De-Anonymization, Smart Homes, and Erlang: Tor is Coming to SHA2017

 

One of the most common questions we get about Tor is some variation of “Is it safe to use?”

To answer the question, we rely on researchers and developers to look at the code and to try and find vulnerabilities and weaknesses in Tor. We just announced a bug bounty campaign for this purpose — literally paying you to hack Tor.

De-anonymization Techniques

One researcher who’s doing a lot of work on Tor vulnerabilities is Juha Nurmi. Next month, at the SHA2017 hacker camp and conference, he’ll present real world cases where Tor was de-anonymized, including cases of operational security failures, fingerprinting, or traffic analysis.

Tor makes all of its users look the same, which makes them anonymous (learn more). Because of this, any possible correlation attacks require monitoring and compromising the network on a global scale. To say that’s incredibly difficult to achieve is an understatement.

Tor Browser warning text. It reads "Maximizing Tor Browser can allow websites to determine your monitor size, which can be used to track you. We recommend that you leave Tor Browser windows in their original default size."

In fact, when users are de-anonymized, it’s usually because they didn’t follow one of the our guidelines (enabling plugins in Tor Browser, for example) and not because of any inherent flaw in the Tor network. We document warnings about common pitfalls, and we’re working on our user interface to provide more alerts when users do something potentially comprising, like adjusting the size of the browser’s window.

More information about the possible pitfalls and how to mitigate them will be available in Nurmi’s upcoming paper that will be published after the conference. It’ll include suggestions for how Tor and Tor users can mitigate these attacks. 

But that’s not all — there are several other Tor talks happening at SHA2017.

Smart Home Security with Tor

Most people are familiar with Tor as a network and as a browser, but moving forward, we’d like to include Tor in more parts of the web. To borrow some internet-speak, we want to Tor all the things!

Kalyan Dikshit from Mozilla will speak on one most important uses of Tor in the next decade: securing a plethora of internet-connected “smart home” devices.

Talla: An Erlang Implementation of Tor

Alexander Færøy will provide a technical walk-through of Talla, a third-party implementation of a Tor relay daemon in Erlang. You’ll gain a better understanding of the design, architecture and testing of a highly concurrent, fault-tolerant and complex application in Erlang.

Tor & Configuration Management

Sebastiaan Provost will talk about another area of focus for Tor moving forward: sustainably growing the Tor network.

Join the Tor Meetup

The conference has more than talks, and includes a Tor meetup (details to come!), a Family Area, and a host of interest-specific villages.

SHA2017 will take place in Zeewolde, about 35 miles east of Amsterdam, from 4-8 August. Get your tickets, and we’ll see you there.

 

Anonymous

July 24, 2017

Permalink

Hello t0mmy!

In fact, when users are de-anonymized, it’s usually because they didn’t follow one of the our guidelines (enabling Javascript in Tor Browser, for example)

I think you mean Java and not Javascript, correct?

By the way, for people that are a bit confused, see these nice paragraphs from mikeperry on why Javascript is enabled by default in the Tor Browser:

https://lists.torproject.org/pipermail/tor-talk/2012-May/024227.html

(why isn't this one linked to in the Tor FAQ? It should be IMHO)

Anonymous

July 24, 2017

Permalink

- will you please contact the team of the web-mails (tutanota e.g.) of your choice and educate them about providing a login without JavaScript ?
- when will we have a test page updated about the fingerprint (eff one is outdated) ?
- i love ricochet & onionshare.
- debian tor exists (as source-list) but default is now (hkps) https://deb.debian.org so could you contact them (debian-team) for providing an official option : onion_deb.debian.org ?
- what is the advantages of the erlang version (talla) ?
growing the tor network is really difficult ; the potential is great but you cannot convince the bad guys to walk on the right side : even free speech is becoming very difficult to be applied , censure, troll, spam, are a technique flooding a discussion often noticed (some blogs & mailing-list provide a tag reply but , in fact, you can't , it is locked and most of them (admin) do not allow any more comment.) so you should maybe spreading the (world) of the necessity for the news paper online (the guardian , register etc.) & the blogs speaking about security/tech to set an onion site opened for the comment as an unofficial/international free version (russian dissident need a free voice e.g)
i live too far for being present at the tor meetup/talks : it is a pity.
- could i create virtual tor user : virtual server / virtual onion (x100 e.g.) for hiding myself or someone else during a secret com and for protecting a user at a defined moment ?
i think about a special alert (the request) asking help on a private channel inside tor.
if someone is in danger or need to be a bit more invisible , this solidarity could be useful.
- Is it possible to implement this option ?

- will you please contact the team of the web-mails (tutanota e.g.) of your choice and educate them about providing a login without JavaScript ?

How can they decrypt messages on your browser without JS? By the way I don't think services that own your private key should be trusted (although they may be slightly better than some other services).

- when will we have a test page updated about the fingerprint (eff one is outdated) ?

See: https://fpcentral.irisa.fr/ and https://browserprint.info/

- i love ricochet & onionshare.

Me too :)

- debian tor exists (as source-list) but default is now (hkps) https://deb.debian.org so could you contact them (debian-team) for providing an official option : onion_deb.debian.org ?

I don't understand, are you saying that there should be a debian onion service? If so note that they already run onion services: https://onion.debian.org

Thank you for your long explanation.

#i said that the official source-list is not an onion service (deb + Tor http) but a new depo (deb.debian.org + hkps) ...
#if you want that Tor be more influent you should ask that the alternative (onion) become an official source-list : it is your job.

- is it relevant to add DANE on Tor ?
https://www.dnssec-validator.cz/
- are you able to make one ?
https://tutanota.com/blog/old-blog/YLZNI.html
https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
#if you want that Tor be more influent it could maybe the right decision to take : it is your job.
#i do not like OCSP , Calomel.org says that it useless.
#Edit : Preferences : advanced : Requests : Query OCSP responder servers to confirm the current validity of certificates

/How can they decrypt messages on your browser without JS?
#That's the point !
#innovation ? another option ? inherently insecure ? no quantum resistant ? a new model built security in mind must be created ?
#if you want that Tor be more influent a solution must be found : it is your job.
/By the way I don't think services that own your private key should be trusted (although they may be slightly better than some other services).
#That's the point !
#Built my own mail-server ? i should have to buy a raspery & a domain name for less than 100 e-mail/year ? i should pay the help that i give gratis to the others ? ... let's be serious pls.
#about the private-key on tutanota :
https://tutanota.uservoice.com/knowledgebase/articles/470721-where-are-…
#you can also store the key on your own pc/tablet see login page

/see: https://fpcentral.irisa.fr/ and https://browserprint.info/
Tor said on an old post that its own version was planned so i asked when will the Tor fingerprint test page be ready to use.
#if you want that Tor be more influent you could provide a tor fingerprint page test made by tor for tor users : it is your job.

When you install and update Debian normally, everyone on the line can see what you download, right? Debian explicit don't allow updating with TLS?
A kind of problematic De-Anonymization?
Debian-onion-mirrors are no help for that problem.

The topic is 'growing the Tor network' :
debian provides an onion service & sks provides one.
https://sks-keyservers.net/overview-of-pools.php
Tor hidden service
An experimental Tor OnionBalance hidden service is running as hkp://jirk5u4osbsr34t5.onion consisting of the servers marked with Tor support in the status list as backend.

[install and update Debian] : Your comment should be better at the right place posted at a debian mailing-list.
- you can install with jigdo or torrent via a vpn/proxy or not e.g.
jigdo & torrent verify the download & you verify again by comparing gpg key /sha
using onion is anonymous so no one can know who you are & what you are downloading is protected by an encrypted layer (https , vpn, proxies).
do not mix anonymity/integrity_authenticity/privacy : onion = anonymity, gpg = authenticity, layer/addon = privacy
using onion debian service you obtain privacy & anonymity , using sks you obtain also both but you can add an extra layer securing your download & update using a vpn/proxy.
gpg key are protected using hkp/hkps so no one can see your keys (verification/update).
- no, When you install and update Debian normally, everyone on the line cannot see what you download.
- yes, Debian-onion-mirrors are a help for that problem.

* a mirror is configured for authenticity & integrity is given by torrent/jigdo & gpgkey ; onion provides an anonymity/privacy layer but for a paranoid mode, you should use a vpn:proxy e.g.

[install and update Debian] is a beginner question : Setting/securing/ your o.s & be involved is up to you.

It is worth spending some time poking around debian.org for information. Not the best organized site in the world, but exploring it will yield rewards.

In the past, owing to a lack of server capacity, Debian discouraged users from downloading iso images for install media (suggesting jigdo or torrents instead), but owing to some generous server donations and to increased recognition of the all too real danger posed by bad guys modifying software during downloads, they seem to have become more willing to provide safer alternatives for at-risk Debian users.

In particular, there are several official Debian repository mirrors from which you can download an iso image of DVD#1 (the "live DVD" install disk) plus a GPG-signed list of SHA-256 and other hashes. Because of the size of the file (about 1.3 GB as I recall), you probably cannot do this using a browser but must use something like curl or wget. If you have Tails, you can painlessly tunnel wget through Tor simply by typing "wget [options] url" in a terminal while using Tails. This may be worth doing for the stronger authentication of the mirror itself, but may not actually provide strong anonymity.

With some effort, you can ask wget to use an encrypted connection (from the exit node to the mirror). However, because of the strong cryptographic verification and the anonymity which we hope is provided by the Tor circuit via Tails, this may not be needed.

(Not a TP employee, just another Tor and Debian user, so I defer to their expertise if I got anything wrong.)

(Speaking of cryptographic signatures: the founder of Debian, the late Ian Murdock, pretty much invented the modern package management system used by Ubuntu, Debian, and many other *nix distributions. Further, Debian was one of the first distributions to introduce cryptographic signatures for packages. However, Debian packages are not directly signed; rather, a file listing cryptographic hashes is signed. The potential problem here for Debian users is that it appears to be difficult to ensure that your package manager (probably synaptic) is using SHA-256 hashes rather than SHA-1 or MD-5, which are now considered to be unsafe. I'd welcome comment from Debian Project on this point, because I have never been able to find a clear description at debian.org of how the cryptographic package verification works.)

Anonymous

July 24, 2017

Permalink

Even recently killed services were worth to kill, it was too many success against tor...hopefully somebody will find the leak...

Anonymous

July 24, 2017

Permalink

> Smart Home Security with Tor: Most people are familiar with Tor as a network and as a browser, but moving forward, we’d like to include Tor in more parts of the web. To borrow some internet-speak, we want to Tor all the things!

Sounds like a terrific idea, and a great example of how TP is becoming more creative and ambitious in helping other groups use Tor to do good deeds, such as protecting IOT devices from the bad guys.

Anonymous

July 24, 2017

Permalink

> Sebastiaan Provost will talk about another area of focus for Tor moving forward: sustainably growing the Tor network.

Hurrah! This is very important for ensuring that Tor can continue to protect old users while protecting tens or hundreds of millions of new users in the new future.

@ Shari:

It should be a major TP goal to try to ensure that new researchers are constantly recruited to this field, while continuing to express our appreciation to those who have been working in it for many years.

Anonymous

July 24, 2017

Permalink

TBB is handling the warning "Maximizing Tor Browser can allow websites...."
really WRONG. !.
It needs the warning and the OK-button BEFORE the window is maximizing and not after. Logical, isn't it?

I always assumed that unless you

o hit "reload"

o click on a link

o enter another url and hit return,

the browser is not making any new connections and thus not sending up the wire the information that the window size has just changed. If so, the pop-up gives you the chance to immediately revert the maximization before potentially hostile website operators learn your maximal window size.

(Not a TP employee but just another user, so I defer to their expertise if I got anything wrong.)

Anonymous

July 25, 2017

Permalink

If we want more data going through TOR to avoid correlation attacks (or is this the least concern?), couldn't there be added some method of sending plenty of spoofing packages from one endpoint to another in some way. On top of running TOR Relays, people could be running "spoofing relays" that sends data packages to various sites. (maybe even some that are being visited by another TOR user at the same moment - without monitoring their activity somehow of course)

Or how about making some data packages grow in size with extra arbitrary data which would just be discarded upon arrival, (like make a 1kb entry data package look like a 3kb data package at the endpoint), making it harder to connect data packages going from entry to exit.

(I'm not a TOR export or even a novice, just have a big imagination which can give crazy ideas)

> spoofing packages

I presume you mean "spoofed traffic", e.g. loading random Wikipedia articles or randomly loading popular website pages.

Over the years, this tactic has often been discussed in this blog, and the response from TP has always been that currently the Tor network lacks capacity to support widespread traffic spoofing, and that TP discourages users from writing their own scripts to do this.

(Not a TP employee, just another user like you, so I defer to their expertise if I got anything wrong.)

If you knew more about cryptography than "omg SHA1 is bad!!!11!" and if you kept up with the work that Tor is almost done doing, you'd know this is a really dumb comment to make.

Anonymous

July 25, 2017

Permalink

I have been receiving error messages stating "Access denied" from different sites when i use Tor. Has this happened to anyone?

Anonymous

July 25, 2017

Permalink

i would like to know if these apps/researchs could be improved using Tor technical background or are better than a Tor solution :
Riffle: An Efficient Communication System With Strong Anonymity
Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis
i know that it is a first approach and not yet a stable perfect system but Riffle&Vuvuzela look interesting.

Join the discussion...

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

8 + 8 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.