Decrypting traffic from exit nodes

I have just read here of the alleged persecution of a US relay operator. This troubling account includes the following sentence:

Conrad’s ordeal began when he refused to help the FBI decrypt traffic from his exit nodes.

I have the following question:

What exactly can the feds - or anyone else for that matter - learn from a “decrypt” of exit node traffic? My understanding is that https guarantees that traffic exiting Tor remains encrypted until it reaches the nameserver resolved by DNS - i.e. the site’s host, or a 3rd party nameserver like Cloudflare - if the site owner uses such MiTM services. If a Tor user has visited an http site, no “decrypt” of exit traffic will be needed in any case. Traffic to onion services (.onion addresses) is also end-to-end encrypted, so what exactly is there to decrypt in a relay operator’s exit node traffic?

This is all speculation.

Maybe the node(s) were in a country where the FBI has no jurisdiction. If it was a US exit node, then they could force the data center to give them a feed of what comes out. They could have broken into his node (maybe), but then the info gathered would not be admissible in court, only usable to further their investigation.

My idea is that when the packets go from the exit node (or VPN) to the target server they would look the same as coming out of your router, except for the source IP, which would be that of the exit node.

So what would the FBI get? They get the target IP and they get the starting packets for a new server connection. You know: the SYN, SYN-ACK, ACK handshake then all that stuff for encryption between the server and client using the server certificate.

I was curious yesterday about why VPNs make all their claims about privacy. I don’t believe their claims about malware and viruses. Like Tor, these could come to you encrypted by the server. I had not done any Wireshark stuff for a long time, so I did a bit of digging. Using a splitter I captured a packet stream from a test machine to CNN. When doing their certificate thing I actually saw, in clear-text, the words cnn.com. WTF? This is what a VPN can hide from your ISP and thus claim to be more private. Of course, a US VPN or ISP would have to disclose this.

Is there anyone who can validate what I saw in my capture?

I had one private exchange with the author of that thread in which I asked:

“Why this node, his node?” What was so special about this one? Traffic can exit from anywhere in the world. There is no guarantee this one has or will have any interesting traffic worthy of decrypting. I could speculate but would be out in left field. I can understand not wanting to help decrypt traffic because Tor is about privacy… but again, why this exit node?

She told me her husband ran multiple, high-bandwidth exit nodes and they believed his nodes were being used by individuals or groups they had a high interest in monitoring. They tried to recruit him to be an asset and his refusal triggered their action she speaks of in her post.

I assumed it was impossible to determine exit nodes. I guess big, bad, fast exit nodes have a higher probability of carrying traffic from these people of interest. Sounds like a flaw to me. If that is all it takes, then why not just build a series of the biggest, baddest, fastest exit nodes and spread them across the world? Then there is no need to involve a third party. They have unlimited money and resources.

Another thing the exit node has is the IP of the middle node. Can this be useful?

This node also has the encryption key of the first Onion Ring to encapsulate the encrypted return traffic from the server. I assume https. This is also the last Onion Ring to be decrypted by the browser before putting the server response onto the screen. Could the exit node insert something into its Onion Ring which could cause the user to be identified? Maybe I watch too many espionage programs.

What you saw is the SNI (Server Name Indication), an unencrypted part of the TLS connection to the web server which indicates which exact site you want to access on that server.

In short, even if the HTTP connection uses TLS, you still leak the full domain (with subdomain) of the site you are accessing to anyone on the way from you to that site (like your ISP and so on). This is why ESNI/ECH have been standardized, but not many have implemented them, so at this moment Tor or even a 1-hop VPN can help with this, as they add another layer of encryption for your connections so that the SNI part is invisible to potential traffic observers, except the exit node, or within your LAN if you use some central-point VPN/Tor scenario (like on the router rather than on individual machines).

Yes, I remember now. I did see the word SNI but did not know the meaning and did not follow up. Seeing the full domain was enough for me.

It does validate what I saw in my capture and not some misconfiguration in Wireshark.

Good to know.