Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Tor and circumvention: Lessons learned Roger Dingledine The Tor Project https://torproject.org/

Published bySamantha White Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Tor and circumvention: Lessons learned Roger Dingledine The Tor Project https://torproject.org/"— Presentation transcript:

1 1 Tor and circumvention: Lessons learned Roger Dingledine The Tor Project https://torproject.org/

2 2 What is Tor? ● Online anonymity 1) software, 2) network, 3) protocol ● Open source, freely available ● Community of researchers, developers, users, and relay operators ● Funding from US DoD, Electronic Frontier Foundation, Voice of America, Google, NLnet, Human Rights Watch,...

3 3 ● 501(c)(3) non-profit organization dedicated to the research and development of tools for online anonymity and privacy The Tor Project, Inc.

4 4 Estimated 300,000 daily Tor users

5 5 Threat model: what can the attacker do? Alice Anonymity network Bob watch (or be!) Bob! watch Alice! Control part of the network!

6 6 Anonymity isn't cryptography: Cryptography just protects contents. Alice Bob “Hi, Bob!” attacker

7 7 Anonymity isn't just wishful thinking... “You can't prove it was me!” “Promise you won't look!” “Promise you won't remember!” “Promise you won't tell!” “I didn't write my name on it!” “Isn't the Internet already anonymous?”

8 8 Anonymity serves different interests for different user groups. Anonymity Private citizens “It's privacy!”

9 9 Anonymity serves different interests for different user groups. Anonymity Private citizens Businesses “It's network security!” “It's privacy!”

10 10 Anonymity serves different interests for different user groups. Anonymity Private citizens Governments Businesses “It's traffic-analysis resistance!” “It's network security!” “It's privacy!”

11 11 Anonymity serves different interests for different user groups. Anonymity Private citizens Governments Businesses “It's traffic-analysis resistance!” “It's network security!” “It's privacy!” Human rights activists “It's reachability!”

12 12 The simplest designs use a single relay to hide connections. Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Relay E(Bob3,“X”) E(Bob1, “Y”) E(Bob2, “Z”) “Y” “Z” “X” (example: some commercial proxy providers)

13 13 But a single relay (or eavesdropper!) is a single point of failure. Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Evil Relay E(Bob3,“X”) E(Bob1, “Y”) E(Bob2, “Z”) “Y” “Z” “X”

14 14... or a single point of bypass. Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Irrelevant Relay E(Bob3,“X”) E(Bob1, “Y”) E(Bob2, “Z”) “Y” “Z” “X” Timing analysis bridges all connections through relay ⇒ An attractive fat target

15 15 So, add multiple relays so that no single one can betray Alice. Bob Alice R1 R2 R3 R4 R5

16 16 A corrupt first hop can tell that Alice is talking, but not to whom. Bob Alice R1 R2 R3 R4 R5

17 17 A corrupt final hop can tell that somebody is talking to Bob, but not who. Bob Alice R1 R2 R3 R4 R5

18 18 Alice makes a session key with R1...And then tunnels to R2...and to R3 Bob Alice R1 R2 R3 R4 R5 Bob2

19 19 Relay versus Discovery ● There are two pieces to all these “proxying” schemes: ● a relay component: building circuits, sending traffic over them, getting the crypto right ● a discovery component: learning what relays are available

20 20 The basic Tor design uses a simple centralized directory protocol. S2 S1 Alice Trusted directory S3 cache Servers publish self-signed descriptors. Authorities publish a consensus list of all descriptors Alice downloads consensus and descriptors from anywhere

21 21 Attackers can block users from connecting to the Tor network ● By blocking the directory authorities ● By blocking all the relay IP addresses in the directory ● By filtering based on Tor's network fingerprint ● By preventing users from finding the Tor software

22 22 R4 R2 R1 R3 Bob Alice Blocked User Blocked User Blocked User Blocked User Blocked User Alice

23 23 “Bridge” relays ● Hundreds of thousands of Tor users, already self-selected for caring about privacy. ● Rather than signing up as a normal relay, you can sign up as a special “bridge” relay that isn't listed in any directory. ● No need to be an “exit” (so no abuse worries), and you can rate limit if needed ● Integrated into Vidalia (our GUI) so it's easy to offer a bridge or to use a bridge

24 24

25 25

26 26

27 27

28 28

29 29 How do you find a bridge? ● If you can, go to https://bridges.torproject.org/ and it will tell you a few based on time and your IP address ● Mail bridges@torproject.org from a gmail/yahoo address, and we'll send you a few ● From your friends and neighbors, like before

30 30 Bridge directory authorities ● Specialized dir authorities that aggregate and track bridges, but don't provide a public list: – You can keep up-to-date about a bridge once you know its key, but can't just grab list of all bridges. ● Identity key and address for default bridge authorities ship with Tor. ● Bridges publish via Tor, in case somebody is monitoring the authority's network.

31 31 One working bridge is enough ● Connect via that bridge to the bridge authority. ●...and to the main Tor network. ● Remember, all of this happens in the background. ● “How to circumvent for all transactions (and trust the pages you get)” is now reduced to “How to learn about a working bridge”.

32 32 Hiding Tor's network fingerprint ● We got rid of plaintext HTTP (used by directories). Now clients tunnel their directory requests over the same TLS connection as their other Tor traffic. ● We've made Tor's TLS handshake look more like Firefox+Apache. ● When Iran kicked out Smartfilter in early 2009, Tor's old v2 dir design worked again!

33 33 Attacker's goals (1) ● Restrict the flow of certain kinds of information – Embarrassing (rights violations, corruption) – Opposing (opposition movements, sites that organize protests) ● Chill behavior by impression that online activities are monitored

34 34 Attacker's goals (2) ● Complete blocking is not a goal. It's not even necessary. ● Similarly, no need to shut down or block every circumvention tool. Just ones that are – popular and effective (the ones that work) – highly visible (make censors look bad to citizens -- and to bosses)

35 35 Attacker's goals (3) ● Little reprisal against passive consumers of information. – Producers and distributors of information in greater danger. ● Censors (actually, govts) have economic, political, social incentives not to block the whole Internet. – But they don't mind collateral damage.

36 36 Main network attacks ● Block by IP address / port at firewall ● Intercept DNS requests and give bogus responses or redirects ● China: Keywords in TCP packets ● Iran: DPI to filter SSL when they want ● Russia: Don't block, just pollute

37 37 What we're up against (1) ● Govt firewalls used to be stateless. Now they're buying fancier hardware. – Burma vs Iran vs China ● New filtering techniques spread by commercial (American) companies :( ● How to separate “oppressing employees” vs “oppressing citizens” arms race?

38 38 What we're up against (2) ● Censorship is not uniform even within each country, often due to different ISP policies ● Attacker can influence other countries and companies to help them censor or track users. We'll see if the GNI (Global Network Initiative) changes that.

39 39 Blocking goes both ways ● If China blackholes your IP address, you can't reach Chinese websites either. ● So if exit relays are blackholed, Tor users can't read Chinese websites. :( ● And if you use dynamic IP addresses, then more and more of your neighbors can't read Chinese websites?

40 40 Only a piece of the puzzle (1) ● Assume the users aren't attacked by their hardware and software – No spyware installed, no cameras watching their screens, etc ● Users need to know about SSL for gmail. Cookies. Etc. ● Many people in Iran in June were using plaintext proxies!

41 41 Only a piece of the puzzle (2) ● Users can fetch a genuine copy of Tor? ● GPG signatures are great, but nobody knows what that means, and nobody in Burma has my key. ● Gettor email autoresponder. USB key spread by hand. ● Our secure updater should help.

42 42 Tor gives three anonymity properties ● #1: A local network attacker can't learn, or influence, your destination. – Clearly useful for blocking resistance. ● #2: No single router can link you to your destination. – The attacker can't sign up relays to trace users. ● #3: The destination, or somebody watching it, can't learn your location. – So they can't reveal you; or treat you differently.

43 43 Sustainability ● Tor has a community of developers and volunteers. ● Commercial anonymity systems have flopped or constantly need more funding for bandwidth. ● Our sustainability is rooted in Tor's open design: clear documentation, modularity, and open source.

44 44 Responding to China blocks ● In late Sept, conflicting advice from experts: ● “Hit 'em in the nose, show that you care about your users” ● “Lie low and let it pass. You're about more than China.” ● Tor is a new approach to China bloggers: “Find new bridge” rather than “get software update”.

45 45 Publicity attracts attention ● Many circumvention tools launch with huge media splashes. (The media loves this.) ● But publicity attracts attention of the censors. ● We threaten their appearance of control, so they must respond. ● We can control the pace of the arms race.

46 46 Using Tor in oppressed areas ● Common assumption: risk from using Tor increases as firewall gets more restrictive. ● But as firewall gets more restrictive, more ordinary people use Tor too, for more mainstream activities. ● So the “median” use becomes more acceptable?

47 47 Other Iran user count ● Talked to chief security officer of one of the web 2.0 social networking sites: – 10% of their Iranian users in June were coming through Tor – 90% were coming from proxies in the Amazon cloud

48 48 Trust and reputation ● See Hal Roberts' blog post about how some circumvention tools sell user data ● Many of these tools see circumvention and privacy as totally unrelated goals

49 49

50 50

51 51 Other ongoing questions ● How to detect if bridges are blocked (and what to do once we know) ● Better strategies for giving bridges out (Twitter, better use of social networks; Kaist design project)

52 52 Bridge communities ● Volunteers run several bridges at once, or coordinate with other volunteers. ● The goal is that some bridges will be available at any given time. ● Each community has a bridge authority, to add new bridges to the pool, expire abandoned or blocked bridges, etc. ● All automated by the Tor client.

53 53 Advocacy and education ● Unending stream of people (e.g. in DC) who make critical policy decisions without much technical background ● Worse, there's a high churn rate ● Need to teach policy-makers, business leaders, law enforcement, journalists,... ● Data retention? Internet driver's license?

54 54 Next steps ● Technical solutions won't solve the whole censorship problem. After all, firewalls are socially very successful in these countries. ● But a strong technical solution is still a critical puzzle piece. ● You should run a bridge! We only have 400. ● We'd love to help with some trainings, to help users and to make Tor better.

Download ppt "1 Tor and circumvention: Lessons learned Roger Dingledine The Tor Project https://torproject.org/"

Similar presentations

Tor: The Second-Generation Onion Router

Tor: The Second-Generation Onion Router
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.

By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.
Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.

Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Anonymizing Network Technologies Some slides modified from Dingledine, Mathewson, Syverson, Xinwen Fu, and Yinglin Sun Presenter: Chris Zachor 03/23/2011.

Anonymizing Network Technologies Some slides modified from Dingledine, Mathewson, Syverson, Xinwen Fu, and Yinglin Sun Presenter: Chris Zachor 03/23/2011.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Www.sti-innsbruck.at © Copyright 2012 STI INNSBRUCK www.sti-innsbruck.at Tor project: Anonymity online.

© Copyright 2012 STI INNSBRUCK Tor project: Anonymity online.
Intranet, Extranet, Firewall. Intranet and Extranet.

Intranet, Extranet, Firewall. Intranet and Extranet.
Firewalls Nathan Long Computer Science 481. What is a firewall? A firewall is a system or group of systems that enforces an access control policy between.

Firewalls Nathan Long Computer Science 481. What is a firewall? A firewall is a system or group of systems that enforces an access control policy between.
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.

Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.

Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
Lecture 12 Page 1 CS 236 Online Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite coasts.

Lecture 12 Page 1 CS 236 Online Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite coasts.
Lecture 12 Page 1 CS 236, Spring 2008 Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite.

Lecture 12 Page 1 CS 236, Spring 2008 Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite.
Lecture 20 Page 1 Advanced Network Security Basic Approaches to DDoS Defense Advanced Network Security Peter Reiher August, 2014.

Lecture 20 Page 1 Advanced Network Security Basic Approaches to DDoS Defense Advanced Network Security Peter Reiher August, 2014.

Similar presentations

Ads by Google