Cs leek and onion soup image 03 small 02

Leak and Onion Soup


Using Tor to investigate sensitive leaks

Upon glimpsing a mysterious light at the far end of a dark alley, say, or hearing one's name whispered from around a corner, one could be forgiven for trying to sneak a peek before charging ahead. Unless you are are a grizzled investigative journalist with a well-known publication, a fearless editor, a stable of lawyers, a well litigated shield law, a stack of Pulitzers and a fresh backup of your hard drive, you can probably imagine a lead to which you might respond with similar caution. Citizen investigators looking to remain near the middle of the cat spectrum — somewhere between scaredy and killed-by-curiosity — must occasionally dip a toe in before taking the plunge.

Highly sensitive leaks sometimes fall into this category. Leaked data could contain malware. Or they could have been obtained illegally. Or the lead itself could be a spear phishing attack. Or it could be bait. And the act of possessing those data could be illegal until you are able to demonstrate their relevance to the public interest. Or it it could remain illegal regardless. Or you might be the wrong audience. And even if you know someone who could accomplish more with the information, you might be less comfortable sharing a leak than you are receiving one. At least publicly.

This all depends on context, of course. But it also depends on the data themselves. Which you haven't seen yet. At this point, the leak is still down the alley and around the corner.

This guide is about Tor ("the onion router"). Tor is a piece of software that can help you hide your interest in something until and unless you decide to make that interest — or that something — public. To be clear, there is no purely technical solution to these challenges. There is very little that software can do to help address social, political and ethical issues related to the investigation, verification, analysis and publication of sensitive leaks.

So, yes. Experience, legal advice and trusted relationships are almost certainly more important than anonymity when it comes to shielding your sources, protecting yourself and bolstering your investigation. But using Tor is something you can do right now. And unless Tor is criminalised where you work, it is unlikely to hurt, likely to help, and easier than you might think.

The structure of this guide

This guide contains two main sections. First, we will discuss how Tor can be used — through the Tor Browser or Tails — to avoid leaving a trail from your own Internet address to those of the websites you visit.

In the second section, we will look at onion services (also known as Tor hidden services), which can only be accessed through Tor. Onion services are designed to hide their own physical locations and to ensure that all visitor traffic is more fully encrypted and more reliably anonymised. They are widely used by whistle blowing platforms like SecureDrop to protect the identity of anonymous sources, but this section will focus on OnionShare, which allows individuals to exchange files without exposing the connection between them.

Tor and Tails

The Tor Browser — an up-to-date, free and open-source, privacy optimised version of Mozilla Firefox — is the most reliable way to use Tor. And Tails is the safest way to use the Tor Browser. Tails is a Linux operating system (OS) that can be run from a USB stick without affecting the OS or the data that normally live on whatever computer you happen to be using. It relies on the Tor Browser for web traffic, but it routes other Internet traffic through the Tor network as well. It also ensures that anything you save to disk is encrypted.

Everything in this guide applies both to the Tor Browser and to Tails.

The Tor network is made up of several thousand servers that are scattered all over the world and run by volunteers. Every time the Tor Browser makes a new connection, it selects three of these Tor relays and connects to the internet through them. It encrypts each leg of this journey in such a way that the relays themselves do not know the full path through which it sends and receives data.

When you request a website using the Tor Browser, your request will appear to come from a different IP address, often in a different country. As a result, the Tor Browser hides your network location from the websites you visit while also hiding the websites you visit from others who might be monitoring your traffic. It also ensures that no single Tor relay can figure out both your location on the internet and the websites you visit (though some of them will know one or the other).

Because Tor hides the connection between you and the websites you visit, it allows you to browse the Web anonymously and avoid online tracking. It can also help you circumvent online filters in order to access content from — or publish content to — a website that would otherwise be blocked by your ISP, your employer, your government or some other wouldbe censor.

A basic Tor connection

The steps below illustrate a request from Alice, who is using the Tor Browser, for a website running on Bob's server. You might also want to have a look at this YouTube video about Tor, which was created by the Centre for Investigative Journalism to explain how the anonymity network operates.

Step 1 Obtaining a list of Tor relays

Alice's Tor Browser requests a list of Tor relays ([1]) from the Tor directory server (Dave).

Step 2: Choosing a path

Alice's Tor Browser picks a mostly random path through Tor network. All connections inside Tor network are encrypted (green [3]). In this example, the last connection is not-encrypted (red [2]). It would be encrypted if Alice were visiting an https website.

Step 3: Subsequent requests

If Alice later visits a website on another server (Jane), her Tor Browser will select a different random path. (In practice, that first hop will typically stay the same for a while. These entry guards help prevent a malicious relay operator from "getting lucky" and gaining control over your first and last relays at the same time.)

As you might imagine from looking at these diagrams, there is a trade-off between anonymity and speed. Tor provides anonymity by bouncing your traffic through volunteer servers in various parts of the world. It will almost always be slower than a direct connection to the Internet.

Additional concerns

There are three things you should keep in mind when using Tor:

  1. HTTPS encryption still matters,
  2. Using Tor does not hide the fact that you are using Tor, and
  3. Where possible, use the Tor Browser rather than configuring other software to use Tor.

1. HTTPS still matters:

As mentioned above, Tor encrypts traffic into and throughout its network, but this protection does not extend all the way to the website itself unless you are using https encryption. The Electronic Frontier Foundation (EFF) has created an interactive diagram that helps illustrate this. Toggle the Tor and [HTTPS] buttons to see who can learn what at various points along the way.

2. Using Tor does not hide the fact that you are using Tor:

The list of regular Tor relays is public information. This is why your access to the Tor network can be blocked, but it also means that anyone who is monitoring your Internet connection can probably tell that you are using Tor. You will have to determine the significance of this risk based on your own particular circumstances.

If this is a real concern for you, but you still need to access websites through Tor, you might consider using a Tor Bridge, which is an "unlisted" relay that tries to resemble something else. Even Bridges are not guaranteed to disguise the fact that you are using Tor, however. And, while they are quite easy to use with the Tor Browser, configuring Tails to connect through a Bridge requires that you keep track of something awful like the following and type it in each time you restart Tails:

obfs4 27.8.147.18:54697 Ae391F63BBF490978992E2A89DC7B2AB35598904 
cert=zR96h0xiR4F902kf2qkfjfunczfpl1H423yuPM1wdB74IUarBC63+80hpYzm3M8j6p9gcb 
iat-mode=0 

The alternative, then, would be to give up on Tor, find a trusted Virtual Private Network (VPN) provider and make do with that. Just remember that even if you find a VPN that you trust — and that is genuinely less "conspicuous" than Tor — it will not allow you to access onion services or use OnionShare, as discussed below.

3. Where possible, use the Tor Browser:

The description above is from the perspective of someone who wants to browse content on a regular website while remaining anonymous. You can use Tor to access other publicly accessible online services, as well. This includes email providers, instant messaging servers and WHOIS registries, among other examples.

When used in this way, Tor works pretty much the same as it does for websites, with one caveat. The Tor Browser does more than just route your traffic through Tor. It goes to great length to hide your identity in other ways, and you should be cautious about trusting other applications to do the same. In general, the most reliable way to use other software through Tor is to do so from within Tails.

If Tails is not an option, you may have to do some research. Look for trusted "add-ons," such as Torbirdy for the Thunderbird email client, or alternative software like the Tor Messenger chat application.

Finally, thanks in large part to the Guardian Project, there are number of Android applications that can be configured to use OrBot, the Android version of Tor. Examples include:

Security-in-a-Box includes more detailed guides on how to use the Tor Browser with Windows and Linux. These guides cover:

  • Installing the Tor Browser,
  • Using Tor Bridges when your access to the Tor network is blocked, and
  • Using obfuscated pluggable transports when your access to the Tor network is really blocked.

Tor compatibility

There are a great many websites that offer useful services for investigators. If you need to visit one of them through the Tor Browser, or while working in Tails, you might want to test it out first. Some of these websites will require that you solve a CAPTCHA (or many CAPTCHAS) each time Tor chooses a new exit relay. And some of them simply refuse to work at all when accessed through Tor.

Online investigative resources and Tor compatibility

The table below summarises the level of Tor compatibility (and HTTPS support) for a few examples. As described in more detail below, the VPN over Tor guide suggests one possible way around this sort of blocking.

Archive Description HTTPS Tor
DuckDuckGo Privacy aware search engine yes yes
Tin Eye Reverse image search (Blocks Tor users) yes no
AI's YouTube data viewer Reverse image search for video frames. (Broken HTTPS) yes yes
Picodash Time- and location-based Instagram search. ($8/mo) yes yes
Jeffrey's metadata viewer Displays embedded metadata in images and other documents no cap
Foto Forensics "Lab" Find evidence of tampering in image files ($5/10 images) yes no
WHOIS lookup Domain name ownership database yes cap
Opencorporates Public information on companies. (Blocks Tor users) yes no
Opencorporates viz Network visualisation of various financial companies yes yes
FlightRadar24 Live aircraft tracking. (Sattelite view only through Tor) yes cap
Google Search engine. (CAPTCHAs are often unsolvable Tor) yes cap
Google Translate Machine translation of text yes cap
Google Image Search Find images by uploading a similar image (or URL) yes cap
YouTube Post or search for videos on YouTube yes yes

 

 

Example leak repositories

Unlike investigative "cloud services," such as those listed above, repositories of leaked data almost never block access through through Tor. The table below includes a few examples.

Archive Date range Type Platform Size Tor
Swiss HSBC leaks to 2007 Excerpts ICIJ website Based on 60k docs yes
Offshore Leaks to 2007 Searchable archive ICIJ website 500k company profiles yes
Offshore Leaks DB to 2007 csv,neo4j ICIJ website 500k company profiles yes
Cablegate to 2010 Searchable archive Wikileaks 250k cables yes
Stratfor leaks to Dec 2011 Searchable archive Wikileaks 5M emails yes
Clinton emails to Aug 2014 Searchable archive Wikileaks 30k emails yes
Vault 7 projects to 2015 Exceprts Wikileaks 50 documents yes
Panama Papers to 2015 Excerpts DocumentCloud 150 of 11.5M docs yes
HackingTeam leaks to Jul 2015 Searchable archive Wikileaks 1 million emails yes
Vault 7 to Feb 2016 Archive Wikileaks 8k pages, 1k docs yes
DNC leaks to May 2016 Searchable archive Wikileaks 44k emails, 17k docs yes

 

Note: Exposing the Invisible makes no claim as to the validity or usefulness of these archives. At the very least, however, they include lots of content that you can use to practice analysing leaked emails, documents and data sets. Just remember, if you're not comfortable walking around with illegally disclosed files sitting in plain sight on your laptop, consider the following:

  1. Make sure you have a handle on the level of risk associated with using Tor wherever you are,
  2. Use Tails when searching or downloading leaked content,
  3. Choose a strong passphrase when you configure Persistence on your Tails USB stick, and
  4. Think twice before crossing a border with that USB stick.

Routing a VPN over Tor

As shown in the first table above, there are some useful web services that reject Tor users as a matter of policy. If you need anonymous access to these sites — or if you need to access them at all while using Tails — your requests will need come from somewhere that is not a known Tor exit relay. One way to achieve this, while still enjoying most (but not all) of the anonymity provided by Tor, is to add a VPN "hop" after the exit relay at the end of your Tor circuit.

This method is often called "VPN over Tor" to distinguish it from "Tor over VPN" configurations, which work in the opposite direction. (Routing Tor over a VPN adds a VPN hop before your Tor entry relay and is sometimes used to reach the Tor network from locations where it is blocked. We will not be discussing this technique in detail because Tor bridge relays are generally considered a better way to access Tor under such conditions.)

For a technical guide on how and why (and when not) to configure a VPN-over-Tor connection on Tails, have a look at the VPN-over-Tor guide.

Onion services

Tor can also be used by those who want to offer an online service anonymously. They can do so by setting up an onion service. Once again, we will focus primarily on websites here, but it is possible to configure lots of server software in this way. For example, Riseup makes its email and instant messaging servers available as onion services.

Onion sites are probably the most widely known example of what some people insist on calling "dark web" content. There are two clear signs that you are visiting an onion site. First, it won't work unless you are using Tor. Second, the Web address will include a lot of gibberish followed by .onion. Below are a few examples:

  • http://expyuzz4wqqyqhjn.onion/download/download-easy.html.en#warning is a Tor Project help page
  • http://dcdoialeklnkb6fg.onion is a SecureDrop run by International Consortium of Investigative Journalists
  • https://3g2upl4pq6kufc4m.onion/ is the DuckDuckGo privacy aware search engine

All traffic to and from an onion service — even a non-https site like the first two listed above — will be fully encrypted. This is because your connection never leaves the Tor network. In fact, from a visitor's perspective, this is one of the most important virtues of an onion site. There is no exit relay, so the only link in the chain capable of observing your traffic is the website itself (which was going to have that ability regardless).

That said, you should keep in mind that anyone can mirror anyone else's website through an onion service. If you are accessing a public website through an alternative onion address, make sure it is the real alternative. If in doubt, search around until you find an https website, hosted at the proper domain, that lists the official .onion alternatives.

By way of example, below are:

On the other side of things, those who operate onion services enjoy certain benefits as well.

  • They do not have to register (and pay for) a domain name, which is challenging to do anonymously
  • They do not have to configure an SSL certificate
  • They can make their website available from inside a home or office firewall
  • It is more difficult for someone to correlate their website with their physical location

In most cases, communication with an onion site will be even slower than a normal Tor connection. This is because the path to an onion service requires six relays rather than three. It also takes some work to establish that path. For a brief but somewhat dizzying explanation of how this works, take a look at the Tor Project's breakdown of the Hidden Services protocol. Or continue reading. Or, if you are not interested in the protocol itself, feel free to skip down to the section on whistle blowing platforms below.

Any device with an Internet connection, a properly configured Tor installation and a non-public website can make that website available as an onion service. Doing so involves two steps:

  1. It randomly selects a few Tor relays to serve as introduction points. It connects to them anonymously and gives them the information required (a public key) to send it encrypted messages in the future.
  2. It then randomly generates an onion address like the ones listed above. (16characterslong.onion, say.) It then publishes this address along with a descriptor that includes its public key (the same one given to the introduction points) and a list of those introduction points. This descriptor is available to anyone who knows the onion address and is capable of connecting to the Tor network.
Onion services 1 Onion services 2

That part is pretty straightforward. But to visit an onion service, a device with an Internet connection, a working installation of Tor and the correct onion address must take four additional steps:

  1. It downloads the descriptor by referencing the onion address. (Thanks to some very cool math, Tor relays can return information about any running onion service without being able to produce a list of those addresses.) Then the visitor's device randomly selects a Tor relay to serve as a rendezvous point, connects to that relay anonymously and gives it a randomly generated secret code.
  2. It then connects anonymously to one of the introduction points (which it learned about from the descriptor obtained above) and hands off a message that is encrypted so that only the device running the onion service can read it. This message contains the location of the rendezvous point and the secret code.
  3. The introduction point connects anonymously to the onion service and hands off that encrypted message, at which point the onion service decrypts it, connects anonymously to the rendezvous point and presents the secret code.
  4. Finally, the rendezvous point verifies the secret code, connects anonymously to the visitor's device and confirms that everything worked properly. At this point, the visitor' device can request web content from the onion service, without knowing its internet address, by relaying messages through the rendezvous point that only the onion service can read. But doing so requires three hops to reach the rendeavous, then another four to reach the actual webserver.
Onion services 3 Onion services 4 Onion services 5 Onion services 6

Whistle blowing platforms based on onion services

There are at least two widely deployed whistle-blowing platforms that use onion services to protect the anonymity of sources:

Setting them up and maintaining them properly requires significant technical effort, however. And flooding someone else's database of leaks with "Testing testing..." spam is a bit rude, so we will discuss them in detail another time. Fortunately, there is a much simpler piece of software called OnionShare that also demonstrates the usefulness of onion services.

Exchanging files with OnionShare

For most of us, the level of technical knowledge required to setup a whistle blowing platform like SecureDrop or GlobalLeaks is a bit out of reach. As is the amount of work required to maintain one properly. Unless you are confident that your system administration skills are sufficient to protect those whose safety might depend on them, you should probably avoid taking on the responsibility.

Fortunately, if you just need to exchange documents with a particular source or colleague, while hiding the fact that this exchange took place, there is an easier way. OnionShare is a free and open-source, cross-platform tool that greatly simplifies the process of creating ad hoc onion services for the specific purpose of sharing files. It allows you to:

  • Make files available, from within your own network firewall, to any Tor user who knows the correct onion address;
  • Make sure those transfers are encrypted, end-to-end, and carried out entirely within the Tor network; and
  • Use a simple, graphical user interface to activate the onion services (and the webserver) that make all this possible.

OnionShare was not designed as a whistle blowing platform. It lacks most of the security features that are built into a proper a SecureDrop deployment, so it might not be appropriate for extremely sensitive data or if either participant is directly targeted by a well resourced adversary. More generally, it does not allow other people to send you files. In order to receive a leak through OnionShare, your source must not only know that it exists, she must have a way to get you the correct onion address without exposing the connection between you.

OnionShare comes pre-installed on Tails. To use it on any other platform, you will have to install it. You will also have to install (and launch) the Tor Browser. Once Tor and OnionShare are up and running, you can follow the steps below to exchange a file anonymously. These screenshots were taken on Tails, but OnionShare is nearly identical on other Linux distributions (and very similar on Windows and Mac OS X).

Step 1: The sender tells OnionShare what to share

Launch OnionShare and select the content you want to make available:

  1. Click [Add files] or [Add folder]
  2. Navigate to the file or folder you want to share and click it once
  3. Click [Open]
  4. Repeat the previous three steps to add additional files or folders

In the example below, we will add a file called exchanging_the_inscrutible.pdf and a folder called data, both of which are currently in a directory at /home/amnesia/Persistent/tmp

Click Add files or Add folder Finding a file File added Folder added

Step 2: The sender creates an onion service

In this step, all selected files and folders will be compressed into a single .zip file and made available through a new onion service:

  1. Decide if you want OnionShare to stop sharing after the first time this content is downloaded. If so, leave the Stop sharing automatically box checked. If not, uncheck it.
  2. Click [Start Sharing]
  3. Your onion service is ready when the large dot in the lower, left-hand corner turns green
  4. You can see your onion address toward the lower, left-hand corner. You can copy it to your clipboard by clicking [Copy URL]
  5. Safely give this onion address to the person with whom you would like to share the selected data
Configuring the auto-stop setting Start sharing Starting up the onion service Sharing Copying the onion address

Remember, one of the main reasons to use OnionShare, or any other onion service, is to prevent those who might be monitoring your online activity from seeing a connection between you and the recipient. If either of you are concerned about this, you might have to get creative rather than just sending an email. The safest way to do so will depend heavily on your particular circumstances. Memorising onion addresses turns out to be exactly as difficult as it looks. But writing them down and exchanging them in person might be perfectly reasonable.

Step 3: The recipient downloads the shared content

Once the recipient has the onion address, he just has to browse to it using the Tor Browser. The recipient does not have to install OnionShare unless he intends to share content of his own.

  1. Visit the onion address using the Tor Browser
  2. Click [onionshare_gibrsh.zip] to begin the anonymous transfer
  3. Click [Save File]
  4. If you are using Tails, the Tor Browser will only let you save files into one of two folders. It does this to help protect you from malware. These folders are called Tor Browser, which is the default, and Tor Browser (persistent). Everything in the Tor Browser folder will disappear when you shutdown or restart your Tails system. In this example, we select the Tor Browser (persistent) folder instead. If you choose not to (or if you did not enable Persistence at all), you will probably want to copy the data somewhere else before you shutdown.
  5. Select the appropriate folder and click [Save].
  6. That folder should now contain a .zip archive. The files and folders that were shared are inside this archive.
Visiting the onion site The onion site Downloading data Choosing download folder Download folder chosen Archive file

 

The recipient can now extract the contents of the .zip archive.

Step 4: The sender's OnionShare may disable this share after the transfer is complete

In the example above, our "sender" left the Stop sharing automatically box checked, so the onion service will be disabled as soon as the recipient has downloaded the content:

Download in process Download complete

Step 5: The recipient extracts the contents of the .zip archive

Right-click the .zip archive you downloaded and select Extract Here. The extracted folder should contain whatever files and folders were shared with you.

Extract contents of archive Contents extracted Inside the extracted folder

Unless you know and trust the person who gave you that onion address, you should be careful with these files. The fact that you received them securely and anonymously does not, of course, mean they are safe. If they were sent to you by a stranger, but you have to inspect them anyway, consider taking the following steps first:

  1. Create an encrypted USB stick with a strong passphrase
  2. Copy the files onto that USB stick
  3. Restart your Tails system
  4. Do not enable Persistence and disable all network access
  5. Plug in your encrypted USB stick and enter your passphrase
  6. Launch the appropriate application (such as LibreOffice Writer, LibreOffice Calc or Document Viewer)
  7. Open the files using that application's File > Open menu

None of this rules out the possibility of malware, but it gives you a chance to notice if the files are garbage — or if your system behaves strangely after you open them — without giving them the ability to modify your files or connect to the Internet.

Conclusion

The tools and techniques described in this guide are meant to give you more control over what you reveal about your investigation and when you reveal it. The Tor Browser is quite easy to install and even easier to use. The same is true of OnionShare, which allows you to exchange files with sources and colleagues without creating evidence of that interaction. Undetstanding how these tools work and knowing how to use them will help you determine for yourself when it might be appropriate to take advantage of the anonymity they provide.

 

Header image: Still Life with Leeks by Jan Serr - Creative Commons Attribution (CC-BY-3.0)