
Re: [tor-talk] Getting de-anonymized with SSH (J. S. Evans)

Hello, first of all, thank you for the feedback.

On 2018-04-08 15:40, Me wrote:
> It can be complicated. Tor itself provides a multi-hop anonymizing TCP
> connection, however what your application may or
> may not do outside of Tor is uncontrolled, this is why the Tor Browser
> is recommended for use instead of simply proxying
> your regular browser through Tor, TBB is designed to minimize
> undesired side channels.
>
> Your question really is asking about undesired side channels, so the
> answer is, "It Depends". I'm not trying to be
> flippant, it can be complicated. For example if your client application
> checks server SSH certificates for status (CRL &
> OCSP) then you have two immediate concerns: (1) is the OCSP check
> routing outside of Tor, thus potentially
> de-anonymizing you immediately, (2) Even if the cert check runs
> through Tor, do you ever access it outside of Tor,
> creating a potential for correlation. This is why there is still
> ongoing discussion of whether one should use certs
> within Tor.

I would like to be specific what I have in mind. In /etc/tor/torrc, I uncomment these lines:

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22

I then start the tor service and block port 22 with my local firewall so no normal TCP traffic goes to it.

I only access it remotely via "torsocks ssh xxxxxxxxx.onion"

I wasn't thinking about potential issues with the certificate. Thanks for bringing that up, I'll look into that. Vanilla telnet might be an option. Obviously, you would never do that in the open internet, but it's not such a bad idea within the confines of Tor and its inherent security.

> Another common side channel is DNS. Does the address resolution happen
> outside Tor (unfortunately a common error), in
> which case you're immediately de-anonymized. Even if it takes place
> within Tor, do you ever use it outside of Tor, again
> creating a potential for correlation.

From what I can tell, torsocks acts like a wrapper around the application that I am trying to use, in the case of my example, it is only the ssh client in most Linux distros. Does torsocks block or intercept DNS requests or does it just allow those requests to go through Tor? If it's just a passive proxy, I will need to research how to keep the ssh client from trying to use DNS.

> Then there are more esoteric concerns such as the potential for traffic
> analysis. Does your application create a periodic
> pattern of traffic bursts that could be correlated? This would require
> some pretty heavy effort, but not impossible. Do
> you have a Hidden Service that comes up and goes down in sync with a
> public presence?
>
> Last but not least, there are many executable products that run on
> your local machine, like JavaScript, that may
> de-anonymize, intentionally or otherwise, that are not obvious, such
> as: PDF documents, MS Office documents, and others.
> It's important to set your routing rules to allow ONLY your expected
> Tor connects and disallow everything else.

I don't think this would be an issue in my situation as there would be one application only using Tor and not the entire system.

Message: 1
Date: Sun, 8 Apr 2018 02:40:22 -0600
From: "J. S. Evans" <jsevans@xxxxxxxxxxxxxx>
To: <tor-talk@xxxxxxxxxxxxxxxxxxxx>
Subject: [tor-talk] Getting de-anonymized with SSH
Message-ID: <000701d3cf15$3e1c6ef0$ba554cd0$@gardeng.nom.es>
Content-Type: text/plain;	charset="us-ascii"

Hi all,

First of all, I know that the best way to stay anonymous on Tor when
browsing the web is to use the Tor Browser and be smart about how you use
What about when you're not using the web? If I am using ssh over Tor, is there a good chance that I can be de-anonymized? By this I mean ssh to an
onion service not to the external internet.
I would think that it is more safe than the web since you don't have to
worry about things like javascript, etc.

Am I correct, or are there other things that I am not aware of? Thanks!
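The two exposure points the thread turns on (an sshd behind the onion service that still listens on every interface, so port 22 is reachable directly unless the firewall holds, and a HiddenServicePort that forwards somewhere other than loopback) can be checked mechanically. The checker below is added here as an illustration and is not code from either poster; the sample torrc is the one quoted in the thread, the sshd_config fragments are constructed.

```python
from __future__ import annotations
from ipaddress import ip_address


def _is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the literal name 'localhost'."""
    host = host.strip("[]")
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def _host_of(target: str) -> str:
    """Split the host out of 'host', 'host:port' or '[v6]:port'."""
    if target.startswith("["):
        return target[1:target.index("]")]
    if target.count(":") == 1:          # exactly one colon: host:port (IPv4 or name)
        return target.split(":")[0]
    return target                        # bare host, or a bare IPv6 address


def check_torrc(torrc: str) -> list[str]:
    """Flag HiddenServicePort lines whose target is not on the local host.
    'HiddenServicePort 22' with no target means 127.0.0.1:22 (Tor's default)."""
    findings = []
    for line in torrc.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] != "HiddenServicePort":
            continue
        target = parts[2] if len(parts) > 2 else ""
        if not target or target.isdigit() or target.startswith("unix:"):
            continue                     # port-only and unix-socket targets stay local
        if not _is_loopback(_host_of(target)):
            findings.append(f"HiddenServicePort {parts[1]} forwards to non-loopback {target}")
    return findings


def check_sshd_config(sshd_config: str) -> list[str]:
    """Without ListenAddress, sshd binds all interfaces; only loopback keeps it Tor-only."""
    listens = [_host_of(p[1]) for p in
               (l.split("#", 1)[0].split() for l in sshd_config.splitlines())
               if len(p) >= 2 and p[0].lower() == "listenaddress"]
    if not listens:
        return ["sshd has no ListenAddress: bound on all interfaces, port 22 exposed unless filtered"]
    return [f"sshd ListenAddress {a} is reachable off-host" for a in listens if not _is_loopback(a)]


TORRC_FROM_THREAD = "HiddenServiceDir /var/lib/tor/hidden_service/\nHiddenServicePort 22\n"
SSHD_DEFAULT = "Port 22\n"                       # constructed: no ListenAddress at all
SSHD_LOOPBACK_ONLY = "ListenAddress 127.0.0.1\nListenAddress [::1]:22\n"   # constructed
```

With the thread's torrc and a default sshd_config, only the sshd finding is reported; binding sshd to loopback clears it without depending on the firewall rule.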

