Think Of Tor As A Honeypot

September 4th, 2013

This is .mil laughing out loud at Tor heads.

“Tor is known to be insecure against an adversary that can observe a user’s traffic entering and exiting the anonymity network.”

Gee, I wonder who might be capable of doing something like that: NSA Laughs at PCs, Prefers Hacking Routers and Switches

Via: ohmygodel .PDF:

Tor is a volunteer-operated anonymity network that is estimated to protect the privacy of hundreds of thousands of daily users [13, 22]. However, Tor is known to be insecure against an adversary that can observe a user’s traffic entering and exiting the anonymity network. Quite simple and efficient techniques can correlate traffic at these separate locations by taking advantage of identifying traffic patterns [29]. As a result, the user and his destination may be identified, completely subverting the protocol’s security goals.

The traffic correlation problem in Tor has seen much attention in the literature. Prior Tor security analyses often consider entropy or similar statistical measures as metrics of the security provided by the system at a static point in time. In addition, while prior metrics of security may provide useful information about overall usage, they typically do not tell users how secure a type of behavior is. Further, similar previous work has thus far only considered adversaries that control either a subset of the members of the Tor network, a single autonomous system (AS), or a single Internet exchange point (IXP). These analyses have missed important characteristics of the network, such as that a single organization often controls several geographically diverse ASes or IXPs. That organization may have malicious intent or undergo coercion, threatening users of all network components under its control.

Given the severity of the traffic correlation problem and its security implications, we develop an analysis framework for evaluating the security of various user behaviors on the live Tor network and show how to concretely apply this framework by performing a comprehensive evaluation of the security of the Tor network [41] against the threat of complete deanonymization. To enable such an analysis, we develop a detailed model of a network adversary that includes (i) the largest and most accurate system for AS path inference yet applied to Tor and (ii) a thorough analysis of the threat of Internet exchange points and IXP coalitions. We also develop realistic metrics that inform this analysis, considering the network topology as it evolves over time, for example, as new relays are introduced and others go offline.

Our analysis shows that 80% of all types of users may be deanonymized by a relatively moderate Tor-relay adversary within six months. Our results also show that against a single AS adversary roughly 100% of users in some common locations are deanonymized within three months (95% in three months for a single IXP). Further, we find that an adversary controlling two ASes instead of one reduces the median time to the first client de-anonymization by an order of magnitude: from over three months to only 1 day for a typical web user; and from over three months to roughly one month for a BitTorrent user. This clearly shows the dramatic effect an adversary that controls multiple ASes can have on security.
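The excerpt's point that exposure accumulates over time, rather than being a fixed per-circuit figure, can be shown with a small risk model. This is an added example, not code from the paper or from this post: it covers only a relay adversary in a simplified form, and the guard count, rotation period, circuits per day and adversary bandwidth fractions are all assumed values.

```python
from math import comb

def p_period_safe(p_guard, p_exit, guards, circuits):
    """P(no circuit in one guard period has both a hostile guard and a hostile exit)."""
    total = 0.0
    for k in range(guards + 1):  # k = hostile relays in the user's guard set
        p_k = comb(guards, k) * p_guard**k * (1 - p_guard)**(guards - k)
        # Each circuit picks one of the guards uniformly, then an exit independently.
        total += p_k * (1 - (k / guards) * p_exit)**circuits
    return total

def p_compromised_by(day, p_guard, p_exit, guards=3, period_days=30,
                     circuits_per_day=10):
    """P(at least one end-to-end observed circuit within `day` days).

    p_guard / p_exit: adversary's share of guard / exit selection probability.
    A fresh guard set is drawn every `period_days` (assumed rotation policy).
    """
    full, rest = divmod(day, period_days)
    safe = p_period_safe(p_guard, p_exit, guards,
                         period_days * circuits_per_day)**full
    safe *= p_period_safe(p_guard, p_exit, guards, rest * circuits_per_day)
    return 1 - safe

def median_days(p_guard, p_exit, horizon=3650, **kw):
    """First day on which the cumulative compromise probability reaches 50%."""
    for day in range(1, horizon + 1):
        if p_compromised_by(day, p_guard, p_exit, **kw) >= 0.5:
            return day
    return None

if __name__ == "__main__":
    # Constructed scenario: adversary holds 5% of guard and 5% of exit weight.
    for rotation in (30, 90, 180):
        risk = p_compromised_by(180, 0.05, 0.05, period_days=rotation)
        print(f"guard rotation {rotation:>3} days -> "
              f"P(compromised within 180 days) = {risk:.2f}")
    print("median days to first compromise:", median_days(0.05, 0.05))
```

Under these assumptions the six-month risk is driven mostly by how often the guard set is redrawn, which is why longer guard lifetimes lower the cumulative figure.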


Tor Is Less Anonymous Than You Think

High-Traffic Colluding Tor Routers in Washington, D.C., and the Ugly Truth About Online Anonymity

Feds Pay for 60 Percent of Tor’s Development
