Tuesday, January 26, 2010

TOR: Peeling the onion

One way you can enhance your privacy protection on the internet is to use TOR (The Onion Router). TOR is the second-generation implementation of onion routing. Onion routing works by encrypting the data in several layers, like an onion. You run a TOR client on your computer; it encrypts your queries, then sends your internet traffic to the nearest TOR proxy, which then routes it through at least 2 more TOR proxies. To the computer you are sending data to, whether it is a web site, FTP server, or whatever, it looks like your data is coming from the TOR server your data exited the network from.

Just as with any security system, there are things you need to be aware of, and the TOR download page lists some. One other gotcha that is mentioned somewhere on the website, but I can't find it at the moment, is the bandwidth and processing overhead required. Your web queries are being encrypted on the fly by your computer, and every query you send has to have one level of encryption removed by each TOR server it goes through. That takes a little time, which means your queries take a little longer to reach the server you're sending them to. I'm using an older 1.33 GHz Powerbook, and TOR is usable, but the processor hit is noticeable. The bigger problem for me is the loss of JavaScript and Flash. You don't know how many sites you go to use those until you try to do without them.
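The layering described above, as an added sketch that is not TOR's own code: the client wraps a request once per relay, and each relay removes only its own layer and learns only the next hop. The relay names, keys, destination and the SHA-256 based toy cipher are assumptions made for illustration; real TOR negotiates per-hop keys and uses different cryptography.

```python
import hashlib, hmac, json, os

def keystream(key, nonce, n):
    # Toy stream cipher (SHA-256 in counter mode); a stand-in, not TOR's real crypto.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(key, plaintext):
    # Add one layer: encrypt, then authenticate so a wrong key is detected.
    nonce = os.urandom(16)
    ct = xor(plaintext, key, nonce)
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    # Remove one layer; fails unless this key made the layer.
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer was not sealed with this relay's key")
    return xor(ct, key, nonce)

def wrap(path, keys, destination, payload):
    # Client: build the onion from the inside out, one layer per relay.
    next_hops = path[1:] + [destination]
    blob = payload
    for relay, nxt in reversed(list(zip(path, next_hops))):
        blob = seal(keys[relay], json.dumps({"next": nxt, "data": blob.hex()}).encode())
    return blob

def peel(relay, keys, blob):
    # Relay: strip its own layer, learning only the next hop.
    layer = json.loads(unseal(keys[relay], blob))
    return layer["next"], bytes.fromhex(layer["data"])

def route(path, keys, destination, payload):
    hop, blob, trace = path[0], wrap(path, keys, destination, payload), []
    while hop in keys:                      # stop once we leave the relay network
        nxt, blob = peel(hop, keys, blob)
        trace.append((hop, nxt))
        hop = nxt
    return hop, blob, trace

# Constructed sample circuit: relay names, keys and destination are made up.
PATH = ["entry", "middle", "exit"]
KEYS = {name: os.urandom(32) for name in PATH}

if __name__ == "__main__":
    print(route(PATH, KEYS, "example.org:80", b"GET / HTTP/1.0\r\n\r\n"))
```

Note that the last relay hands the request to the destination with no onion layer left, which is why the destination sees the traffic as coming from the exit server.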

But despite the imperfections, if your main goal is to obscure the origin of your web traffic, TOR is a useful tool. If you plan to just use it for browsing the web, the default install bundles work great with Firefox. There are bundles for Windows, Mac and Linux, and they are preconfigured with additional software to make using TOR as easy as possible, even for people who aren't that technically inclined.

You can download a TOR bundle that pretty much sets you up for browsing with Firefox here (you have to install Firefox).

Check these pages on Wikipedia for more information on TOR and Onion Routing.

[Updated at 7:25 am for clarity by Bert]

[Updated at 11:45 am for clarity and spelling (Linux doesn't have an 's') by Bert]