Hitachi Group Global Network




Middle East and Africa



Risks Associated to Using Tor inside a Business Network
You are here: Home \ Cryptography \ Risks Associated to Using Tor inside a Business Network
Posted on Thursday, April 7th, 2016 by

Is it Safe to Use a Tor Network in Your Business?

The Internet was not designed with anonymity in mind; in fact, one of the original design goals was accountability [1]. However, anonymity has become a necessary and legitimate aim in many applications (browsing the internet, chatting, sending instant messages etc.). In these applications, encryption alone cannot maintain the anonymity required by users. The main reason for this is the fact that in this case only the communication is encrypted; it is still possible to know the source and destination of the communication. Thus, it is possible to identify who is initiating the communication, and for whom this communication is intended.  This alone defeats the sole purpose of anonymity on the Internet.

Therefore, many tools providing anonymity emerged and were made available for the general public. Tor is one of them. In a short amount of time, usage of this tool became increasingly widespread amongst business networks and it is now considered one of the largest and most famous anonymity networks available. On the other hand, it becomes very important for organizations to understand the risks associated with the use of this software in their business network. This article highlights some major risks of using Tor in a business network, and provides some recommendations to prevent and/or detect it.


What is Tor and why is it so popular?

Tor is a software that allows users to browse the Web anonymously. Tor stands for “The Onion Router” and it is called so because it is using the Onion routing protocol to conceal information about user activity, location and usage from anyone conducting network surveillance or traffic analysis. People use Tor to keep their privacy, security and anonymity on the internet. It is steadily used by journalists, political dissidents and criminals to keep their communications and locations private.

Originally, the development of the onion routing protocol was sponsored by the U.S. Naval Research Laboratory in the 1990s, and Tor itself was developed by the Navy and independent researchers in 2002. The protocol is still being worked on and supported under the Tor Project, a nonprofit organization.


How does Tor work?

Now that we know a bit about Tor, let’s talk about how it works. At a high level, when you connect to Tor, your computer becomes a node and can be used by any other Tor users to relay their traffic. The Tor network hides your identity by moving your traffic (that was encrypted) across different computers, or nodes, located all across the world. Instead of taking a direct route from source to destination, the data packet sent on the Tor network takes a random pathway through several servers that cover your tracks. No individual will ever know the complete path that a data packet has taken (no one at any single point can tell where the data originally came from and where the final destination is), and anyone who tries would see traffic coming from random nodes on the Tor network, rather than your computer. For greater security, all Tor traffic passes through at least three relays (Entry node, Middle Node and Exit node) before it reaches its destination. Each of these has a specific role to play:

  • Entry Node: the first relay that Tor traffic passes through. It receives traffic and passes it along to the second node.
  • Middle Node: receive traffic and passes it along to another relay.
  • Exit Node: is the final relay where the Tor traffic passes through before it reaches its destination.


Below an excellent set of diagrams (extracted from [2]) which helps to understand how Tor works at a high level. An important aspect is that when a user wants to connect to the Tor network, he needs to first obtain the list of all the nodes, which is available in the directory authorities’ server. He then selects a node from the list that meets certain characteristics (mainly bandwidth, uptime …) and chooses it as its first node. It’s also important to mention that the final exit node has zero knowledge about the entry node. It is this architecture which allows the anonymization of the communication (source and destination IP addresses, data …).

How Tor Works 1

How Tor Works 2

How Tor Works 3


How do you get Tor?

To access the Tor Network, you just need to download the Tor Browser and to install it. It is free to use and doesn’t need any specific configuration or setup from the user. It can be used as a web browser and everything done goes through the Tor network automatically.


Is there any risk from using Tor inside a Business Network?

Risk management plays a critical role in protecting an organization’s information assets. Every organization should evaluate the risk and the impact that the use of any new technology in its corporate network can have on its business. Tor is one of these tools that organizations should understand, to be aware of its associated risks and its benefits as well. While it is true that Tor can be used with the legitimate goal of anonymity on the internet, it can represent a gigantic problem for an organization: bypassing network security, connecting to criminal sites on the ‘darknet’ or ‘dark web’ (websites only accessible from within an anonymized network), involving the organization in criminal activities, exposing the corporate network to malware infections, etc. In this section, we will try to identify the main risks a company is exposed to when allowing Tor inside its network. The end goal from this analysis is to sensitize and to help companies in making appropriate decisions on whether to allow or not allow the use of Tor in their network.


Risk 1: Exposing the organization to malware and botnet attacks

People operating one of the “exit nodes” can use the device to add malware. So, any user downloading through Tor exposes the organization network to malware infection. In addition to that, it’s important to know that criminals are starting to use Tor as a communication channel for malware (C&C).


Risk 2: Exposing the organization to DDoS attacks

Having one or more computers operating as Tor nodes exposes the company to the risk of DDoS (Distributed Denial of Service: saturation of the network bandwidth, preventing others from using it). The fact that one or more corporate servers are relaying Tor network traffic can result in a high consummation of the corporate network bandwidth which makes the organization permanently exposed to a DDoS attack


Risk 3: Enabling employees to bypass security controls

The fact that Tor encrypts all the traffic over the network makes the monitoring of the network activities between the Tor node and the Internet very hard. This way, people can bypass the security policies and controls of the organization very easily. They can connect to illegal websites, reach the darknet and purchase illegal goods and services, and steal sensitive data without anyone’s knowledge.


Risk 4: Being the victim of information theft

Traffic can be sniffed at the exit node. People operating the exit node can monitor the traffic transiting through his device and then capture any non-encrypted (HTTP, FTP, SMTP without TLS …) sensitive information such as, but not limited to, login/password. That being said, employees using Tor are exposed to the risk of seeing their data and the information belonging to their organization stolen, which can have a major impact on their business. This attack is also known as MiTM (Man in The Middle) attack.


Risk 5: Negative impact on the organization’s reputation

Organizations operating Tor nodes can be held responsible for others’ (illegal) activities. Thus they can face the possibility of serious criminal penalties if one of the nodes they are operating is discovered transporting illegal material (child porn) or performing illegal activities (hacking, DDoS attacks, spying, etc). This usually happens when you are operating an exit node because it is the exit node’s IP that appears when the authorities start investigating the digital fingerprints of the crime.


Risk 6: Blacklisting

Setting up a Tor node inside a network runs a risk of an organization’s IP being added to an Internet blacklist, notably if the node is involved in illegal activities.


How to prevent/block Tor inside your Business Network

How can we know if an employee is using Tor on a corporate resource? How can we detect/block Tor inside a network? The truth is that detecting/blocking Tor is never an easy thing. The solution to this problem cannot purely rely on technology, but the combination of training and awareness, security policies, security best practices, and technologies could be the best solution. Here are some of our recommendations:


Preventing Actions

  • Stop user from installing Tor: Implementing security controls that limit user access rights to a computer will contribute to prevent the installation of unauthorized software or device. Controls on the USB ports should be applied to prevent running Tor pre-installed on a USB stick.
  • Clear Policy on Tor Usage: Make sure that the corporate security policies speak clearly about the use of the Tor bundle on corporate resources. At the same time, it’s important to communicate to the entire staff of the organization that using Tor over the corporate network is strictly prohibited and is considered as a major and punishable violation of security policy.
  • Awareness and training: All the employees should be trained and aware of the risk related to the usage of the Tor in their corporate network.


Detecting Actions

  • Develop a blacklist of Tor nodes: The idea here is to stop all the outbound traffic related to Tor at the border firewalls level by creating an explicit outbound deny rule based on the blacklisted IPs. In addition to that, this solution makes it possible to build a log of all hosts attempting to connect with the Tor nodes. The challenge with this solution is to get and to maintain the blacklist to remain relevant.
  • Block all traffic using self-signed digital certificates: Tor is known as using self-generated SSL certificates (certificates not delivered by a recognized certificate authority) to encrypt traffic between nodes and servers. Blocking all the outbound SSL traffic that uses self-signed SSL certificates across your network, which is part of the security best practices, can contribute to preventing the use of Tor. Web proxy services and WAF (Web Application Firewall) can be used for this purpose as they can stop all traffic using self-signed digital certificates. They can inspect traffic deeper and, regardless of the port, block traffic based on packet content.



Tor is an important tool. It has its benefits and it might sound like the perfect way for everyday people to cover their tracks, but it’s not anywhere near perfect. Using this tool in a corporate network can open up organizations to security risks, liability and potential litigation. In fact, organizations need to pay attention to the risk of having Tor in their corporate networks.

Detecting/blocking Tor in a corporate network is never an easy thing. Organizations should consider the deployment of more than one solution, as cited above, to enhance the chance of preventing the use of Tor in their corporate network.

People should understand that Tor is not the only anonymity network designed with ultra-security in mind. I2P (Invisible Internet Project) is another example of a tool that should be considered seriously, at the same level as Tor.

Finally, proxies such as Ultrasurf, Hide my IP, Hide My Ass, ExpressVPN, etc. should also be monitored and evaluated as they can be used by employees for bypassing the security policies of their companies and performing malicious activities, although these are much easier to spot and block.



1- D. Clark. Design Philosophy of the DARPA Internet Protocols. In Proceedings of the ACM Special Interest Group

on Data Communications, pages 106–114, August 1988.



Learn more about Hitachi Systems Security’s Managed Security Services by downloading our Free Case Study below:

Managed Security Services for the Banking Industry

Hassane Oumsalem
About author:
Hassane is Director of Information Security Services at Hitachi Systems Security, in charge of the Montreal, Switzerland and Mexico SOCs’ teams. He has accumulated over 12 years of experience in the IT Industry, including the past 8 years in IT security. Throughout his career, Hassane held several positions such as R&D Engineer, IT System Engineer, Information Security Advisor, Principal Information Security Advisor etc. Hassane graduated in Computer Engineering from École nationale Supérieure d'Informatique (ESI ex: INI) in Algeria, then post-graduated in Computer Science from University de Versailles in France and in Computer Engineering from École Polytechnique Montreal in Canada. Specialties include Managed Security Service, Incident Handling, Penetration testing, Vulnerability management, Log Management, Threat Management, IDS/IPS, Computer and Network Security Forensics, Network Design and Hardening, Security configuration review, Information Security Governance, Social Engineering, …

Latest Webinars | Watch Now


The Next Generation of Managed Security, in collaboration with PCM.

Watch Now

Reporting Data Privacy Obligations to the Board: A Practical Approach to Ongoing Compliance, in collaboration with Nymity.

Watch Now


Recent Videos

What is Penetration Testing?

What is a Vulnerability Assessment?

What is a Control Assessment?