
Re: [tor-talk] End-to-end correlation for fun and profit



----- Forwarded message from Bryce Lynch <virtualadept@xxxxxxxxx> -----

From: Bryce Lynch <virtualadept@xxxxxxxxx>
Date: Tue, 21 Aug 2012 12:49:02 -0400
To: zs-p2p@xxxxxxxxxxxxxxxx
Cc: doctrinezero@xxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] End-to-end correlation for fun and profit
Reply-To: zs-p2p@xxxxxxxxxxxxxxxx

On Mon, Aug 20, 2012 at 3:43 PM, Eugen Leitl <eugen@xxxxxxxxx> wrote:
> ----- Forwarded message from Maxim Kammerer <mk@xxxxxx> -----

Beta testing some criticism here...

> Anyway, let's do some math. Below, you will find a table where left
> column denotes the number of Guard+Exit+Fast+Stable Tor relays one
> needs to sniff at Class-C level, and right column denotes the

"...at Class-C level..."

This sounds like a class C network, i.e. a /24 (like 192.168.1.0/255.255.255.0).

> 10 11.50%

So, in other words, you'd have to have 10 Tor routers on the same
network.  That's like me having 10 Tor nodes on my home network and
not setting the NodeFamily directive in torrc.  Somebody playing games
aside, I can see this happening for nodes that are spun up in VPS
environments, like the EC2 or Linode.

I've cut the rest of the percentages, not to be catty but just for the
sake of brevity.

> As you can see, sniffing just 25 Class-C networks (or 42 individual
> nodes) lets an adversary correlate ~25% of (non-.onion) circuits.

Ouch.

Poking around in the Tor sourcecode (config.c) I find the function
is_local_addr(), which takes an IP address as its argument and
determines whether or not an IP address is on the same /24 (class C
network) as the instance of Tor.

Now, I will freely admit that I might be talking through my hat on
this matter because it's been ages since I last read through the Tor
codebase so my recollection may be incorrect.  But, wasn't Tor
designed to not pick other nodes that were within the same /24 of a
particular instance?

> All of these servers are in US/CA or EU jurisdiction, so even an
> unsophisticated LE operation can issue ~20 wiretapping orders at ISP
> level (many of these networks are operated by same hosting providers),
> and immediately deanonymize ~25% of Tor traffic. So far for anonymity!

Or they could get a blanket wiretapping order and catch them all at
once.  I've often wondered if it's worth running Tor routers on the
EC2 for this reason.

> [1] http://pastebin.com/hgtXMSyx

Now to catch up on the Tor mailing list to see whether or not I'm full of it...

-- 
The Doctor [412/724/301/703] [ZS]
https://drwho.virtadpt.net/
"I am everywhere."

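The same-/24 ("class C") test discussed above, as an added example in Python; this is not Tor's own code and not from the thread. It groups a constructed relay list by /24 (the "networks vs. individual nodes" distinction in the quoted table) and flags a proposed path whose hops share a /24, the condition the post says path selection should avoid. Relay names and addresses are made up.

```python
import ipaddress
from collections import defaultdict

# Constructed sample relay list: placeholder names -> IPv4 addresses
# (documentation ranges, not real Tor relays).
RELAYS = {
    "relayA": "203.0.113.10",
    "relayB": "203.0.113.77",
    "relayC": "198.51.100.5",
    "relayD": "192.0.2.200",
    "relayE": "198.51.100.250",
}


def slash24(addr: str) -> ipaddress.IPv4Network:
    """Return the /24 containing an IPv4 address (its old 'class C' block)."""
    return ipaddress.ip_network(f"{addr}/24", strict=False)


def same_slash24(addr_a: str, addr_b: str) -> bool:
    """True when both addresses share their first 24 bits."""
    return slash24(addr_a) == slash24(addr_b)


def group_by_slash24(relays: dict) -> dict:
    """Map each /24 to the relays inside it, so an operator can see how many
    distinct networks a relay set really spans (e.g. 42 nodes in 25 /24s)."""
    groups = defaultdict(list)
    for name, ip in relays.items():
        groups[str(slash24(ip))].append(name)
    return dict(groups)


def path_violates_subnet_rule(path: list, relays: dict) -> bool:
    """True if any two hops of a proposed path share a /24; such a path
    lets a single network-level observer see more than one hop."""
    for i in range(len(path)):
        for j in range(i + 1, len(path)):
            if same_slash24(relays[path[i]], relays[path[j]]):
                return True
    return False


if __name__ == "__main__":
    for net, members in sorted(group_by_slash24(RELAYS).items()):
        print(net, members)
    print(path_violates_subnet_rule(["relayA", "relayC", "relayB"], RELAYS))
```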


----- End forwarded message -----
-- 
Eugen* Leitl <http://leitl.org>
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE