Tor network 'bridges' help evade blockers

A new feature developed for the Tor network helps keep websites from blocking Tor by using relays whose IP addresses are not listed in the Tor directory.

CAMBRIDGE, MASS. -- Internet users in dozens of countries around the world where governments tend to look askance at freedom and civil liberties have come to rely on the Tor network for dependable, anonymous access to the Web. But those governments and some popular websites have caught on to the game and begun to make it more difficult for users to connect to the Tor network.

But the folks who run the Tor Project are at work on a slew of new features designed to outflank filtering and censors and enable users to go about their online business anonymously. Tor, short for The Onion Router, is a network of Internet relay servers that serve as middlemen for users who don't want anyone knowing who they are or where they're going. The traffic flows from the user to the Tor router in the clear where it is encrypted and anonymized and sent through a number of other hops in the Tor network before it comes out the other side through an exit node and is then sent to the destination.

The network has attracted hundreds of thousands of users in the last few years and now has more than 1,500 relays. But countries such as the United Arab Emirates and others have begun blocking access to the Tor relays. So the project's developers have come up with several features to get around that problem. Speaking at the Source Boston conference here Wednesday, Roger Dingledine, Tor's project leader and the original developer of the software, said the new version of the software will include a feature that enables users to connect to one of several "bridges," or Tor relays whose IP addresses aren't listed in the Tor directory. So the traffic from a user connecting to one of these relays just looks like a simple connection to another user. The bridge then routes the traffic to the regular Tor network and on to its termination point.

"This has turned into an arms race [with the governments and enterprise who block access to Tor], but hopefully it's an arms race we can handle," Dingledine said.

Dingledine, who spends a lot of time talking to governments, law enforcement agencies and corporations about the benefits and capabilities of Tor, said that some enterprise IT managers who are worried about what their users are doing online have been setting up their own Tor relays inside the corporate network that are the first hop on the way to the Internet. This enables the company to monitor all of the Internet traffic leaving the company, but also to anonymize that traffic on the way out.

"Privacy is this stupid, wishy-washy thing to corporations," he said. "But if they set up a relay inside the network, they can have the best of both worlds."

Outside contributors to the project also have been working on the problem of finding a way to allow Tor users to authenticate themselves to websites that have blocked Tor, without divulging their identities. Some sites, such as Wikipedia, have blocked Tor users periodically in response to actions by some small number of users. Because the sites can't identify individual Tor users, they block all traffic from Tor relays.

One tool, called Nym, allows a user to take his IP address to a certificate authority as proof of identity. The CA then issues the user a blind token that the user signs and presents to a second CA and exchanges for a browser certificate. The user can then present the browser certificate to the site. Another tool, a Firefox browser extension known as Nymble, performs a similar function, but prevents sites from linking together the transactions of any particular user.

Despite the advancements, Dingledine cautions users that Tor is not a magic security button for the Internet.

"Tor will anonymize your traffic, but it won't magically solve the rest of it," he said. "It can't magically encrypt the whole Internet."
