It's All About Entry and Exit Nodes
Preface
I want to leave the politics of using and breaking encryption to politicians and those who make laws, and only outline the technical nature of the usage of encryption, and the feasibility of restricting its access. Overall I worry that we can fall into large traps in terms of what decision makers think they can do on modifying the operation of the Internet and its associated protocols - typically it involves breaking the existing trust models for the Internet. An article related to Kazakhstan's plans is here, and in this article I'll outline the technical feasibility of blocking Tor and free public wi-fi (as planned in France).
Entry and exit nodes
So the Internet has thrived for over 40 years, without interference from governments of the world. It has typically done this not be going through standards agencies, such as the IET and ISO, but through RFCs (Request for Comment) documents. The true genius of the developed protocols was the Ethernet, IP and TCP, could support a whole lot of associated protocols. The IP protocol could support a whole lot upper level protocols such as UDP, RIP, and so on, and TCP could support many application layer protocols, such as HTTP, FTP and TELNET.
Now, though, governments of the world are starting to rain back this development, and look to put in place barriers. With so many different ways to secure data, governments are now trying to find ways to restrict access. In Kazakhstan there are plans for creating a security certificate for every tunnel created [here], and now in France, the government is planning to ban Tor and forbidding free and shared wi-fi connections (as law enforcement often struggle to trak individuals who are using public wi-fi networks).
For Tor, the only real way to ban the communications is to examine the gateway node, so that a connection could be made from inside France, but where there would be a list of Tor gateway nodes, which would be banned. While the concept of banning Tor traffic, it is technically difficult to block, as network packets will only show the next hop in the chain, and these would be difficult to block. The exit node is only see at the last hop.
At present China block the entry nodes, which are publicly listed, but it is also possible to use non-public entry nodes, known as “bridges". It would seem that a model that France could use is the one used in China. Overall it is not possible for an ISP to see the destination site within the traffic, and could only determine if Tor was used if there is a known entry node used for the traffic.
Here is an outline of Tor:
Tor
The Web traces a wide range of information, including user details from cookies, IP addresses, and even user behaviour (with user fingerprints). This information be used to target marketing to users, and also is a rich seem of information for the detection and investigation of crime. The Tor network has long been a target of defence and law enforcement agencies, as it protects user identity and their source location, and is typically known as the dark web, as it is not accessible to key search engines such as Google. Obviously Tor could be used to bind to a server, so that the server will only talk to a client which has been routed through the Tor network, which would mean than search engines will not be able to find the content on them. This is the closed model in creating a Web which cannot be accessed by users on the Internet, and only by those using Tor. If then users trade within the dark web servers with Bitcoins, there will be little traces of their transactions.
With the Tor network, the routing is done using computers of volunteers around the world to route the traffic around the Internet, and with ever hop the chances to tracing the original source becomes reduces. In fact, it is rather like a pass-the-parcel game, where game players randomly pass to others, but where eventually the destination receiver will eventually receive the parcel. As no-one has marked the parcel on its route, it’s almost impossible to find out the route that the parcel took.
The trace of users access Web servers is thus confused with non-traceable accesses. This has caused a range of defence agencies, including the NCA and GCHQ, to invest methods of compromising the infrastructure, especially to uncover the dark web. A strange feature in the history of Tor is that it was originally sponsored by the U.S. Naval Research Laboratory (which had been involved in onion routing), and its first version appeared in 2002, and was presented to the work by Roger Dingledine, Nick Mathewson, and Paul Syverson, who have since been named, in 2012, as one of Top 100 Global Thinkers. It since received funding from Electronic Frontier Foundation, and is now developed by The Tor Project, which is a non-profit making organisation.
Thus, as with the Rights to remain private, there are some fundamental questions that remain, and it a target for many government around the World. In 2011, it was awarded the Free Software Foundation’s 2010 Award for Projects of Social Benefit for:
Figure 1 shows a Web browser application setup for Tor. It uses onion routing and also the HTTPS protocol to secure the accesses. With Tor, too, the path between the two communicating hosts is also encrypted, which creates a tunnel between them. To focuses more on the security of the communication over the Internet, and less on the preserving the anonymity of the user. It is, though, often used for proxy accesses to systems, where a user wants to hide their access.
Figure 1: Tor Web browser
Conclusions
Any nation which wishes to constrain the Internet will prompt many questions about free-of-speech and in holding back economic development. As a purely technical person, I am really struggling to see how many countries would properly implement a system which could block (or restrict) the usage of secure tunnels. These tunnels are there for a reason - they protect users from malicious sources, such as fraudsters and cyber criminals - and we must be careful about breaking the Internet, as it is fragile enough without breaking it further. Nations of the world need to understand that their physical borders have virtually no presence on the Internet, and that much of the control of the Internet resides within the Cloud Service Provider, such as Facebook, Google, Amazon, Twitter, and Microsoft, and it is these companies who drive the Internet.
One must wonder the use of banning Tor, if a person can just use a secure tunnel to their Cloud Service provider, or where they setup a secure tunnel to a VPN server? Every time HTTPS is used, there is no way that the communications can be examined. And what's to stop someone encrypting the data at source, and then sending a Base-64 version in the email message?