De-Anonymization, Smart Homes, and Erlang: Tor is Coming to SHA2017
One of the most common questions we get about Tor is some variation of “Is it safe to use?”
To answer the question, we rely on researchers and developers to look at the code and to try and find vulnerabilities and weaknesses in Tor. We just announced a bug bounty campaign for this purpose — literally paying you to hack Tor.
One researcher who’s doing a lot of work on Tor vulnerabilities is Juha Nurmi. Next month, at the SHA2017 hacker camp and conference, he’ll present real world cases where Tor was de-anonymized, including cases of operational security failures, fingerprinting, or traffic analysis.
Tor makes all of its users look the same, which makes them anonymous (learn more). Because of this, any possible correlation attacks require monitoring and compromising the network on a global scale. To say that’s incredibly difficult to achieve is an understatement.
In fact, when users are de-anonymized, it’s usually because they didn’t follow one of our guidelines (enabling plugins in Tor Browser, for example) and not because of any inherent flaw in the Tor network. We document warnings about common pitfalls, and we’re working on our user interface to provide more alerts when users do something potentially compromising, like adjusting the size of the browser’s window.
More information about the possible pitfalls and how to mitigate them will be available in Nurmi’s upcoming paper that will be published after the conference. It’ll include suggestions for how Tor and Tor users can mitigate these attacks.
But that’s not all — there are several other Tor talks happening at SHA2017.
Smart Home Security with Tor
Most people are familiar with Tor as a network and as a browser, but moving forward, we’d like to include Tor in more parts of the web. To borrow some internet-speak, we want to Tor all the things!
Kalyan Dikshit from Mozilla will speak on one of the most important uses of Tor in the next decade: securing a plethora of internet-connected “smart home” devices.
Talla: An Erlang Implementation of Tor
Alexander Færøy will provide a technical walk-through of Talla, a third-party implementation of a Tor relay daemon in Erlang. You’ll gain a better understanding of the design, architecture and testing of a highly concurrent, fault-tolerant and complex application in Erlang.
Tor & Configuration Management
Sebastiaan Provost will talk about another area of focus for Tor moving forward: sustainably growing the Tor network.
Join the Tor Meetup
The conference has more than talks, and includes a Tor meetup (details to come!), a Family Area, and a host of interest-specific villages.
SHA2017 will take place in Zeewolde, about 35 miles east of Amsterdam, from 4-8 August. Get your tickets, and we’ll see you there.
I edited the post above for clarity. Thanks for your comment!
- When will we have a test page updated about the fingerprint (EFF one is outdated)?
- I love ricochet & onionshare.
- Debian Tor exists (as source-list) but default is now (hkps) https://deb.debian.org so could you contact them (debian-team) for providing an official option: onion_deb.debian.org?
- What are the advantages of the Erlang version (Talla)?
Growing the Tor network is really difficult; the potential is great but you cannot convince the bad guys to walk on the right side: even free speech is becoming very difficult to be applied, censure, troll, spam, are a technique flooding a discussion often noticed (some blogs & mailing-list provide a tag reply but, in fact, you can't, it is locked and most of them (admin) do not allow any more comment.) so you should maybe spreading the (world) of the necessity for the newspaper online (the Guardian, Register etc.) & the blogs speaking about security/tech to set an onion site opened for the comment as an unofficial/international free version (Russian dissident need a free voice e.g)
I live too far for being present at the Tor meetup/talks: it is a pity.
- Could I create virtual Tor user: virtual server / virtual onion (x100 e.g.) for hiding myself or someone else during a secret com and for protecting a user at a defined moment?
I think about a special alert (the request) asking help on a private channel inside Tor.
If someone is in danger or needs to be a bit more invisible, this solidarity could be useful.
- Is it possible to implement this option?