Enterprise IT Security tends to lose its shit when their endpoint protection finds #Tor browser on employees' devices.

Unless you do deep packet inspection / middlebox all traffic, I don't see a meaningful risk increase. (If you do, then it seems comparable to e.g., Apple Private Relay + browsers' DoH use.)

Does anybody have a good summary (not written by a VPN vendor) on the actual risk to the enterprise from its use by average users (not attacks on Tor itself, nor running a Tor node)?

#tor
in reply to Jan Schaumann

just off hand:

- exfiltration of company IP would be harder to catch
- tunnel/VPNs are two way, so you're putting a tor node and whoever is on it on your internal network behind the firewall

in reply to Paul_IPv6

@paul_ipv6 detection of exfiltration would require deep packet inspection; if you don't do that, then exfil without Tor using any other encryption mechanism is trivial (although you can see that traffic goes to e.g., an AWS endpoint?).

I also don't follow the second point; to the best of my knowledge, Tor circuits are not bidirectional, meaning a tor node cannot initiate traffic to my client any less than a website out there can initiate a connection to my non-tor browser. ?

in reply to Jan Schaumann

you can't use tor without client initiation but if the client device is infected?

i hate the whole "IT owns your phone and everything on it" but i do sympathize with IT folks that don't want devices they don't own on their internal network.

so, perhaps it's better to say the risk isn't tor but allowing non-IT controlled devices on your internal network in general.

in reply to Paul_IPv6

@paul_ipv6 Not allowing devices you don't control is fair. But I'm asking about the risk to (not-yet-compromised) IT controlled devices using TorBrowser.
in reply to Jan Schaumann

depends on what they're doing. if what they are doing isn't consistent with the IT policy for that network, technically that's a "risk" (assuming the policy is somewhat sane).
in reply to Paul_IPv6

@paul_ipv6 Right. But presumably you already have a policy saying something like "don't access illegal content" regardless of by what method. And (again) unless you do DPI on all traffic, you already are largely blind to what users are doing, so no meaningful increase in risk.
in reply to Jan Schaumann

sure. tor is no worse than any form of encrypted traffic, even HTTPS.

so, i'm back to that the risk is uncontrolled/unmonitored end devices on your network. so if your argument is that tor is no worse than any other encrypted data stream, sure.

in reply to Paul_IPv6

@paul_ipv6 a lot of corporate IT installs their own CA/certificates which in cooperation with proxy/fw allows them to basically MITM all HTTPS traffic, whether to monitor it for security/exfil or enforce content filtering. Tor circumvents that.
I am not advocating for this model but the general rule of thumb is don't do anything personal on company devices, because in addition to being issued solely for you to do your job, you don't really have a right to privacy on them.
in reply to Jan Schaumann

I think of tor as something people use when they feel like they need to hide something. Like actively explicitly have something to hide. So finding it on a corporate device would be concerning. At least it suggests high risk behavior.

I know that’s not always why people use it. And people do all sorts of stupid things without tor. But taking the time to set it up suggests a motivation to hide something. On a corporate device, that’s worrying.

in reply to Nathan Arthur

@narthur Strongly disagree. Valuing privacy is not "having something to hide". (That argument didn't fly when Google's Eric Schmidt tried to bring it back in 2009.)

Would you likewise assume that anybody wanting to use TLS or SSH to encrypt traffic in transit "has something to hide"?

in reply to Jan Schaumann

yeah but you don’t really need tor until your threat model is “a government” (ie the law). Otherwise there are already other - easier - ways to protect your privacy. Its use suggests a goal beyond simple privacy.

Yes, tor is just a tool and some people will use it for good reasons, or just to be totally sure of privacy. I don’t think it’s automatically a sign of wrongdoing. But I understand the worry.

in reply to Nathan Arthur

@narthur Disagreeing again. :-) Tor provides useful privacy against e.g., ISP and common internet sites tracking you, against geographical restrictions, or against ecommerce classifying you against your interest, not just against government actors or law enforcement. Not sure what other, easier ways there are that provide the same level of privacy.
in reply to Jan Schaumann

it’s been a long time since I used tor - isn’t it generally slower and regularly causes problems with sites? If not, then yeah, maybe the cost/benefit of tor is more balanced than I realized.

For me, Brave browser and a vpn would cover all those things, to my comfort level. And I expect most non-technical users have had vpns shoved down their throats in ads, but have never heard of tor.

So if your user is in IT, maybe it’s more normal. If they’re in marketing, maybe less.

in reply to Jan Schaumann

I still agree with your original point, though - unless you are really trying to force all traffic to be visible to enterprise spyware, tor doesn’t present additional risk, as a technology. (As far as I understand it.)
in reply to Jan Schaumann

Not Enterprise IT Security, but they have all turned into checking compliance boxes for their insurance coverage rather than actual security.

Also, no company wants to get outed as having employees with highly illegal contents on their computers.

in reply to Tim WIcinski

@BillJelavich I agree on the checkboxing, but really don't think we should equate using Tor with having "highly illegal contents". That's the perception I'm explicitly trying to work against.
in reply to Jan Schaumann

These days I side-eye any enterprise with any normal user devices on its network that claims to understand all its outgoing traffic, even with DPI and middlebox and etc. Really, you understand what those Android, Windows, macOS, etc etc devices, programs, and apps are all calling home about and what information they're handing over? Can you tell the rest of us, we're really curious.
in reply to Jan Schaumann

@Jan Schaumann lots of malware talks over Tor, meaning that Tor is one of those "something is wrong" signals. If you're an IT team, signals are all you have. And ideally users should trust your routes for work stuff
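
The "Tor as a signal" point above is the one that is easy to operationalise without DPI: the public Tor consensus lists every relay's address and ORPort, so a plain connection log can be matched against it. The following is an added example written for this thread, not code from any participant; the consensus excerpt and the Zeek-style connection log are constructed (relay addresses are RFC 5737 documentation ranges, not real relays), and the function names are this example's own.

```python
"""Flag endpoint connections to Tor relays by matching a connection log
against the relay list in a Tor network-status consensus.
Added example for this thread; all input data below is constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed excerpt in the shape of consensus "r" / "s" lines:
#   r <nickname> <identity> <date> <time> <ip> <orport> <dirport>
#   s <flag> <flag> ...
# A real consensus comes from a directory authority or a mirror such as
# https://collector.torproject.org/ and changes every hour.
CONSENSUS_SNIPPET = """\
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA 2024-05-01 12:00:00 192.0.2.10 9001 9030
s Fast Guard Running Stable V2Dir Valid
r bravo BBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-05-01 12:00:00 198.51.100.7 443 80
s Exit Fast Running Stable Valid
r charlie CCCCCCCCCCCCCCCCCCCCCCCCCCC 2024-05-01 12:00:00 203.0.113.5 9001 0
s Fast Running Valid
"""

# Constructed Zeek-style conn log: ts src dst dport proto bytes_out
CONN_LOG = """\
1714564800.1 10.0.0.12 192.0.2.10 9001 tcp 18234
1714564801.4 10.0.0.12 93.184.216.34 443 tcp 1200
1714564802.9 10.0.0.44 198.51.100.7 443 tcp 52000
1714564803.2 10.0.0.44 10.0.0.53 53 udp 80
1714564804.7 10.0.0.12 203.0.113.5 9001 tcp 4096
"""


@dataclass(frozen=True)
class Relay:
    nickname: str
    addr: ipaddress.IPv4Address
    or_port: int
    flags: frozenset[str]


def parse_consensus(text: str) -> dict[ipaddress.IPv4Address, Relay]:
    """Build an address -> Relay map from consensus 'r' lines, attaching
    the flags from the 's' line that follows each 'r' line."""
    relays: dict[ipaddress.IPv4Address, Relay] = {}
    current: Relay | None = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 8:
            current = Relay(parts[1], ipaddress.IPv4Address(parts[5]),
                            int(parts[6]), frozenset())
            relays[current.addr] = current
        elif parts[0] == "s" and current is not None:
            current = Relay(current.nickname, current.addr,
                            current.or_port, frozenset(parts[1:]))
            relays[current.addr] = current
    return relays


def find_tor_connections(conn_log: str,
                         relays: dict[ipaddress.IPv4Address, Relay]) -> list[dict]:
    """Return every TCP flow whose destination is a relay's address *and*
    its ORPort. Matching on the port as well avoids flagging unrelated
    services co-hosted on a relay's IP."""
    hits = []
    for line in conn_log.splitlines():
        ts, src, dst, dport, proto, nbytes = line.split()
        if proto != "tcp":
            continue
        relay = relays.get(ipaddress.IPv4Address(dst))
        if relay is None or relay.or_port != int(dport):
            continue
        hits.append({"ts": float(ts), "src": src, "dst": dst,
                     "relay": relay.nickname, "bytes_out": int(nbytes),
                     # A Guard-flagged relay on its ORPort is what a Tor
                     # client's first hop normally looks like.
                     "guard": "Guard" in relay.flags})
    return hits


def relays_per_host(hits: list[dict]) -> dict[str, int]:
    """Count distinct relays each internal host talked to; a host that
    touches several relays is a stronger signal than a single flow."""
    seen: dict[str, set[str]] = {}
    for h in hits:
        seen.setdefault(h["src"], set()).add(h["dst"])
    return {src: len(dsts) for src, dsts in seen.items()}


if __name__ == "__main__":
    relay_map = parse_consensus(CONSENSUS_SNIPPET)
    matches = find_tor_connections(CONN_LOG, relay_map)
    for m in matches:
        print(m)
    print(relays_per_host(matches))
```

This is a signal, not proof: bridges and pluggable transports are deliberately absent from the public consensus, so a Tor Browser configured to use one produces no match, and a match only says that a host opened a connection to a relay's ORPort, which is equally consistent with a curious employee and with malware, which is exactly the ambiguity the post above is pointing at.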
in reply to Jan Schaumann

kind of pathetic answer: because a good portion of users will be complaining about not being able to access any company internal sites next. (That also goes for DOH and not using the internal DNS, something that some software very persistently tries to sell to its users).