Picture yourself peeling an onion while sending an email

Understanding onion routing and diving into the early days of Tor network

gm creators!

I hope everyone is having a great day 😎

Yesterday, I made a list of potential rabbitholes I can go through to learn more about the history of cryptography. I asked folks in the Farcaster history channel for any recs and got a decent amount of ideas! Some example topics include Shannon & information theory, crypto export laws, generations of NSA influence, etc.

You can check the post out here.

If you're new to The Bigger Picture, welcome! I'm learning & writing about cryptography from first principles.

Subscribe below so you don't miss any future TBP posts 🥂

Today at a Glance 👓

Today, I'm covering a product in the cryptography & privacy space that I've been meaning to look into forever: the Tor network.

Simply put, Tor, aka "the onion router", allows users to browse the web privately. Without tracking, surveillance, or censorship.

I'll be honest, I drank the mainstream media kool-aid on Tor a bit too much. Up until recently, I always assumed that any topic related to Tor came down to how it was a site used to sell drugs/weapons and conduct terrorist activity.

However, after doing some research and learning about the history, I'm realizing that there's a lot more involved and it's not solely this dark tool people commonly think of when they hear about the product.

In fact, since 2012, 80% of the Tor Project's annual $2m funding has come from the US State Department and the National Science Foundation.

Today's key takeaway is that although communication can be private, it's not necessarily anonymous. Those two words are not interchangeable.

Sections below:

  1. Traffic Analysis Stalkers

  2. Navy Officers Peel Onions

  3. The launch of Tor

Let's dive in 🚀

Traffic Analysis Stalkers

Until the mid-90s, the majority of discussion and development in cryptography was centered around encryption, the art of obscuring a message. This involves thinking of unique, unbreakable ciphers that others can't interact with unless they have a key.

However, this only solves one half of the equation. Though the message is encrypted, a bad actor can still track the address of the sender and recipient. In the image above, it's clear to any third party that the message is going from Alice to Bob.

The communication itself is private, but the communication channel is still up for grabs.

This security practice of studying the channel rather than the message is known as traffic analysis.

Traffic analysis doesn't focus on the content of messages, but rather on the surrounding details - the metadata. This includes details such as sender and recipient addresses, timestamps, frequency of communication, and packet sizes. Over time, with enough data points, an observer's guesses can paint an alarmingly accurate picture of organizational structures, hierarchies, and intentions.

For example, let's say that the president was planning on executing a military operation in Texas. If enemies tracked communication to and from DC and the Fort Worth military base, it would be clear to enemies that something is brewing in north Texas. That would give them enough time to make preparations and move resources.

Traffic analysis is the same as not knowing the password to your friend's phone but being able to see the notifications and make educated guesses about what's going on based on the name of the sender, time, and frequency of texts.

If you catch your boyfriend getting a notification from Alice every night at 11 pm, then there's probably a good enough reason to approach him about it even if you don't know what the message is.

That's traffic analysis in a nutshell.

  • Who is searching x database?

  • Which companies are collaborating?

  • Why are these two individuals e-mailing each other?

  • When did you shop at this store?

This pattern matching can serve as a major security flaw for not only the government, but also corporations and people. Encryption by itself only provides half the security.

Navy Officers Peel Onions

Finally, in 1995, with the funding of the US Naval Research Laboratory (NRL), computer scientists Paul Syverson, Michael Reed, and David Goldschlag got to work on solving this problem. After testing countless ideas, the three brilliant minds were able to come up with onion routing.

Research Paper

One of The Bigger Picture subscribers mentioned he enjoyed the mailbox analogy for asymmetric encryption, so I'll try providing a similar example here.

Picture yourself as a 5th grader

Imagine you're in primary school and want to send a note to your crush, Alice.

You put the note in an envelope and need to get it to her without letting anyone know that you are trying to ask Alice to the school dance.

So you decide to make a chain of people in your class to get the note to her: You --> Jim --> Emily --> Cameron --> Dan --> Alice. For each handoff in the chain, you put the envelope in a larger envelope. Each person will unseal their envelope and will only see the name of the person they need to hand the letter off to.

They have no idea how many others are involved in this message chain nor do they know the names of everyone involved.

Eventually Alice gets the original envelope after all layers of the onion have been stripped away and reads your note. Even if Alice wanted to send a note back to you through the chain, she wouldn't be able to.

This layering and peeling process is known as onion routing. The diagram below is from the original 1996 briefing given to the naval research office.

1996 Briefing
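The envelope chain above, written out as code. This is an added example, not part of the original post or of Tor's code: the cipher is a toy SHA-256 keystream standing in for real encryption, and the per-person keys in `KEYS` are an assumption (you are assumed to already share one secret key with each classmate).

```python
import hashlib, hmac, json, os

PATH = ["Jim", "Emily", "Cameron", "Dan", "Alice"]   # the chain from the analogy
KEYS = {name: os.urandom(32) for name in PATH}       # assumption: one shared key per person

def _stream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode), a stand-in for a real cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    # One envelope: nonce || ciphertext || MAC tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Only the holder of the right key can open this layer.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("not my envelope (wrong key or tampered)")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def wrap(note, path, keys):
    # Build from the inside out: Alice's envelope first, Jim's last.
    blob = seal(keys[path[-1]], json.dumps({"next": None, "data": note}).encode())
    for hop, nxt in zip(reversed(path[:-1]), reversed(path[1:])):
        layer = {"next": nxt, "data": blob.hex()}
        blob = seal(keys[hop], json.dumps(layer).encode())
    return blob

def deliver(blob, path, keys):
    # Each holder peels one layer; record (holder, received_from, hands_to).
    seen, prev, holder = [], "You", path[0]
    while True:
        layer = json.loads(unseal(keys[holder], blob))
        seen.append((holder, prev, layer["next"]))
        if layer["next"] is None:
            return layer["data"], seen
        blob, prev, holder = bytes.fromhex(layer["data"]), holder, layer["next"]

if __name__ == "__main__":
    note, seen = deliver(wrap("Dance with me?", PATH, KEYS), PATH, KEYS)
    for holder, prev, nxt in seen:
        print(f"{holder}: got it from {prev}, hands it to {nxt}")
    print("Alice reads:", note)
```

Note what each record contains: Jim knows the envelope came from you but not that it ends at Alice, and Dan knows it ends at Alice but only that it came from Cameron. No single person in the middle can connect both ends of the chain.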

In the following years, the team continued to iterate on their ideas. After seeing some initial success, DARPA (the Defense Advanced Research Projects Agency) provided additional funding as well.

And by 1998, the gen 0/1 network was continuing to grow. They had 13 active nodes participating, one of which was in the Canadian ministry of defense.

An average of over 50,000 hits per day occurred during the final months, or more than 1 million connections per month. Peak reported load of 84,022 connections occurred on 12/31/98.

Timeline of Onion Routing

However, this magical anonymity tool was still within government intelligence circles.

The launch of Tor

By the early 2000s, the development of onion routing had been pretty successful - more and more people outside the naval research labs were starting to take notice.

DARPA decided to fund Roger Dingledine, Nick Mathewson, and Paul Syverson (who helped create onion routing) to build Tor, or "The onion router". These guys essentially brought the ability to communicate anonymously to the public.

Here is Tor's mission statement on their website:

To advance human rights and freedoms by creating and deploying free and open source anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding.

Over time, the project started to receive support from various organizations involved in protecting digital rights such as the Electronic Frontier Foundation (EFF). This helped the team launch extended features such as the Tor browser, hidden services, bridges, etc.

In 2006, the Tor Project became a 501(c)(3) non-profit to ensure Tor's development wasn't tied to government funding and could also receive donations from individuals, NGOs, etc.

In the past 20 years, Tor has been an essential tool for journalists, law enforcement officers, whistleblowers, bloggers, and militaries. Contrary to common belief, a lot of Tor's activity comes from seemingly normal people just trying to browse the web securely.

For many of us in developed, western countries, it's important to remember that there are still innocent people around the world who are censored daily by oppressive regimes and have to be careful with every step of their digital footprint. It's literally a matter of life and death.

Tor Website

Of course, with any powerful tool, there are always two sides to the story. Though Tor has helped countless individuals stay protected in the name of good, there are a few bad actors who have used Tor's privacy to conduct illicit activities. This is where the idea of the dark web comes from. By using the combo of Tor & Bitcoin, people can anonymously communicate and transact.

However, it's worth noting that even Tor isn't foolproof. In fact, there are countless examples of the US government using traffic analysis and malware to bring down illegal markets. In 2013, Ross Ulbricht, the founder of the Silk Road, was arrested after agents noticed an initial security flaw he made in his site. And in 2017, AlphaBay and Hansa, two of the largest dark web marketplaces, were seized and shut down.

I thought this comment from a user on r/Tor was well said:

Yes. Because some bad people do in fact use Tor. The evidence so far seems to be that they cannot perform full de-anonymization attacks against everyone at all times (or that they are unwilling to spend all that money on storage of that massive amount of data). Instead it seems they prefer much more targeted attacks against specific people or groups of people. Further, it seems that very bad exploits in popular Tor software such as Tor Browser are rare and expensive. Thus these adversaries are not willing to use them widely for fear of it being discovered and fixed before they can catch good targets, and instead they prefer to save their hard-to-obtain exploits for very juicy targets. The average American is not a juicy target.

Tor is an active, ongoing project. There are still concerns in its architecture regarding "exit nodes", the potential for countries to block Tor activity, and de-anonymization attacks.

Furthermore, the biggest blocker Tor most likely faces is its public perception. Even people within the tech and privacy community think of using Tor as a complicated and daunting task. The spectrum of perception is concentrated on either end: a government surveillance tool or a terrorist communication website. Finding that middle ground will be crucial to Tor's future.

As the cryptocurrency market post-bitcoin evolves in the next few decades, it will only get more interesting to see how anonymous communication & transacting trends continue to grow. The pseudonymous economy will also inevitably rise as people realize that they are able to work, spend, and earn completely anonymously online.

That's all for today's post - if you enjoyed, I'd love for you to share with your friends in crypto :)

Remember, all posts are collectible as well! Just connect your wallet and mint away.

Also, if you haven't already, please join The Bigger Picture community by hitting the subscribe button below. You can connect your wallet or add your email!
