
Re: [tor-talk] Thoughts on Guards



On Mon, Jun 09, 2014 at 05:09:31PM +0200, Martin Kepplinger wrote:
> So assuming that people here
> https://www.blackhat.com/us-14/briefings.html#you-dont-have-to-be-the-nsa-to-break-tor-deanonymizing-users-on-a-budget
> are serious and do a "straight-forward", yet clever passive-observer
> attack on Users; Given that they are listening *really* well and
> knowingly manage to become Guard + Exit of Users in order to deanonymize
> them:

I really don't think you need to be Guard+Exit for that. They talk about
"successful real-world de-anonymization case studies, ranging from attribution
of botnet command and control servers, to drug-trading sites, to users of
kiddie porn places". Those are cases in which they should be able to get law
enforcement assistance, even more so given that they work for CERT. And with
law enforcement assistance, you can do lots of fancy attacks.

As far as I can see, you don't need to be the guard to deanonymize
someone, it's enough to find out who the guard is, get a court order and sniff
the guard's traffic. And finding out who the guard is doesn't sound
terrifyingly hard to me - you could flood Tor relays with traffic and measure
whether there is any impact on the user's connection speed, you could measure
IP ID increases for all the Windows boxes that send out globally monotonic IP
IDs and are still allowed on the Tor network (see these posts on tor-relays by
me: https://lists.torproject.org/pipermail/tor-relays/2014-March/004199.html 
https://lists.torproject.org/pipermail/tor-relays/2014-April/004205.html
https://lists.torproject.org/pipermail/tor-relays/2014-April/004208.html ),
heck, maybe you'd even be able to use the bandwidth stats that relays publish
to trace stuff to the guard.

So I think that being a malicious exit might well be sufficient to trace
a user. Of course, all this stuff should work even better against hidden
services because it shouldn't matter if your attack takes a month to complete
as long as the entry guards stay the same.


> 2. Would some kind of "web-noise" generation in Torbrowser help? like so
> https://addons.mozilla.org/en-US/firefox/addon/white-noise-generator

Heh, never. In particular not because the exit or the server at the other end
might attack you with something like this open-source PoC I built for tracing
connections through Tor with an active end-to-end-correlation attack:

http://git.thejh.net/?p=detour.git;a=blob;f=README
http://git.thejh.net/?p=detour.git;a=tree

To prevent that attack traffic from being measurable, you'd need so much cover
traffic that the Tor network couldn't handle it anymore, I think.
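Both the guard-finding idea above (watch a relay's globally monotonic IP ID counter while you drive traffic through the user's circuit) and the detour-style active end-to-end correlation rest on the same inference: the attacker chooses an on/off traffic pattern and looks for the observation point whose packet counts move in step with it. The following is an added simulation of that inference, not code from the original post or from the detour project. The relay names, counter increments and burst sizes are constructed for the example; no packets are sent, the relays' IP ID counters are modelled in memory.

```python
"""Simulated IP-ID side channel: which candidate relay carries the attacker's bursts?

Added example. The relays, their background traffic and the burst size are
constructed for illustration; nothing here probes a real host.
"""
import random

IPID_MODULUS = 1 << 16  # the IPv4 Identification field is 16 bits, so a global counter wraps


def ipid_delta(prev, curr):
    """Packets emitted between two samples of a globally monotonic IP ID counter.

    Assumes at most one 16-bit wrap between samples (true when sampling is
    frequent relative to the host's packet rate)."""
    return (curr - prev) % IPID_MODULUS


def correlate(schedule, deltas):
    """Pearson correlation between the attacker's 0/1 schedule and per-interval deltas."""
    n = len(schedule)
    mean_s = sum(schedule) / n
    mean_d = sum(deltas) / n
    cov = sum((s - mean_s) * (d - mean_d) for s, d in zip(schedule, deltas))
    var_s = sum((s - mean_s) ** 2 for s in schedule)
    var_d = sum((d - mean_d) ** 2 for d in deltas)
    if var_s == 0 or var_d == 0:
        return 0.0
    return cov / (var_s * var_d) ** 0.5


def simulate_samples(schedule, guard, relays, rng, burst_packets=400):
    """Constructed model: every relay forwards random unrelated traffic each
    interval; only the real guard additionally forwards the attacker's burst
    when the schedule says 'on'. Returns {relay: [IP ID sample per interval]}."""
    counters = {r: rng.randrange(IPID_MODULUS) for r in relays}  # arbitrary start values
    samples = {r: [counters[r]] for r in relays}
    for on in schedule:
        for r in relays:
            background = rng.randint(100, 300)  # hypothetical unrelated packet count
            counters[r] = (counters[r] + background) % IPID_MODULUS
            if r == guard and on:
                counters[r] = (counters[r] + burst_packets) % IPID_MODULUS
            samples[r].append(counters[r])
    return samples


def rank_relays(schedule, samples):
    """Score each candidate by how well its IP ID deltas follow the schedule."""
    scores = {}
    for relay, s in samples.items():
        deltas = [ipid_delta(a, b) for a, b in zip(s, s[1:])]
        scores[relay] = correlate(schedule, deltas)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def identify_guard(seed=1, intervals=60):
    """Run one constructed experiment; the top-ranked relay should be the guard."""
    rng = random.Random(seed)
    relays = [f"relay{i}" for i in range(8)]  # hypothetical candidate relays
    guard = "relay5"                           # hidden ground truth for the simulation
    # balanced on/off schedule so the correlation is well defined
    schedule = [1] * (intervals // 2) + [0] * (intervals - intervals // 2)
    rng.shuffle(schedule)
    samples = simulate_samples(schedule, guard, relays, rng)
    return rank_relays(schedule, samples)


if __name__ == "__main__":
    for relay, score in identify_guard():
        print(f"{relay}: r={score:+.3f}")
```

The point the simulation makes is the one the post makes about cover traffic: the guard's counter stands out because the attacker-chosen pattern is large relative to the unrelated traffic the relay forwards (here a burst of 400 packets against 100 to 300 of background). Adding noise on the client side only helps if it is comparable in volume to the injected pattern across every interval, which is the "more cover traffic than the network can carry" problem described above.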


-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk