For the last 10 years activist technology and its supporting NGOs have been pushing the encrypted web as a secure form of communication: from the Indymedia network “not logging IPs”, to Wikileaks’ “secure whistleblowing”, to numerous encrypted chat and social networks, not to mention all the corporate dotcom “solutions” jumbling up the space.
This naiveté has driven alt-tech into oblivion through complexity and obfuscation. Has any of it been worthwhile? I would have liked to write this up properly, but you will have to make do with the notes below, which are a good summary of the issue (from SN-493-Notes.pdf, the show notes for Security Now episode 493).
TOR: Not so Anonymous after all
Our previous coverage:
● SN#70 (Internet Anonymity) – seven years ago, March 28th, 2008
● SN#394 (TOR Hidden Services) – nearly two years ago, March 8th, 2013
● In our earlier “what is TOR” coverage, we primarily focused upon the cleverness of
TOR’s ONION layering cryptography.
● “81% of Tor users can be de-anonymised by analysing router information, research
● Using weak but pervasive built-in Cisco “NetFlow” tech and deliberate traffic perturbation.
● Perturb the traffic from the server a user is connecting to, and watch the exit nodes’
● The point was that even very weak “NetFlow” aggregation was enough. More expensive “per packet” monitoring and analysis was not needed.
Did feds mount a sustained attack on Tor to decloak crime suspects?
● <quote> Despite the use of Tor, FBI investigators were able to identify IP addresses
that allegedly hosted and accessed the servers, including the Comcast-provided IP
address of one Brian Farrell, who prosecutors said helped manage SilkRoad2. In the
affidavit, DHS special agent Michael Larson wrote:
○ From January 2014 to July 2014, a FBI NY Source of Information (SOI) provided
reliable IP addresses for TOR and hidden services such as SilkRoad2, which
included its main marketplace URL, its vendor URL, its forum URL, and its support
interface (uz434sei7arqunp6.onion). The SOI’s information ultimately led to the
identification of SilkRoad2 servers, which led to the identification of at least
another seventeen black markets on TOR.
○ The SOI also identified approximately 78 IP addresses that accessed a vendor
.onion address. A user cannot accidentally end up on the vendor site. The site is
for vendors only, and access is only given to the site by the SilkRoad2
administrators/moderators after confirmation of a significant number of successful
transactions. If a user visits the vendor URL, he or she is asked for a user name
and password. Without a user name and password, the vendor website cannot be
The Internet was never designed to provide anonymity… and it doesn’t.
● True anonymity is extremely difficult to achieve.
● In a high-latency store & forward system it’s somewhat feasible…
● But in any low-latency near real time network, it’s arguably impossible.
Review… What is TOR?
● TOR is a LOW LATENCY anonymity-enhancing network service.
● The original designers of TOR made some assumptions and compromises that are
coming back to haunt us now…
● One academic paper put it this way: “Tor aims to protect against a peculiar threat
model, that is unusual within the anonymous communications community. It is
conventional to attempt to guarantee the anonymity of users against a global passive
adversary, who has the ability to observe all network links. It is also customary to
assume that transiting network messages can be injected, deleted or modified and that
the attacker controls a subset of the network nodes. This models a very powerful
adversary, and systems that protect against it can be assumed to be secure in a very
wide range of real world conditions.
Tor, on the other hand, assumes a much weaker threat model. It protects against a
(weaker) non-global adversary, who can only observe a fraction of the network, modify
the traffic only on this fraction, and control a fraction of the Tor nodes.
Furthermore, Tor does not attempt to protect against traffic confirmation attacks, where an adversary observes two parties that he suspects to be communicating with each
other, to either confirm or reject this suspicion. Instead, Tor aims to make it difficult for
an adversary with a very poor a priori suspicion of who is communicating with whom, to
gain more information.
The Crypto Model:
● Choose a “circuit”, default is three nodes.
● Negotiate keys with the 1st node.
● Using the first node, get keys for a randomly chosen second node.
● Using the first and second nodes, get keys for the randomly chosen third node.
● Wrap outgoing traffic in an onion from node 3 to node 2 to node 1.
● The onion model nailed it. No one is attacking that. But…
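The circuit construction just listed, as an added example that is not part of the SN-493 notes or of Tor's own code: a client negotiates a key with hop 1, extends to hop 2 and hop 3 through the hops it already has, then wraps a cell in three layers that the relays peel one at a time. Relay and client names, the cell encoding and the stand-in primitives (finite-field Diffie-Hellman over the RFC 3526 group 14 prime in place of Tor's ntor handshake, an HMAC-SHA256 keystream in place of AES-CTR, and unencrypted replies passed back up the call stack in place of the reverse onion) are assumptions made for this illustration.

```python
"""Three-hop onion circuit: telescoping key negotiation plus layered wrapping.
Constructed example, not code from the SN-493 notes or the Tor project. Stand-ins
(assumptions): finite-field DH over the RFC 3526 group 14 prime instead of Tor's
ntor handshake, an HMAC-SHA256 counter-mode keystream instead of AES-CTR, and
replies returned up the call stack unencrypted instead of onion-wrapped."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP) prime and generator.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
RELAYS = {}  # directory of relays by name (the "consensus" of this toy network)

def kdf(shared):
    """Derive a 256-bit circuit key from a DH shared secret."""
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()

def xor_stream(key, seq, data):
    """Toy stream cipher: HMAC-SHA256 keystream keyed by circuit key and cell
    sequence number (the nonce; never reuse one), XORed over data, so that
    encrypt and decrypt are the same operation."""
    out, block = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(key, seq.to_bytes(8, "big") + block.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))

class Relay:
    """A relay learns only its circuit key, the previous hop and the next hop."""
    def __init__(self, name):
        self.name, self.key, self.next_hop, self.seq = name, None, None, 0
        RELAYS[name] = self

    def create(self, client_pub):
        """CREATE cell: finish the DH exchange and install the circuit key."""
        priv = secrets.randbelow(P - 2) + 1
        self.key = kdf(pow(client_pub, priv, P))
        return pow(G, priv, P)

    def handle(self, cell):
        """Peel exactly one onion layer, then act on what it reveals."""
        plain = xor_stream(self.key, self.seq, cell)
        self.seq += 1
        kind, body = plain.split(b":", 1)
        if kind == b"EXTEND":    # body = "<next relay>:<client DH value, hex>"
            name, pub_hex = body.split(b":", 1)
            self.next_hop = RELAYS[name.decode()]
            return ("EXTENDED", self.next_hop.create(int(pub_hex, 16)))
        if kind == b"RELAY":     # a layer remains: forward it without reading it
            return self.next_hop.handle(body)
        if kind == b"DATA":      # innermost layer: this hop is the exit
            return ("DELIVERED", self.name, body)
        raise ValueError("unknown cell type")

class Client:
    def __init__(self):
        self.hops = []  # per hop: [relay, circuit key, next cell sequence number]

    def _wrap(self, plain, last):
        """Onion-wrap for hops 0..last, innermost (hop `last`) layer first."""
        cell = plain
        for i in range(last, -1, -1):
            hop = self.hops[i]
            cell = xor_stream(hop[1], hop[2], (b"" if i == last else b"RELAY:") + cell)
            hop[2] += 1
        return cell

    def build_circuit(self, names):
        # Hop 1 is negotiated directly; every later hop is negotiated through
        # the hops already built, so hop n only ever sees hops n-1 and n+1.
        priv, guard = secrets.randbelow(P - 2) + 1, RELAYS[names[0]]
        self.hops.append([guard, kdf(pow(guard.create(pow(G, priv, P)), priv, P)), 0])
        for name in names[1:]:
            priv = secrets.randbelow(P - 2) + 1
            extend = b"EXTEND:%s:%x" % (name.encode(), pow(G, priv, P))
            status, relay_pub = guard.handle(self._wrap(extend, len(self.hops) - 1))
            assert status == "EXTENDED"
            self.hops.append([RELAYS[name], kdf(pow(relay_pub, priv, P)), 0])

    def send(self, payload):
        return self.hops[0][0].handle(self._wrap(b"DATA:" + payload, len(self.hops) - 1))

def run_demo(names=("guard", "middle", "exit"), payload=b"GET / HTTP/1.0"):
    """Build a circuit, send one cell, and report each relay's view of the path."""
    RELAYS.clear()
    for n in names:
        Relay(n)
    client = Client()
    client.build_circuit(list(names))
    result = client.send(payload)
    view = {n: (r.next_hop.name if r.next_hop else None) for n, r in RELAYS.items()}
    return result, view

if __name__ == "__main__":
    print(run_demo())
```

Run it and each relay's `next_hop` shows the property the notes describe: the guard knows the middle, the middle knows the exit, and nobody but the client holds all three keys or sees all three names. The cell sequence number doubles as the cipher nonce; drop it and two cells under the same key would XOR to their plaintext difference, which is why real Tor advances its AES-CTR counter across every cell on a circuit.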
The Traffic Flow Model: (and the Achilles’ heel)
● Deliberate obfuscation of individual packets with random length padding.
● TCP flows are divided into 512 byte cells… And are sent round robin out of the node.
● The power of the global observer
● Much like metadata… traffic pattern analysis is a POWERFUL tool.
● The power of active vs passive attacks
● Being able to “perturb” the flow makes attacks far more powerful.
The extreme power of active assumption confirmation attacks.
● One academic paper: <quote> “Tor does not attempt to protect against traffic
confirmation attacks, where an adversary observes two parties that he suspects to be
communicating with each other, to either confirm or reject this suspicion.”
● IOW — In any near real time network, traffic confirmation is a killer.
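The NetFlow de-anonymisation bullets earlier and the traffic confirmation point just made, as one added example that is not part of the SN-493 notes or of the research they cite: the adversary perturbs the server's sending pattern, reads coarse bytes-per-interval counters from the access links of a few candidate clients, and correlates. Client names, byte volumes, noise levels, the two-interval lag and the 0.8 confirmation threshold are constructed for this illustration.

```python
"""Traffic confirmation over NetFlow-style byte counts.
Constructed example, not code from the SN-493 notes or the cited research. The
flow records are synthetic: the adversary perturbs the server's sending pattern,
then correlates it against the bytes-per-interval series each candidate client's
access link shows, searching a few intervals of lag to absorb Tor's latency."""
import math
import random

def inject_pattern(seed, n):
    """Attacker's perturbation: an on/off burst schedule the server is made to
    follow, one value per NetFlow aggregation interval."""
    rng = random.Random(seed)
    return [rng.choice([0, 1]) for _ in range(n)]

def client_flow(pattern, rng, delay=0, base=12_000, burst=60_000, noise=4_000):
    """Bytes per interval on one client's access link: background traffic plus,
    if this client is the one talking to the server, the burst pattern arriving
    `delay` intervals later (assumed volumes, chosen for this illustration)."""
    series = []
    for t in range(len(pattern)):
        on = pattern[t - delay] if t >= delay else 0
        series.append(max(0, int(rng.gauss(base + on * burst, noise))))
    return series

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length series."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0

def best_lag(pattern, series, max_lag=5):
    """Correlation of the injected pattern with the observed series, maximised
    over a small window of delays; returns (r, lag)."""
    n = len(pattern)
    return max((pearson(pattern[:n - lag], series[lag:]), lag)
               for lag in range(max_lag + 1))

def confirm(pattern, candidates, threshold=0.8):
    """Score every candidate link and name those that carry the pattern."""
    scores = {name: best_lag(pattern, series) for name, series in candidates.items()}
    matches = sorted(name for name, (r, _) in scores.items() if r >= threshold)
    return scores, matches

def run_confirmation(n=120, seed=493):
    """Constructed scenario: three candidate links. alice is the suspect's and
    really is talking to the server, bob is idle, carol is busy with a different
    server whose traffic follows an unrelated pattern."""
    noise = random.Random(seed + 2)
    pattern = inject_pattern(seed, n)
    other = inject_pattern(seed + 1, n)
    candidates = {
        "alice": client_flow(pattern, noise, delay=2),
        "bob": client_flow([0] * n, noise),
        "carol": client_flow(other, noise, delay=1),
    }
    return confirm(pattern, candidates)

if __name__ == "__main__":
    scores, matches = run_confirmation()
    for name, (r, lag) in scores.items():
        print(f"{name:6s} r={r:+.3f} at lag {lag}")
    print("confirmed:", matches)
```

With 120 one-second buckets the suspect's link correlates at about 0.99 with the injected pattern while the unrelated links sit near zero, which is the notes' point: per-packet capture is unnecessary when the adversary can choose the pattern and then look for it in aggregate counters. The lag search is what absorbs circuit latency; an attacker against real Tor would additionally have to pick a perturbation coarse enough to survive fixed-size cells and multiplexing with other circuits on the same relay.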
Bottom line… *I* would never rely upon TOR alone.
● Consider it, itself, another layer of a more full “Defense in Depth.”
● The dream is that someone can sit at home and be fully anonymous. But that’s not the
Defense in depth:
● First of all… DO NOT do anything illegal. Do not do anything that you wouldn’t want the
Federal Government to know about.
● Traditional old school & new school.
● Go somewhere as far away as convenient.
● Be anonymous there… Pay with cash.
● Don’t go anywhere familiar, don’t stay long, don’t know anyone, don’t talk to anyone.
● Plan ahead to get in and out. Rehearse for speed. Get it done and leave.
● Don’t do ANYTHING having to do with your own identity.
● Perhaps purchase a cheap laptop just for this. Pay with cash.
● Override your laptop’s default MAC address.
● Use TOR and sacrifice real time performance
● Use widely dispersed global nodes.
● Use many nodes.
● In other words… Tor IS useful, but it’s not perfect. So always act as though it’s not.