Silk Road forums
Discussion => Security => Topic started by: raynardine on February 05, 2013, 03:18 am
-
Some features that are being considered among Tor developers are greatly expanding the concept of bridges, which are used to hide the fact that you are using tor from hostile networks you may be forced to use (for lack of better options).
Currently, bridge relays do not do much. Bridges are still published to a centralized "Bridge Authority" controlled by the core developers, who are known to fraternize with various national governments, especially the USA, and are semi-cautiously published with a captcha used to make it slightly more difficult to enumerate all of the bridge relays.
In response to overwhelming criticism over the centralized nature and vulnerability of the bridge authority server, and the possible (read: pretty much 100% certain) exploitation by national governments, especially the USA, of this centralized infrastructure, the new concept of a Bridge Community changes all of that.
You run your own bridge authority, and possibly a pool of bridge relays, then publish the IP:port pairs to that bridge authority. Your community members can then use a few IP:port pairs you give them directly to connect to the bridge community. These bridges then relay all traffic for that community into the wider public relay pool.
This is a lot more stealthy than the current system, and a lot harder to block or even detect, with things like protocol obfuscation.
This is a steganographic technique which embeds tor protocol within a cover protocol, which is designed to look normal and routine.
This is used with bridge relays which have the feature enabled.
To keep up with the inevitable arms race that will ensue when obfsproxy becomes more common among normal tor users, obfsproxy version 3 uses "pluggable transports" where you can easily design a new module for exploiting unintended features in underlying cover protocols.
So, as a tor bridge community administrator, you can give your users a couple of IP:port addresses and a few very recent pluggable transport modules in order to hide the fact that they are even using tor in the first place, much less allowing adversaries to observe your traffic and discern who is communicating with whom.
This is the future of tor, if the core tor developers have any brains.
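A concrete torrc for the private, obfuscated bridge described in the post above, added here as an example and not part of the original post or of the Tor project's documentation. It uses obfs4, which replaced obfsproxy's obfs3 after this thread was written and which, unlike obfs3, refuses to complete its handshake with anyone who does not hold the key from the bridge line. The addresses, ports, fingerprint and cert are placeholders.

```conf
# Bridge side: torrc on the VPS the community runs.
# Placeholders only; no real bridge is described here.
BridgeRelay 1
# Do not register with the Bridge Authority: nobody learns this bridge
# exists unless the operator hands out its line.
PublishServerDescriptor 0
ExitRelay 0
# tor's own port, needed for the relay to start; see note below.
ORPort 9001
# Channel between tor and the transport plugin; required by obfs4proxy.
ExtORPort auto
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
# The only port community members are told about.
ServerTransportListenAddr obfs4 0.0.0.0:8443

# Client side: torrc of each community member.
UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
# Fingerprint comes from the bridge's "fingerprint" file, cert from
# pt_state/obfs4_bridgeline.txt on the bridge; placeholders here.
Bridge obfs4 203.0.113.10:8443 0123456789ABCDEF0123456789ABCDEF01234567 cert=<cert from obfs4_bridgeline.txt> iat-mode=0
```

Because PublishServerDescriptor is 0 the bridge is never sent to the Bridge Authority, so it is only as known as the operator makes it. Two caveats a practitioner would add: the bare ORPort still answers a normal Tor TLS handshake to anyone who connects, so firewall it off from the Internet and expose only the obfs4 port (tor will then complain it cannot confirm its own reachability; AssumeReachable 1 suppresses that check), and hand the Bridge line over a channel the adversary cannot read, since whoever has the cert can connect and whoever sees the line can enumerate the bridge.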
-
In response to overwhelming criticism over the centralized nature and vulnerability of the bridge authority server and possible (read: pretty much 100% certain) exploitation by national governments, especially the USA, of this centralized infrastructure.
The USA doesn't block bridges, so how are they exploiting it? If you want to thwart traffic analysis by your government, use bridges/relays outside of your country to maximize jurisdictional barriers. Actually, the probability of all 3 of the relays in a circuit residing inside your jurisdiction is very small already. Tor relays are spread across 75 countries, so there's little the US or Chinese governments can do to correlate traffic, unless they get really lucky (yes, there are some sophisticated fingerprinting attacks but none have been discovered in the wild).
Bridge enumeration is mainly a problem in China and other places that actively block connections to the Tor network.
The new concept of a Bridge Community changes all of that.
You run your own bridge authority, and possibly a pool of bridge relays, then publish the IP:port pairs to that bridge authority. Your community members can then use a few IP:port pairs you give them directly to connect to the bridge community. These bridges then relay all traffic for that community into the wider public relay pool.
This is an interesting idea, and I'd like to see how it works in practice.
However, it seems to introduce a new problem: the bridge authority operator is linked to the users. I mean, how do they find out about the bridge authority besides some kind of prior knowledge of the operator? On the other hand, if anyone can find out about a bridge pool, what is to stop censorship regimes from finding out about it?
It's similar to the problem that plagues exit guards, which haven't been implemented.
To keep up with the inevitable arms race that will ensue when obfsproxy becomes more common among normal tor users, obfsproxy version 3 uses "pluggable transports" where you can easily design a new module for exploiting unintended features in underlying cover protocols.
Yeah, I can't wait for this to be standard.
-
sub
-
The USA doesn't block bridges, so how are they exploiting it? If you want to thwart traffic analysis by your government, use bridges/relays outside of your country to maximize jurisdictional barriers. Actually, the probability of all 3 of the relays in a circuit residing inside your jurisdiction is very small already. Tor relays are spread across 75 countries, so there's little the US or Chinese governments can do to correlate traffic, unless they get really lucky (yes, there are some sophisticated fingerprinting attacks but none have been discovered in the wild).
I agree that the US is not much interested in bridges. Also, although Tor project developers very frequently meet up with law enforcement and such, they are, to the best of my ability to tell, not in cooperation with law enforcement at all. Mostly they just tell them the basics of how Tor works, shit that all of us already know. Also, Tor project very frequently gives the same information to a wide range of people; if I recall correctly, they helped Wikileaks with their hidden service configuration as well. So they are pretty impartial about who they will talk about Tor with, but they are quite dedicated to Tor itself and keeping it as anonymous as they can for all who use it, and I do not think for one second that they will compromise Tor for anyone unless they are absolutely forced to (and even still there isn't much they can do, although they could be forced to give up bridge IP addresses perhaps. EFF lawyers back them up for free, so they have access to a pretty powerful group of lawyers to help defend them from legal attacks).
I would also like to point out that although from an active internal perspective the distribution of Tor nodes makes it unlikely for such an attacker to correlate traffic, from a passive external point of view it is quite likely that the US government can correlate large amounts of Tor traffic. NSA has access to multiple Narus Insight supercomputers with direct access to major IXs in the USA, so it is very likely that they can externally monitor a lot of Tor traffic passing through nodes they don't own. Thankfully NSA is prohibited by law from using this intelligence against Americans who are not in contact with terrorist or foreign intelligence agencies, and I think they are actually restricted to only targeting terrorists and foreign intelligence agencies in the first place. Of course they do whatever the fuck they want, but they don't want to fuck with us.
Bridge enumeration is mainly a problem in China and other places that actively block connections to the Tor network.
Mostly, although it can also be a problem for people trying to find bridge users to do other attacks, particularly known rough geolocation + Tor client enumeration & geolocation to narrow in on shippers.
However, it seems to introduce a new problem: the bridge authority operator is linked to the users. I mean, how do they find out about the bridge authority besides some kind of prior knowledge of the operator? On the other hand, if anyone can find out about a bridge pool, what is to stop censorship regimes from finding out about it?
Even more concerning is who runs these bridge pools? What stops an attacker from purporting to run such a pool, but only providing compromised nodes that they control? At least when we use the official Tor bridge pools, we know that anyone is free to publish a legitimate bridge, and that there is a chance we will get their legitimate bridge when we request bridge addresses.
It's similar to the problem that plagues exit guards, which haven't been implemented.
The biggest problem with exit guards is that they do massive damage to Tor's ability to prevent traffic linkability. The Tor devs will never implement exit guards, historically preventing exit traffic linkability has been their primary focus.
-
Also, although Tor project developers very frequently meet up with law enforcement and such, they are, to the best of my ability to tell, not in cooperation with law enforcement at all.
Honestly, I think they do that to keep Tor technology from getting banned. :)
Even more concerning is who runs these bridge pools? What stops an attacker from purporting to run such a pool, but only providing compromised nodes that they control? At least when we use the official Tor bridge pools, we know that anyone is free to publish a legitimate bridge, and that there is a chance we will get their legitimate bridge when we request bridge addresses.
Very good point.
-
Honestly, I think they do that to keep Tor technology from getting banned. :)
It also helps relay operators when LE knows what Tor is and doesn't go on useless raids.
-
My problem with bridges is that it's still possible to prove that I was connected to the Tor network at a given time, even if I used bridges, because my ISP has the list of IPs I was connected to, and LEA can check the IPs by trying to use them as a bridge in Tor.
So if LEA knows that someone was blogging some shit through Tor, and somehow they find me, then they check the IP addresses I was connected to when those blog posts were made. Then they try to use those IPs as a bridge in Tor; if it works then they know I was using Tor at every single time when those posts were made, and this is more than enough to put me in jail here where I live.
Maybe distributing the bridge IPs along with a password, so that without the password the bridge would not reveal itself as a bridge, would solve this problem.
-
ISPs don't generally log the sites you visit unless LE specifically requests it. If LE is watching your internet connection, you're probably fucked anyway. The purpose of Tor is to prevent them from identifying you.
You're thinking about this from your perspective, "I'm using Tor and somebody can see that." You have to think about it from their perspective, "Somebody is blogging, where the fuck are they?" If you use Tor correctly and don't reveal info about yourself, they will never be in a position to watch your internet connection, because they won't know where to look.
-
ISPs don't generally log the sites you visit unless LE specifically requests it. If LE is watching your internet connection, you're probably fucked anyway. The purpose of Tor is to prevent them from identifying you.
You're thinking about this from your perspective, "I'm using Tor and somebody can see that." You have to think about it from their perspective, "Somebody is blogging, where the fuck are they?" If you use Tor correctly and don't reveal info about yourself, they will never be in a position to watch your internet connection, because they won't know where to look.
But what about shippers? LEA could correlate some shipments and search people using TOR in some specific area, maybe a small town. Can you protect yourself by using bridges, so LEA can't contact ISPs and ask them for users using TOR? If so, how? I can't find easy-to-follow info on TOR website.
-
That's true, it's different for shippers. They should be taking added security measures. It is easy to get a list of the public relays, and there are only about 800 entry guards, so LE could contact the main ISPs of that city and ask for all users who connect to those IP addresses. The density of Tor users is fairly low, so it would be a short list. Getting all the bridges is a lot harder, but not impossible. Bridges could still be useful by making LE's job harder. A VPN also might help in that situation, but you would want to get one outside of your country.
A private, unpublished bridge with obfuscation would be the safest. Rent some VPSes in Iceland or Malaysia and set up bridges, LE won't know to look at those. I mean, connections to those IPs will be lost in the tens of thousands of other IP addresses that users in that city connect to on a daily basis.
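To make the enumeration step in the post above concrete, here is an added example (mine, not astor's and not Tor project code): it parses the public consensus for relays carrying the Guard flag and matches an ISP's flow records against them. The consensus excerpt and the flow records are constructed for the example; only the line layout follows the real consensus format, and the addresses and digests are not real relays.

```python
"""Added example: turning the public consensus into a guard watch-list and
applying it to ISP flow records.  All data below is constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed fragment in the shape of a Tor network-status consensus.
# 'r' lines: nickname, identity, digest, publication date/time, IP, ORPort,
# DirPort.  The following 's' line carries the flags the authorities voted.
CONSENSUS = """\
r guardA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2013-02-05 03:00:00 198.51.100.7 443 80
s Fast Guard Running Stable V2Dir Valid
w Bandwidth=12000
p reject 1-65535
r guardB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2013-02-05 02:55:00 203.0.113.42 9001 9030
s Exit Fast Guard Running Stable Valid
w Bandwidth=30000
p accept 80,443
r middle1 EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2013-02-05 02:58:00 192.0.2.99 9001 0
s Fast Running Valid
w Bandwidth=900
p reject 1-65535
"""


def parse_consensus(text: str) -> List[Tuple[str, str, int, Set[str]]]:
    """Return (nickname, ip, orport, flags) for every router entry."""
    relays = []
    current = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "r" and len(fields) >= 9:
            # r <nick> <identity> <digest> <date> <time> <ip> <orport> <dirport>
            current = [fields[1], fields[6], int(fields[7]), set()]
            relays.append(current)
        elif fields[0] == "s" and current is not None:
            current[3].update(fields[1:])
    return [tuple(r) for r in relays]


def guard_endpoints(text: str) -> Set[Tuple[str, int]]:
    """(ip, orport) pairs a non-bridge client may use as its first hop."""
    return {(ip, port) for _, ip, port, flags in parse_consensus(text)
            if "Guard" in flags}


# Constructed ISP flow records: (subscriber, destination ip, destination port).
FLOWS = [
    ("sub-1001", "198.51.100.7", 443),
    ("sub-1001", "93.184.216.34", 443),
    ("sub-1002", "93.184.216.34", 80),
    ("sub-1003", "203.0.113.42", 9001),
    ("sub-1003", "192.0.2.99", 9001),   # middle relay: never a first hop
    ("sub-1004", "198.51.100.7", 443),
]


def subscribers_touching_guards(flows, guards) -> Dict[str, Set[str]]:
    """The 'short list' the post describes: everyone who connected to a guard."""
    hits = defaultdict(set)
    for subscriber, ip, port in flows:
        if (ip, port) in guards:
            hits[subscriber].add(ip)
    return dict(hits)


if __name__ == "__main__":
    guards = guard_endpoints(CONSENSUS)
    print(f"{len(guards)} guard endpoints in this excerpt")
    for sub, ips in sorted(subscribers_touching_guards(FLOWS, guards).items()):
        print(sub, "->", sorted(ips))
```

Run as a script it prints the short list. The point of a private bridge in this model is that the first hop's address is not in the consensus at all, so the match produces nothing; the residual risk, raised later in the thread, is that an investigator who already holds a suspect's list of destinations can test each one to see whether it behaves like a bridge.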
-
For clearnet I use a quite good VPN service. It's located in countries that respect privacy and freedom and don't keep logs, and it's an IP shared with thousands of clients. Can I use it as a bridge for TOR?
-
No, but you could use it to connect to a bridge.
I don't see the point of that, though. If you are confident that your VPN doesn't keep logs, you might as well connect to public relays through it.
-
Here where I live the ISP logs the visited websites' IP addresses.
But I just realized how stupid the idea to ask for a password was, because LEA can still try to use the IP as a bridge, and say: hey, it's asking for a password, so it must be a bridge.
But there must be a solution for this.
-
ISPs don't generally log the sites you visit unless LE specifically requests it. If LE is watching your internet connection, you're probably fucked anyway. The purpose of Tor is to prevent them from identifying you.
You're thinking about this from your perspective, "I'm using Tor and somebody can see that." You have to think about it from their perspective, "Somebody is blogging, where the fuck are they?" If you use Tor correctly and don't reveal info about yourself, they will never be in a position to watch your internet connection, because they won't know where to look.
Quite a few countries log all visited websites for months to years.
Here where I live the ISP logs the visited websites' IP addresses.
But I just realized how stupid the idea to ask for a password was, because LEA can still try to use the IP as a bridge, and say: hey, it's asking for a password, so it must be a bridge.
But there must be a solution for this.
Tor devs have been aware of the problem you brought up for quite a while, and have proposed implementing authentication systems to protect from this. No idea the status of this though.
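An added example (not from the thread, and a simplification of what obfs4 later shipped rather than its wire format) of the authentication idea the two previous posts are circling: the naive password prompt still replies, so a scanner learns it found a bridge, while an obfs4-style bridge checks a MAC keyed with a secret from the bridge line before it writes a single byte and otherwise stays silent. The shared secret here stands in for the bridge's public key in the real design; the message framing and the one-hour replay window are my own simplification.

```python
"""Added example: why a password prompt still reveals a bridge, and how a
MAC-first handshake (the idea behind obfs4) avoids it.  Simplified; not
obfs4's real wire format."""
import hashlib
import hmac
import os
from typing import Optional

PAD_LEN = 16
MAC_LEN = 32


def client_hello(secret: bytes, epoch_hour: int) -> bytes:
    """First message a member sends: random padding followed by
    HMAC(secret, padding || epoch hour).  Nobody without the secret can
    build it, so the bridge can tell a member from a scanner before it
    has revealed anything."""
    padding = os.urandom(PAD_LEN)
    mac = hmac.new(secret, padding + str(epoch_hour).encode(), hashlib.sha256).digest()
    return padding + mac


def open_orport(first_bytes: bytes) -> Optional[bytes]:
    """Plain ORPort, or obfs3: answers anyone who connects.  This is what an
    investigator who 'tries the IP as a bridge' gets back."""
    return b"TLS ServerHello"


def password_bridge(first_bytes: bytes, secret: bytes) -> Optional[bytes]:
    """The password idea from the thread: still confesses to being a bridge,
    because any reply at all is the give-away."""
    if first_bytes == b"PASS " + secret:
        return b"TLS ServerHello"
    return b"password required"


def probe_resistant_bridge(first_bytes: bytes, secret: bytes,
                           now_hour: int) -> Optional[bytes]:
    """MAC-first bridge: verify before replying.  None models 'read forever,
    never write', so to a scanner the port looks like a service that never
    answers.  A one-hour skew window limits replay of captured hellos."""
    if len(first_bytes) != PAD_LEN + MAC_LEN:
        return None
    padding, mac = first_bytes[:PAD_LEN], first_bytes[PAD_LEN:]
    for hour in (now_hour, now_hour - 1, now_hour + 1):
        expected = hmac.new(secret, padding + str(hour).encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, expected):
            # Reply carries our own MAC so the member can authenticate us too.
            return hmac.new(secret, mac + b"server", hashlib.sha256).digest()
    return None


def scanner_reveals_bridge(handler) -> bool:
    """What an investigator learns by probing with an empty connection, a
    TLS-looking record, a guessed password and random bytes: True if any
    probe draws a reply."""
    probes = [b"", b"\x16\x03\x01\x00\x05hello", b"PASS guess",
              os.urandom(PAD_LEN + MAC_LEN)]
    return any(handler(p) is not None for p in probes)


if __name__ == "__main__":
    secret = os.urandom(32)   # constructed; in practice it comes with the bridge line
    hour = 450000
    print("plain ORPort revealed:   ", scanner_reveals_bridge(open_orport))
    print("password bridge revealed:", scanner_reveals_bridge(lambda p: password_bridge(p, secret)))
    print("MAC-first bridge revealed:", scanner_reveals_bridge(lambda p: probe_resistant_bridge(p, secret, hour)))
    print("member gets a reply:     ", probe_resistant_bridge(client_hello(secret, hour), secret, hour) is not None)
```

The property that matters is the last two lines of output together: the scanner sees nothing, the member still connects. What this does not hide is that the subscriber connected to some IP at some time; it only denies the investigator the confirmation step of making that IP behave like a bridge, and it still depends on the bridge line never leaking.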
-
ISPs don't generally log the sites you visit unless LE specifically requests it. If LE is watching your internet connection, you're probably fucked anyway. The purpose of Tor is to prevent them from identifying you.
You're thinking about this from your perspective, "I'm using Tor and somebody can see that." You have to think about it from their perspective, "Somebody is blogging, where the fuck are they?" If you use Tor correctly and don't reveal info about yourself, they will never be in a position to watch your internet connection, because they won't know where to look.
But what about shippers? LEA could correlate some shipments and search people using TOR in some specific area, maybe a small town. Can you protect yourself by using bridges, so LEA can't contact ISPs and ask them for users using TOR? If so, how? I can't find easy-to-follow info on TOR website.
That's true, it's different for shippers. They should be taking added security measures. It is easy to get a list of the public relays, and there are only about 800 entry guards, so LE could contact the main ISPs of that city and ask for all users who connect to those IP addresses. The density of Tor users is fairly low, so it would be a short list. Getting all the bridges is a lot harder, but not impossible. Bridges could still be useful by making LE's job harder. A VPN also might help in that situation, but you would want to get one outside of your country.
A private, unpublished bridge with obfuscation would be the safest. Rent some VPSes in Iceland or Malaysia and set up bridges, LE won't know to look at those. I mean, connections to those IPs will be lost in the tens of thousands of other IP addresses that users in that city connect to on a daily basis.
Thank you midas and thank you astor. I have been needing this information for some time but unable to phrase the question so, very many thanks!