29 February 2012
On the Topic of Tor's Weaknesses
From: Chris Wheeler <grintor[at]gmail.com>
Date: Sat, 25 Feb 2012 12:06:23 -0500
To: tor-talk[at]lists.torproject.org
Subject: [tor-talk] on the topic of tor's weaknesses
I have been reading a lot about end-to-end correlation attacks on tor. I
am writing a paper on the subject and have a question which I can't seem
to find an answer to. I understand these attacks rely on the attacker being
able to view the traffic of the first relay a client is connecting to and
the exit server. At this point they could make a correlation of what exit
traffic is specific to that client based on statistical analysis. My question
is: since bridges are just entry-point relays, if one could be certain that
they were connecting to a bridge that is not compromised (for instance, if
they themselves controlled the bridge), would they then be protected from
such an attack?
Thank you for your help
_______________________________________________
tor-talk mailing list
tor-talk[at]lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
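The end-to-end correlation the question describes, as an added example that is not code from the thread or from the Tor project: an adversary with packet timestamps from the client's first hop and from the exit side histograms both views and pairs each entry flow with the exit flow whose timing correlates best, trying a few bin lags to absorb the unknown transit delay. It also shows the active form of the same attack, tearing one client's circuit down at the first hop and watching which exit stream goes quiet. All flows, client and stream names, the 0.25 s latency and the jitter values are constructed for the example, not captured traffic.

```python
"""End-to-end timing correlation across a Tor-style circuit.

Added example, not code from the tor-talk thread or the Tor project.
The adversary sees only packet timestamps: once on the client's first hop
and once on the exit side. Every flow below is constructed, not captured.
"""

BIN = 0.5                          # seconds per histogram bin
LATENCY = 0.25                     # assumed base delay entry -> exit
JITTER = (0.0, 0.04, 0.09, 0.02)   # assumed per-packet delay variation, cycled


def flow_from_pattern(pattern):
    """'X' = a 1 s slot carrying four packets, '.' = an idle slot."""
    times = []
    for slot, ch in enumerate(pattern):
        if ch == "X":
            times.extend(slot + off for off in (0.1, 0.35, 0.6, 0.85))
    return times


def transit(times):
    """Exit-side view of a flow: base latency plus bounded jitter.
    Order is preserved because a circuit carries a TCP stream."""
    out, last = [], 0.0
    for i, t in enumerate(times):
        d = max(t + LATENCY + JITTER[i % len(JITTER)], last)
        out.append(d)
        last = d
    return out


# Entry-side flows as seen at the first hop (constructed).
ENTRY_FLOWS = {
    "clientA": flow_from_pattern("XX...X.X.."),
    "clientB": flow_from_pattern("..XX....XX"),
    "clientC": flow_from_pattern(".X..XX..X."),
}

# Exit-side flows: the same traffic, delayed, under opaque stream ids.
EXIT_FLOWS = {
    "exit-7": transit(ENTRY_FLOWS["clientB"]),
    "exit-3": transit(ENTRY_FLOWS["clientA"]),
    "exit-5": transit(ENTRY_FLOWS["clientC"]),
}


def histogram(times, n_bins):
    """Packets per BIN-sized time slice."""
    counts = [0] * n_bins
    for t in times:
        b = int(t / BIN)
        if 0 <= b < n_bins:
            counts[b] += 1
    return counts


def pearson(a, b):
    """Pearson correlation of two equal-length count vectors."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return 0.0 if va == 0 or vb == 0 else cov / (va * vb) ** 0.5


def best_lag_score(entry, exit_, n_bins, max_lag_bins=3):
    """Slide the exit histogram back by 0..max_lag bins; the lag absorbs
    the unknown transit delay. Returns the best (score, lag)."""
    he, hx = histogram(entry, n_bins), histogram(exit_, n_bins)
    best = (-1.0, 0)
    for lag in range(max_lag_bins + 1):
        score = pearson(he[: n_bins - lag], hx[lag:])
        best = max(best, (score, lag))
    return best


def match_flows(entry_flows, exit_flows, duration=11.0):
    """Passive attack: pair each entry flow with the exit flow whose
    timing histogram correlates best."""
    n_bins = int(duration / BIN) + 1
    matches = {}
    for cname, etimes in entry_flows.items():
        scored = {x: best_lag_score(etimes, xtimes, n_bins)[0]
                  for x, xtimes in exit_flows.items()}
        matches[cname] = max(scored, key=scored.get)
    return matches


def silent_after(exit_flows, t0):
    """Exit-side streams carrying no packet at or after time t0."""
    return sorted(x for x, times in exit_flows.items()
                  if not any(t >= t0 for t in times))


def kill_demo(victim="clientB", kill_time=7.0):
    """Active attack: cut the victim's circuit at the first hop at
    kill_time, rebuild the exit-side view, and report which stream died."""
    cut = {c: [t for t in ts if t < kill_time] if c == victim else ts
           for c, ts in ENTRY_FLOWS.items()}
    exits = {"exit-7": transit(cut["clientB"]),
             "exit-3": transit(cut["clientA"]),
             "exit-5": transit(cut["clientC"])}
    # wait past the worst-case transit delay before deciding
    return silent_after(exits, kill_time + LATENCY + max(JITTER))


if __name__ == "__main__":
    print(match_flows(ENTRY_FLOWS, EXIT_FLOWS))
    print(kill_demo())
```

The passive matcher needs nothing but timestamps from the two observation points; it never looks at payload, and the lag search means the adversary does not need to know the circuit's latency. The active variant needs even less analysis: after the cut, exactly one exit-side stream falls silent, which is the "see which connection exiting the network dies" case in a few lines.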
About 18 responses omitted:
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Date: Wed, 29 Feb 2012 09:48:15 -0500
From: Paul Syverson <syverson[at]itd.nrl.navy.mil>
To: tor-talk[at]lists.torproject.org
Subject: Re: [tor-talk] on the topic of tor's weaknesses
On Wed, Feb 29, 2012 at 05:17:34AM -0500, grarpamp wrote:
> > The main problem, besides the overhead, is that padding doesn't work
> > if an adversary can do something as trivial as very briefly delaying
> > It is too easy for an adversary to put a traffic signature on a
> > circuit in one place, and look for it elsewhere. If he owns, e.g., the
> > first node and any of the last node, the link to the destination, or
> > the destination it won't matter what kind of padding is done. There's
> > lots of published work showing this in various ways. Some already
> > alluded to in this thread. If nothing else the adversary can just kill
> > the connection at the first node and see which connection exiting the
> > network dies.
>
> Doesn't this mean bad news for users of hidden services,
> Doesn't this mean bad news for users of hidden services,
Maybe. The important thing is to understand what security is provided and
what is not. Then you can make an informed decision about whether or not
it's bad news.
> and to a lesser extent clearnet services (since they're not as 'illegal' and thus
> maybe lesser hot targets for snagging users). IE:
>
> Sting runs a HS and an entry. Thus Sting has full packets, timing,
> cleartext and logs of anyone that builds: clientA <> entry <---> HS
>
> There may even be these additional structures to the left of clientA's
> entry, for which the role of entry may switch to relay or exit, but for
> which entry may be still able to discriminate among on its left...
> clientB
> clientC <> relay
> clientD [...] <> relay <> relay [...]
>
> It may take a while for a clientA to use said entry but when they do it seems
> it would be quite easy to time/count correlate or munge the HS traffic of
> clientA. And only require two nodes (hs, entry) and no GPA taps to do so.
>
> Can such an entry know when it's being used as an entry by
> whatever appears to its left? I think that is what I describe
> relies on.
The short but incomplete answer is yes. Generally, what you are describing
we experimentally verified on the live Tor network back in 2005. See
"Locating Hidden Servers" by Lasse Overlier and myself. Available at
http://freehaven.net/anonbib/
or
http://www.onion-router.net/Publications.html
These sorts of attacks are what motivated us to introduce guard nodes, also
described in that paper. We all knew, and had seen analyzed in earlier
work by Wright et al., that onion routing circuits were subject to predecessor
attacks, and that what Wright et al. had called helper nodes would, well
help. What Lasse and I showed was that the public Tor network as of
2005 was subject to such attacks working very quickly (minutes) using very
limited resources. You could generally find a hidden server within minutes
using just a single hostile Tor relay (no cooperation from evil web server
required). We wanted to show what you could do with a single relay, which
limited us to hidden server circuits. If you owned at least two relays, you
could attack arbitrary Tor circuits. This was confirmed in simulation on
PlanetLab shortly after by Bauer et al. ("Low-Resource Routing Attacks
Against Tor", also available at anonbib).
Entry guards don't change the asymptotic threat of such attacks, they just
move it around. Since you could be screwed so quickly and easily by building
random circuits, Tor was changed so that you pick just a few relays as your
entry guards. If one of them is evil, it will see the entry side of (a large
fraction of) your circuits and will be able to associate you with your
destination whenever you go to a hostile destination or use a hostile exit.
What Lasse and I showed was that you weren't really much worse off from this
than when choosing circuits with random entry relays. And if none of your
guards is evil, an adversary can never de-anonymize you in this way. (Never
say "never". ;>) Cf. the experiments and discussion of layered guards
in "Locating Hidden Servers", and our subsequent research on building trust
into path selection.
aloha,
Paul
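Paul's point that entry guards "don't change the asymptotic threat, they just move it around", worked through as an added example (not code from the thread, the paper, or the Tor project). The model is a simplification and an assumption of mine: a fraction f of relays, weighted as the client would select them, is hostile; a circuit is end-to-end compromised when both its entry and its exit are hostile; circuits are built independently. The figures f = 0.1, g = 3 guards and n = 200 circuits are illustrative, not numbers from "Locating Hidden Servers". The closed forms are checked against a seeded Monte Carlo run.

```python
"""Random entry relays vs. a fixed guard set against a hostile fraction f.

Added example, not from the tor-talk thread or the Tor code base. Assumed
model: hostile fraction f applies to both entry and exit selection, a
circuit is compromised when both ends are hostile, circuits are independent.
"""
import math
import random


def p_any_compromise_random_entry(f, n):
    """Fresh random entry per circuit: probability that at least one of
    n circuits has a hostile entry and a hostile exit."""
    return 1.0 - (1.0 - f * f) ** n


def p_any_compromise_guards(f, g, n):
    """g guards chosen once: sum over k hostile guards of
    P(k hostile) * P(some circuit of n picks a hostile guard and exit)."""
    total = 0.0
    for k in range(g + 1):
        p_k = math.comb(g, k) * f ** k * (1 - f) ** (g - k)
        per_circuit = (k / g) * f
        total += p_k * (1.0 - (1.0 - per_circuit) ** n)
    return total


def p_no_hostile_guard(f, g):
    """With no hostile guard this attack never succeeds, however many
    circuits are built."""
    return (1 - f) ** g


def expected_compromised_fraction(f):
    """Long-run fraction of compromised circuits is f*f in both designs;
    guards change who bears the loss, not its average."""
    return f * f


def simulate(f, n, trials, guards=None, seed=1):
    """Monte Carlo check of the closed forms. guards=None means a fresh
    random entry per circuit; an integer g fixes g guards per client.
    Returns the fraction of clients with at least one compromised circuit."""
    rng = random.Random(seed)
    hit = 0
    for _ in range(trials):
        guard_hostile = (None if guards is None
                         else [rng.random() < f for _ in range(guards)])
        for _ in range(n):
            entry_hostile = (rng.random() < f if guard_hostile is None
                             else rng.choice(guard_hostile))
            if entry_hostile and rng.random() < f:
                hit += 1
                break
    return hit / trials


def report(f=0.1, g=3, n=200):
    """Side-by-side numbers for the illustrative parameters."""
    return {
        "random_entry_any_compromise": p_any_compromise_random_entry(f, n),
        "guards_any_compromise": p_any_compromise_guards(f, g, n),
        "guards_never_compromised": p_no_hostile_guard(f, g),
        "expected_fraction_either_way": expected_compromised_fraction(f),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:32s} {value:.3f}")
    print("sim random entry:", simulate(0.1, 200, 4000))
    print("sim guards:      ", simulate(0.1, 200, 4000, guards=3))
```

With f = 0.1, a client building 200 circuits with fresh random entries is compromised at least once with probability about 0.87, and with 1000 circuits essentially always; with three guards the probability is about 0.27, and the 0.73 of clients with no hostile guard are never caught by this attack, while the unlucky ones expose a third, two thirds or all of their circuits. The average over all clients is the same f*f per circuit in both designs, which is what "moving it around" means.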