Ricochet May Be Behind Mysterious Bump in Hidden Tor Addresses
Looking at the rise of Ricochet and its effect on new "dark web" services being generated very quickly.
Join the DZone community and get the full member experience.Join For Free
Recently, Professor Alan Woodward, a technology and security expert, based in the United Kingdom, noted a significant uptick in the number of .onion sites on the Tor network.
The professor theorized several possible reasons for the creation of more than 25,000 "dark web" services in just a few days, however, settled on a likely reason being the publication of a third-party security audit by the NCC Group on Feb. 15 conferring a reasonably positive verdict on the instant messaging platform Ricochet.
Professor Woodward believes a relatively innocuous explanation for the exponential creation of .onion sites may be new Ricochet clients being created by users, though a corresponding rise in traffic has not occurred. In fact, a dip can be seen.
Woodward theorizes the reasons for this may be: instant messaging does not create as much traffic as a fixed website in constant use, test accounts are being created at a rapid pace or users are creating the addresses for future use.
Days later the professor noted a decline in Tor address creation, so for now, the true cause of the spike may remain a mystery. But Ricochet got my attention because it was created to protect journalists, like myself.
What is Ricochet?
Ricochet is a decentralized open-source, instant messaging software project created by a middle school dropout named John Brooks, in his spare time. The application offers a user-friendly way to chat “meta-data free.” There is no fixed server, no user registration and the service is operated exclusively on Tor.
Ricochet uses Tor, or The Onion Router, to create a chain of connections through volunteer operated servers that make it more difficult for the source of the communication to be tracked. If the Internet were a physical place, Tor in essence, lets a user go through the bramble. For example, instead of taking the most direct route to the store, a driver would take several turns and maybe stop for lunch, then take several more turns before arriving at their final destination.
In more technical terms, a user's Tor client obtains a list of Tor nodes from a directory server. The user is then directed through at least three randomly encrypted servers. Each server the user is directed through is a relay and sees only the one hop in the circuit.
Therefore, each relay is only aware of its step not the complete path and each step has a set of encryption keys. Sounds more and more like following The White Rabbit ... he had keys, I think. Ask Alice, right? Furthermore, each time a user connects a different random pathway is chosen. This is still a gross oversimplification.
Down the Rabbit Hole
For users to meet or view websites, one cannot just stumble upon the information through a Google search. The information is part of the deep dark web. The "dark web" and the "deep web" are sometimes confused and the terms are used interchangeably .
The dark web is part of the deep web, however, the deep web is much larger, but both are inaccessible to Web crawlers, and will not be indexed by search engines like Google.
The deep web in the purist sense contains information, a search engine cannot find. Some say search boxes within a website, such as a government database or travel website are part of the deep web and others say it is content such as your email or bank account information.
Either way, the dark web is intentionally hidden, and cannot be accessed without special applications such as Tor. Both Tor and Ricochet intend to be as user-friendly as possible for reasons highlighted later. But, both offer users a circuitous way to hide their tracks.
Ricochet starts on Tor locally on a person’s computer and can only communicate with another Ricochet user who is also running their own Ricochet-created Tor hidden service thus the communication never leaves the Tor network. Just like any Tor connection, the Ricochet user on each end will travel through at least three random volunteer servers.
A Ricochet user-ID would appear as "ricochet" followed by a colon then the address of the Tor hidden service (Ex: ricochet:abcd123455abcd). The exact communication protocol is outlined on their GitHub page. At some point, at least one user would have to reveal this information for a two people to communicate.
The Open Technology Fund financed the security audit. Interestingly, OTF is financed by U.S. congressional appropriations. NCC undertook the effort in Nov. 2015; completing it late this month.
While the firm found several areas of improvement, including one high-risk vulnerability – in which HTML included in contact requests could deanonymize users – Brooks maintains he was already aware of the flaw, and stated it would be patched with the latest update.
Other areas of improvement suggested by the audit, include sandboxing the Tor application, “specifically the control port which, if exploited, offers adversaries the opportunity to completely compromise the anonymity of the Ricochet user.”
One area of positive note made by the consultants was the way that Brooks dealt with the inherent memory corruption problems and unsafe constructs of C++. Brooks is noted by a cohort to be a strong coder, and the report seems to bear this out.
Another positive is the application is portable and can be run from a USB drive, however, it is vunerable to less passive attacks, such as key-logging malware, so using it on an unknown machine is not a great idea.
A Noble Cause
Ricochet offers what other instant messaging programs have thus far lacked. While some have encrypted information from end-to-end. The pathway, that is who is sending the message, and to whom, or the metadata is still known. Journalists, rocked by searches at border crossings have too many tales to adequately enumerate, and even a U.S. Senator of the Senate Intelligence Committee chairman claimed her computers were searched by the CIA in 2014.
Tor, as previously mentioned, allows users to browse the dark web in relatively user-friendly fashion. It has its share of bad press as being a den of inequity, through high profile takedowns of sites such as the Silk Road, which in reality has turned into a long game of whack-a-mole, the backers of Ricochet envision a more noble purpose.
The backers, Invisible.im, a group formed by Australian journalist Patrick Gray, state their ultimate goal is to protect journalists' sources* and those seeking a safe space to communicate inside repressive regimes. Considering a law passed in late 2015 in Australia, requiring telecommunications companies to retain metadata for two years, Gray and his associates have a proverbial dog in the fight.
Gray said in a “Wired” article that they did not want to stop security agencies from tracking threats and … “if the NSA is already targeting you, you’re screwed … this is about stopping the wholesale violation of privacy and making it harder for people who shouldn’t have access to this information from having access to it.”
Those that maintain the Tor site, too, state a similar aim. They rightly know that exposing one's location may not get the average person thrown in jail or fired, however, it can hurt your pocketbook.
For example, data mining may cost a person in an unlucky location more in health or car insurance. Thus, shielding a computer and chat history is not just for the tin foil hats wearers amongst us. Nevertheless, the data one leaves on the Internet could likely passively be reconstructed to build a fairly accurate portrait to track your movements. Perhaps, venturing into tinfoil futures might be a good idea.
* A brief note about protecting journalist sources. A news outlet will publish a story, but not reveal a source if they have the following information: if they have verifiable third-party documentation of claims or a preponderance of other sources willing to corroborate a story independently. They will not reveal a source only if it will lead to loss of life or a severe life-changing event. The reason being is, while journalists are scolded for trading in rumor; they trade in facts. News outlets want to name names, sources included, additionally, if they are found to be wanting in the facts department, they lose their only currency, which is credibility. No journalist would purposely scuttle their reputation for a story, unless they are mentally unbalanced, despite what you may have seen in dramatizations. Furthermore, journalists generally, though not always, trade in truth to help people, hence not wanting their sources to suffer horribly.
Published at DZone with permission of Alison Marchman. See the original article here.
Opinions expressed by DZone contributors are their own.