TOR: Is There a Viable Alternative?
When I first heard about TOR it was probably the most exciting thing I had ever encountered since I had started using computers. I probably jumped onboard when it had been around long enough to be useful and had become quite popular; but was not yet at the point where everyone felt the need to attack, de-anonymize and discredit it. After the Silk Road went down, many began to question TOR’s safety and since then multiple claims and studies have come out concerning the anonymity of TOR nodes. Some studies have shown that TOR exit nodes can be controlled and monitored using tools like NetFlow; however these “de-anonymization” tactics often required highly controlled environments. Regardless, it’s safe to see that we all feel a little less safe running just TOR Browser and Hidden Services and in this day and age it’s wise to mix TOR Browser with additional security software like VPNs, Proxies and even custom Operating Systems designed to keep us all John Does on the internet.
The first time I looked I was able to find maybe 2 or 3 systems similar to TOR, but lately anonymization OSes and applications are being released at an incredible rate. This article will take a look at what else is out there, compare and contrast them with TOR; and then ultimately determine if there is indeed a viable alternative to TOR. Although, there are many similar pieces of software out there they do not all server the same function as TOR and therefore may not qualify as an alternative. We will take a look at 2 major classifications of anonymizing software: Network Anonymity Systems and Anonymous Operating Systems. As far as I could find there are only a handful of what seem may deem “TOR Alternatives”; however I’m sure that I will leave out some out, so please don’t think that I consider this to be a complete definitive list; I’m only going with the well-known and popular options.
The first “TOR Alternative” I had ever encountered, and arguably one of the biggest is I2P. I have heard a lot of talk that some kind of revolution or mass exodus was underway from TOR to I2P, because TOR was just becoming too hot and unsafe. I had heard this about two years ago and then again about a year ago, but I am still waiting for this mass exodus. I have heard of one or maybe 2 major DNMs (Dark Net Markets) on I2P that I could find easily and I wouldn’t even think about using them at this point. So what’s I2P all about then? The annoying thing about the “DarkNet” is that there is no “DarkNet”; instead there are DarkNets – all specific to their particular system.
I2P is no exception and it is absolutely considered to be a DarkNet. Somewhat like TOR, I2P (Invisible Internet Project uses layers or a layer to encrypt network traffic with the use of public and private keys. I2P builds an additional network layer within TCP/IP (and some UDP) sessions – this is why some call it “internet within the internet”. Where it differs from TOR is that it uses a P2P system to share and find services – TOR makes use of central databases to track Hidden Services (Figure A). Since I2P is a network layer, it means that many applications can make use of it for network communications: Torrents, HTTP, Web Services, Email, IRC and many others.
Some say that I2P is superior to TOR because of the way it functions and consequently as a result of its safer Threat Model. Where TOR allows us to access Hidden Services and the Clearnet alike, I2P does not and seeks to create its own network within in the internet. The debate rages on whether I2P is superior and more secure than TOR. I have used I2P and like many, I found that there was a bit more to setting it up. This is a double edged sword as it can be a drawback or an advantage (if it’s harder to use, it will be harder for LE and script kiddies to set up). Either way the Pros and Cons of each seem obvious, but at the end of the day the people will go where the supply is. At this point I don’t see I2P taking over, or even as a viable alternative to TOR, because the same services just aren’t there yet. If we start to see markets opening up on I2P as well, or migrating completely, then it could be time to consider making the switch, but until then I don’t see this as a solution for those into to DNMs.
The other major DarkNet contender out there is known as Freenet. Like I2P (and unlike TOR) Freenet is also a P2P system that offers anonymous content through its software. Instead of providing access to a web server like Clearnet or TOR, the content is actually stored and served up on Freenet. Freenet is known to be extremely de-centralized as it has no central servers and cannot even be controlled by the folks who build and maintain it (Figure B).
Freenet makes use of the peers and stores uploaded content all over its nodes. The fantastic part is that the data is encrypted before it’s stored, so even if you have other people’s data stored on your nodes, you have no idea what it is. This is fantastic because tit means that data can’t be intercepted or pulled off of a node and used against someone. It also means that people hosting nodes could not possibly know if they were storing illegal or politically oppressed information. From a 40,000 foot technical level Freenet is a P2P anonymous service that makes use of nodes and sharing – it sounds to be somewhere in between TOR and I2P (although probably closer to I2P). The simple fact that the data is de-centralized and encrypted before stored, makes it VERY appealing. The Freenet folks will even admit that this provides hosters with plausible deniability when storing encrypted data. Although, I have not had much opportunity to use Freenet yet it sounds like a promising alternative; however I am not aware of any major DNM communities on it. So for file sharing and political asylum it sounds like a perfectly sound alternative; however if you’re part of the drug underworld (buyer or seller), it’s probably not for you.
I2p and Freenet have and probably will be the big TOR challengers for at least some time, but I did run across some other widely mentioned systems popping up. Some other similar systems worth mention I have come across are: GNUNet, which is included with a GNU software package, again uses a peer-to-peer end-to-end encryption system that runs “on top” or “within “ the ‘insecure TCP/IP stack’ and seems to possess a similar goal and high level design to I2P and Freenet. Another P2P system called Lantern does not provide anonymity like the popular systems, but merely provides a way around filtered and blocked content and sounds like it’s generally aimed towards countries with restrictive internet policies and oppressive freedom to information policies. GNUNet sounds to be somewhere between Lantern and I2P and Freenet.
Now that we have reviewed the high level technical make-up of I2P and Freenet it’s probably a good idea to look at risk and vulnerability; after all, that’s the whole point here. IT appears that multiple attacks have been successfully executed against Freenet over the last couple of years. The IEEE Computer Society has able to execute several successful attacks against Freenet as indicated in their paper “A Routing Table Insertion (RTI) Attack on Freenet” and “Using Randomized Routing to Counter ROuting Table Insertion Attack on Freenet”. The papers indicate that in a test environment they were able to exploit vulnerable nodes on Freenet by placing malicious nodes adjacent to the real node. Then using route injection/insertion they were able to both map out the Freenet network topology and actually trace back queries through the system. Another test allowed them to predict Freenet routing paths using a route prediction model based on the Freenet routing mechanism. I will admit that Freenet was looking like it had a lot of potential to move up in the anonymous world, but after being urged to dig deeper I found that attacks and vulnerabilities are not only plentiful, but not all that difficult. These are just two of many attacks orchestrated in a test environment (not to attack Freenet), but to educate and actually test its Threat Model. The true verdict on Freenet: they have some real work to do before one can even feel safe using it. Because of this, it cannot be considered a serious heir to the TOR Legacy.
So then what about I2P? Second to TOR, it seems to be one of the most popular anonymity options out there. Computer World reported that in 2014 a Zero Day Exploit was executed against the I2P network portion included in Tails and made it possible to de-anonymous users by directing them to a booby-trapped honeypot website. If that’s not enough, I was horrified to find out that I2P is actually written/based on Java, which is probably one of the worst platforms for vulnerabilities, exploits and instability. An alternative C++-based version was released called I2pd, but if this thing was initially based on Java it makes you wonder what else could go wrong with it.
It’s not enough to simply anonymize one application in this day and age as more and more attackers and LEA are exploited application vulnerabilities when they cannot easily identify people using anonymous networks. Using a good strong VPN with reliable Anonymity networks you can feel pretty safe, but if you feel the need to take it a step further (and you should) you can look to one of the many anonymity themed Operating Systems out there today. Tails and Whonix are probably two that come to mind for many. Tails is a live Linux OS that includes TOR and I2P software and runs on a live CD or USB drive. If you want pure anonymity and no tracks then use the live CD where nothing is saved or stored. For those who want some level of continuity they can enable Persistence Mode and actually save settings and even files (all with the option of being password-protect and encrypted of course). The idea behind these live TOR distros like Tails is that they leave no sign of even using TOR in your memory or hard drive.
Whonix on the other hand is generally run as a virtual machine or rather multiple virtual machines to actually break up the network from other systems. Again, Whonix is included with TOR and the beauty of running in a VM is that your network traffic will be linked at the data layer to a virtual MAC address (although real MAC addresses can be easily changed/spoofed with the correct software). Running a VM is better than running TOR on your host operating system, because we now need to worry about things like real IPs being leaked from applications running in the background or vulnerabilities through applications like Java or even changing your browser window size (note that TOR now comes with warnings about changing the window size). A VM is nice because you have some kind of saved state to work with, which can easily be wiped out, but it is still an OS installed on your machine at some level. Running a VM is somewhere in the middle. Running TOR on your host OS is the least secure option and running a live distro is the best option.
Another interesting VM that takes compartmentalization very seriously is Qubes OS. It seems to me that Qubes OS is like Whonix on steroids as its philosophy is simply isolation. Qubes runs one VM known as the “Admin Domain” which is the only portion which has direct access to your machine’s hardware. Another VM is known the “Network Domain” and it simply runs network services which have no privileges at all and is not knowingly connected to the admin domain. This means that if someone infiltrates this Network Domain they won’t be able to do or tell much by this; whereas on a regular OS this could potentially give an intruder control and/or information about you.
There is then a separate “Storage Domain” whose sole function is to handle the file system, disk mgmt., and software mgmt. This domain is of course completely encrypted to prevent any sort of intrusion. The final VM type is the “App Domain” or AppVM, which handles the Session and Application Layers like browsers, chat, email, etc. If I understand correctly, multiple AppVMs can be used to run different applications or groups of applications (see Figure C). The beauty of Qubes is that it keeps all of the things separated which are normally a threat when associated with one another. Exploiting one layer of a machine means that an attacker can potentially infiltrate other sections of the machine to find out information about the user. Qubes has done a great job thinking about which layers and systems to separate and isolate. Even if someone could collect your application data or network data independent of the rest, there would be no link to the other VMs and thus not enough information to arrive at any kind of conclusion or accusation.
Going back to our question: is there a viable TOR alternative out there? Well, the answer is yes AND no. It really depends on what you use TOR for and what you expect to find. For those more interested in evading an oppressive government or simply just downloading pirated data; or even engaging in risky political discourse: I2P or Freenet could be a much better option for you – if only they would deal with their security vulnerabilities before people are identified. Some could say the same for TOR, but like TOR you would be much more secure using a VPN and even proxies in unison with these systems. But if you are like the thousands out there happy to get their fix without crossing the tracks to the bad part of town, being ripped off, or having a gun pointed in your face: stick to TOR for right now, because it’s the best the world has to offer (yes even better than sketchy Craigslist ads). The fact is that I2P and Freenet show some potential for markets but it’s just not happening yet; and maybe it never will. First, they have some serious exploits and vulnerabilities, not unlike TOR. The question is why trade is one vulnerable platform for another? Their lack of markets could have something to do with the lack of control on the data distribution and centralization – this might make people nervous, despite encrypted data like Freenet. Or maybe these other systems or just too hard to use; but the likely reasons are that TOR Hidden Services software combined with the popular market platforms just seem to work. I think what we need is a whole new concept; something that goes beyond just tunnelling within or build additional layers on the widespread TCP/IP protocol, because after all, the TCP/IP model was never built to be anonymous – it’s inherently identifiable.
In the meantime it looks like we have to make the most of TOR, so if you’re not already using a VPN with it you need to stop and do that right away. I would suggest that any TOR users at least be running the application off of an encrypted USB stick or media card, but ideally you should be running a live CD like Tails or isolated VMs like Whonix or Qubes. TOR is EXTREMELY popular and will only continue to grow until something gives. The more people that use TOR the more secure it becomes, but I suspect one of two things will happen. Either developers will make some major breakthroughs and take TOR anonymity to the next level; or else LEA hackers will continue to poke holes in the infrastructure until they slowly take down every market and their admins until the whole dream has finally fizzled out. Even if that happens it will be replaced quickly, because once you start a revolution like this you can’t stop it. It’s already causing massive cracks in the levy and at some point the entire thing is going to blow wide open and drown the bastards. No one will remember what it was like copping dimebags on the street – in fact it will seem like a ludicrous idea.