Service Provider Blocks Tor to Silent Circle Claiming Security Threat
January 21 2015
"Tor exist nodes are routinely used as methods by Threat Actors to exfiltrate data from compromised endpoints. As an example, the Financial Sector has seen significant issues from them.“ FireHost
• Bad guys use it; let’s treat everybody as bad guys
• Breaking functionality without considering overall picture
• Alternatives: Filter outgoing connections?
• Incident handling best practices
In December 2014, members of our network security team (including the two authors), learned that those attempting to access the website of a secure communications provider (Silent Circle) over Tor were no longer able to do so.
Up to that time we had been recommending use of Tor and Silent Circle's phone and texting services to biomedical research whistleblowers, fraud investigators, and attorneys with whom we attempt to work in a confidential manner. (However, we do not work for or represent Silent Circle, nor is Silent Circle the focus of this post.)
Instead, we were concerned by the loss of Tor access to Silent Circle because the rejection of Tor by web service providers was not unique in our experience. (For example, see comments about SwissMail, below.)
Here, we pursue what happened in the particular case of blockage of Tor access by Silent Circle's web service provider, FireHost.
Silent Circle was contacted by us in December 2014 to inform them of this development. They confirmed our observations, and told us that their web service provider, FireHost, no longer allowed access to their servers via Tor. Silent Circle's technical support also told us with respect to their views of Tor, "Definitely, it is important".
It was noted to Silent Circle that as a provider of a product that in part may help provide more confidentiality, and not merely end-to-end encryption, a requirement that users' IP addresses could be used to identify those logging in to the Silent Circle site could be seen as a step back from what the product had originally offered.
Silent Circle itself know the identity of the primary account holder from his or her payment information. Silent Circle could also know the phone identity information for any user, including those who were given Ronin codes. Such codes can be purchased and provided to another person in order for an account to be setup without entering any personal information (other than any information provided by the Ronin code user's phone).
Therefore, as is usual with such network security products, a user must have some faith in the integrity of the provider. To make themselves less susceptible to pressure for user information, Silent Circle, like many similar companies today, retains very limited logs of calls and texts.
Unfortunately, with the loss of Tor access to their site, users now must trust not only Silent Circle, which has made representations regarding its integrity, but also Silent Circle's service provider and their logs, which have not done so.
In other words, if the service provider can independently provide identifying information about Silent Circle users, then Silent Circle's representations to protect such information could be circumvented.
Silent Circle agreed to inquire with their provider, FireHost of Dallas, Phoenix, and London, as to why Firehost was now blocking Tor. The following response from FireHost was provided to us by Silent Circle on January 21, 2015:
"Tor exit nodes are routinely used as methods by Threat Actors to exfiltrate data from compromised endpoints. As an example, the Financial Sector has seen significant issues from them.
Overall, permitting their connectivity is seen as a High Severity Security Risk to an organization much like enabling Peer to Peer applications within a corporate environment.
For these reasons we have taken the stance to block TOR exit nodes across our cloud.
Hope this helps, if there are no further questions, I'll go ahead and set this ticket to resolved. If you'd like to have a more detailed conversation, I can line up the CSO to jump on a call with us to discuss TOR Exit Node issues in more depth. -Wayne"