Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Tor blocking-resistance design overview Roger Dingledine The Tor Project https://www.torproject.org/

Published byBritney Sheila Norris Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Tor blocking-resistance design overview Roger Dingledine The Tor Project https://www.torproject.org/"— Presentation transcript:

1 1 Tor blocking-resistance design overview Roger Dingledine The Tor Project https://www.torproject.org/

2 2 Tor: Big Picture ● Freely available (Open Source), unencumbered. ● Comes with a spec and full documentation: Dresden and Aachen implemented compatible Java Tor clients; researchers use it to study anonymity. ● 1500 active relays, 200000+ active users, >1Gbit/s. ● Official US 501(c)(3) nonprofit. Seven funded developers, dozens more dedicated volunteers. ● Funding from US DoD, Electronic Frontier Foundation, Voice of America, Internews, Google, NLnet,...you?

3 3 Outline ● Crash course on Tor ● What adversaries do we expect? (threat model) ● What properties of Tor make it useful for blocking resistance? ● How we've modified Tor

4 4 Anonymity serves different interests for different user groups. Anonymity Private citizens “It's privacy!”

5 5 Anonymity serves different interests for different user groups. Anonymity Private citizens Businesses “It's network security!” “It's privacy!”

6 6 Anonymity serves different interests for different user groups. Anonymity Private citizens Governments Businesses “It's traffic-analysis resistance!” “It's network security!” “It's privacy!”

7 7 Anonymity serves different interests for different user groups. Anonymity Private citizens Governments Businesses “It's traffic-analysis resistance!” “It's network security!” “It's privacy!” Blocked users “It's reachability!

8 8 The simplest designs use a single relay to hide connections. Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Relay E(Bob3,“X”) E(Bob1, “Y”) E(Bob2, “Z”) “Y” “Z” “X” (example: some commercial proxy providers)

9 9 But a single relay (or eavesdropper!) is a single point of failure. Bob2 Bob1 Bob3 Alice2 Alice1 Alice3 Evil Relay E(Bob3,“X”) E(Bob1, “Y”) E(Bob2, “Z”) “Y” “Z” “X”

10 10 So, add multiple relays so that no single one can betray Alice. Bob Alice R1 R2 R3 R4 R5

11 11 A corrupt first hop can tell that Alice is talking, but not to whom. Bob Alice R1 R2 R3 R4 R5

12 12 A corrupt final hop can tell that somebody is talking to Bob, but not who. Bob Alice R1 R2 R3 R4 R5

13 13 Alice makes a session key with R1...And then tunnels to R2...and to R3 Bob Alice R1 R2 R3 R4 R5 Bob2

14 14 Relay versus Discovery ● There are two pieces to all these “proxying” schemes: ● a relay component: building circuits, sending traffic over them, getting the crypto right ● a discovery component: learning what relays are available

15 15 The basic Tor design uses a simple centralized directory protocol. S2 S1 Alice Trusted directory S3 cache Servers publish self-signed descriptors. Authorities publish a consensus list of all descriptors Alice downloads consensus and descriptors from anywhere

16 16 Attackers can block users from connecting to the Tor network ● By blocking the directory authorities ● By blocking all the relay IP addresses in the directory ● By filtering based on Tor's network fingerprint ● By preventing users from finding the Tor software

17 17 Outline ● Crash course on Tor ● What adversaries do we expect? (threat model) ● What properties of Tor make it useful for blocking resistance? ● How we've modified Tor

18 18 Attacker's goals (1) ● Restrict the flow of certain kinds of information – Embarrassing (rights violations, corruption) – Opposing (opposition movements, sites that organize protests) ● Chill behavior by impression that online activities are monitored

19 19 Attacker's goals (2) ● Complete blocking is not a goal. It's not even necessary. ● Similarly, no need to shut down or block every circumvention tool. Just ones that are – popular and effective (the ones that work) – highly visible (make censors look bad to citizens -- and to bosses)

20 20 Attacker's goals (3) ● Little reprisal against passive consumers of information. – Producers and distributors of information in greater danger. ● Censors (actually, govts) have economic, political, social incentives not to block the whole Internet. – But they don't mind collateral damage.

21 21 Main network attacks ● Block by IP address / port at firewall ● Keyword searching in TCP packets ● Intercept DNS requests and give bogus responses or redirects

22 22 Design assumptions (1) ● Network firewall has limited CPU and memory per connection – full steganography not needed, thankfully ● Time lag between attackers sharing notes – Most commonly by commercial providers of filtering tools – Insider threat not a worry initially

23 23 Design assumptions (2) ● Censorship is not uniform even within each country, often due to different ISP policies ● Attacker can influence other countries and companies to help them censor or track users.

24 24 Design assumptions (3) ● Assume the users aren't attacked by their hardware and software – No spyware installed, no cameras watching their screens, etc ● Assume the users can fetch a genuine copy of Tor: use GPG signatures, etc.

25 25 Outline ● Crash course on Tor ● What adversaries do we expect? (threat model) ● What properties of Tor make it useful for blocking resistance? ● How we've modified Tor

26 26 Tor gives three anonymity properties ● #1: A local network attacker can't learn, or influence, your destination. – Clearly useful for blocking resistance. ● #2: No single router can link you to your destination. – The attacker can't sign up relays to trace users. ● #3: The destination, or somebody watching it, can't learn your location. – So they can't reveal you; or treat you differently.

27 27 Other Tor design features (1) ● Well-analyzed, well-understood discovery mechanism: directory authorities. ● They automatically aggregate, test, and publish signed summaries of the available routers. ● Tor clients fetch these summaries to learn which routers have what properties. ● Directory information is cached throughout the Tor network.

28 28 Other Tor design features (2) ● Tor automatically builds paths, and rebuilds and rotates them as needed. ● More broadly, Tor is just a tool to build paths given a set of relays. And we can learn about these relays in more than one way.

29 29 Other Tor design features (3) ● Tor separates the role of “internal relay” from the role of “exit relay”. ● Because we don't force all volunteers to play both roles, we end up with more relays. ● This increased diversity gives Tor users better anonymity.

30 30 Other Tor design features (4) ● Tor is sustainable. It has a community of developers and volunteers. ● Commercial anonymity systems have flopped or constantly need more funding for bandwidth. ● Our sustainability is rooted in Tor's open design: clear documentation, modularity, and open source.

31 31 Other Tor design features (5) ● Tor has an established user base of hundreds of thousands of people around the world. ● Ordinary citizens, activists, corporations, law enforcement, even govt and military users. ● This diversity contributes to sustainability. ● It also provides many many IP addresses!

32 32 Outline ● Crash course on Tor ● What adversaries do we expect? (threat model) ● What properties of Tor make it useful for blocking resistance? ● How we've modified Tor

33 33 R4 R2 R1 R3 Bob Alice Blocked User Blocked User Blocked User Blocked User Blocked User Alice

34 34 “Bridge” relays ● Hundreds of thousands of Tor users, already self-selected for caring about privacy. ● Rather than signing up as a normal relay, you can sign up as a special “bridge” relay that isn't listed in any directory. ● No need to be an “exit” (so no abuse worries), and you can rate limit if needed ● Integrated into Vidalia (our GUI) so it's easy to offer a bridge or to use a bridge

35 35 Bridge directory authorities ● Specialized dir authorities that aggregate and track bridges, but don't provide a public list: – You can keep up-to-date about a bridge once you know its key, but can't just grab list of all bridges. ● Identity key and address for default bridge authorities ship with Tor. ● Bridges publish via Tor, in case somebody is monitoring the authority's network.

36 36 One working bridge is enough ● Connect via that bridge to the bridge authority. ●...and to the main Tor network. ● Remember, all of this happens in the background. ● “How to circumvent for all transactions (and trust the pages you get)” is now reduced to “How to learn about a working bridge”.

37 37 How do you find a bridge? ● If you can, go to https://bridges.torproject.org/ and it will tell you a few based on time and your IP address ● Mail bridges@torproject.org from a gmail/yahoo address, and we'll send you a few ● From your friends and neighbors, like before

38 38 Hiding Tor's network fingerprint ● We got rid of plaintext HTTP (used by directories). Now clients tunnel their directory requests over the same TLS connection as their other Tor traffic. ● We've made Tor's TLS handshake look more like Firefox+Apache. ● Not perfect, but hopefully an arms race we can handle.

39 39 Anonymity is useful for censorship-resistance too! ● If a Chinese worker blogs about a problem at her factory, and she routes through her uncle's computer in Ohio to do it,...? ● If any relay can expose dissident bloggers or compile profiles of user behavior, attacker should attack relays. ●...Or just spread suspicion that they have, to chill users.

40 40 Packaging ● Tor Browser Bundle: Tor, Vidalia, Firefox, Torbutton, Polipo for USB stick ● JanusVM, Xerobank virtual machine ● Incognito LiveCD ● Wireless router images?

41 41 Next steps ● Technical solutions won't solve the whole censorship problem. After all, firewalls are socially very successful in these countries. ● But a strong technical solution is still a critical puzzle piece. ● Next steps: get more bridges, tell the right people, keep working on all the messy details. ● We'd love to help with some trainings, to help users and to make Tor better.

42 42 Using Tor in oppressed areas ● Common assumption: risk from using Tor increases as firewall gets more restrictive. ● But as firewall gets more restrictive, more ordinary people use Tor too, for more mainstream activities. ● So the “median” use becomes more acceptable? ● (Of course, that doesn't mean they won't try to block it.)

43 43 Relays in censored countries? ● What if your exit relay is in China and you're trying to read BBC? ● What if your exit relay is in China and its ISP is doing an SSL MitM attack on it? ● What if your exit relay is running Windows and uses the latest anti-virus gadget on all the streams it sees?

44 44 Publicity attracts attention ● Many circumvention tools launch with huge media splashes. (The media loves this.) ● But publicity attracts attention of the censors. ● We threaten their appearance of control, so they must respond. ● We can control the pace of the arms race.

Download ppt "1 Tor blocking-resistance design overview Roger Dingledine The Tor Project https://www.torproject.org/"

Similar presentations

Tor: The Second-Generation Onion Router

Tor: The Second-Generation Onion Router
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.

By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.
Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.

Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Anonymizing Network Technologies Some slides modified from Dingledine, Mathewson, Syverson, Xinwen Fu, and Yinglin Sun Presenter: Chris Zachor 03/23/2011.

Anonymizing Network Technologies Some slides modified from Dingledine, Mathewson, Syverson, Xinwen Fu, and Yinglin Sun Presenter: Chris Zachor 03/23/2011.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Sofya Rozenblat 11/26/2012 CS 105 TOR ANONYMITY NETWORK.

Sofya Rozenblat 11/26/2012 CS 105 TOR ANONYMITY NETWORK.
Www.sti-innsbruck.at © Copyright 2012 STI INNSBRUCK www.sti-innsbruck.at Tor project: Anonymity online.

© Copyright 2012 STI INNSBRUCK Tor project: Anonymity online.
1 The SpaceWire Internet Tunnel and the Advantages It Provides For Spacecraft Integration Stuart Mills, Steve Parkes Space Technology Centre University.

1 The SpaceWire Internet Tunnel and the Advantages It Provides For Spacecraft Integration Stuart Mills, Steve Parkes Space Technology Centre University.
Intranet, Extranet, Firewall. Intranet and Extranet.

Intranet, Extranet, Firewall. Intranet and Extranet.
Detrick Robinson & Amris Treadwell.  Computer viruses- are pieces of programs that are purposely made up to infect your computer.  Examples: › Internet.

Detrick Robinson & Amris Treadwell.  Computer viruses- are pieces of programs that are purposely made up to infect your computer.  Examples: › Internet.
Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.

Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.
Firewalls Nathan Long Computer Science 481. What is a firewall? A firewall is a system or group of systems that enforces an access control policy between.

Firewalls Nathan Long Computer Science 481. What is a firewall? A firewall is a system or group of systems that enforces an access control policy between.
Overview of Microsoft ISA Server. Introducing ISA Server New Product—Proxy Server In 1996, Netscape had begun to sell a web proxy product, which optimized.

Overview of Microsoft ISA Server. Introducing ISA Server New Product—Proxy Server In 1996, Netscape had begun to sell a web proxy product, which optimized.
NETWORK COMPONENTS Assignment #3. Hub A hub is used in a wired network to connect Ethernet cables from a number of devices together. The hub allows each.

NETWORK COMPONENTS Assignment #3. Hub A hub is used in a wired network to connect Ethernet cables from a number of devices together. The hub allows each.
(c) University of Technology, Sydney 2000 - 20041 Firewall Architectures.

(c) University of Technology, Sydney Firewall Architectures.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.

Similar presentations

Ads by Google