1 How to make Tor play well with the rest of the Internet. Roger Dingledine The Tor Project
2 Tor: Big Picture
● Freely available (Open Source), unencumbered.
● Comes with a spec and full documentation: Dresden, Aachen, Yale groups implemented compatible Java Tor clients; researchers use it to study anonymity.
● 1500 active relays, active users, >1Gbit/s.
● Official US 501(c)(3) nonprofit. Seven funded developers, dozens more dedicated volunteers.
● Funding from US DoD, Electronic Frontier Foundation, Voice of America, Internews, Google, ...you?
3 Outline
● Crash course on Tor
● Blocking traffic to and from Tor
● Application-level privacy
● Policy / law
● Improving the Tor network
4 Threat model: what can the attacker do?
(Diagram: Alice reaches Bob through the anonymity network.) The attacker can watch Alice, watch (or be!) Bob, or control part of the network.
5 Anonymity isn't cryptography: cryptography just protects contents.
(Diagram: Alice sends “Hi, Bob!” to Bob while an attacker watches the link.)
6 Anonymity isn't just wishful thinking... “You can't prove it was me!” “Promise you won't look!” “Promise you won't remember!” “Promise you won't tell!” “I didn't write my name on it!” “Isn't the Internet already anonymous?”
7-10 Anonymity serves different interests for different user groups.
● Private citizens: “It's privacy!”
● Businesses: “It's network security!”
● Governments: “It's traffic-analysis resistance!”
● Blocked users: “It's reachability!”
11 Regular citizens don't want to be watched and tracked. (the network can track too)
● Alices: Blogger Alice, 8-year-old Alice, Sick Alice, Consumer Alice, Oppressed Alice....
● What is at stake: name, address, age, friends, interests (medical, financial, etc), unpopular opinions, illegal opinions....
● Bobs: Incompetent Bob (“Oops, I lost the logs.”), Hostile Bob (“I sell the logs.”), Indifferent Bob (“Hey, they aren't my secrets.”)
12 Businesses need to keep trade secrets.
● AliceCorp vs. Competitor: “Oh, your employees are reading our patents/jobs page/product sheets?” “Hey, it's Alice! Give her the 'Alice' version!”
● Compromised network: “Wanna buy a list of Alice's suppliers? What about her customers? What about her engineering department's favorite search terms?”
13 Law enforcement needs anonymity to get the job done.
● Officer Alice vs. investigated suspect: “Why is alice.localpolice.gov reading my website?”
● Officer Alice vs. sting target: “Why no, alice.localpolice.gov! I would never sell counterfeits on ebay!”
● Officer Alice vs. organized crime: “Is my family safe if I go after these guys?”
● Witness/informer Alice sending anonymous tips: “Are they really going to ensure my anonymity?”
14 Governments need anonymity for their security
● Coalition member Alice on a shared network: “Do I really want to reveal my internal network topology?” “What about insiders?”
● Defense in depth, untrusted ISP: “Somebody in that hotel room just checked his Navy.mil mail!”
● Agent Alice: “What does the CIA Google for?”
● Compromised service: “What will you bid for a list of Baghdad IP addresses that get from.gov?”
15 You can't get anonymity on your own: private solutions are ineffective...
● Officer Alice on a municipal anonymity net; the investigated suspect: “Looks like a cop.”
● AliceCorp on its own AliceCorp anonymity net; the competitor: “It's somebody at AliceCorp!”
● Citizen Alice on Alice's small anonymity net: “One of the 25 users on AliceNet.”
16 ...so, anonymity loves company!
● Officer Alice, AliceCorp and Citizen Alice all use one shared anonymity net; the investigated suspect, the competitor and everyone else see only “???”
17 Yes, bad people need anonymity too. But they are already doing well.
● Evil Criminal Alice already has: stolen mobile phones, compromised botnets, open wireless nets.....
18 Current situation: Bad people on the Internet are doing fine
Trojans, Viruses, Exploits, Phishing, Spam, Botnets, Zombies, Espionage, DDoS, Extortion
19 The simplest designs use a single relay to hide connections.
(Diagram: Alice1, Alice2 and Alice3 send E(Bob3, “X”), E(Bob1, “Y”) and E(Bob2, “Z”) to the relay, which forwards “Y”, “Z” and “X” to Bob1, Bob2 and Bob3.)
(example: some commercial proxy providers)
20 But a single relay (or eavesdropper!) is a single point of failure.
(Same diagram as slide 19, but with an Evil Relay in the middle: it sees E(Bob3, “X”), E(Bob1, “Y”), E(Bob2, “Z”) going in and “Y”, “Z”, “X” going out.)
21 So, add multiple relays so that no single one can betray Alice.
(Diagram: Alice, relays R1 through R5, Bob.)
22 A corrupt first hop can tell that Alice is talking, but not to whom.
(Diagram: Alice, relays R1 through R5, Bob; the first hop is corrupt.)
23 A corrupt final hop can tell that somebody is talking to Bob, but not who.
(Diagram: Alice, relays R1 through R5, Bob; the final hop is corrupt.)
24 Alice makes a session key with R1... and then tunnels to R2... and to R3.
(Diagram: Alice, relays R1 through R5, Bob, Bob2.)
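The layered encryption behind slides 19 through 24, as an added toy example (not Tor's own code): Alice shares a session key with each relay and wraps the message once per hop, so R1 learns only that Alice talks to R2 and R3 learns only that someone talks to Bob. The SHA-256 counter-mode stream cipher and the fixed session keys are stand-ins constructed for the demo; Tor negotiates keys hop by hop and uses AES-CTR inside TLS.

```python
import hashlib

# Constructed session keys: in Tor each is negotiated with the relay as the circuit
# is extended hop by hop; here they are derived deterministically for the demo.
KEYS = {name: hashlib.sha256(b"demo-session-key-" + name.encode()).digest()
        for name in ("R1", "R2", "R3")}
HDR = 8  # bytes reserved for the next-hop name in each layer

def keystream(key: bytes, length: int) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode) so the example runs without
    # dependencies. Tor itself uses AES-CTR per hop inside TLS links.
    out = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                   for i in range((length + 31) // 32))
    return out[:length]

def xor(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(keystream(key, len(data)), data))

def build_onion(path, dest: str, msg: str) -> bytes:
    # Innermost layer: E_k3(Bob || "X"); each outer layer names the next relay.
    blob, next_hop = msg.encode(), dest
    for relay in reversed(path):
        blob = xor(KEYS[relay], next_hop.encode().ljust(HDR, b"\0") + blob)
        next_hop = relay
    return blob

def peel(relay: str, blob: bytes):
    # A relay strips exactly one layer: it learns the next hop, nothing more.
    plain = xor(KEYS[relay], blob)
    return plain[:HDR].rstrip(b"\0").decode(), plain[HDR:]

def run_circuit(path, dest: str, msg: str):
    # Forward the onion hop by hop and record what each relay can observe.
    blob, prev, cur, view = build_onion(path, dest, msg), "Alice", path[0], {}
    while cur in KEYS:
        nxt, blob = peel(cur, blob)
        view[cur] = {"from": prev, "to": nxt, "sees_plaintext": blob == msg.encode()}
        prev, cur = cur, nxt
    return cur, blob.decode(), view

if __name__ == "__main__":
    final_hop, text, view = run_circuit(["R1", "R2", "R3"], "Bob", "Hi, Bob!")
    for relay, seen in view.items():
        print(relay, seen)
    print(final_hop, "receives", text)
```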
25 The basic Tor design uses a simple centralized directory protocol.
(Diagram: servers S1, S2, S3; a trusted directory; a cache; Alice.)
● Servers publish self-signed descriptors.
● Authorities publish a consensus list of all descriptors.
● Alice downloads consensus and descriptors from anywhere.
26 Outline
● Crash course on Tor
● Blocking traffic to and from Tor
● Application-level privacy
● Policy / law
● Improving the Tor network
27 Problem: Abusive users get the whole network blocked.
(Diagram: Jerk Alice and Nice Alice both come out of the Tor network; slashdot, wikipedia and some IRC networks block it (X); Google?)
28 Internet services: blocking (1)
● Many admins think Tor has 6 users. If they see 1 jerk, they conclude that Tor is stupid.
● Right now Wikipedia blocks many many thousands of IP addresses. And they still have problems: AOL, open proxies, Tor, ...
29 Internet services: blocking (2)
● Wikipedia doesn't want to introduce barriers to contributors. But they could add speedbumps only for IPs they currently block!
● Accounts need to prove that they're worthwhile: manually verify the first few edits, and whitelist after that.
● Should send the abusers back to their open proxies, AOL, neighbor's wireless, etc
30 Internet services: blocking (3)
● Other options that don't require as many changes to Wikipedia
● Nym (Jason Holt) and Nymble (Dartmouth) make users demonstrate a scarce resource (e.g. an IP address). Then they let websites block further edits from that user without needing to learn his IP address.
31 Internet services: blocking (4)
● Tor's “DNS exit list” gives an RBL-style interface for looking up whether a given connection is from a Tor exit relay.
● We want to make it as easy as possible for websites to block accurately; then help them handle Tor.
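A website-side check built on the DNS exit list of slide 31 and the speedbump idea of slide 29, as an added example that is not Tor's or Wikipedia's code: the zone name, the ip-port query shape, the 127.0.0.0/8 "listed" convention and the review threshold in `edit_policy` are assumptions, and the resolver is stubbed with one constructed entry so the block runs offline.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Placeholder zone: substitute the exit list's real zone name. The query shape
# (reversed client IP, destination port, reversed destination IP, zone) is an
# assumption of this example, modelled on RBL-style lookups.
DNSEL_ZONE = "ip-port.exitlist.example"

def _reverse_octets(ip: str) -> str:
    # in-addr.arpa ordering: 1.2.3.4 -> 4.3.2.1 (IPv4 only)
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))

def exit_list_query(client_ip: str, server_ip: str, server_port: int) -> str:
    # "Is client_ip a Tor exit that could have reached server_ip:server_port?"
    return f"{_reverse_octets(client_ip)}.{server_port}.{_reverse_octets(server_ip)}.{DNSEL_ZONE}"

def dns_resolver(name: str) -> Optional[str]:
    # Real lookup: NXDOMAIN (not listed) surfaces as socket.gaierror.
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_tor_exit(client_ip: str, server_ip: str, server_port: int,
                resolve: Callable[[str], Optional[str]] = dns_resolver) -> bool:
    # RBL convention: an A record inside 127.0.0.0/8 means "listed";
    # no answer, or an answer outside that range, is treated as "not an exit".
    answer = resolve(exit_list_query(client_ip, server_ip, server_port))
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
    except ValueError:
        return False

def edit_policy(client_ip: str, site_ip: str, site_port: int,
                verified_edits: int, resolve=dns_resolver) -> str:
    # The speedbump from slide 29: edits arriving via a Tor exit are not refused
    # but held for manual review until the account has a few verified edits;
    # everyone else is untouched. The threshold of 3 is a constructed value.
    if not is_tor_exit(client_ip, site_ip, site_port, resolve):
        return "allow"
    return "allow" if verified_edits >= 3 else "review"

# Constructed offline resolver standing in for the DNS zone: one listed exit.
FAKE_ZONE = {exit_list_query("1.2.3.4", "5.6.7.8", 443): "127.0.0.2"}
fake_resolver = FAKE_ZONE.get
```

Call `edit_policy(client_ip, site_ip, site_port, verified_edits, fake_resolver)` to exercise it offline, or drop the last argument to query the configured zone over real DNS.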
32 Governments and other firewalls can just block the whole Tor network.
(Diagram: Alice behind a firewall; her connections to the Tor servers S are blocked (X).)
33 Tor vulnerabilities to filtering
● By blocking the directory authorities
● By blocking all the relay IP addresses in the directory
● By filtering based on Tor's network fingerprint
● By preventing users from finding the Tor software
34 (Diagram: Alice and several Blocked Users reaching relays R1 through R4 and Bob.)
35 “Bridge” relays
● Encrypted directory requests (over the same port as other Tor traffic)
● Make Tor's TLS handshake look more like Firefox+Apache
● Integration into Vidalia (Tor's GUI)
● or request by unique gmail address
36 Using Tor in oppressed areas
● Common assumption: risk from using Tor increases as the firewall gets more restrictive.
● But as the firewall gets more restrictive, more ordinary people use Tor too, for more mainstream activities.
● So the “median” use becomes more acceptable?
37 Corporate Tor use
● My first Black Hat talk
● Smartfilter, Websense, Cisco, etc etc
● Tor as a proxy at the firewall?
● Note that blocking connections from the Tor network and blocking connections to the Tor network are different.
38 Outline
● Crash course on Tor
● Blocking traffic to and from Tor
● Application-level privacy
● Policy / law
● Improving the Tor network
39 Snooping on Exit Relays (1)
● Lots of press last year about people watching traffic coming out of Tor. (Ask your lawyer first...)
● Tor hides your location; it doesn't magically encrypt all traffic on the Internet.
● Though Tor does protect you from your local network.
40 Snooping on Exit Relays (2)
● https as a “premium” feature
● Should Tor refuse to handle requests to port 23, 109, 110, 143, etc by default?
● Torflow and setting plaintext pop/imap “traps”
● Need to educate users?
● Some research on exit traffic properties is legitimate and useful. How to balance?
41 Who runs the relays? (1)
● At the beginning, you needed to know me to have your relay considered “verified”.
● We've automated much of the “is it broken?” checking.
● Still a tension between having lots of relays and knowing all the relay operators
42 Who runs the relays? (2)
● What if your exit relay is in China and you're trying to read BBC?
● What if your exit relay is in China and its ISP is doing an SSL MitM attack on it?
● What if your exit relay is running Windows and uses the latest anti-virus gadget on all the streams it sees?
43 Improved Torbutton
● The old Torbutton just toggled your proxy settings on and off.
● The new version turns off cache, cookies and plugins, doesn't leak your time zone, and blocks many other attacks
44 Packaging
● Tor browser bundle: Tor, Vidalia, Firefox, Torbutton, Polipo for USB stick
● JanusVM, Xerobank virtual machine
● Incognito LiveCD
● Wireless router images?
● Firefox plugin?
45 Outline
● Crash course on Tor
● Blocking traffic to and from Tor
● Application-level privacy
● Policy / law
● Improving the Tor network
46 Data retention
● Remember our threat model: even one hop in Germany (Europe? US?) may be too many
● How many layers of logging are there? If your ISP logs, and its ISP logs, ...
● How safe are these logs? Who can access them?
● Nothing is really enforced in Germany until 2009, so no need to change technical designs immediately. But that means we need to act!
47 Law enforcement
● Some Tor-induced raids in Germany over the past year(s)
● We really need to teach law enforcement officers more about Tor -- and about Internet security in general.
● Please introduce me to your favorite law enforcement officers/groups!
48 File-sharing traffic
● Theory: Tor is slow because a handful of people are running file-sharing apps on it
● We could traffic shape high-volume flows. But: BitTorrent is designed to resist this.
● We could run protocol analysis tools on the exit relays, and snipe bad protocols
● But: liability, neutrality
49 Outline
● Crash course on Tor
● Blocking traffic to and from Tor
● Application-level privacy
● Policy / law
● Improving the Tor network
50 It's now easier for users to be relays
● Rate limit relayed traffic separately from your own traffic
● Automatic IP address detection, bandwidth estimates
● Write limiting as well as read limiting; traffic priorities to make the best use of available bandwidth
● Vidalia can talk UPnP to your Linksys
51 Next: Relay by default
● Should auto rate limit so we don't overfill the user's pipe?
● How to scale the network? (Dir info size grows with # of relays; so does # of sockets)
● Windows networking is... unique.
● Anonymity vulnerabilities from letting the attacker relay traffic through you?
52 Next: Incentives to relay
● Give people better performance if they relay?
● Need to be careful – many ways to screw up anonymity
● Let directory authorities do audits and assign gold stars to well-behaving relays in the directory consensus. Circuits from those relays get priority.
● If it adds enough relays, everybody benefits.
53 Next: Better load balancing
● NDSS 2008 paper by Nikita Borisov and Robin Snader on more accurate (and less gameable) bandwidth estimations.
● Steven Murdoch's PETS 2008 paper refuting Nikita's paper
● Mike Perry's measurements from TorFlow
● 3 hops vs 2 hops
54 Next: UDP Transport
● Tor's use of TCP means relays use many many sockets. It also means hop-by-hop congestion recovery. And we can only transport TCP.
● DTLS now exists.
● More research / hacking remains.
55 Things we need help with
● More relays. More bridges. More funding. More developers.
● Best practices docs for using Tor with various applications, and in various contexts
● More Tor advocates; people to work on Nymble, people to work with Wikipedia
● More solutions to all these design and anonymity questions.
  – Do you know the perfect Tor exec dir?