Silk Road forums

Discussion => Security => Topic started by: astor on September 05, 2013, 10:51 pm

Title: New research paper: Content and popularity analysis of Tor hidden services
Post by: astor on September 05, 2013, 10:51 pm
The hits just keep on coming. And by "hits" I mean data showing how weak the Tor network is.

http://cryptome.org/2013/09/tor-analysis-hidden-services.pdf

ABSTRACT

Tor hidden services allow running Internet services while protecting the location of the servers. Their main purpose is to enable freedom of speech even in situations in which powerful adversaries try to suppress it. However, providing location privacy and client anonymity also makes Tor hidden services an attractive platform for every kind of imaginable shady service. The ease with which Tor hidden services can be set up has spurred a huge growth of anonymously provided Internet services of both types. In this paper we analyse the landscape of Tor hidden services. We have studied Tor hidden services after collecting 39824 hidden service descriptors on 4th of Feb 2013 by exploiting protocol and implementation flaws in Tor: we scanned them for open ports; in the case of HTTP services, we analysed and classified their content. We also estimated the popularity of hidden services by looking at the request rate for hidden service descriptors by clients. We found that while the content of Tor hidden services is rather varied, the most popular hidden services are related to botnets.


They turned the Trawling for Hidden Services attack on the users, as we predicted could be done.


5. TRACKING CLIENTS

In [6], the authors used a specific traffic signature for opportunistic deanonymisation of hidden services. The technique they used can be easily modified for opportunistic deanonymisation of Tor clients.

Assume that an attacker controls a responsible HS directory of a hidden service. Whenever it receives a descriptor request for that hidden service, it sends it back encapsulated in a specific traffic signature which will be then forwarded to the client via its Guard node. With some probability, the client’s Guard node is in the set of Guards controlled by the attacker. Whenever an attacker’s Guard receives the traffic signature, it can immediately reveal the IP address of the client.

This attack has several important implications. Suppose
that we can categorize users on Silk Road into buyers and
sellers. Buyers visit Silk Road occasionally while sellers visit
it periodically to update their product pages and check on
orders. Thus, a seller tends to have a specific pattern which
allows his identification. Catching even a small number of
Silk Road sellers can seriously spoil Silk Road’s reputation
among other sellers.

As another application, one can collect IP addresses of clients of a popular hidden service and compute a map representing their geographical location. We have computed such a map for one of the Goldnet hidden services – in Figure 3.


An informative commentary on the mailing list:

[T]he paper has relevance beyond Tor network flaws:

- It exposes an estimate on how many hidden services existed at the time of the study.

- It gives a breakdown of what services/some of the services those hidden services offered.

- It categorizes HTTP(S) services by content type, which is interesting.

- It describes what resources they required to perform the attack, which sound relatively modest.

- It highlights the botnet and botnet command and control activity on Tor.

- It describes server configuration issues that allowed easily correlating the shared hosting of many services.

- It describes server configuration issues that allowed easily deanonymizing the true IP Address of some hidden services.

Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: Wadozo on September 05, 2013, 11:05 pm
I get the feeling that Tor is fast reaching its life expectancy. I hope it isn't but it's certainly getting a lot of unwanted attention recently. I really hope a more secure protocol will be released asap.
Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: Bazille on September 05, 2013, 11:31 pm
Quote
Whenever an attacker’s Guard receives the traffic signature, it can immediately reveal the IP address of the client.

So basically if you have a few trusted entry guards in your EntryNodes (or bridges) option in Tor it will never reveal your IP address when connecting to hidden services.
Or is it enough to analyze the traffic between you and the entry guard?
Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: phunky on September 06, 2013, 12:06 am
The silver lining is that different parties in the government itself make important use of Tor, for legitimate purposes.  So this is going to hurt the government as well, though we probably won't hear much about those aspects.  Some parties in government have an interest in collecting and identifying everything, other parties have an interest in protecting the service that Tor supposes.   

Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: kmfkewm on September 06, 2013, 12:16 am
Quote
I get the feeling that Tor is fast reaching its life expectancy. I hope it isn't but it's certainly getting a lot of unwanted attention recently. I really hope a more secure protocol will be released asap.

I had that feeling about a year or two ago. Today I feel like it is on life support in the hospice.
Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: sourman on September 06, 2013, 12:32 am
Yeah, I had those thoughts when I checked SR a few months after it opened to see that it was still there. Once tor came of age and got all that attention, it was a matter of time before it had to either adapt or be replaced. Tor can survive, but not in its present form. It certainly feels that way as of 2013...
Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: Totalpay on September 06, 2013, 12:47 am
Thanks Astor, I really need to watch my ass now, might change some things around.
Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: astor on September 06, 2013, 12:47 am
Quote
So basically if you have a few trusted entry guards in your EntryNodes (or bridges) option in Tor it will never reveal your IP address when connecting to hidden services.
Or is it enough to analyze the traffic between you and the entry guard?

Getting persistent entry guards is one of the best things you can do. kmf and I have been saying that for months, at least since the Trawling for Hidden Services paper came out, and as recently as a few days ago:

http://dkn255hz262ypmii.onion/index.php?topic=209514.msg1512060#msg1512060

That being said, if the adversary controls an AS or IXP between you and your entry guard / bridge, you can still be screwed (see the link above).

Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: sourman on September 06, 2013, 01:00 am
I'd start building a list of working bridges, specifically those located outside the US. We all know the NSA can set up their own bridges wherever they want and that so much data crosses the US that the point is moot, but let's not make this easy for them.
Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: samesamebutdifferent on September 06, 2013, 09:27 am
sub'd
Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: Bazille on September 06, 2013, 12:19 pm
Quote
I'd start building a list of working bridges, specifically those located outside the US. We all know the NSA can set up their own bridges wherever they want and that so much data crosses the US that the point is moot, but let's not make this easy for them.

I don't think normal bridges give you any advantage over public entry guards when the NSA is involved. Normal bridges only help against ISPs which block Tor. In China bridges get blocked easily, and they don't even have to collect a list for that. They just do some deep packet inspection and block the bridges automatically the first time a Chinese user connects to it.

China can't block obfs3 bridges easily however. So if you use bridges, use obfs3 bridges. China probably spends a lot more money against Tor than the NSA.

Instead of using obfs3 bridges you could use a VPN in a "safe" country where the internet cables, and the internet cables of the surrounding countries, are out of reach of the NSA/GCHQ. Connect Tor through the VPN, and maybe connect Bittorrent through the VPN too (but not through Tor), to create cover traffic, making traffic analysis harder. It would mostly look like you are hiding from the copyright mafia. Don't use PPTP VPNs, as they may be easily decryptable by NSA.
Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: astor on September 06, 2013, 01:30 pm
Quote
Instead of using obfs3 bridges you could use a VPN in a "safe" country where the internet cables, and the internet cables of the surrounding countries, are out of reach of the NSA/GCHQ.

Unfortunately for US, UK, Swedish, Chinese and Iranian citizens, and probably many others, there is no way to reach the wider internet without getting tapped. Only thing I can think of is to build an alternate, community-controlled network infrastructure. Something like a global meshnet that actually works.
Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: Bazille on September 06, 2013, 01:48 pm
@astor
Yes, but they can hide that they are using Tor and make traffic analysis harder. For that they could connect to a VPN where the cables inside the VPN country are not getting sniffed by the NSA. There should be other nearby countries with Tor relays, where the cables are not compromised by the NSA either. By that they can hide that they are using Tor.

To make traffic analysis even harder they can download copyrighted torrents over the clearnet through the VPN at the same time. Or even better, keep down and uploading copyrighted/porn torrents at low speed all day long through the VPN, or at least some time before you start using Tor and after you stopped using Tor through the VPN.

I also don't consider Sweden a safe country for Tor through Swedish VPN. Wouldn't surprise me if they automatically submit all Tor user data coming out of a VPN to the USA. And of course lots of Sweden's traffic goes through the UK, the #1 NSA outpost in Europe. The safest country for a VPN would probably be China, too bad they block all Tor traffic.
Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: astor on September 06, 2013, 11:43 pm
Quote
@astor
Yes, but they can hide that they are using Tor and make traffic analysis harder. For that they could connect to a VPN where the cables inside the VPN country are not getting sniffed by the NSA.

But the connection between the user and the VPN server could still be sniffed. Let's say I live in Boulder, CO, and there's an IXP in Denver. Due to the hierarchical nature of the internet topology, my ISP's upstream link goes through that IXP. Every connection from every subscriber of my ISP goes through that IXP. So it doesn't matter if I'm using a bridge that the NSA doesn't recognize as a Tor entry point, or the obfs3 protocol which they can't DPI, or a VPN server in Argentina. If they control SR's HSDir and the IXP, then when I fetch the SR descriptor, they can include a traffic signature that is detected by the IXP, which sees the IP address that the packets are headed to, which is me. It doesn't matter how many layers of encryption I add, or how many VPNs or proxy hops I add, as long as the IXP is between me and the first hop. Theoretically the NSA could inject a traffic signature that is detectable by the IXP through all those hops and layers of encryption.

Quote
To make traffic analysis even harder they can download copyrighted torrents over the clearnet through the VPN at the same time. Or even better, keep down and uploading copyrighted/porn torrents at low speed all day long through the VPN, or at least some time before you start using Tor and after you stopped using Tor through the VPN.

Yes, I think this could help. When the Chaos Computer Club published their results of Tor circuit fingerprinting, I read that it could be trivially defeated by loading pages in another tab.

Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: ~o~WaterWalker~o~ on September 07, 2013, 12:23 am
what this is shouting out is that we all have to hang out in coffee houses or anywhere else handing out wifi
Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: Bazille on September 07, 2013, 10:54 am
@astor
Right. So simply using a VPN without additional measures doesn't really prevent traffic analysis.

However there are probably a lot more people using VPN than people using Tor, and using a VPN may be less suspicious. So to do traffic analysis they have to compare +2 million(?) VPN connections with the 100k(?) Tor connections they see. Using a VPN without torrent cover traffic would add at least a little bit more anonymity while using Tor, theoretically. Then again they are probably able to decrypt PPTP VPNs easily, because there's an NSA flaw in the encryption used by PPTP. And most VPNs may use PPTP? So they may know exactly what someone is doing when using a PPTP based VPN, and can concentrate on traffic analysis of the 1 million users who use other types of VPNs.

Also, if you do use Tor through VPN, and the NSA understands that you are using Tor through VPN, then that of course makes you even more suspicious. So if you use Tor through VPN, make sure you do it right (cover traffic). And preferably stay away from clearnet sites while doing so.
Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: Bungee54 on September 07, 2013, 06:21 pm
sub
Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: sourman on September 07, 2013, 06:32 pm
Quote
To make traffic analysis even harder they can download copyrighted torrents over the clearnet through the VPN at the same time. Or even better, keep down and uploading copyrighted/porn torrents at low speed all day long through the VPN, or at least some time before you start using Tor and after you stopped using Tor through the VPN.

I always wondered about traffic padding and tor. I'm not talking about hiding tor use over a VPN; running a slow download of a large file while browsing tor should at least somewhat protect you from timing correlation attacks and anything similar, even if you are directly connected to tor.
Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: ~o~WaterWalker~o~ on September 08, 2013, 01:39 am
so the way you put it, the best cover would be a system is connecting all over the place on the clearnet.. perhaps setting up a game server for whatever old school game still around that allows that and is still popular enough to grab traffic from all over the place

which means you have to ditch the main ISPs and get some kind of line that allows you to do what you want.. which probably puts you on the 'person of interest' list..  damned if you do...
Title: Re: New research paper: Content and popularity analysis of Tor hidden services
Post by: Jack N Hoff on September 08, 2013, 01:58 am
How would the US government hide their secretive and shady online activities if TOR was gone?