overview of tor issues · 2019. 10. 10. · 56 attacks on tor pretty much any tor bug seems to turn...
TRANSCRIPT
![Page 1: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/1.jpg)
1
Overview of Tor issues
Roger DingledineThe Tor Project
https://torproject.org/
![Page 2: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/2.jpg)
2
Today's plan
● 0) Crash course on Tor● 1) History of Tor censorship attempts● 2) Attacks on low-latency anonymity● 3) Tor performance issues● 4) Next research questions
![Page 3: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/3.jpg)
3
What is Tor?
Online anonymity 1) open source software, 2) network, 3) protocolCommunity of researchers, developers, users, and relay operatorsFunding from US DoD, Electronic Frontier Foundation, Voice of America, Google, NLnet, Human Rights Watch, NSF, US State Dept, SIDA, ...
![Page 4: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/4.jpg)
4
501(c)(3) non-profit organization dedicated to the research and development of tools for online anonymity and privacy
The Tor Project, Inc.
![Page 5: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/5.jpg)
5
Estimated 400,000? daily Tor users
![Page 6: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/6.jpg)
6
Threat model:what can the attacker do?
AliceAnonymity network Bob
watch (or be!) Bob!
watch Alice!
Control part of the network!
![Page 7: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/7.jpg)
7
Anonymity serves different interests for different user groups.
Anonymity
Private citizens
Governments Businesses
“It's traffic-analysisresistance!”
“It's network security!”
“It's privacy!”
Human rightsactivists
“It's reachability!”
![Page 8: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/8.jpg)
8
The simplest designs use a single relay to hide connections.
Bob2
Bob1
Bob3
Alice2
Alice1
Alice3
Relay
E(Bob3,“X”)
E(Bob1, “Y”)
E(Bob2, “Z”)
“Y”
“Z”
“X”
(example: some commercial proxy providers)
![Page 9: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/9.jpg)
9
But a single relay (or eavesdropper!) is a single point of failure.
Bob2
Bob1
Bob3
Alice2
Alice1
Alice3
EvilRelay
E(Bob3,“X”)
E(Bob1, “Y”)
E(Bob2, “Z”)
“Y”
“Z”
“X”
![Page 10: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/10.jpg)
10
... or a single point of bypass.
Bob2
Bob1
Bob3
Alice2
Alice1
Alice3
IrrelevantRelay
E(Bob3,“X”)
E(Bob1, “Y”)
E(Bob2, “Z”)
“Y”
“Z”
“X”
Timing analysis bridges all connections through relay ⇒ An attractive fat target
![Page 11: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/11.jpg)
11
So, add multiple relays so thatno single one can betray Alice.
BobAlice
R1
R2
R3
R4 R5
![Page 12: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/12.jpg)
12
A corrupt first hop can tell that Alice is talking, but not to whom.
BobAlice
R1
R2
R3
R4 R5
![Page 13: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/13.jpg)
13
A corrupt final hop can tell that somebody is talking to Bob,
but not who.BobAlice
R1
R2
R3
R4 R5
![Page 14: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/14.jpg)
14
Alice makes a session key with R1...And then tunnels to R2...and to R3
BobAlice
R1
R2
R3
R4 R5
Bob2
![Page 15: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/15.jpg)
15
Today's plan
● 0) Crash course on Tor● 1) History of Tor censorship attempts● 2) Attacks on low-latency anonymity● 3) Tor performance issues● 4) Next research questions
![Page 16: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/16.jpg)
16
Smartfilter/Websense (2006)
● Tor used TLS for its encrypted connection, and HTTP for fetching directory info.
● Smartfilter just cut all HTTP GET requests for “/tor/...”
![Page 17: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/17.jpg)
17
Iran/Saudi Arabia/etc (2007)
● Picked up these Smartfilter/Websense rules by pulling an update
● The fix was to tunnel directory fetches inside the encrypted connection
● When Iran kicked out Smartfilter in early 2009, Tor's old (non-TLS) directory fetches worked again!
![Page 18: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/18.jpg)
18
Iran throttles SSL (June 2009)
● We made Tor's TLS handshake look like Firefox+Apache.
● So when Iran freaked out and throttled SSL bandwidth by DPI in summer 2009, they got Tor for free
![Page 19: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/19.jpg)
19
Tunisia (summer 2009)
● As of the summer of 2009, Tunisia used Smartfilter to filter every port but 80 and 443
● And if they didn't like you, they could block 443 just for you
● You could use a Tor bridge on port 80, but couldn't bootstrap into the main network
● So we set up a Tor directory authority doing TLS on port 80
![Page 20: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/20.jpg)
20
China (September 2009)
● China grabbed the list of public relays and blocked them
● They also enumerated one of the three bridge buckets (the ones available via https://bridges.torproject.org/)
● But they missed the other bridge buckets.
![Page 21: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/21.jpg)
21
Relay versus Discovery
There are two pieces to all these “proxying” schemes:
a relay component: building circuits, sending traffic over them, getting the crypto right
a discovery component: learning what relays are available
![Page 22: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/22.jpg)
22
The basic Tor design uses a simple centralized directory protocol.
S2
S1Alice
Trusted directory
Trusted directory
S3
cache
cache
Servers publishself-signeddescriptors.
Authoritiespublish a consensuslist of all descriptors
Alice downloadsconsensus anddescriptors fromanywhere
![Page 23: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/23.jpg)
23
Attackers can block users from connecting to the Tor network
By blocking the directory authoritiesBy blocking all the relay IP addresses in the directoryBy filtering based on Tor's network fingerprintBy preventing users from finding the Tor software
![Page 24: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/24.jpg)
24
R4
R2
R1
R3
Bob
Alice
Alice
Alice
Alice
Alice
BlockedUser
BlockedUser
BlockedUser
BlockedUser
BlockedUser
Alice
AliceAlice
Alice
Alice
Alice
Alice
Alice
AliceAlice
![Page 25: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/25.jpg)
25
How do you find a bridge?
1) https://bridges.torproject.org/ will tell you a few based on time and your IP address
2) Mail [email protected] from a gmail address and we'll send you a few
3) I mail some to a friend in Shanghai who distributes them via his social network
4) You can set up your own private bridge and tell your target users directly
![Page 26: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/26.jpg)
26
![Page 27: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/27.jpg)
27
![Page 28: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/28.jpg)
28
China (March 2010)
● China enumerated the second of our three bridge buckets (the ones available at [email protected] via Gmail)
● We were down to the social network distribution strategy, and the private bridges
![Page 29: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/29.jpg)
29
![Page 30: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/30.jpg)
30
Iran (January 2011)
● Iran blocked Tor by DPI for SSL and filtering our Diffie-Hellman parameter.
● Socks proxy worked fine the whole time
(the DPI didn't pick it up)● DH p is a server-side parameter, so the
relays and bridges had to upgrade, but not the clients
![Page 31: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/31.jpg)
31
![Page 32: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/32.jpg)
32
Egypt (January 2011)
● When Egypt unplugged its Internet, no more Tor either.
![Page 33: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/33.jpg)
33
![Page 34: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/34.jpg)
34
Libya (March-July 2011)
● Libya might as well have unplugged its Internet.
● But they did it through throttling, so nobody cared.
![Page 35: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/35.jpg)
35
![Page 36: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/36.jpg)
36
Syria (June 2011)
● One ISP briefly DPIed for Tor's TLS renegotiation and killed the connections.
● A week later, that ISP went offline. When it came back, no more Tor filters.
● Who was testing what?
![Page 37: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/37.jpg)
37
![Page 38: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/38.jpg)
38
Iran (September 2011)
● This time, DPI for SSL and look at our TLS certificate lifetime.
● (Tor rotated its TLS certificates every 2 hours, because key rotation is good, right?)
● Now our certificates last for a year● These are all low-hanging fruit. How do we
want the arms race to go?
![Page 39: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/39.jpg)
39
![Page 40: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/40.jpg)
40
October 2011 advances?
● Iran DPIs for SSL, recognizes Tor, and throttles rather than blocks?
● China DPIs for SSL, does active follow-up probing to see what sort of SSL it is?
![Page 41: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/41.jpg)
41
Today's plan
● 0) Crash course on Tor● 1) History of Tor censorship attempts● 2) Attacks on low-latency anonymity● 3) Tor performance issues● 4) Next research questions
![Page 42: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/42.jpg)
42
Operational attacks
● You need to use https – correctly.● Don't use Flash.● Who runs the relays?● What local traces does Tor leave on the
system?● ...Different talk.
![Page 43: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/43.jpg)
43
Traffic confirmation
● If you can see the flow into Tor and the flow out of Tor, simple math lets you correlate them.
● Feamster's AS-level attack (2004), Edman's followup (2009), Murdoch's sampled traffic analysis attack (2007).
![Page 44: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/44.jpg)
44
Countermeasures?
● Defensive dropping (2004)? Adaptive padding (2006)?
● Traffic morphing (2009), Johnson (2010)● Tagging attack, traffic watermarking
![Page 45: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/45.jpg)
45
Tor gives three anonymity properties● #1: A local network attacker can't learn, or
influence, your destination.– Clearly useful for blocking resistance.
● #2: No single router can link you to your destination.– The attacker can't sign up relays to trace users.
● #3: The destination, or somebody watching it, can't learn your location.– So they can't reveal you; or treat you differently.
![Page 46: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/46.jpg)
46
Tor's safety comes from diversity
● #1: Diversity of relays. The more relays we have and the more diverse they, the fewer attackers are in a position to do traffic confirmation. (Research problem: measuring diversity over time)
● #2: Diversity of users and reasons to use it. 60000 users in Iran means almost all of them are normal citizens.
![Page 47: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/47.jpg)
47
Website fingerprinting
● If you can see an SSL-encrypted link, you can guess what web page is inside it based on size.
● Does this attack work on Tor? “maybe”● Considering multiple pages (e.g. via
hidden Markov models) would probably make the attack even more effective.
![Page 48: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/48.jpg)
48
Low-resource routing attacks
● Bauer et al (WPES 2009)● Clients use the bandwidth as reported by
the relay● So you can sign up tiny relays, claim
huge bandwidth, and get lots of traffic● Fix is active measurement.
![Page 49: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/49.jpg)
49
Long-term passive attacks
● Matt Wright's predecessor attack● Øverlier and Syverson, Oakland 2006● The more circuits you make, the more
likely one of them is bad● The fix: guard relays
![Page 50: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/50.jpg)
50
Denial of service as denial of anonymity
● Borisov et al, CCS 2007● If you can't win against a circuit, kill it
and see if you win the next one● Guard relays also a good answer here.
![Page 51: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/51.jpg)
51
Epistemic attacks on route selection
● Danezis/Syverson (PET 2008)● If the list of relays gets big enough, we'd
be tempted to give people random subsets of the relay list
● But, partitioning attacks
![Page 52: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/52.jpg)
52
Congestion attacks (1)
● Murdoch-Danezis attack (2005) sent constant traffic through every relay, and when Alice made her connection, looked for a traffic bump in three relays.
● Couldn't identify Alice – just the relays she picked.
![Page 53: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/53.jpg)
53
Congestion attacks (2)
● Hopper et al (2007) extended this to (maybe) locate Alice based on latency.
● Chakravarty et al (2008) extended this to (maybe) locate Alice via bandwidth tests.
● Evans et al (2009) showed the original attack doesn't work anymore (too many relays, too much noise) – but “infinite length circuit” makes it work again?
![Page 54: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/54.jpg)
54
Profiling at exit relays
● Tor reuses the same circuit for 10 minutes before rotating to a new one.
● (It used to be 30 seconds, but that put too much CPU load on the relays.)
● If one of your connections identifies you, then the rest lose too.
● What's the right algorithm for allocating connections to circuits safely?
![Page 55: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/55.jpg)
55
Declining to extend
● Tor's directory system prevents an attacker from spoofing the whole Tor network.
● But your first hop can still say “sorry, that relay isn't up. Try again.”
● Or your local network can restrict connections so you only reach relays they like.
![Page 56: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/56.jpg)
56
Attacks on Tor● Pretty much any Tor bug seems to turn
into an anonymity attack. ● Many of the hard research problems are
attacks against all low-latency anonymity systems. Tor is still the best that we know of – other than not communicating.
● People find things because of the openness and thoroughness of our design, spec, and code. We'd love to hear from you.
![Page 57: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/57.jpg)
57
Today's plan
● 0) Crash course on Tor● 1) History of Tor censorship attempts● 2) Attacks on low-latency anonymity● 3) Tor performance issues● 4) Next research questions
![Page 58: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/58.jpg)
58
![Page 59: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/59.jpg)
59
![Page 60: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/60.jpg)
60
![Page 61: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/61.jpg)
61
![Page 62: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/62.jpg)
62
![Page 63: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/63.jpg)
63
Performance issues
● Not enough capacity● Bulk downloaders● Multiplexing circuits over one TCP flow● ExperimenTor / Shadow● Flow control, N23. Slow first hop?● Drop relays with less than x bandwidth
![Page 64: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/64.jpg)
64
Today's plan
● 0) Crash course on Tor● 1) History of Tor censorship attempts● 2) Attacks on low-latency anonymity● 3) Tor performance issues● 4) Next research questions
![Page 65: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/65.jpg)
65
What we're up against
Govt firewalls used to be stateless. Now they're buying fancier hardware.
Burma vs Iran vs ChinaNew filtering techniques spread by commercial (American) companies :(
How to separate “oppressing employees” vs “oppressing citizens” arms race?
![Page 66: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/66.jpg)
66
Only a piece of the puzzleAssume the users aren't attacked by their hardware and softwareNo spyware installed, no cameras watching their screens, etcUsers can fetch a genuine copy of Tor?
![Page 67: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/67.jpg)
67
Publicity attracts attention
Many circumvention tools launch with huge media splashes. (The media loves this.)
But publicity attracts attention of the censors.
We threaten their appearance of control, so they must respond.
We can control the pace of the arms race.
![Page 68: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/68.jpg)
68
BridgeDB needs a feedback cycle
● Measure how much use each bridge sees
● Measure bridge blocking● Then adapt bridge distribution to
favor efficient distribution channels● (Need to invent new distribution
channels)
![Page 69: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/69.jpg)
69
Measuring bridge reachability
● Passive: bridges track incoming connections by country; clients self-report blockage (via some other bridge)
● Active: scan bridges from within the country; measure remotely via FTP reflectors
● Bridges test for duplex blocking
![Page 70: Overview of Tor issues · 2019. 10. 10. · 56 Attacks on Tor Pretty much any Tor bug seems to turn into an anonymity attack. Many of the hard research problems are attacks against](https://reader034.vdocuments.us/reader034/viewer/2022051905/5ff6e0d9757f0e25de2ab8cf/html5/thumbnails/70.jpg)
70
Other discussion points
● Can bridges just be proxies?● Secure update (Diginotar/Iran)● Usability work● Can't bad people use Tor?● Hidden services