes to fetch the encryption keys.
- Alice encrypts the packet multiple times using different keys.
- Alice sends the packet to the first node in the network.
- Nodes are only aware of the nodes before and after themselves, and they pass on the packet after decrypting their corresponding layer of encryption.
- The final node passes the packet to the internet endpoint server known as Bob (or to a darkweb server in the Tor network).
Figure 1. Tor at a glance
At this stage nobody, not even Bob, knows where the packet originated from.
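The layering steps above, as an added Python sketch that is not part of the original article and not Tor's code: the relay names `n1` to `n3`, the key derivation and the SHA-256 keystream cipher are stand-ins assumed for illustration. It records what each relay can observe and checks when a single operator holds every layer key on the path.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (not Tor's): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(path, keys, destination, payload):
    """Alice adds one layer per relay, innermost (last relay) first."""
    hops = path[1:] + [destination]      # the next hop each relay will see
    onion = payload
    for relay, nxt in reversed(list(zip(path, hops))):
        layer = json.dumps({"next": nxt, "data": onion.hex()}).encode()
        onion = keystream_xor(keys[relay], layer)
    return onion

def peel(relay, keys, onion):
    """A relay removes its own layer and learns only the next hop."""
    layer = json.loads(keystream_xor(keys[relay], onion))
    return layer["next"], bytes.fromhex(layer["data"])

def route(path, keys, onion, source="alice"):
    """Pass the packet along the path, recording what each relay observes."""
    seen, prev, current = [], source, path[0]
    while current in keys:
        nxt, onion = peel(current, keys, onion)
        seen.append({"relay": current, "prev": prev, "next": nxt})
        prev, current = current, nxt
    return seen, onion

def traceable(seen, controlled):
    """True if one operator holds every layer key on the path, so it can
    chain the per-relay views from the source to the destination."""
    return all(hop["relay"] in controlled for hop in seen)

# Constructed sample: three hypothetical relays with per-relay keys.
KEYS = {name: hashlib.sha256(name.encode()).digest() for name in ("n1", "n2", "n3")}
PATH = ["n1", "n2", "n3"]
ONION = wrap(PATH, KEYS, "bob", b"hello bob")
SEEN, DELIVERED = route(PATH, KEYS, ONION)

if __name__ == "__main__":
    for hop in SEEN:
        print(hop)
    print(DELIVERED, traceable(SEEN, {"n1"}), traceable(SEEN, set(PATH)))
```

This model only covers what decrypting the layers reveals to each relay; it does not model traffic timing.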
Compelled certificate creation attack on Tor
Tor can guarantee anonymity only if the first step is done in a secure way. In other words, if the attacker sends a list of malicious nodes to Alice, all the subsequent communications are insecure and prone to eavesdropping. The first step, on the other hand, relies on TLS and, as mentioned earlier, TLS relies on the CA certificate. Now imagine what can happen if a certificate authority leaks its certificate and the government uses it to forge a list of malicious nodes that it controls. In order to clarify the concept, I present a hypothetical scenario and the details of the attack:
- Alice is an American journalist who goes to an Asian country X and wants to communicate securely with somebody over Tor. Alice starts Tor Browser.
- Country X doesn’t like what Alice does and wants to spy on her activities. Country X, which owns a certificate authority, forges a certificate for addons.mozilla.org and the Tor website. I used the verb “forge”, but it is a perfectly legitimate certificate, since it’s signed by a valid CA and the browser doesn’t doubt its validity for a second.
- Country X creates a network of malicious Tor nodes by simply joining them to the Tor network.
- Using this forged-yet-valid certificate, they run a MITM attack like the ones I explained here. For this, the government needs the cooperation of the network operator (phone operator or ISP) if it doesn’t already control the network. History has already proved how even a free country like the USA spies on civilians in collaboration with network operators.
- Country X gives Alice's browser only the list of the nodes it has control over.
- From now on Alice just has an illusion of having privacy, because everything she does is eavesdropped, decrypted and recorded.
If you’re a security professional you may think this would not work due to public key pinning enforcement in the Tor Browser. Public key pinning aims to hardcode the certificate in the browser so that country X cannot forge a certificate that is issued by another authority that country X does not control. Well, you’re absolutely wrong! First, around one week before this post, a hacker was able to bypass Tor public key pinning for arbitrary code execution. In theory, all the evidence suggests that it shouldn’t work if you downloaded and installed Tor in a secure way (which may not be the case; I’ll get back to this). But it does, and after reading this post I am quite convinced that it is not just a claim, since they answered all the doubts. You can read the post on your own; here I am just going to quote that “any ‘addons.mozilla.org’ certificate that validates through any CA that is shipped with Firefox should bypass pinning restrictions and work”, as Ryan Duff says. Second, public key pinning is based on Trust on First Use (TOFU). This means the attack is only possible if Alice had already used Tor back home and she was not hacked by her own government. What if Alice, as a journalist, is not safe in her own country? Yes, in summary, your government owns you and you don’t control your own privacy.
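A simplified model of the validation policies contrasted above, added here as an illustration and not taken from the original article, Tor Browser or Firefox: certificates are plain dictionaries, and the CA names, the hostname `example.test` and the key bytes are constructed placeholders. It runs the same substitute certificate through CA-only validation, a hardcoded pin, and a pin learned on first use.

```python
import hashlib

# Constructed trust store: the browser trusts every entry equally.
TRUSTED_CAS = {"CA-A", "CA-X"}
HOST = "example.test"                      # placeholder hostname
# Constructed "certificates"; spki stands in for the DER public-key bytes.
GENUINE = {"subject": HOST, "issuer": "CA-A", "spki": b"site-key"}
SUBSTITUTE = {"subject": HOST, "issuer": "CA-X", "spki": b"other-key"}

def spki_pin(cert):
    """A pin is a hash of the public key, not of the issuing CA."""
    return hashlib.sha256(cert["spki"]).hexdigest()

def ca_valid(cert, host):
    """CA-only validation: matching name and any issuer in the trust store."""
    return cert["subject"] == host and cert["issuer"] in TRUSTED_CAS

class PinStore:
    def __init__(self, hardcoded=None):
        self.pins = dict(hardcoded or {})  # host -> set of accepted pins

    def check(self, cert, host):
        """Return 'reject', 'ok', or 'learned' (pin set on first use)."""
        if not ca_valid(cert, host):
            return "reject"
        pin = spki_pin(cert)
        if host not in self.pins:
            self.pins[host] = {pin}        # TOFU: the first key seen wins
            return "learned"
        return "ok" if pin in self.pins[host] else "reject"

def scenarios():
    """Run the substitute certificate against each validation policy."""
    out = {"ca_only": ca_valid(SUBSTITUTE, HOST)}
    hardcoded = PinStore({HOST: {spki_pin(GENUINE)}})
    out["hardcoded_pin"] = hardcoded.check(SUBSTITUTE, HOST)
    clean = PinStore()                     # first contact on an honest network
    out["tofu_clean_first"] = [clean.check(GENUINE, HOST), clean.check(SUBSTITUTE, HOST)]
    hostile = PinStore()                   # first contact already intercepted
    out["tofu_hostile_first"] = [hostile.check(SUBSTITUTE, HOST), hostile.check(GENUINE, HOST)]
    return out

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

In the last scenario the store pins the substitute key on first contact and afterwards rejects the genuine certificate, which is why a pin learned on first use is only as trustworthy as the network it was learned on.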
Can using Tor get any worse in terms of privacy?
Yes, it can and it does. What I mentioned here was a threat from a nation/state authority against a specific civilian to spy on her communication, but the big picture is even worse than this. Movrcx says in his post that a government can run a mass-scale attack by which it can run arbitrary code on the victims' machines and control their systems; yes, every computer that is using Tor in the territory of a country is under the full control of the government. Thus it’s not just about what you communicate over the internet but every single piece of information that you own.
Our privacy is in the hands of players whom you may not trust, spanning from governments, phone operators and laptop manufacturers to the allegedly private certificate authorities in South Asia. The chain of trust in the public key infrastructure (PKI) is already broken, and technologies built on it, like Tor, cannot improve anything. In the short term, the vulnerability shown by Movrcx will be fixed, but the problem and the attack mentioned in this article still remain. Even state-of-the-art solutions like public key pinning do not ensure your privacy as long as big players can betray your trust.