Episode 47: The Problem with the Tor Network and Commercial VPNs

Ben Wilde | Security First, Podcast

When the US House of Representatives passed a controversial law about Internet privacy earlier this year, several news outlets published security advice suggesting that you should use the Tor network or a commercial virtual private network (VPN) to protect yourself. Both of those suggestions turned out to be bad ideas. In this episode, Ben Wilde talks with Dan Guido, the founder of a New York-based security consultancy called Trail of Bits, about the trouble with the Tor network and commercial VPNs.



Dan Guido:  I strongly advise against Tor, unless you have a very specific reason that you need it. If you’re browsing the Internet through the Tor browser, it is easier for people to write exploits that break into your computer, when you use that, as compared to using the latest version of Chrome or the latest version of Internet Explorer.

Jon Prial:  That’s Dan Guido saying what he really thinks about the Tor network. Back in March of this year, the United States House of Representatives repealed a law that had been passed by the Federal Communications Commission under the Barack Obama administration.

Soon after that story broke, several news outlets, including CNN, started publishing security advice that suggested people should consider using Tor to protect themselves or pay to use a commercial consumer VPN provider. Both of those are bad ideas, as you’ll hear today from our guest, Dan Guido, in his conversation with our own Ben Wilde.

Dan is the founder of Trail of Bits, a New York-based security consultancy that focuses on helping clients solve hard security problems. They’re very hands-on. They go deep and have a reputation of being some of the best in the business.

They’re also the team behind the new Algo VPN Project, which is seeking to make a free, high-quality, self-hosted VPN available to all, and one that really protects you. I’m Jon Prial and welcome to the Impact podcast.


Ben Wilde:  Thanks for taking the time to be on the show today, Dan, really appreciate you joining us. Let’s kick things off with a bit of background about yourself and how you came to be where you are today.

Dan:  I’ve always known that I wanted to be in the security industry. Back when I was in high school, I was pulling pranks on my computer teachers. Once I got to college, I ended up running the Security Lab at what was then Polytechnic University, what is now NYU Tandon.

I’m part of the first class of engineers that has formal training in this field. Anybody a year younger than me is going to have it. Anybody a year older than me danced around the industry. I worked in a startup. I worked in the Federal Reserve Banks doing incident response.

I worked in an application security consultancy and I realized there was a problem that everybody was delivering these PDF reports and all the consulting that people provided was very arm’s length away and not actually approaching solving problems for their clients.

I founded Trail of Bits with the idea that there is more that we can do and we know where most of the bugs are. Why not take a shot at fixing them?

Ben:  Talk to me a bit more about Trail of Bits and how you see it differing from your more typical security consultancy. In particular, I think it sounds like the team likes to go deep, but how deep really? What sort of projects do you typically get involved with?

Dan:  Trail of Bits is a software security research and development firm located in New York. We have about 26 employees. We help companies write secure software and we help them test it. We will come in and audit your software if you needed to refocus on low-level attacks, C, C++ software, distributed systems.

High-trust stuff is what gets us out of bed in the morning. We like to work on the hard problems. We also excel at coming in and writing a security library, a static analysis library, a custom fuzzer, tools that fill gaps in your projects, where you know there are problems. You don’t need someone to tell you about them. We can help you fix that.

Ben:  The Algo Virtual Private Network, that’s one of your more recent projects and we’ve actually started using it ourselves as part of our own push to improve security at Georgian Partners. For those who might not be familiar with it and VPNs in general, can you walk us through where the idea for that open‑source project came from?

Why you think it matters? Maybe a little bit more about what’s wrong with other approaches.

Dan:  Just like any good project, this came from a personal itch that I needed to scratch. I spent a large amount of time last year in Berlin because my girlfriend got a contract out there and moved there for a year. While I was there, I really wanted to protect my Internet traffic. I didn’t want all of the European ISPs to get a peek at what I was looking at and the websites that I went to on the Internet.

This grew out of a personal need. I started off by deploying some other open‑source software, a tool called Streisand, but I immediately got dismayed once I realized how much software is installed by that tool.

As a security expert, when I’m given a server that has about 40 different services running, and it has a Tor relay node, and it has crypto keys that I can’t even manage, and software that I know I now need to update and maintain, I looked at that and said, “I can’t do this. There’s no way I could maintain this server now.”

I didn’t think anyone else was capable of doing it either. I realized there was a problem here. I wrote a script that just did exactly what I needed and nothing more. That snowballed into Algo over the period of a few months.

Ben:  It started off as a personal thing. It’s somewhat snowballed. Can you talk a bit more about how you’re using it internally yourselves at Trail of Bits and what’s been happening to transform it from this personal project into something much larger?

Dan:  We use it for corporate travel. My employees use it when we go to conferences, that kind of thing. Some people use it at home. Once this flashpoint of the FCC restrictions around ISP commercialization rules hit the public, interest in this project just exploded.

Ben:  Let’s get into the whole FCC privacy dynamic a little more. What was it that happened back in March with the repeal of the Privacy Rule that the FCC had put through under the previous administration that kicked off this interest in Algo and VPNs in general?

Dan:  My understanding of the FCC rules is that a lot of ISPs would like to compete with Google. They see advertising companies packaging up data and finding a way to benefit from it. Many people do it in many different ways.

I actually feel like Google is probably the best of the bunch here. They’re very transparent with what they collect and they’re not really selling it to anybody. They have these great programs, where all the ads they serve now are HTTPS, including on the back ends.

That’s cool, but there’s other companies out there that are really abusing this data for personal profit. The ISPs that are selling you your home Internet connection saw an opportunity here, like, “Oh, we could do that too. We have access to more data than Google does.”

With any advertising provider, you have to go to a website where one of their ads is located. Then, that company gets your data. With an ISP it’s every website you go to. There’s no way to turn it off really, unless you call off your ISP and stay turned off.

They felt this could be a new revenue stream, especially with rules around network neutrality. They’re not allowed to charge content providers for the traffic they use. They just give them a big dumb pipe. They lobbied Congress to roll back this rule that prevented them from this opportunity to monetize your data.

Ben:  What is the answer to the problem, then? Our read of the advice that came out at the time was that a lot of it seemed pretty half-baked; it didn’t seem like particularly good advice. What are some of the things that folks need to be doing, or perhaps need not to be doing, to keep their data private and themselves safe online?

Dan:  A lot of people rush to “Well, what is the best technical solution to this problem, because I don’t trust politicians to solve it very quickly?” What they landed on was, “Well, you should encrypt your network traffic with a VPN,” instead of allowing your last-mile ISP to see it, and by that I mean the company you get your cable modem or your DSL modem from.

A VPN will hide your activity from that last-mile ISP, so that first leg of the connection is private. There are a lot of VPN services that are out there. They’re hosting providers, people that centralize and aggregate a lot of data from a lot of people. They take a monthly fee.

With Algo, we took the opposite approach. We want people to control their own data. We don’t want you to get aggregated with other people. We don’t want you to share the same network pipe with anybody that’s doing something criminal. We offer a set of scripts that are free, that allow you to set up your own self-hosted personal VPN server.

It works across all the devices you’ve got. We wanted to ensure you don’t have to install additional software. It uses the most secure defaults available. It uses all the best crypto, all the best settings, so that the services that we deploy with you are safe. That’s what we did and that’s why people are interested in it.

Ben:  Can you talk a little bit more about the risks surrounding commercial VPNs? They’re pretty widely used and it seems that they’re not very well understood. Why are they so bad?

Dan:  Yeah. We generally consider commercial VPNs to be like a honeypot. They paint an enormous target on the back of whoever is operating that VPN because now a hacker, or a government, or a VPN company’s employee knows that they have all this data going through a single point. They know that if they sniff that, if they manipulate it, they’ll get access to hundreds of thousands of people’s data at one time.

These services attract that. A hacker knows, “I can get to 100 people’s data if I break into a VPN provider.” Law enforcement knows that there are tons of people using these services for criminal reasons, so they need to find a company running this VPN and start tapping that traffic.

You are potentially putting yourself at higher risk by using one of these services because now you are co-located with everyone else, where you might unintentionally get swept up in some monitoring or backdoor or other opportunities to spy on you.

A lot of the response to the FCC rule change has been counterproductive for many people because they’ve ended up using these VPNs that put them at greater risk. There’s other problems with them too. A lot of them are using extraordinarily weak cryptography and weak protocols because they want to support the most devices.

With Algo, we only support the latest devices. It’s my opinion that if you have a five-year-old phone and you’re trying to use a VPN, you’ve got bigger problems. There are ways that your phone could be compromised or be leaking data or get hacks that are going to be a greater problem than your communication security. You should probably fix that problem first.

We only support the latest devices. That allows us to also only support the best crypto. Other commercial VPN services need customers and they want you to pay for it, so they have to support everything. They end up supporting weak crypto and they have static keys. They have old protocols that we don’t like.

There’s ways this stuff fails in practice. There’re plenty of good attacks on systems like that.

Ben:  Is this mostly just an SMB issue, small to medium business, or is it really also an issue with enterprise VPN solutions as well?

Dan:  This problem is particularly acute in the SMB market. We find that there are many small companies that have some consultant come in and set up a VPN server, and they’re running a network appliance that hasn’t been patched in five years. It’s running IKEv1 with an aggressive mode setting, with a weak key.

It just leads to a situation where, again, they’re relying on something that’s supposed to make them more secure, a VPN, but in fact it just aggregates all the traffic to your company down a single pipe. The protection that pipe offers is actually weaker than if you just went without it.

I hadn’t had a lot of hands-on experience with a lot of these enterprise commercial devices prior to this. I’ve been floored at how poor the default configurations of them are and how insecure the management panels for them are. The only way that I’ll trust any of these devices is if I build it myself on open-source software with my own scripts.

We’re actually looking at some ways that we can bundle up a box that does something similar to what we do with Algo, add things like code signing to it, which I haven’t seen any network appliance vendor do. You really should interrogate your vendors before you buy these pizza boxes for your company.

Ben:  The Tor network was one of the solutions that was put forward in the media when the FCC rule change was announced. Can you talk to us a little bit more about Tor and why you think it’s such a bad idea? After all, isn’t it supposed to be a network that helps you stay anonymous online?

Dan:  Yeah. Tor has many issues that are not adequately described by the organizations that push it. The chances are that you probably don’t need Tor. Chances are you probably don’t understand the risks you take by using it. The chances are that you’re probably better off with your own personal VPN for whatever it is you need done.

There are very few people for whom Tor offers benefits that they actually need.

Ben:  What are some of the specific issues with Tor?

Dan:  There’s a couple of issues. First off, the network itself can’t be trusted. It’s very easy for random people to set up what are called exit nodes. Those exit nodes are the routers in the Tor network that actually a lot of network traffic passes through.

It’s an opportunity for somebody to sniff that traffic, to modify that traffic. In the past, there have been many documented cases where this has happened. Almost every time you go looking, it’s easy for researchers to find what are called malicious exit nodes, basically a person that’s monitoring traffic through the Tor network and manipulating it.

It spans the gamut from state-sponsored attackers, like a Russia-based APT group that was adding malware into people’s downloads, to individual hackers that have been sifting through data to find passwords that were going through it in unencrypted network communication.

Even WikiLeaks, when it first started, the original document set that WikiLeaks put on the Internet was documents they collected by running a Tor exit node. The network itself, no matter how you access it, is hostile. You should assume that when you’re sending traffic into the Tor network, there’s somebody looking at it.

That’s different because I can sit down and I can run a Tor exit node. I can offer to the Tor Foundation, like, “Hey, I have, you know, a box in a colo and I’d be happy to let you pump like 10 megabits per second of traffic through it. Here’s what you need to hook me up. Go ahead and send some traffic.”

I can do that and I can get access to tens of thousands of people’s network traffic that way. What I can’t do is I can’t call up Verizon and say, “Hey, can you route customer x, y, z’s Web browsing through my machine now?” I would have to break into Verizon to do that.

You actually put yourself at more risk and a greater likelihood that you’re being surveilled by going through Tor than if you just stick on your regular home ISP. That’s the case for most people that are using Tor.

Then there is a problem of accessing the Tor network. The software that most people use to access the Tor network is the worst, most insecure set of browser components available. I’m talking about the Tor browser bundle. It is an out-of-date version of Firefox that lacks proper exploit mitigation like sandboxing, that has a unique network signature that a network owner can detect.

It makes you stick out like a sore thumb. It’s also because it’s out-of-date and because it’s easy to exploit, people do exploit it. If you’re browsing the Internet through the Tor browser, it is easier for people to write exploits that break into your computer when you use that, as compared to using the latest version of Chrome or the latest version of Internet Explorer.

Not only that, but it also creates a monoculture. Everybody using the same copy of the Tor browser bundle means that I only need to write one exploit, instead of writing maybe 10 or more than that. I know that all the sketchy people on the Internet are using the Tor browser bundle, so I just need one exploit to get them all.

That’s easier from an attacker’s point of view than it is if you’re running an up-to-date version of Chrome that updates on its own every two weeks, where there’s four different channels of it and they’re changing features all the time. I strongly advise against Tor, unless you have a very specific reason that you need it.

Ben:  Let’s switch gears for a moment. Getting good security advice is hard because it’s often difficult to know if the person that you’re talking to really knows what they’re talking about or not. You’re in this industry, obviously, but how do you solve that problem?

How do you get good advice for the parts of the field that you’re not yourself an expert in? How do you find that advice that you can trust? How would you recommend that our listeners, most of whom are not security pros, can go about getting good advice for themselves?

Dan:  In order to solve this problem for myself, what I did is I created a meetup group here in New York. It’s called Empire Hacking. I have people from Trail of Bits demonstrate their expertise and share our knowledge at this group. I also invite and personally curate talks from other companies that I think our members would be interested in.

It’s very much based on personal connections and trust. It’s an unfortunate reality in our industry that it’s very easy for any random person to pretend that they know everything that’s going on. It’s very easy to fool people.

Having that network to fall back on, where if you’re in Empire Hacking, it’s very easy for you to get a recommendation of who’s the right person to speak with. I think the most beneficial activity I’ve seen firms do is go out and meet people. Meet people in your city that are in your tech industry, that focus on the security industry, and talk to them.

It comes down to a people problem. Unless you hire somebody that knows what’s going on, it’s difficult for you as a non-security expert to even judge if what you’re doing is right or not, or who you’re speaking to is knowledgeable or not. Either you’re an expert or you’re not in this industry. If you’re not, it can be very difficult to get to a good place.

That first hire you make for security is critical because they’re going to be your gateway into the rest of this area of knowledge and the rest of the community that’s present.

Ben:  What’s next for the Algo project? What are you focusing on now to get it even more successful and even more adoption?

Dan:  The problem that I have to solve is I have to make Algo as easy to use as possible. Once I reduce all that friction, it’s harder for you, where you is some other company looking to set up a VPN, it’s harder for you to make a mistake because you’re choosing the easiest option. In this case, the easiest option is the right one.

I care a lot about the user experience of Algo, and we’re very aggressively eliminating steps that take place during the install and finding ways to automate aspects of that. Right now, you have to open a command line, but I bet in about a month you won’t have to.

A lot of the other scripts that you might find that set up VPNs for you, again, they’re going to use out-of-date crypto. They’re going to just do insecure stuff that they shouldn’t. You had to think to use Algo maybe, but you didn’t have to think to use this other thing. That’s the same reason why people get in trouble with products.

“Oh, if I just throw some money at this, problem goes away.” That’s an easy choice for you to make. I want to make Algo the easiest choice and I want the easiest choice to be the right choice.

Ben:  Any other steps that you take at Trail of Bits to keep yourselves more secure? Are there any tools that you recommend?

Dan:  Inside Trail of Bits, we do require everybody uses HTTPS everywhere because whether or not you use a VPN, you always want to have an end-to-end encrypted connection to the website that you browse. In a lot of ways, that’s a really good companion to a VPN.

That protects not just the first leg of your connection, but also the last leg of your connection, because it covers the entire conversation. We ensure that all of our engineers, all of our employees, when they travel, when they go to conferences, when they go to client sites, are using VPNs.

Inside our office, we’re not. Maybe that’ll change, but for the moment we feel pretty OK with just an up-to-date version of Chrome, an HTTPS Everywhere plug-in, and some two-factor auth tokens and keys. That works for us.

Ben:  Thanks, Dan. I really appreciate your time. Look, just before we go, you did mention something there called HTTPS Everywhere. Could you talk a little bit more about that and what it does?

Dan:  Yeah, sure. HTTPS Everywhere is a nice little plug-in that automatically upgrades connections to websites where HTTPS is available but not the default. There are many websites that have turned on TLS, but they don’t redirect or force you to connect to it unless you do it manually, unless you type in HTTPS or get a link to the HTTPS version of their website.

This little plug-in just watches as you browse, and if you go into a website where that is a feature that’s available, it bumps you up to the more secure version. This is something that’s occurring in parallel as now people are very interested in VPNs. Over the last year, a lot of people have been very interested in deploying TLS.

Trail of Bits has been a corporate sponsor of Let’s Encrypt. We’re all encouraged by the rapid adoption of not just TLS, but also better standards for TLS and better cipher suites for TLS and the upcoming TLS 1.3 change. All these things are good companion pieces to a VPN.

If the entire Internet were encrypted, if it was not possible to use HTTP without TLS, then you wouldn’t need a VPN really, but that’s not going to happen. [laughs] There’s still reasons why you want a VPN, but it’s better overall for everyone if more of the Internet uses HTTPS.