946
Security / Re: Tor's weaknesses and Internet Surveillance (looking for technical details)
« on: June 21, 2013, 05:12 pm »
Ok so like many of you I've been glued to every shred of legit info on PRISM. I have been looking for serious debate as to just how Tor could be compromised/improved.
From what I read there really isn't all that much that can be done to Tor. Except for these three scenarios:
Your activity on Tor could be seen at an exit node, meaning that if I connect to an unencrypted clearnet site like Amazon.com or what have you, I think your activity could be tracked from that point forward, but not where you were previous to that exit node?
Your activity can also be monitored leading up to the entrance node. I take it this means that an ISP could easily see that yes you are connecting to Tor but they will not know what you are doing past that point?
A third way that LEO could gain insight into Tor would be to use the "bad apple" method, whereby LEO/Gov sets up a Tor server and they can monitor all the information coming in and going out.
I was reading about these three on Tor's Wikipedia page. I want to know if my understanding is correct?
Is there anything we can do to beef up our anonymity at these weak points (nodes)??
Tor users are generally safer than hidden services. Since clients can initiate connections to hidden services, and because of the complex nature of the protocol to establish those connections, there are a variety of attacks on them.
As you mentioned, the attacks on Tor users involve either the entry guard or exit node, or both. The main problem with exit nodes is that they can read unencrypted traffic. So if you send identifying info, they can correlate your identity with your activity. The defense against this is to use SSL to the destination server, or don't send identifying info. That is the case for clearnet sites. Connections to hidden services are encrypted end to end.
Some attacks can be performed when the adversary controls your entry guard, however he also has to control one other relay. He could control an exit node, and thus correlate your identity (at least your IP address) with your activity at the other end of the network. He could control a hidden service's entry guard, or its HS directory, or one of its entry points, and determine that you are accessing that hidden service.
The theory behind defending yourself from attacks based on an entry guard being compromised is that you should keep your entry guards for as long as possible. If you cycled them every 10 minutes like other relays, and an attacker operated some percentage of relays in the network, you would select one of his relays in a relatively short amount of time and get pwned. That's why Tor clients keep entry guards for a month at a time, so the attack takes 8600 times as long to perform. You could change the Tor source code to keep entry guards longer, for 6 months or even a year, but then you would stand out more, reducing your anonymity in a different way. If you are worried about attacks involving entry guards, it's better to use bridges as permanent entry guards.
You can also reduce your anonymity by making your circuit behavior on the network more noticeable. Some people feel the need to exclude nodes in whole countries. For example, someone living in the United States may not want to connect to relays in the United States. If an attacker operates one of his entry guards, he might notice that this person never connects to relays in his own country, meaning he's trying to get extra protection, making him a subject of interest. If the attacker were LE, he might start investigating that Tor user.
Similarly, by changing TorBrowser's defaults, for example by installing add-ons that change web pages in unique ways (such as ad blockers), a Tor user could be fingerprinted across web sites.
Some attacks are specific to SR users. I've mentioned in other threads that vendors are weak to an attack where LE orders a product from them, obtains their city, then performs a type of intersection attack, correlating their message / post times to when users in that city are connected to the Tor network.
There are theoretical non-technical attacks on SR users that involve Tor. For example, a lot of vendors check buyer addresses on Google Maps and similar sites to see if they are valid (to avoid issues with products not arriving and having to go into resolution). They make these searches over Tor. If LE wanted to go on a fishing expedition, they could ask Google for all searches over Tor and hand those addresses to local LE for increased surveillance and inspection of incoming packages.
Long story short, there are a variety of ways that Tor users, and especially SR users, can be attacked.
There's really not much that you can do to "beef up" your anonymity beyond what Tor provides, except to use bridges, both to hide your Tor use from a local observer, and to maintain permanent entry guards. Most other things that you would try to do would make you stick out more and actually decrease your anonymity. There are many bad behaviors that can decrease your anonymity, so mostly what you can do is avoid the bad behaviors.
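The reply's point about entry-guard lifetime (that rotating guards every 10 minutes would hand a relay-operating adversary a chance to become your guard far sooner than keeping one guard for a month) can be made concrete with a small model. The following Python is an added illustration written for this page; it is not code from the post's author or from the Tor project. It assumes a simplified picture in which the adversary controls a fixed fraction `bad_fraction` of guard-eligible capacity and each guard choice is an independent draw with that probability, which ignores Tor's bandwidth weighting and guard-set details but is enough to show why longer guard lifetimes reduce exposure.

```python
"""
Model of how entry-guard lifetime affects exposure to a relay-level adversary.

Added illustration for this thread, not the post's or the Tor project's code.
Assumptions (simplifications of real Tor path selection):
  - the adversary controls a fixed fraction `bad_fraction` of guard capacity,
  - every guard selection is an independent draw with that probability,
  - a client counts as "exposed" once any guard it picked is adversary-run.
"""
from math import ceil

# Constructed constants: a 30-day month expressed in minutes, and the
# 10-minute circuit lifetime the reply contrasts with month-long guards.
MINUTES_PER_MONTH = 30 * 24 * 60
CIRCUIT_LIFETIME_MINUTES = 10


def guard_selections(observation_minutes, guard_lifetime_minutes):
    """Distinct guard choices a client makes during the observation window."""
    if guard_lifetime_minutes <= 0:
        raise ValueError("guard lifetime must be positive")
    return max(1, ceil(observation_minutes / guard_lifetime_minutes))


def exposure_probability(bad_fraction, observation_minutes, guard_lifetime_minutes):
    """P(at least one guard chosen in the window is adversary-controlled)."""
    if not 0.0 <= bad_fraction <= 1.0:
        raise ValueError("bad_fraction must be in [0, 1]")
    n = guard_selections(observation_minutes, guard_lifetime_minutes)
    return 1.0 - (1.0 - bad_fraction) ** n


def expected_minutes_until_bad_guard(bad_fraction, guard_lifetime_minutes):
    """Mean time until the first adversary-run guard (geometric waiting time)."""
    if bad_fraction <= 0.0:
        return float("inf")
    return guard_lifetime_minutes / bad_fraction


def compare_policies(bad_fraction, observation_minutes):
    """Exposure under per-circuit rotation versus month-long guards."""
    policies = {
        "rotate every circuit (10 min)": CIRCUIT_LIFETIME_MINUTES,
        "keep guard for a month": MINUTES_PER_MONTH,
    }
    return {
        name: exposure_probability(bad_fraction, observation_minutes, lifetime)
        for name, lifetime in policies.items()
    }


if __name__ == "__main__":
    # Constructed scenario: adversary runs 1% of guard capacity, client observed for a month.
    for name, p in compare_policies(0.01, MINUTES_PER_MONTH).items():
        print(f"{name:32s} exposure over one month: {p:.4f}")
```

The model only captures the exposure side of the trade-off; it says nothing about the "standing out" cost the reply describes for clients that extend guard lifetime beyond the default, which is a behavioural observation rather than a probability to compute.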