Mozilla puts old hardware to new use, runs Tor relays

The organization opted for running middle relays, although exit relays would have probably helped the anonymity network more

Mozilla has dusted off some decommissioned servers and networking gear and used them to set up high-speed relays on the Tor anonymity network.

The plan to run Tor relays was revealed in November, when the software developer announced its Polaris Privacy Initiative, a collaboration with other non-profit organizations to enhance privacy on the Web.

One of those organizations was the Tor Project, which develops the client and server software for the Tor anonymity network. As part of the partnership, Mozilla said that it will make some changes in Firefox to ease the work of Tor Project developers who maintain the Tor Browser, a modified version of Firefox that allows users to access the Web through the Tor network.

The organization also said at the time that it will host its own "high-capacity Tor middle relays to make Tor's network more responsive and allow Tor to serve more users."

On Wednesday, Mozilla announced that its prototype Tor relays are up and running on three HP ProLiant SL170z G6 servers connected to a pair of Juniper EX4200 switches that benefit from two 10Gbps uplinks through one of the organization's transit providers.

"The current design is fully redundant," Mozilla network engineer Arzhel Younsi said in a blog post that contains more details about the project. "This allows us to complete maintenance or have node failure without impacting 100% of traffic. The worst case scenario is a 50% loss of capacity."

The relays currently run outside of Mozilla's production infrastructure, but the organization's security team helped lock them down with strict firewall filtering, operating system hardening, automatic updates, network device management and more.

"We've also implemented a periodic security check to be run on these systems," Younsi said. "All of them are scanned from inside for security updates and outside for opened ports."

The Tor network has three main types of relays, or nodes: middle relays, exit relays and bridges. Internet traffic routed through the Tor network will randomly pass through at least three Tor relays before it exits back onto the Internet to reach its final destination.

Middle relays are responsible for passing data within the Tor network. Over time, middle relays can automatically become entry guard nodes as they build trust according to a network consensus algorithm -- in fact one of Mozilla's middle relays has already become an entry guard. Entry guards serve as the first links between users and the Tor network.

At the other end are exit relays, which act as the last hops in the network and whose purpose is to send the traffic back on the Internet. A site that receives a request from a Tor user will see the request originating from the Internet Protocol (IP) address of a Tor exit relay, not the real IP address of the user.

Exit relays are very valuable for the Tor network, but they're also small in number because people running them expose themselves to abuse complaints and legal risks. It's their IP address that shows up in other people's logs in case of malicious activity routed through Tor.

Tor is a great privacy tool and is very useful to users in countries that censor the Internet or where political and human rights activism can land people in jail. However, it's also used by criminals to hide their location and evade law enforcement.

U.S. Assistant Attorney General Leslie Caldwell reportedly said at a conference this week that 80 percent of Tor traffic is related to child pornography, citing a University of Portsmouth study. That estimation is wrong, Wired reported, because the study was about traffic to Tor hidden services, websites that are only accessible within the Tor network, not all traffic routed through Tor.

Most people use Tor to hide their IP address when visiting regular Internet sites, not to access Tor hidden services. According to the Tor Project, the traffic to Tor hidden services accounts for around 1.5 percent of the overall traffic that goes through Tor.

Like Caldwell, many law enforcement leaders complain that widespread adoption of encryption technologies by Internet companies and device manufacturers makes it much harder for their agencies to do their jobs. They call this the Going Dark problem.

But, there's no denying that some Tor traffic is malicious. There are documented botnets and ransomware programs that use Tor to hide the real location of their command-and-control servers.

By running middle and not exit relays, Mozilla is avoiding potential illegal activities by Tor users tracing back to its IP addresses and the legal issues that might arise from that. But the Tor network most likely needs additional exit nodes more than middle ones.

Mozilla did not immediately respond to a request for comment.

Increasing middle capacity will improve the traffic flow inside the Tor network -- including to those illegal sites that operate as Tor hidden services -- but also has other benefits. By having trusted, high-capacity middle relays the network can better defend itself against traffic confirmation and other types of attacks aimed at deanonymizing users.

"Depending on the results of the POC [proof-of-concept], we may move the nodes to a managed part of our infrastructure," Younsi said. "As long as their private keys stay the same, their reputation will follow them wherever they go, no more ramp up period."

Join the CSO newsletter!

Error: Please check your email address.

Tags online safetysecurityTOR Projectencryptionprivacymozilla

More about HPJuniperMozillaPolaris

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts