I blogged a few months back about TOR – The Onion Router – an anonymizing technology that encrypts and reroutes packets between several computers to add a high degree of anonymity to web surfing. One of my complaints at the time was that TOR was a somewhat tricky install – much easier than most anonymizing technologies, but still non-trivial for a technical user. (The folks behind TOR realize this and are running a contest to create a highly usable graphical user interface for the tool.) And unlikely that most users accessing the Internet via cybercafes would be able to install TOR on the computers they were using.
The folks behind TorPark (whoever they are) have done a nice job of addressing this problem. Combining an alpha version of the new Firefox Deer Park browser with TOR and an installer (hence the name TOR + park), they’ve produced a 20MB package designed to fit on a USB key. Insert the USB key into the port of a cybercafe machine which runs Windows 2000 or XP, run torpark.exe, and an anonymized browser window will open, allowing you to surf the web leaving (for practical purposes) no traces behind.
I’ve been meaning to test the tool for some time now, and have been thwarted by the fact that I left my USB key in Amman. (It’s like leaving your wallet in El Segundo, just less funky.) Armed with a new USB key and a recent version of Torpark, I set myself loose on the few remaining Berkman Center PCs (we’re slowly moving Macwards here…) and tried it out.
It works. Really well. One click starts a script, opens a DOS window and a browser, which is then surfing through TOR. I’ve checked, using tools like noreply.org and the IP address is obscured. Ejecting the USB key removed obvious traces from the system (I haven’t gone and looked at the registry, for instance, to see if there are traces, for instance.) And the browsing experience is basically the slow, but satisfactory, experience I’ve had browsing with TOR. (Because TOR is routing your packets through multiple machines around the world, it tends to turn the experience of surfing on university broadband into the experience of a dial-up modem.) Yes, there are some problems – stylesheet heavy pages tend to look bad as some graphics and files fail to load. Some images break. But for the most part, you can surf the web effectively, without breaking most services.
I’m looking forward to trying it out from Tunisia in a few weeks and will be asking colleagues to try it in a few other heavily firewalled nations. I’m guessing there are three hard to solve difficulties that will prevent some users from adopting this as their preferred method of surfing the net:
– Not everyone’s got a USB key. Despite the fact that you can get a crappy, low-end 32MB key for $10 in the US, that doesn’t mean the same key will be available at that price in Ghana, for instance. If someone wants to finance a few thousand USB keys, I’m happy to coordinate a program that loads them with TorPark, the RSF guide for bloggers, and GPG and then hands them out to deserving activists – let me know if you’ve got a spare $50k.
– Not all cybercafes are particularly cooperative about letting you attach a USB key to their machines. I do this all the time, and I’ve gotten pretty stealthy about it, but I have, on more than one occasion, caused someone to yell at me in interesting languages not to modify their computers. I’ve usually been able to find a machine with an accesible USB, but I wonder whether this will continue to be the case in countries like Italy, where you now need an ID to use a cybercafe.
– TOR uses a small, published list of servers that transfer and obscure packets. In a country like Saudi Arabia, which maintains a strict firewall, it seems dead obvious that firewall administrators would simply block any traffic from the 345 servers currently listed… and add any new servers to the blacklist as they came online. I fully expect TOR to be completely blocked from within Tunisia, and look forward to checking and seeing if this is true when I visit in a few weeks – if you’re able to experiment from Saudi or China and let me know what you find out, I’d be grateful for the information.
And for the rest of you – if you’ve got a cybercafe, a USB key and some healthy paranoia, Torpark has some interesting technology for you. Now available for download in Chinese, French, Slovenian, Russian, Korean, Hebrew, Polish and Turkish.
(What! No Arabic!? No Farsi? C’mon, let’s get some volunteer translators working on this…)
I’m pretty sure that in any nation paranoid enough to run a keystroke logger in cybercafes (do we know of any that do that?) this would still get you in trouble- the keyboard is still a weak point.
[And mozilla uses non-standard i18n tech, so it doesn’t have nearly as many translations as the average free software project. They’re trying to fix that, though.]
So the next trick would be to ramp up from 345 Tor servers to tens of thousands, including lots of popular destinations. I don’t know if that’s possible, but if google.com, yahoo.com, etc. were also a Tor servers then it would be little better.
Luis, kestroke logging is a great observation – it’s almost impossible to work around. I wouldn’t put it past countries like Myanmar to use keystroke monitoring. Would be very much worthwhile to figure out if this is happening before encouraging widespread use of TorPark.
Jim, I think you’re on the right track – but I’m not sure there’s an efficient way to create tens of thousands of TOR routers that are sufficiently blurred with “unblockable” sites like Google. For instance, if you use the same IP as a Google machine, wouldn’t you need to use a port other than 80 for TOR. And wouldn’t the Chinese firewall just block that IP/port pair?
Ethan: a random tech group I’m on discussed the keyboard problem a bit a few months ago; the best solution that was discussed there (IMHO) was use of accessibility tools (like onscreen keyboards) that use the mouse. Still not totally secure, but at least harder to peer in on in an automated fashion than the keyboard.
I’m glad you enjoy my program. Thanks to your post, I’ve had to create mirrors (by bandwidth usage jumped 6000% overnite.) Arabic and Farsi, eh? I’m sure I can swing that if Firefox supports it.
Let me know if you want to see anything else. I will release a messenger client routed through the TOR network soon.
Regarding what Jim Forster said, yes we would definitely like to see more TOR servers. Infact, I have made an easy to use FAQ that allows average joe user’s machine to quickly become a TOR server and client for windows operating systems. Check it out right here: http://wiki.noreply.org/noreply/TheOnionRouter/Tor4Windows
However, there are many services out there that are anti-privacy and anti-tor. A few universities in the US I have talked to refuse to run a single server, citing it against their usage policy. Wikipedia permanently blacklists anyone who has ever run a TOR server, however we are working with Jimmy Wales (wikipedia founder) to implement a solution we have designed. Another problem is the Tor network is abused by P2P filesharing networks, which certainly slows down Tor circuits, although we are working on a solution for this (turn file sharing programs like azureus into tor servers, not just clients.)
My hope in developing Torpark is to keep just one Chinese journalist out of prison, so I’ll do my best to keep developing Torpark when I find time outside of my finance classes.
Best Regards,
ST
Hey, I found your site when looking for information on TorPark. I’m in Beijing, and I’ve been using Privoxy/Tor for several months now. It’s been extremely useful for reading blogs, Wikipedia, etc. A *lot* of sites are blocked here. So as long as Tor stays under the censors’ radar, I’ll be able to use it.
My regular Internet connection is *really* poor here, so when I compound that with bouncing my packets all over the world with Tor, I pretty much have to go make a sandwhich every time I load a new page. ;) But I’m happy Tor exists.
TOR is amazing, however I just afraid that it, in future will be sued by especially goverment or company which causing serious problem with internet controlling in their country (help hacker to escape because TOR leaves no tracking). But it, in contrary will help us to be more mature to see the whole information in the world.
Glad you are enjoying it. I have developed a new method for TOR directory serving, which should effectively keep it from being blocked, if in the future, it is indeed attempted to be blocked by hostile governments.
Let me know what improvements you would like to see. More languages coming.
ST
Does torpark strip out whatever information the tor folks are using privoxy to remove?
Comments are closed.