/ 27 October 2014

Anonymity does not equal security

Cyber security.
Cyber security.

Nobody likes to feel like they’re being watched. Societies will tolerate a lot from their governments but few things cause more outrage than the kind of mass surveillance practiced by the NSA and its cronies. But true to form the internet has spontaneously generated a solution: The Onion Router or Tor for short.

Normally when you connect to the internet, any site you visit will record your computer’s IP address – a unique number that identifies your computer and also broadcasts (roughly) where you are and how you’re connecting. 

Instead of connecting directly, Tor first bounces that connection through a network of anonymous nodes, taking a different random path each time. These nodes act like a filter, hiding your IP address from anyone snooping around the web (yes, NSA, we mean you). Anyone listening in will only see the IP address of one of the nodes, and won’t be able to trace any activity back to you.

The anonymity Tor offers is so reliable that everyone from political dissidents and activists to hackers to terrorists use the system to browse and communicate without fear of being traced. But the bulk of its users remain ordinary people tired of being spied on by their governments.

Unfortunately, any technology can be turned against itself. Last week a security expert discovered a node in the Tor network that was modifying the contents of every file that passed through it, essentially injecting viruses into each one. Since each node in the Tor network is, by design, independent and decentralised this kind of anti-social behaviour will happen from time to time. 

Injecting viruses into files is not particularly noteworthy – hackers have been doing so for decades. What makes this scheme brilliant is that it exploits people’s trust in Tor. The radical anonymity that Tor offers tends to lull even quite sophisticated users into a false sense of security. 

A large part of the problem comes from our tendency to conflate anonymity with security. Sending your credit card number to someone via Tor just makes it impossible to trace where that message came from. It doesn’t stop a hacker from intercepting the message and cleaning out your account.

Luckily there are plenty of ways to use Tor without your computer being attacked or your personal details stolen. The most effective method is known by the catchy acronym TLS/SSL. This is the technology used by banks and online stores to encrypt (scramble) all communications between your computer and their systems.

What many people don’t realise is that ordinary users, with a bit of elbow grease, can also use this technology to securely send and receive everything from email to movies. What used to be a difficult and confusing process is quickly being streamlined into something a mere mortal can use in his or her daily life.

When you combine encryption with Tor you have an incredibly powerful tool for protecting yourself against both criminals and overreaching governments. Let’s all try to use that power for good.