Tor is an overlay network for anonymizing connection data. It is used for TCP connections and can be used, for example, on the Internet for browsing, instant messaging, IRC, SSH, e-mail or P2P. Tor protects its users from traffic analysis. It is based on the idea of onion routing.
Tor does not provide anonymity against any attacker. For example, by monitoring a sufficiently large number of Tor nodes or large parts of the Internet, it is possible to trace almost all communications made via Tor. Such a scenario is quite conceivable, for example, in the case of operators of Internet exchanges or important backbones – especially through cooperation: If it is possible to monitor the first and last nodes of the connection, the origin of the connection can be deduced with the help of a statistical evaluation.
If necessary, this can also be done through state influence or intelligence activities. It is favored both by the structure of the Internet, which relies heavily on individual operators, and by the very unequal distribution of Tor servers worldwide, which are strongly concentrated in a few countries. As a result, the cooperation of a few instances would be sufficient to significantly weaken the effect of Tor.
---
Pros and Cons of the Anonymization Model
Tor is based on a distributed anonymization network with dynamic route selection. This alone distinguishes Tor from many other anonymization services that are based on the approach of static routes in the form of mixed cascades. The basic assumption for Tor’s security is that it is impossible for anyone to monitor large parts of the internet. This basic assumption provokes criticism. On the one hand, it is questionable whether it is realistic, and on the other hand, the model of the mix cascade provides a possibility of anonymization with total surveillance of the underlying network – at least in theory. The theoretically stronger model of the mixing cascade has to make a lot of compromises in its practical implementation on the Internet in order to remain usable: For example, only certain of the required mixing functions can actually be implemented. This compensates for the advantages of the mix-cascade model over Tor’s approach, and the cascading-based anonymization services can also only provide very limited anonymity.
However, there are also some practical reasons that explicitly speak in favor of the concept chosen by Tor. In particular, the resource problem that arises when operating an anonymization service (a lot of bandwidth and a certain amount of computing power is required for cryptography) can be solved very easily by providing the resources collaboratively. In this case, almost every owner of a broadband connection can contribute something to the anonymization service by operating a Tor node. In the mix cascade model, on the other hand, the required bandwidth has to be provided by a few instances (mix operators) alone in order to keep the anonymity groups large. Since this causes corresponding costs for the mix operators, the question of financing always automatically arises there. On the other hand, the low threshold for participation in Tor always poses a danger: it is not possible to adequately check the parties involved. For example, it is conceivable that a person under different identities operates a large number of Tor nodes. Connections that run exclusively through the nodes it controls can be revealed. With the mix-cascade model, there is a much smaller need for anonymity providers – so they can be checked much better for their identity and intentions. Even in the case of coercive measures taken by the state, they can legally defend both themselves and their users (as happened with JAP, for example). At Tor, such mutual support is only beginning to exist. Legal risks may arise, especially for the operators of exit nodes. As the operator of the node, they have to fear the seizure of the computers by investigating authorities in the event of any misuse. They will be treated as witnesses in the proceedings in question. However, it may also happen that proceedings are conducted against the operator himself.
Tor’s highly distributed approach provides better protection against coercive government measures to detect links compared to the mix-cascade approach, as the state agencies do not have a small group of responsible persons with whom they can carry out the surveillance measures directly, as is the case with the cascade approach. In this case, they would have to take the much more complex and internationally hardly enforceable detour via the network operators. It also makes criminal prosecution much more difficult.
