arma's blog

Did the FBI Pay a University to Attack Tor Users?

The Tor Project has learned more about last year's attack by Carnegie Mellon researchers on the hidden service subsystem. Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes. We publicized the attack last year, along with the steps we took to slow down or stop such an attack in the future:

Here is the link to their (since withdrawn) submission to the Black Hat conference:
along with Ed Felten's analysis at the time:

We have been told that the payment to CMU was at least $1 million.

There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.

Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.

This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses "research" as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks — if this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.

When we learned of this vulnerability last year, we patched it and published the information we had on our blog:

We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor — but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people's privacy, and certainly cannot give it the color of "legitimate research".

Whatever academic security research should be in the 21st century, it certainly does not include "experiments" for pay that indiscriminately endanger strangers without their knowledge or consent.

A technical summary of the Usenix fingerprinting paper

Albert Kwon, Mashael AlSabah, and others have a paper entitled Circuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden Services at the upcoming Usenix Security symposium in a few weeks. Articles describing the paper are making the rounds currently, so I'm posting a technical summary here, along with explanations of the next research questions that would be good to answer. (I originally wrote this summary for Dan Goodin for his article at Ars Technica.) Also for context, remember that this is another research paper in the great set of literature around anonymous communication systems—you can read many more at

"This is a well-written paper. I enjoyed reading it, and I'm glad the researchers are continuing to work in this space.

First, for background, run (don't walk) to Mike Perry's blog post explaining why website fingerprinting papers have historically overestimated the risks for users:
and then check out Marc Juarez et al's followup paper from last year's ACM CCS that backs up many of Mike's concerns:

To recap, this new paper describes three phases. In the first phase, they hope to get lucky and end up operating the entry guard for the Tor user they're trying to target. In the second phase, the target user loads some web page using Tor, and they use a classifier to guess whether the web page was in onion-space or not. Lastly, if the first classifier said "yes it was", they use a separate classifier to guess which onion site it was.

The first big question comes in phase three: is their website fingerprinting classifier actually accurate in practice? They consider a world of 1000 front pages, but and other onion-space crawlers have found millions of pages by looking beyond front pages. Their 2.9% false positive rate becomes enormous in the face of this many pages—and the result is that the vast majority of the classification guesses will be mistakes.

For example, if the user loads ten pages, and the classifier outputs a guess for each web page she loads, will it output a stream of "She went to Facebook!" "She went to Riseup!" "She went to Wildleaks!" while actually she was just reading posts in a Bitcoin forum the whole time? Maybe they can design a classifier that works well when faced with many more web pages, but the paper doesn't show one, and Marc Juarez's paper argues convincingly that it's hard to do.

The second big question is whether adding a few padding cells would fool their "is this a connection to an onion service" classifier. We haven't tried to hide that in the current Tor protocol, and the paper presents what looks like a great classifier. It's not surprising that their classifier basically stops working in the face of more padding though: classifiers are notoriously brittle when you change the situation on them. So the next research step is to find out if it's easy or hard to design a classifier that isn't fooled by padding.

I look forward to continued attention by the research community to work toward answers to these two questions. I think it would be especially fruitful to look also at true positive rates and false positives of both classifiers together, which might show more clearly (or not) that a small change in the first classifier has a big impact on foiling the second classifier. That is, if we can make it even a little bit more likely that the "is it an onion site" classifier guesses wrong, we could make the job of the website fingerprinting classifier much harder because it has to consider the billions of pages on the rest of the web too."

Preliminary analysis of Hacking Team's slides

A few weeks ago, Hacking Team was bragging publicly about a Tor Browser exploit. We've learned some details of their proposed attack from a leaked powerpoint presentation that was part of the Hacking Team dump.

The good news is that they don't appear to have any exploit on Tor or on Tor Browser. The other good news is that their proposed attack doesn't scale well. They need to put malicious hardware on the local network of their target user, which requires choosing their target, locating her, and then arranging for the hardware to arrive in the right place. So it's not really practical to launch the attack on many Tor users at once.

But they actually don't need an exploit on Tor or Tor Browser. Here's the proposed attack in a nutshell:

1) Pick a target user (say, you), figure out how you connect to the Internet, and install their attacking hardware on your local network (e.g. inside your ISP).

2) Wait for you to browse the web without Tor Browser, i.e. with some other browser like Firefox or Chrome or Safari, and then insert some sort of exploit into one of the web pages you receive (maybe the Flash 0-day we learned about from the same documents, or maybe some other exploit).

3) Once they've taken control of your computer, they configure your Tor Browser to use a socks proxy on a remote computer that they control. In effect, rather than using the Tor client that's part of Tor Browser, you'll be using their remote Tor client, so they get to intercept and watch your traffic before it enters the Tor network.

You have to stop them at step two, because once they've broken into your computer, they have many options for attacking you from there.
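A defender-side check for the end state of step 3, as an added example that is not Tor Project code: it parses a Firefox-style `prefs.js` and reports when the SOCKS proxy host is not on the local machine. The sample preference text and the `203.0.113.7` address are constructed, the function names are hypothetical, and treating proxy type 1 and a `file://` socket path as the expected local configuration is an assumption.

```python
import ipaddress
import json
import re

# Matches lines such as: user_pref("network.proxy.socks", "127.0.0.1");
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Constructed sample inputs (not taken from any real profile).
CLEAN_PREFS = '''
// user-modified preferences
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9150);
user_pref("network.proxy.type", 1);
'''
TAMPERED_PREFS = '''
user_pref("network.proxy.socks", "203.0.113.7");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.type", 1);
'''


def parse_prefs(text):
    """Return {name: value} for every pref line in a prefs.js-style file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)  # strings, integers, true/false
        except ValueError:
            prefs[name] = raw  # keep unparsed values as raw text
    return prefs


def is_local_host(host):
    """True for loopback addresses, 'localhost', or a local socket path."""
    h = str(host).strip().lower()
    # Assumption: a file:// value names a Unix domain socket on this machine.
    if h == "localhost" or h.startswith("file://"):
        return True
    try:
        return ipaddress.ip_address(h.strip("[]")).is_loopback
    except ValueError:
        return False  # any other hostname is treated as remote


def audit_socks_proxy(prefs_text):
    """List the proxy settings that no longer point at a local Tor client."""
    prefs = parse_prefs(prefs_text)
    findings = []
    host = prefs.get("network.proxy.socks")
    # A missing pref means the browser's built-in default is still in effect.
    if host is not None and not is_local_host(host):
        port = prefs.get("network.proxy.socks_port", "?")
        findings.append(f"SOCKS proxy is not local: {host!r} port {port}")
    ptype = prefs.get("network.proxy.type")
    # Assumption: 1 (manual proxy configuration) is the expected value.
    if ptype is not None and ptype != 1:
        findings.append(f"proxy type is {ptype}, expected 1 (manual)")
    return findings


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_PREFS), ("tampered", TAMPERED_PREFS)):
        print(label, audit_socks_proxy(text) or "ok")
```

Because the attacker in this scenario already controls the machine, a check like this is only a tripwire: it can be altered along with the preferences it reads.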

Their proposed attack requires Hacking Team (or your government) to already have you in their sights. This is not mass surveillance — this is very targeted surveillance.

Another answer is to run a system like Tails, which avoids interacting with any local resources. In this case there should be no opportunity to insert an exploit from the local network. But that's still not a complete solution: some coffeeshops, hotels, etc will demand that you interact with their local login page before you can access the Internet. Tails includes what they call their 'unsafe' browser for these situations, and you're at risk during that brief period when you use it.

Ultimately, security here comes down to having safer browsers. We continue to work on ways to make Tor Browser more resilient against attacks, but the key point here is that they'll go after the weakest link on your system — and at least in the scenarios they describe, Tor Browser isn't the weakest link.

As a final point, note that this is just a powerpoint deck (probably a funding pitch), and we've found no indication yet that they ever followed through on their idea.

We'll update you with more information if we learn anything further. Stay safe out there!

Sue Gardner and the Tor strategy project

Sue Gardner, the former executive director of the Wikimedia Foundation, has been advising Tor informally for several months. She attended Tor's most recent in-person meeting in Valencia in early March and facilitated several sessions. Starting today, and for about the next year, Sue will be working with us to help The Tor Project develop a long-term organizational strategy. The purpose of this strategy project is to work together, all of us, to develop a plan for making Tor as effective and sustainable as it can be.

Sue is a great fit for this project. In addition to being the former executive director of Wikimedia, she has been active in FLOSS communities since 2007. She's an advisor or board member with many organizations that do work related to technology and freedom, including the Wikimedia Foundation, the Sunlight Foundation, the Committee to Protect Journalists, and Global Voices. She has lots of experience developing organizational strategy, growing small organizations, raising money, handling the media, and working with distributed communities. She's a proud recipient of the Nyan Cat Medal of Internet Awesomeness for Defending Internet Freedom, and was recently given the Cultural Humanist of the year award by the Harvard Humanist Association.

We aim for this project to be inclusive and collaborative. Sue's not going to be making up a strategy for Tor herself: the idea is that she will facilitate the development of strategy, in consultation with the Tor community and Tor stakeholders (all the other people who care about Tor), as much as possible in public, probably on our wikis.

Sue's funding for this project will come via First Look Media, which also means this is a great opportunity to strengthen our connections to our friends at this non-profit organization. (You may know of them because of The Intercept.)

As she does the work, she'll be asking for participation from members of the Tor community. Please help her as much as you can.

I'm excited that we're moving forward with this project. We welcome Sue as we all work together to make security, privacy, and anonymity possible for everyone.

Tor and are released

Tor and fix two security issues that could be used by an attacker to crash hidden services, or crash clients visiting hidden services. Hidden services should upgrade as soon as possible; clients should upgrade whenever packages become available.

These releases also contain two simple improvements to make hidden services a bit less vulnerable to denial-of-service attacks.

We also made a Tor release so that Debian stable can easily integrate these fixes.

The Tor Browser team is currently evaluating whether to put out a new Tor Browser stable release with these fixes, or wait until next week for their scheduled next stable release. (The bugs can introduce hassles for users, but we don't currently view them as introducing any threats to anonymity.)

Changes in version - 2015-04-06

  • Major bugfixes (security, hidden service):
    • Fix an issue that would allow a malicious client to trigger an assertion failure and halt a hidden service. Fixes bug 15600; bugfix on Reported by "disgleirio".
    • Fix a bug that could cause a client to crash with an assertion failure when parsing a malformed hidden service descriptor. Fixes bug 15601; bugfix on Found by "DonnchaC".
  • Minor features (DoS-resistance, hidden service):
    • Introduction points no longer allow multiple INTRODUCE1 cells to arrive on the same circuit. This should make it more expensive for attackers to overwhelm hidden services with introductions. Resolves ticket 15515.

Changes in version - 2015-04-06

  • Major bugfixes (security, hidden service):
    • Fix an issue that would allow a malicious client to trigger an assertion failure and halt a hidden service. Fixes bug 15600; bugfix on Reported by "disgleirio".
    • Fix a bug that could cause a client to crash with an assertion failure when parsing a malformed hidden service descriptor. Fixes bug 15601; bugfix on Found by "DonnchaC".
  • Minor features (DoS-resistance, hidden service):
    • Introduction points no longer allow multiple INTRODUCE1 cells to arrive on the same circuit. This should make it more expensive for attackers to overwhelm hidden services with introductions. Resolves ticket 15515.
    • Decrease the amount of reattempts that a hidden service performs when its rendezvous circuits fail. This reduces the computational cost for running a hidden service under heavy load. Resolves ticket 11447.

Possible upcoming attempts to disable the Tor network

The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities. (Directory authorities help Tor clients learn the list of relays that make up the Tor network.) We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use.

We hope that this attack doesn't occur; Tor is used by many good people. If the network is affected, we will immediately inform users via this blog and our Twitter feed @TorProject, along with more information if we become aware of any related risks to Tor users.

The Tor network provides a safe haven from surveillance, censorship, and computer network exploitation for millions of people who live in repressive regimes, including human rights activists in countries such as Iran, Syria, and Russia. People use the Tor network every day to conduct their daily business without fear that their online activities and speech (Facebook posts, email, Twitter feeds) will be tracked and used against them later. Millions more also use the Tor network at their local internet cafe to stay safe for ordinary web browsing.

Tor is also used by banks, diplomatic officials, members of law enforcement, bloggers, and many others. Attempts to disable the Tor network would interfere with all of these users, not just ones disliked by the attacker.

Every person has the right to privacy. This right is a foundation of a democratic society. For example, if Members of the British Parliament or US Congress cannot share ideas and opinions free of government spying, then they cannot remain independent from other branches of government. If journalists are unable to keep their sources confidential, then the ability of the press to check the power of the government is compromised. If human rights workers can't report evidence of possible crimes against humanity, it is impossible for other bodies to examine this evidence and to react. In the service of justice, we believe that the answer is to open up communication lines for everyone, securely and anonymously.

The Tor network provides online anonymity and privacy that allow freedom for everyone. Like freedom of speech, online privacy is a right for all.

[Update Monday Dec 22: So far all is quiet on the directory authority front, and no news is good news.]
[Update Sunday Dec 28: Still quiet. This is good.]

Solidarity against online harassment

One of our colleagues has been the target of a sustained campaign of harassment for the past several months. We have decided to publish this statement to publicly declare our support for her, for every member of our organization, and for every member of our community who experiences this harassment. She is not alone and her experience has catalyzed us to action. This statement is a start.

The Tor Project works to create ways to bypass censorship and ensure anonymity on the Internet. Our software is used by journalists, human rights defenders, members of law enforcement, diplomatic officials, and many others. We do high-profile work, and over the past years, many of us have been the targets of online harassment. The current incidents come at a time when suspicion, slander, and threats are endemic to the online world. They create an environment where the malicious feel safe and the misguided feel justified in striking out online with a thousand blows. Under such attacks, many people have suffered — especially women who speak up online. Women who work on Tor are targeted, degraded, minimized and endure serious, frightening threats.

This is the status quo for a large part of the internet. We will not accept it.

We work on anonymity technology because we believe in empowering people. This empowerment is the beginning and a means, not the end of the discussion. Each person who has power to speak freely on the net also has the power to hurt and harm. Merely because one is free to say a thing does not mean that it should be tolerated or considered reasonable. Our commitment to building and promoting strong anonymity technology is absolute. We have decided that it is not enough for us to work to protect the world from snoops and censors; we must also stand up to protect one another from harassment.

It's true that we ourselves are far from perfect. Some of us have written thoughtless things about members of our own community, have judged prematurely, or conflated an idea we hated with the person holding it. Therefore, in categorically condemning the urge to harass, we mean categorically: we will neither tolerate it in others, nor will we accept it among ourselves. We are dedicated to both protecting our employees and colleagues from violence, and trying to foster more positive and mindful behavior online ourselves.

Further, we will no longer hold back out of fear or uncertainty from an opportunity to defend a member of our community online. We write tools to provide online freedom but we don't endorse online or offline abuse. Similarly, in the offline world, we support freedom of speech but we oppose the abuse and harassment of women and others. We know that online harassment is one small piece of the larger struggle that women, people of color, and others face against sexism, racism, homophobia and other bigotry.

This declaration is not the last word, but a beginning: We will not tolerate harassment of our people. We are working within our community to devise ways to concretely support people who suffer from online harassment; this statement is part of that discussion. We hope it will contribute to the larger public conversation about online harassment and we encourage other organizations to sign on to it or write one of their own.

For questions about Tor, its work, its staff, its funding, or its world view, we encourage people to directly contact us (Media contact: Kate Krauss, press @ We also encourage people to join our community and to be a part of our discussions:

In solidarity against online harassment,

Roger Dingledine
Nick Mathewson
Kate Krauss
Wendy Seltzer
Caspar Bowden
Rabbi Rob Thomas
Karsten Loesing
Matthew Finkel
Griffin Boyce
Colin Childs
Georg Koppen
Tom Ritter
Erinn Clark
David Goulet
Nima Fatemi
Steven Murdoch
Linus Nordberg
Arthur Edelstein
Aaron Gibson
Anonymous Supporter
Matt Pagan
Philipp Winter
Sina Rabbani
Jacob Appelbaum
Karen Reilly
Meredith Hoban Dunn
Moritz Bartl
Mike Perry
Sukhbir Singh
Sebastian Hahn
Nicolas Vigier
Nathan Freitas
Leif Ryge
Runa Sandvik
Andrea Shepard
Isis Agora Lovecruft
Arlo Breault
Ásta Helgadóttir
Mark Smith
Bruce Leidl
Dave Ahmad
Micah Lee
Sherief Alaa
Virgil Griffith
Rachel Greenstadt
Andre Meister
Andy Isaacson
Gavin Andresen
Scott Herbert
Colin Mahns
John Schriner
David Stainton
Doug Eddy
Pepijn Le Heux
Priscilla Oppenheimer
Ian Goldberg
Rebecca MacKinnon
Nadia Heninger
Cory Svensson
Alison Macrina
Arturo Filastò
Collin Anderson
Andrew Jones
Eva Blum-Dumontet
Jan Bultmann
Murtaza Hussain
Duncan Bailey
Sarah Harrison
Tom van der Woerdt
Jeroen Massar
Brendan Eich
Joseph Lorenzo Hall
Jean Camp
Joanna Rutkowska
Daira Hopwood
William Gillis
Adrian Short
Bethany Horne
Andrea Forte
Hernán Foffani
Nadim Kobeissi
Jakub Dalek
Rafik Naccache
Nathalie Margi
Asheesh Laroia
Ali Mirjamali
Huong Nguyen
Meerim Ilyas
Timothy Yim
Mallory Knodel
Randy Bush
Zachary Weinberg
Claudio Guarnieri
Steven Zikopoulos
Michael Ceglar
Henry de Valence
Zachariah Gibbens
Jeremy M. Harmer
Ilias Bartolini
René Pfeiffer
Percy Wegmann
Tim Sammut
Neel Chauhan
Matthew Puckey
Taylor R Campbell
Klaus Layer
Colin Teberg
Jeremy Gillula
Will Scott
Tom Lowenthal
Rishab Nithyanand
Brinly Taylor
Craig Colman-Shepherd
A. Lizard
M. C. McGrath
Ross MacDonald
Esra'a Al Shafei
Gulnara Yunusova
Ben Laurie
Christian Vandrei
Tanja Lange
Markus Kitsinger
Harper Reed
Mark Giannullo
Alyssa Rowan
Daniel Gall
Kathryn Cramer
Camilo Galdos AkA Dedalo
Ralf-Philipp Weinmann
Miod Vallat
Carlotta Negri
Frederic Jacobs
Susan Landau
Jan Weiher
Donald A. Byrd
Jesin A.
Thomas Blanchard
Matthijs Pontier
Rohan Nagel
Cyril Brulebois
Neal Rauhauser
Sonia Ballesteros Rey
Florian Schmitt
Abdoulaye Bah
Simone Basso
Charlie Smith
Steve Engledow
Michael Brennan
Jeffrey Landale
Sophie Toupin
Dana Lane Taylor
Nagy Gabor
Shaf Patel
Augusto Amaral
Robin Molnar
Jesús Cea Avión
praxis journal
Jens Stomber
Noam Roberts
Ken Arroyo Ohori
Brian Kroll
Shawn Newell
Rasmus Vuori
Alexandre Guédon
Seamus Tuohy
Virginia Lange
Nicolas Sera-Leyva
Jonah Silas Sheridan
Ross McElvenny
Aaron Zauner
Christophe Moille
Micah Sherr
Gabriel Rocha
Yael Grauer
Kenneth Freeman
Dennis Winter
Lee Azzarello
Zaki Manian
Aaron Turner
Greg Slepak
Ethan Zuckerman
Pasq Gero
Pablo Suárez-Serrato
Kerry Rutherford
Andrés Delgado
Tommy Collison
Dan Luedders
Flávio Amieiro
Ulrike Reinhard
Melissa Anelli
Bryan Fordham
Nate Perkins
Jon Blanchard
Jonathan Proulx
Bunty Saini
Daniel Crowley
Matt Price
Charlie McConnell
Chuck Peters
Ejaz Ahmed
Laura Poitras
Benet Hitchcock
Dave Williams
Jane Avriette
Renata Avila
Sandra Ordonez
David Palma
Andre N Batista
Steve Bellovin
James Renken
Alyzande Renard
Patrick Logan
Rory Byrne
Holly Kilroy
Phillipa Gill
Leah Carey
Josh Steiner
Benjamin Mako Hill
Nick Feamster
Dominic Corriveau
Adrienne Porter Felt
Allen Gunn
Eric S Johnson
Hanno Wagner
Anders Hansen
Alexandra Stein
Tyler H. Meers
Shumon Huque
James Vasile
Andreas Kinne
Johannes Schilling
Niels ten Oever
David W. Deitch
Dan Wallach
Jon Penney
Starchy Grant
Damon McCoy
David Yip
Adam Fisk
Jon Callas
Aleecia M. McDonald
Marina Brown
Wolfgang Britzl
Chris Jones
Heiko Linke
David Van Horn
Larry Brandt
Matt Blaze
Radek Valasek
Galou Gentil
Douglas Perkins
Jude Burger
Myriam Michel
Jillian York
Michalis Polychronakis
Kostas Jakeliunas
Sebastiaan Provost
Sebastian Maryniak
Clytie Siddall
Claudio Agosti
Peter Laur
Maarten Eyskens
Tobias Pulls
Sacha van Geffen
Cory Doctorow
Tom Knoth
Fredrik Julie Andersson
Nighat Dad
Josh L Glenn
Vernon Tang
Jennifer Radloff
Domenico Lupinetti
Martijn Grooten
Rachel Haywire
Christoph Maria Sommer
J Duncan
Michael Kennedy Brodhead
Mansour Moufid
Melissa Elliott
Mick Morgan
Brenno de Winter
George Scriban
Ryan Harris
Ricard S. Colorado
Julian Oliver
Sebastian "bastik" G.
Te Rangikaiwhiria Kemara
Koen Van Impe
Kevin Gallagher
Sven "DrMcCoy" Hesse
Pavel Schamberger
Phillip M. Pether
Joe P. Lee
Stephanie Hyland
Maya Ganesh
Greg Bonett
Amadou Lamine Badji
Vasil Kolev
Jérémie Zimmermann
Cally Gordon
Hakisho Nukama
Daniel C Howe
Douglas Stebila
Jennifer Rexford
Nayantara Mallesh
Valeria de Paiva
Tim Bulow
Meredith Whittaker
Max Hunter
Maja Lampe
Thomas Ristenpart
Lisa Wright
August Germar
Ronald Deibert
Harlan Lieberman-Berg
Alan L. Stewart
Alexander Muentz
Erin Benson
Carmela Troncoso
David Molnar
Holger Levsen
Peter Grombach
John McIntyre
Lisa Geelan
Antonius Kies
Jörg Kruse
Arnold Top
Vladimir G. Ivanovic
Ahmet A. Sabancı
Henriette Hofmeier
Ethan Heilman
Daniël Verhoeven
Alex Shepard
Max Maass
Ed Agro
Andrew Heist
Patrick McDonald
Lluís Sala
Laurelai Bailey
José Manuel Cerqueira Esteves
Fabio Pietrosanti
Cobus Carstens
Harald Lampesberger
Douwe Schmidt
Sascha Meinrath
C. Waters
Bruce Schneier
George Danezis
Claudia Diaz
Kelley Misata
Denise Mangold
Owen Blacker
Zach Wick
Gustavo Gus
Alexander Dietrich
Frank Smyth
Dafne Sabanes Plou
Steve Giovannetti
Grit Hemmelrath
Masashi Crete-Nishihata
Michael Carbone
Amie Stepanovich
Kaustubh Srikanth
Enrique Piracés
Antoine Beaupré
Daniel Kahn Gillmor
Richard Johnson
Ashok Gupta
Alex Halderman
Brett Solomon
Raegan MacDonald
Joseph Steele
Marie Gutbub
Valeria Betancourt
Konstantin Müller
Emma Persky
Steve Wyshywaniuk
Tara Whalen
Joe Justen
Susan Kentner
Josh King
Juha Nurmi
John Saylor
Jurre van Bergen
Saedu Haiza
Anders Damsgaard
Sadia Afroz
Nat Meysenburg
Julian Assange
Dan Staples
Grady Johnson
Matthew Green
Cameron Williams
Roy Johnson
Laura S Potter-Brown
Meredith L. Patterson
Casey Dunham
Raymond Johansen
Kieran Thandi
Jason Gulledge
Matt Weeks
Khalil Sehnaoui
Brennan Novak
Casey Jones
Jesse Victors
Peter DeChristo
Nick Black
Štefan Gurský
Glenn Greenwald
Russell Handorf
Lisa D Lowe
Harry Halpin
Cooper Quintin
Mark Burdett
Conrad Corpus
Steve Revilak
Nate Shiff
Annie Zaman
Matthew Miller (Fedora Project)
David Fetter
Gabriella Biella Coleman
Ryan Lackey
Peter Clemenko
Serge Egelman
David Robinson
Sasa Savic
James McWilliams
Arrigo Triulzi
Kevin Bowen
Kevin Carson
Sajeeb Bhowmick
Dominik Rehm
William J. Coldwell
Niall Madhoo
Christoph Mayer
Simone Fischer-Hübner
George W. Maschke
Jens Kubieziel
Dan Hanley
Robin Jacks
Zenaan Harkness
Pete Newell
Aaron Michael Johnson
Kitty Hundal
Sabine "Atari-Frosch" Engelhardt
Wilton Gorske
Lukas Lamla
Kat Hanna
Polly Powledge
Sven Guckes
Georgia Bullen
Vladan Joler
Eric Schaefer
Ly Ngoc Quan Ly
Martin Kepplinger
Freddy Martinez
David Haren
Simon Richter
Brighid Burns
Peter Holmelin
Davide Barbato
Neil McKay
Joss Wright
Troy Toman
Morana Miljanovic
Simson Garfinkel
Harry Hochheiser
Malte Dik
Tails project
Kurt Weisman
Shaikh Rafia
Olivier Brewaeys
Sander Venema
James Murphy
Chris "The Paucie" Pauciello
Brad Parfitt
Jerry Whiting
Massachusetts Pirate Party
András Stribik
Alden Page
Juris Vetra
Zooko Wilcox-O'Hearn
Marcel de Groot
Ryan Henry
Joy Lowell
Guilhem Moulin
Werner Jacob
Tansingh S. Partiman
Bryce Alexander Lynch
Robert Guerra
John Tait
Sebastian Urbach
Atro Tossavainen
Alexei Czeskis
Greg Norcie
Greg Metcalfe
Benjamin Chrobot
Lorrie Faith Cranor
Jamie D. Thomas
EJ Infeld
Douglas Edwards
Cody Celine
Ty Bross
Matthew Garrett
Sam P.
Vidar Waagbø
Raoul Unger
Aleksandar Todorović
John Olinda
Graham Perkins
Casa Casanova
James Turnbull
Eric Hogue
Jacobo Nájera
Ben Adida

If you would like to be on this list of signers (please do — you don't have to be a part of Tor to sign on!), please reach us at tor-assistants @

Traffic correlation using netflows

People are starting to ask us about a recent tech report from Sambuddho's group about how an attacker with access to many routers around the Internet could gather the netflow logs from these routers and match up Tor flows. It's great to see more research on traffic correlation attacks, especially on attacks that don't need to see the whole flow on each side. But it's also important to realize that traffic correlation attacks are not a new area.

This blog post aims to give you some background to get you up to speed on the topic.

First, you should read the first few paragraphs of the One cell is enough to break Tor's anonymity analysis:

First, remember the basics of how Tor provides anonymity. Tor clients route their traffic over several (usually three) relays, with the goal that no single relay gets to learn both where the user is (call her Alice) and what site she's reaching (call it Bob).

The Tor design doesn't try to protect against an attacker who can see or measure both traffic going into the Tor network and also traffic coming out of the Tor network. That's because if you can see both flows, some simple statistics let you decide whether they match up.

Because we aim to let people browse the web, we can't afford the extra overhead and hours of additional delay that are used in high-latency mix networks like Mixmaster or Mixminion to slow this attack. That's why Tor's security is all about trying to decrease the chances that an adversary will end up in the right positions to see the traffic flows.

The way we generally explain it is that Tor tries to protect against traffic analysis, where an attacker tries to learn whom to investigate, but Tor can't protect against traffic confirmation (also known as end-to-end correlation), where an attacker tries to confirm a hypothesis by monitoring the right locations in the network and then doing the math.

And the math is really effective. There are simple packet counting attacks (Passive Attack Analysis for Connection-Based Anonymity Systems) and moving window averages (Timing Attacks in Low-Latency Mix-Based Systems), but the more recent stuff is downright scary, like Steven Murdoch's PET 2007 paper about achieving high confidence in a correlation attack despite seeing only 1 in 2000 packets on each side (Sampled Traffic Analysis by Internet-Exchange-Level Adversaries).

Second, there's some further discussion about the efficacy of traffic correlation attacks at scale in the Improving Tor's anonymity by changing guard parameters analysis:

Tariq's paper makes two simplifying assumptions when calling an attack successful [...] 2) He assumes that the end-to-end correlation attack (matching up the incoming flow to the outgoing flow) is instantaneous and perfect. [...] The second one ("how successful is the correlation attack at scale?" or maybe better, "how do the false positives in the correlation attack compare to the false negatives?") remains an open research question.

Researchers generally agree that given a handful of traffic flows, it's easy to match them up. But what about the millions of traffic flows we have now? What levels of false positives (algorithm says "match!" when it's wrong) are acceptable to this attacker? Are there some simple, not too burdensome, tricks we can do to drive up the false positives rates, even if we all agree that those tricks wouldn't work in the "just looking at a handful of flows" case?

More precisely, it's possible that correlation attacks don't scale well because as the number of Tor clients grows, the chance that the exit stream actually came from a different Tor client (not the one you're watching) grows. So the confidence in your match needs to grow along with that or your false positive rate will explode. The people who say that correlation attacks don't scale use phrases like "say your correlation attack is 99.9% accurate" when arguing it. The folks who think it does scale use phrases like "I can easily make my correlation attack arbitrarily accurate." My hope is that the reality is somewhere in between — correlation attacks in the current Tor network can probably be made plenty accurate, but perhaps with some simple design changes we can improve the situation.

The discussion of false positives is key to this new paper too: Sambuddho's paper mentions a false positive rate of 6%. That sounds like it means if you see a traffic flow at one side of the Tor network, and you have a set of 100000 flows on the other side and you're trying to find the match, then 6000 of those flows will look like a match. It's easy to see how at scale, this "base rate fallacy" problem could make the attack effectively useless.

And that high false positive rate is not at all surprising, since he is trying to capture only a summary of the flows at each side and then do the correlation using only those summaries. It would be neat (in a theoretical sense) to learn that it works, but it seems to me that there's a lot of work left here in showing that it would work in practice. It also seems likely that his definition of false positive rate and my use of it above don't line up completely: it would be great if somebody here could work on reconciling them.
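The base-rate arithmetic above, worked through as an added example (not code from the tech report or from Tor): it uses the post's reading of the 6% false positive rate with 100000 candidate flows, and the same functions apply to the 2.9% rate in the fingerprinting summary earlier on this page. The function names are hypothetical, and one true match and a true positive rate of 1.0 (the attacker never misses the real flow) are assumptions chosen to favour the attacker.

```python
import random


def expected_false_matches(candidates, true_matches, fpr):
    """Expected count of non-matching flows that the classifier flags."""
    return (candidates - true_matches) * fpr


def precision(candidates, true_matches, tpr, fpr):
    """Chance that a flagged flow is a real match: TP / (TP + FP)."""
    tp = true_matches * tpr
    fp = expected_false_matches(candidates, true_matches, fpr)
    return tp / (tp + fp) if tp + fp > 0 else 0.0


def max_fpr_for_precision(candidates, true_matches, tpr, target):
    """Largest false positive rate that still reaches the target precision."""
    tp = true_matches * tpr
    negatives = candidates - true_matches
    # Solve target = tp / (tp + negatives * fpr) for fpr.
    return tp * (1.0 - target) / (target * negatives)


def precision_by_scale(sizes, tpr, fpr):
    """Precision for one true match hidden in candidate sets of each size."""
    return [(n, precision(n, 1, tpr, fpr)) for n in sizes]


def simulate_precision(candidates, true_matches, tpr, fpr, trials, seed=1):
    """Monte Carlo check: share of flagged flows that are real matches."""
    rng = random.Random(seed)
    negatives = candidates - true_matches
    flagged_true = flagged_false = 0
    for _ in range(trials):
        flagged_true += sum(rng.random() < tpr for _ in range(true_matches))
        flagged_false += sum(rng.random() < fpr for _ in range(negatives))
    total = flagged_true + flagged_false
    return flagged_true / total if total else 0.0


if __name__ == "__main__":
    TPR = 1.0       # assumption: the real flow is always flagged
    FPR = 0.06      # the 6% figure discussed in the post
    FLOWS = 100_000  # the candidate-set size used in the post

    print("expected false matches:",
          round(expected_false_matches(FLOWS, 1, FPR)))
    print("chance a flagged flow is the real one:",
          f"{precision(FLOWS, 1, TPR, FPR):.6f}")
    print("FPR needed for a 50% chance:",
          f"{max_fpr_for_precision(FLOWS, 1, TPR, 0.5):.2e}")
    for n, p in precision_by_scale([10, 1_000, 100_000, 1_000_000], TPR, FPR):
        print(f"{n:>9} candidate flows -> precision {p:.6f}")
    print("simulated:", f"{simulate_precision(FLOWS, 1, TPR, FPR, 10):.6f}")
```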

For a possibly related case where a series of academic research papers misunderstood the base rate fallacy and came to bad conclusions, see Mike's critique of website fingerprinting attacks plus the follow-up paper from CCS this year confirming that he's right.

I should also emphasize that whether this attack can be performed at all has to do with how much of the Internet the adversary is able to measure or control. This diversity question is a large and important one, with lots of attention already. See more discussion here.

In summary, it's great to see more research on traffic confirmation attacks, but a) traffic confirmation attacks are not a new area so don't freak out without actually reading the papers, and b) this particular one, while kind of neat, doesn't supersede all the previous papers.

(I should put in an addendum here for the people who are wondering if everything they read on the Internet in a given week is surely all tied together: we don't have any reason to think that this attack, or one like it, is related to the recent arrests of a few dozen people around the world. So far, all indications are that those arrests are best explained by bad opsec for a few of them, and then those few pointed to the others when they were questioned.)

[Edit: be sure to read Sambuddho's comment below, too. -RD]
