Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vulnerabilities in Tor: (past,) present, future

Published byRussell August Floyd Modified over 6 years ago

Similar presentations

Presentation on theme: "Vulnerabilities in Tor: (past,) present, future"— Presentation transcript:

1 Vulnerabilities in Tor: (past,) present, future
Roger Dingledine The Tor Project

2 Outline Crash course on Tor Solved / solvable problems Tough ongoing issues, practical Tough ongoing issues, research Future

3 Tor: Big Picture Freely available (Open Source), unencumbered.
Comes with a spec and full documentation: Dresden and Aachen implemented compatible Java Tor clients; researchers use it to study anonymity. 1500 active relays, active users, >1Gbit/s. Official US 501(c)(3) nonprofit. Eight full-time developers (!), dozens more dedicated volunteers. Funding from US DoD, Electronic Frontier Foundation, Voice of America, a French NGO, Google, NLnet, Human Rights Watch, ...you?

4 Anonymity serves different interests for different user groups.
Private citizens “It's privacy!”

5 Anonymity serves different interests for different user groups.
Businesses Anonymity “It's network security!” Private citizens “It's privacy!”

6 Anonymity serves different interests for different user groups.
“It's traffic-analysis resistance!” Businesses Governments Anonymity “It's network security!” Private citizens “It's privacy!”

7 Anonymity serves different interests for different user groups.
Blocked users “It's reachability!” “It's traffic-analysis resistance!” Businesses Governments Anonymity “It's network security!” Private citizens “It's privacy!”

8 The simplest designs use a single relay to hide connections.
Bob1 Alice1 E(Bob3,“X”) “Y” Relay Alice2 Bob2 E(Bob1, “Y”) “Z” “X” E(Bob2, “Z”) Alice3 Bob3 (example: some commercial proxy providers)

9 But a single relay (or eavesdropper!) is a single point of failure.
Bob1 Alice1 E(Bob3,“X”) “Y” Evil Relay Alice2 Bob2 E(Bob1, “Y”) “Z” “X” E(Bob2, “Z”) Alice3 Bob3

10 So, add multiple relays so that no single one can betray Alice.
Bob Alice R1 R3 R5 R4 R2

11 A corrupt first hop can tell that Alice is talking, but not to whom.
Bob Alice R1 R3 R5 R4 R2

12 A corrupt final hop can tell that somebody is talking to Bob, but not who.
Alice R1 R3 R5 R4 R2

13 Alice makes a session key with R1 ...And then tunnels to R2...and to R3
Bob Alice R1 R3 Bob2 R5 R4 R2

14 The basic Tor design uses a simple centralized directory protocol.
cache S1 Trusted directory Alice S2 Alice downloads consensus and descriptors from anywhere Trusted directory cache S3 Authorities publish a consensus list of all descriptors Servers publish self-signed descriptors.

15 Outline Crash course on Tor Tough ongoing issues, practical Tough ongoing issues, research Future

16 Snooping on Exit Relays (1)
Lots of press last year about people watching traffic coming out of Tor. (Ask your lawyer first...) Tor hides your location; it doesn't magically encrypt all traffic on the Internet. Though Tor does protect from your local network.

17 Snooping on Exit Relays (2)
https as a “premium” feature Should Tor refuse to handle requests to port 23, 109, 110, 143, etc by default? Torflow / setting plaintext pop/imap “traps” Need to educate users? Active attacks on e.g. gmail cookies? Some research on exit traffic properties is legitimate and useful. How to balance?

18 Who runs the relays? (1) At the beginning, you needed to know me to have your relay considered “verified”. We've automated much of the “is it broken?” checking. Still a tension between having lots of relays and knowing all the relay operators

19 Who runs the relays? (2) What if your exit relay is running Windows and uses the latest anti-virus gadget on all the streams it sees? What if your exit relay is in China and you're trying to read BBC? What if your exit relay is in China and its ISP is doing an SSL MitM attack on it? (What if China 0wns a CA?)

20 Who runs the relays? (3) What happens if ten Tor relays show up, all on /16, which is near DC? “EnforceDistinctSubnets” config option to use one node per /16 in your circuit (Tor alpha, 27 August 2006) No more than 2 relays on one IP address (Tor alpha, 29 July 2007) How about ASes? IXes? Countries?

21 Tor Browser Bundle traces
We want to let you use Tor from a USB key without leaving traces on the host “WINDOWS/Prefetch” trace Windows explorer's “user assist” registry entry Vista has many more?

22 Application-level woes (1)
Javascript refresh attack Cookies, History, browser window size, user-agent, language, http auth, ... Mostly problems when you toggle from Tor to non-Tor or back Mike Perry's Torbutton tackles many of these (30 July 2008)

23 Some Firefox privacy bugs remain
No way to configure/spoof timezones “Livemarks” / “Live bookmarks” does a lookup over Tor when Firefox starts. Client-side SSL certs are messy to isolate (Firefox happily sends them to the remote website even via Tor) The TLS ClientHello message in FF2 uses uptime for the “time” variable!

24 Application-level woes (2)
Some apps are bad at obeying their proxy settings. Adobe PDF plugin. Other plugins. Extensions. Especially Windows stuff.

25 Transparent proxying Easy to do in Linux / BSD: iptables/pf, getsockopt()/getsockname(), done. Put Tor client in a Linux QEMU running inside Windows. Then intercept outgoing traffic from Windows apps. Or, Put Tor client and apps inside a Linux QEMU, and launch it from Windows.

26 Filtering connections to Tor
By blocking the directory authorities By blocking all the relay IP addresses in the directory By filtering based on Tor's network fingerprint By preventing users from finding the Tor software

27 Alice Alice Alice Alice Blocked User Alice R3 Alice R4 Blocked User Bob Alice Alice R2 Blocked User Alice Alice R1 Blocked User Alice Alice Alice Blocked User Alice Alice

28 Outline Crash course on Tor Tough ongoing issues, practical Tough ongoing issues, research Future

29 Traffic confirmation If you can see the flow into Tor and the flow out of Tor, simple math lets you correlate them. Defensive dropping (2004)? Adaptive padding (2006)? Nick Feamster's AS-level attack (2004), Steven Murdoch's sampled traffic analysis attack (2007).

30 Website fingerprinting
If you can see an SSL-encrypted link, you can guess what web page is inside it based on size. Does this attack work on Tor? “maybe” Considering multiple pages (e.g. via hidden Markov models) would probably make the attack even more effective.

31 Clogging / Congestion attacks (1)
Murdoch-Danezis attack (2005) sent constant traffic through every relay, and when Alice made her connection, looked for a traffic bump in three relays. Couldn't identify Alice – just the relays she picked.

32 Clogging / Congestion attacks (2)
Hopper et al (2007) extended this to (maybe) locate Alice based on latency. Chakravarty et al (2008) extended this to (maybe) locate Alice via bandwidth tests. Evans et al (2009?) showed the original attack doesn't work anymore (too many relays, too much noise) – but “infinite length circuit” makes it work again?

33 Profiling at exit relays
Tor reuses the same circuit for 10 minutes before rotating to a new one. (It used to be 30 seconds, but that put too much CPU load on the relays.) If one of your connections identifies you, then the rest lose too. What's the right algorithm for allocating connections to circuits safely?

34 Declining to extend Tor's directory system prevents an attacker from spoofing the whole Tor network. But your first hop can still say “sorry, that relay isn't up. Try again.” Or your local network can restrict connections so you only reach relays they like.

35 Outline Crash course on Tor Tough ongoing issues, practical Tough ongoing issues, research Future

36 Traffic correlation It's just going to get better.
E.g., maybe somebody publishes mrtg graphs or other apparently innocent data, and that turns out to be enough? Or smoke ping data for all the relays?

37 Countries blocking Tor network
Blocking the website is a great start Eventually, they'll block the Tor relays, and bridges will be needed Then the arms race for blocking bridge relays will start.

38 Data retention “Service providers” must log “stuff”
It means major ISPs have to remember which customer had which IP address? GPF lawyer says doesn't apply to non- commercial service providers anyway? The police I talked to in Stuttgart said they didn't ask for this law.

39 Data retention Some modifications we can make to the Tor design to resist logging at ISPs. There will be no logging inside Tor. CCC is going to challenge this law. To start, they're going to use the CCC-Tor donations from They could use a lot more!

40 Last thoughts Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against all low-latency anonymity systems. Tor is still the best that we know of -- other than not communicating. People find things because of the openness and thoroughness of our design, spec, and code. We'd love to hear from you.

41 Debian RNG flaw [Addressed in Tor rc, 13 May 2008] 300 out of ~1500 Tor relay identity keys were bad. Logged traffic breakable too--if the client was Debian, or if it used only Debian relays! Three out of the six v3 dir authority keys were bad. Four would have really sucked.

Download ppt "Vulnerabilities in Tor: (past,) present, future"

Similar presentations

SOCIAL WEB MEDIA privacy and data mining part 2 4/12/2010.

SOCIAL WEB MEDIA privacy and data mining part 2 4/12/2010.
SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.

SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.
Tor: The Second-Generation Onion Router

Tor: The Second-Generation Onion Router
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
236349 Project in Computer Security Integrating TOR’s attacks into the I2P darknet Chen Avnery Amihay Vinter.

Project in Computer Security Integrating TOR’s attacks into the I2P darknet Chen Avnery Amihay Vinter.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.

By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Anonymizing Network Technologies Some slides modified from Dingledine, Mathewson, Syverson, Xinwen Fu, and Yinglin Sun Presenter: Chris Zachor 03/23/2011.

Anonymizing Network Technologies Some slides modified from Dingledine, Mathewson, Syverson, Xinwen Fu, and Yinglin Sun Presenter: Chris Zachor 03/23/2011.
Www.sti-innsbruck.at © Copyright 2012 STI INNSBRUCK www.sti-innsbruck.at Tor project: Anonymity online.

© Copyright 2012 STI INNSBRUCK Tor project: Anonymity online.
0Gold 11 0Gold 11 LapLink Gold 11 Firewall Service How Connections are Created A Detailed Overview for the IT Manager.

0Gold 11 0Gold 11 LapLink Gold 11 Firewall Service How Connections are Created A Detailed Overview for the IT Manager.
Adrian Crenshaw. Darknets  There are many definitions, but mine is “anonymizing private networks ”  Use of encryption.

Adrian Crenshaw. Darknets  There are many definitions, but mine is “anonymizing private networks ”  Use of encryption.
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Overview  Anonymity systems  Review of how Tor works  Tor Project Inc.  Helper tools and accessories  Advanced Tor control  Attack Vectors.

Overview  Anonymity systems  Review of how Tor works  Tor Project Inc.  Helper tools and accessories  Advanced Tor control  Attack Vectors.
Traffic Correlation in Tor Source and Destination Prediction PETER BYERLEY RINDAL SULTAN ALANAZI HAFED ALGHAMDI.

Traffic Correlation in Tor Source and Destination Prediction PETER BYERLEY RINDAL SULTAN ALANAZI HAFED ALGHAMDI.
Lecture 17 Page 1 Advanced Network Security Network Denial of Service Attacks Advanced Network Security Peter Reiher August, 2014.

Lecture 17 Page 1 Advanced Network Security Network Denial of Service Attacks Advanced Network Security Peter Reiher August, 2014.
Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.

Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.
1 How to make Tor play well with the rest of the Internet. Roger Dingledine The Tor Project https://www.torproject.org/

1 How to make Tor play well with the rest of the Internet. Roger Dingledine The Tor Project
1 Tor and circumvention: Lessons learned Roger Dingledine The Tor Project https://torproject.org/

1 Tor and circumvention: Lessons learned Roger Dingledine The Tor Project

Similar presentations

Ads by Google