On being targeted by the NSA

As quoted in the original article on Das Erste:

We've been thinking of state surveillance for years because of our work in places where journalists are threatened. Tor's anonymity is based on distributed trust, so observing traffic at one place in the Tor network, even a directory authority, isn't enough to break it. Tor has gone mainstream in the past few years, and its wide diversity of users -- from civic-minded individuals and ordinary consumers to activists, law enforcement, and companies -- is part of its security. Just learning that somebody visited the Tor or Tails website doesn't tell you whether that person is a journalist source, someone concerned that her Internet Service Provider will learn about her health conditions, or just someone irked that cat videos are blocked in her location.

Trying to make a list of Tor's millions of daily users certainly counts as widescale collection. Their attack on the bridge address distribution service shows their "collect all the things" mentality -- it's worth emphasizing that we designed bridges for users in countries like China and Iran, and here we are finding out about attacks by our own country. Does reading the contents of those mails violate the wiretap act? Now I understand how the Google engineers felt when they learned about the attacks on their infrastructure.


July 03, 2014


Time to make ALL Tor connections, client-relay, relay-relay, and relay-exit obfs3 by default. It won't take anything to make, the code is already there, enhances security and anonymity, and give one up the NS@'s @$$!!

Good thinking, but it's not clear to me that this step would help as much as you hope. First, it isn't actually free to layer obfs3 on top of things -- many of the fastest relays are CPU-bound from doing AES, and adding an obfs3 layer effectively doubles the amount of work they'd do.

Second, the list of relays is still public, so they could still recognize Tor flows by their endpoints.

Also, the rules published in this article are not the entirety of their rules. We could easily imagine xkeyscore rules to recognize obfs2 flows, including a "does it have at least this much entropy" rule. Doing traffic obfuscation to defeat a real-time adversary who is deciding whether to filter you is quite different from doing obfuscation to defeat an adversary that computes on the flows after-the-fact. The latter seems much harder.

All of this said, I'm increasingly thinking that some sort of better obfuscation layer by default, between clients and the Tor network, would be useful. A simple DPI rule is one that they can write, deploy, and leave in place for weeks or months. A rule that involves grabbing a snapshot of IP addresses means pushing out new rules much more often. Maybe that's a difference that matters in practice. Also, using transient bridge addresses (a la Flashproxy) could be a big step forward in the arms race.

This comes up every once in a while, and obfs3 specifically is as "not-that-great" of an idea as the last time I commented on it.


arma appears to think that there is benefit to using some obfuscation for the link protocol, but I'm not convinced if that would raise the bar to the point where it's worth the engineering effort.

Is there a TOR Forum where people can share information about enhancements to TOR, vulnerabilities and what people's experiences are when using TOR?

This would be useful if such a forum doesn't already exist.

I have information which was provided by let's say an expert in the field for the time being and want that information to get to the developers of TOR for implementation.

For the use case you describe, you probably want to open a trac ticket:
Or mail us privately (e.g. tor-assistants) if it's something that should stay private to start.

For more general discussion, the mailing lists and irc channels are where the developers are:

We also launched a Tor stackexchange for general Q&A:

The forum question has come up several times, but if no developers will pay attention to it, it could easily be harmful rather than helpful. After all, all the developers but me have abandoned the blog comments here too. There is so much to do!

Perhaps we should do the exact opposite, G00berments around the globe are expecting us to try and hide in the shadows, as they do. Maybe we should expose them with all of the codes they use and plaster all of it over the www. Tor is already compromised so what have we to lose? I will wager the NSA will not take kindly to being exposed all over the world, and if they have no place to hide, they're screwed and exposed, I think they have a lot more to lose than we do.

A) Tor is already compromised? Citation please? See all the other threads here for background.

B) To "expose them with all the codes they use", what do you propose we actually do? That sure sounds hard.

Solutions for Tor's problems are known and available, but you won't adopt them because the real and ultimate truth is that Tor has always been an NSA honey-pot. You can deny it to yourselves so you can sleep nights, but that is the entire point of it. Any insider can tell you that the core, fundamental strategy of the NSA is to use the mathematical "attractor phenomenon." The MORE one uses, that person is self-selecting as even MORE worthy of attention. You can fix Tor if you really want to, but you'll notice an odd internal resistance to the very solutions that are clear and self-apparent. Any creative person or inventive engineer can show you the boring, methodical way to define a problem solution. There is no magical insight out of dark nothing and nowhere. Someone forms a list of the probable solutions or likely leads toward a solution. If the list is sufficiently long, somewhere on that list the better, best and even insightful solutions will rise higher on the list. Any of you can make such a list of ways to tighten Tor, but notice how those solutions will never be adopted. Because Tor is paid for by the U.S. government and fully controlled at highest levels so that it is kept with fundamental weaknesses to keep it open to the NSA. Include Russian, Chinese, Iranian, Cuban servers in the network. Ones that "tunnel" their information, in ways that no NSA or other government could trace the information, through those rabbit holes through Wonderlands. Name solutions that really work and you'll find the shouts growing louder around you from the inside, against those solutions. The better they are, the louder the voices against them.

More details would be useful for others to assess whether this is fact or conspiracy theory. Anonymity is actually really hard to do right, and here you are saying that there are good solutions, without specifying any of them, and then saying that people won't use them.

I encourage you to read http://freehaven.net/anonbib/ and attend the PETS symposium https://petsymposium.org/ and help design and research these solutions.

Funny how my comments were moderated, or removed. Censored as though in China actually. I didn't say anything other than that Tor is a honey-trap, financed by the U.S. And that insiders at Tor would stop any true improvements that really stopped the NSA from being effective. Just funny how this was moderated out. CENSORED. You people are as evil as Soviet Russia to censor what I said. And Despots all have their day. You will have yours.

Sorry about the delay. As you can read from other comments here, I'm the only one who thinks the blog comments are worth responding to, and I've been at PETS talking to researchers all of last week rather than dealing with the blog.

Or I guess the other alternative is that there's a massive conspiracy, and we actually *do* have plenty of time to sit around trying to figure out how to thwart everybody's efforts to make Tor better. :/


July 03, 2014


This is genuinely scary. It actually makes me scared to use Tor (which is their intention, I guess) or visit the Tor Project's website.

The future is dark.

Well, try not to do anything else on the Internet either then. :/ At least when you're using Tor they have a tough time tracking down what you're up to.

Somehow we have to get to the point where people think of Tor like they think of https. If you'd just read an article about how NSA is targeting people who use https, would you be scared of using https and switch to unencrypted browsing in order to stay under their radar?

I agree we have a right to our privacy! Good law abiding citizens value their privacy. Because one uses Tor or any other privacy software does not make them a criminal or should automatically put them under suspicion of such!

Meanwhile, some facts, points and questions to consider:

1.) The overwhelming majority of sites on the WWW do not use HTTPS (or any other form of encryption or authentication)
2.) The content of any such non-encrypted, non-authenticated site visited via Tor can be manipulated by any exit node via packet injection / Man In The Middle (MITM) attacks -- especially when JavaScript is enabled.
3.) JavaScript is fully-enabled in the default configuration of both Tor Browser Bundle as well as Tails.
4.) For HTTPS sites, how many people actually verify the certificates (e.g., by using the SHA1 fingerprints)?

And round and round we go. I don't want to downplay the huge problem that lack of https plays on our Internet (it is a huge problem!), but I do want to make sure we don't downplay that same risk for non-Tor users. I can do these attacks on my fellow comcast users. Or see the thread here about Starbucks. And VPNs have the same issues. And if we're talking about NSA like we are in this discussion, they apparently have lots of places on the Internet to see flows and inject/modify content.

So yes, I totally agree, but you missed a "2b" about similar dangers when trusting your local network instead. It really depends a lot on what sort of situation you're in.

"At all", yes -- especially during the initial handshake where it has to establish keys, send certs, etc. But hopefully it's not too different compared to the general slow-down introduced by Tor and introduced by general network latency.

Personally, it makes me want to use Tor more and more.
They can track me and come to my place if they want to, I'd be glad they lose their time for nothing.

At least in theory, a passive observer can't see the URL that you're fetching at an https website. So you are only saying hello to the nsa here if they're doing an active man-in-the-middle attack on your https connection, or if they are recording the flow and later plan to decrypt it somehow.

So, sounds good, carry on, but you might want to say hello to them in some other way too if you want them to be sure to notice. :)

No, when you're using https, an observer of the connection to the website can see the domain you're visiting ("torproject.org") but not the URL you fetch ("/?hello-nsa!").

The EFF "Tor and HTTPS" diagram blurs them together.


July 03, 2014


Kaspersky also has a lot of Tor nodes.
Why doesn't Tor block them automatically?

Almost 66% of tor nodes are governmental, packet-loggered, HTTP-proxied nodes.

I'm a fan of Kaspersky running exit relays. Many groups run exit relays. Diversity is where Tor's security comes from.

As for your "almost 66%" number... citation please? I think it is "almost 0%". But that should not make you happy, since one of the huge risks is about how many parts of the network they can observe, not how many relays they operate.

Happy to see people working in this direction. If you care about the topic, you should help them make the tool better.

That said, hidden services are a tiny fraction of the overall Tor network and Tor usage, and the issues in this blog post are primarily around use of Tor in general. So the upside of such a tool, in the face of these sorts of attacks, seems limited.

But that's not to say it wouldn't be useful against other attacks. Making the Internet safe means working on many directions at once.


July 04, 2014


I have one question about interception. Let's say the NSA controls a Directory Authority and some exit points. Client (A) connects with a Directory Authority they survey and uses one of their exit points too. Couldn't they connect the dots by only comparing the length of the session of Client A? Just curious.

Right idea but wrong details. If the adversary controls (or observes) just the directory authority and the exit relay, they don't have enough information to do the attack you describe (which we call an "end-to-end correlation attack" or a "traffic confirmation attack"), because they can't see your traffic as it enters the Tor network. You only use the directory authority to learn the list of relays, not to actually route traffic through.

However, if they control (or observe) the first relay that you pick in your circuit and also the last relay in your circuit, then they're in the right position to do such an attack. That's why the Tor design is about distributed trust.

For many more details, I recommend watching my 'Internet Days' talk. It's at point 'h' on https://www.torproject.org/docs/documentation#UpToSpeed

13:15 - 14:22 "surely no one will correlate their database this well, well we'll find out in 3 years whether they will or not"... the video was uploaded october 2010 + 3 years = october 2013.... 3 months after the snowden leaks #Conspiracy


July 04, 2014


I think the tag "target-humanity" instead of "target-america" would be more fitting...

The leaked code snippet (http://daserste.ndr.de/panorama/xkeyscorerules100.txt) is "only" a selector for mining in NSA's data cache - we need to wait for a whistle-blower describing the amount of intercepted backbone traffic to better assess the significance of the XKeyscore rules.

Yes, I completely agree.

Some unknown questions are still: 1) ok, so what flows do you run these rules on? and then 2) do you collect enough info about each flow to be able to do correlation on them? If we assume the NSA has all the packets on the Internet, then we already know we're in bad shape. And if we assume they don't see that much, or they do but they don't write down that much, then we're in better shape.


July 04, 2014


This means all nodes and all bridges are monitored in real time. Then anonymity of the Tor network is broken because Tor is not designed to resist correlation attacks on both ends of the circuit.

Not necessarily -- it means that they have rules that could be run on traffic if they had the traffic. It doesn't say anything about whether they have the traffic. See

(Just seeing DPI rules is not that surprising -- http://freehaven.net/anonbib/ has many papers about how to do such attacks once you have the traffic flows.)


July 04, 2014


Ladies and Gentlemen: Start your relays!
Folks, I can tell you that this only motivates me more to provide anonymity services to the users. I am sure that not only the NSA is snooping for Tor, but every serious surveillance service in the world (China, Russia, Iran, Europe ...). But the fact that the NSA commits that "Tor stinks" (1), shows that our distributed anonymity service works.
There is no 100 % security and even the TBB can be cracked (2)(3), but at least this is more costly effort for the surveillants.
And that is what it's all about: Make surveillance difficult and expensive. The agencies are limited in budget and workforce, we *can* cause trouble to them! It depends only on us, the users, how many of us are surveilled to what extent.

=> So (re)start your relays and increase the bandwidth!

1) http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-networ…
2) http://arstechnica.com/security/2013/08/attackers-wield-firefox-exploit…
3) http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted…


July 04, 2014


And in other news...

torproject.org used to be 256-bit encrypted.

Now 128-bit - because the USA government National Spy Agency has the keys already?

But this won't be posted anyhow.


July 05, 2014



I have disabled every non-256 bit encryption and torproject.org gets loaded using AES-256.

For Firefox go to about:config, search for "ssl3" and leave only lines enabled with "256" in it, problem solved.

How does the NSA break SSL?

On the NSA

Has the NSA broken SSL? TLS? AES?

Have spooks smashed RC4?

The conclusion of it at the time is that breaking TLS on a large scale, as in worldwide, is very expensive and it seems no one has actually broken TLS. Successful attacks don't scale well and therefore don't seem to be widespread. The easiest way to break crypto is weak implementations. If you don't want to stop using TLS entirely, the best thing you can do is to use the best thing you can get. So disable everything below 256 bit.