TLS Certificates of the Tor Network and Their Distinctive Features

Vitaly V. Lapshichyov (Institute of Computing Technology and Information Security, South Federal University, Rostov-on-Don, Russian Federation)
DOI: 10.4018/IJSSSP.2019070102


This article presents the results of an experimental study of the properties of the SSL/TLS certificates of the anonymous Tor network, from which it is concluded that they have several features that distinguish them from other SSL/TLS certificates. At present, the scientific literature and the documentation of the U.S. National Security Agency and the U.K. Government Communications Headquarters devoted to identifying Tor network traffic indicate two signs of SSL/TLS certificates: the name of the certificate subject, and the port used for the certificate transmission and network connection. The results of the experimental study allow the authors to state with a high degree of probability that Tor network certificates can be identified in the data stream between the client and server of the network by their size, which is between 400 and 600 bytes. The list of features of Tor network certificates is intended for developing software, or add-ons to existing software, used to block Internet users' access to Darknet resources or to limit the use of the Tor anonymous network service. Based on the distinguishing features of Tor network certificates, an algorithm is proposed for blocking access to the Internet for users of the Tor Bundle.
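The size feature reported above can be checked passively against a captured server-to-client byte stream. The following is an added example, not code from the article: it reassembles the cleartext TLS handshake, locates the Certificate message and compares the size of the server's own certificate with the 400 to 600 byte range. The function names and sample streams are constructed for illustration, and the code assumes TLS 1.2 or earlier, where the Certificate message is sent unencrypted.

```python
# Added example (not from the article); all names here are illustrative.
HANDSHAKE, CHANGE_CIPHER_SPEC, CERTIFICATE = 22, 20, 11
SIZE_MIN, SIZE_MAX = 400, 600  # byte range reported in the abstract

def u24(buf, off):
    return int.from_bytes(buf[off:off + 3], "big")

def handshake_bytes(stream):
    """Concatenate cleartext handshake record payloads; stop at ChangeCipherSpec."""
    out, off = bytearray(), 0
    while off + 5 <= len(stream):
        ctype, length = stream[off], int.from_bytes(stream[off + 3:off + 5], "big")
        if ctype == CHANGE_CIPHER_SPEC or off + 5 + length > len(stream):
            break  # what follows is encrypted, or the capture is cut short
        if ctype == HANDSHAKE:
            out += stream[off + 5:off + 5 + length]
        off += 5 + length
    return bytes(out)

def leaf_cert_size(stream):
    """DER size of the server's own certificate, or None if none is visible."""
    hs, off = handshake_bytes(stream), 0
    while off + 4 <= len(hs):
        mtype, mlen = hs[off], u24(hs, off + 1)
        body = hs[off + 4:off + 4 + mlen]
        if len(body) < mlen:
            return None  # message truncated in the capture
        if mtype == CERTIFICATE and mlen >= 6:
            size = u24(body, 3)  # first certificate_list entry is the sender's own
            return size if 6 + size <= mlen else None
        off += 4 + mlen
    return None

def in_reported_range(stream):
    size = leaf_cert_size(stream)
    return size is not None and SIZE_MIN <= size <= SIZE_MAX

# Constructed sample streams (filler bytes, not real certificates).
def make_record(ctype, payload):
    return bytes([ctype, 3, 3]) + len(payload).to_bytes(2, "big") + payload
def make_msg(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body
def make_flight(*cert_sizes):
    entries = b"".join(n.to_bytes(3, "big") + b"\x30" * n for n in cert_sizes)
    return make_msg(2, bytes(40)) + make_msg(CERTIFICATE, len(entries).to_bytes(3, "big") + entries)
hs_small = make_flight(480)  # one 480-byte certificate, split across two records
SINGLE_SMALL_CERT = make_record(HANDSHAKE, hs_small[:100]) + make_record(HANDSHAKE, hs_small[100:])
USUAL_CA_CHAIN = make_record(HANDSHAKE, make_flight(1400, 1100))
```

A size inside the range is only one of the features the article names, alongside subject name and port, so a match is a signal to correlate with the others. Under TLS 1.3 the Certificate message is encrypted and this check sees nothing.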


The Tor Anonymous Network was originally planned as a military project and was funded by the U.S. Naval Research Laboratory. The project was then continued by the Electronic Frontier Foundation. Anonymity on the Tor network is achieved by using the Tor Bundle as nodes of various types. To implement the principle of onion routing, Tor uses input nodes, relay nodes, and output nodes. Onion routing relies on three “layers” of encryption of the transmitted information. At each node, one of the encryption layers is removed, and thus an unencrypted data stream is transmitted between the output node and the Internet. This feature is used by both attackers and law enforcement agencies to conduct various kinds of attacks and analysis. Because the data is encrypted, an SSL/TLS handshake occurs during the establishment of an encrypted connection. One of the steps in this handshake is the transfer of the X.509 TLS certificate from the Tor server to the user. The simplified scheme of the Tor network operation is presented in Figure 1.

However, once the project began to be used to protect citizens and their privacy, Tor was also used by various criminals, including terrorists, extremists, pedophiles, drug and weapon dealers, and cyber fraudsters.

According to the RIA Novosti news portal (2019), citing a representative of the Main Directorate for Combating Extremism of the Russian Ministry of Internal Affairs, terrorist recruiters and radicals have shifted their activities to the so-called “Darknet” in connection with measures taken by law enforcement agencies to reduce extremist content in the public segment of the Internet.

Figure 1. The Tor network operation


This project attracted the attention of law enforcement agencies in many countries, as it was used to commit a large number of various crimes. These were both cybercrimes and crimes that used data transmission channels and software.

In connection with the increase in the use of the Tor Bundle for realizing the anonymity of Internet users (Burtsev, 2017), as well as with the increasing role of this complex in the process of committing crimes in the field of information technology, law enforcement and security bodies attach great importance to the early suppression of such activities and the identification of persons involved in the commission of such crimes. The tasks facing law enforcement agencies also determine the research interest in this problem, the solution of which contributes to ensuring information security.

At the same time, the research activity was aimed at two main tasks: establishing the identity of a Tor network user (deanonymizing them), and blocking user access to the Tor network.

The main motivation for the proposed study is the increasing role of anonymizers, in particular the Tor software complex, as well as applications that allow the identity of the user to be hidden (for example, the IP address from which the network is accessed), in committing crimes using the Internet.

Another important reason for conducting research on this topic is its relation to one of the main areas of scientific research in the field of information security, the list of which was approved on August 31, 2017 by the Secretary of the Security Council of the Russian Federation, N.P. Patrushev. The study is conducted in the framework of solving scientific and technical problems of using information technologies in operational-search activities, namely, solving problems of identifying and combating crimes committed using information technology.

Anonymous networks are used by terrorists, extremists, sellers of weapons, drugs, and child pornography. Therefore, the suppression of crimes in the form of restricting access to the Tor network is related to the above problem.

In our study, we chose as our task the clarification of the list of signs and features of the certificates of the Tor network, which could become the basis for the application of legal blocking of access to an anonymous network.
