The New Research from Northeastern University

by arma | July 25, 2016

We’ve been speaking to journalists who are curious about a HotPETS 2016 talk from last week: the HOnions: Towards Detection and Identification of Misbehaving Tor HSDirs research paper conducted by our colleagues at Northeastern University. Here's a short explanation, written by Donncha and Roger.

Internally, Tor has a system for identifying bad relays. When we find a bad relay, we throw it out of the network.

But our techniques for finding bad relays aren't perfect, so it's good that there are other researchers also working on this problem. Acting independently, we had already detected and removed many of the suspicious relays that these researchers have found.

The researchers have sent us a list of the other relays that they found, and we're currently working on confirming that they are bad. (This is tougher than it sounds, since the technique used by the other research group only detects that relays *might* be bad, so we don't know which ones to blame for sure.)

It's especially great to have this other research group working on this topic, since their technique for detecting bad relays is different from our technique, and that means better coverage.

As far as we can tell, the misbehaving relays' goal in this case is just to discover onion addresses that they wouldn't be able to learn other ways—they aren't able to identify the IP addresses of hosts or visitors to Tor hidden services.

The authors here are not trying to discover new onion addresses. They are trying to detect other people who are learning about onion addresses by running bad HSDirs/relays.

This activity only allows attackers to discover new onion addresses. It does not impact the anonymity of hidden services or hidden service clients.

We have known about and been defending against this situation for quite some time. The issue will be resolved more thoroughly with the next-generation hidden services design. Check out our blog post, Mission: Montreal!


Please note that the comment area below has been archived.

July 26, 2016


Always protect your private onions, ssh onions, etc. with HiddenServiceAuthorizeClient and HidServAuth. The bad HSDirs will still see your onion address, but they won't be able to access it.

> The bad HSDirs will still see your onion address,

Do all Tails users have an onion address (e.g. for Whisperback?).

As far as I know I am not running an onion service, but in the last month I have seen a good deal of what appear to me (as an experienced but noncoding Tor user) to suggest nefarious activity which sounds similar to what I have been reading about bad guys abusing HS to deanonymize Tor users.

@ Tor/Tails people: any information, suggestions, or links would be appreciated.

July 26, 2016


what to do AS USERS to "help" a bit" that mission montreal be a full success (for every one) in a near future ?
-stopping using compromised service or o.s (which ones must be avoid )?
-choosing/replacing safe server vpn:dns (which ones must be avoid ) ?
-adding relays (is it more predictive or less _ less or more trust _ ) ?
-using more tor (24/24 )?
-adding more users (spreading the world_ convincing more people) ?
-buying a laptop or a pi for a right entropy (should it be better with a chip faster_arm or a chip with virtual feature enable , with one or two gpu ) ?
-using 2 laptop/rasperry , one as server (protective personal first barrier/relay) and one as user ?
-creating a firewall which should eliminate 'bad' relays or putting it in a temporary black list ?
-building a special card with embedded chip/program or making/downloading a special program to increase the good statistics values (or decrease the bad) ?
Is the user still staying a spectator of tor project ?
*the new intel chip is compromised, ubuntu too (backdoor & new laws) , nvidia card too ... will it compromise the usage of tor ?

> *the new intel chip is compromised, ubuntu too (backdoor & new laws) , nvidia card too ... will it compromise the usage of tor ?

Citation? Details? Which chips and cards precisely? (Year, model, name). Compromised by whom? China? NSA? Intel itself? Compromised in what sense?

help yourself not using any closed source/commercial os and let windowz geeks be tracked and cracked by THE GREAT DEMOCRATIC COUNTRY LAW - they want it.

July 27, 2016


Been getting a lot of phishing relays that redirect you and then it goes to a cloned government phishing server or site and steals your info or de-anonymizes you.

July 28, 2016


OT, but relevant and ironical anecdote:

Civil libertarians often need to obtain official government datasets, often from some US government agency, sometimes from hostile agencies such as FBI which offer information to the public (even outside the USA) at the public website. But it is important to know you are connecting to the genuine website and not an impostor. Fortunately, most government websites use https. On the other hand, civil libertarians don't want to connect to a hostile government agency directly because we know better than most people that FBI is likely to start dangerously wrong guesses about why someone wants a copy of a public dataset. So naturally we use Tor. Which we use for everything anyway, because we know the Internet has become a very dangerous place (thank you NSA, and all such like that).

And if you connect to using Tor Browser, what happens? Why cloudflare happens, of course! And what do you see in Tor Browser's location pane? with a lock icon. But when you click to look at the certificate, you discover this is owned not by but by cloudflare, and the "Subject" line does not even mention FBI.

Doesn't this trickery subvert the very purpose of PKI?

Lesson: always check the certificate itself. It it is owned by cloudflare and makes no mention of the site you think you are connected to, you are not connected to the site you probably think you are. This opens the door to abuse by unknown parties.

See also a current thread in tor-talk about cloudflare being abused to deanonymize Tor users by requiring them to click on images. Doing that is not only dangerous (yes?), it won't work. In my experience, Tor users are never able to pass the bar, cloudflare makes them click until (presumably) they are deanonymized, but even then, cloudflare prevents them from accessing the promised public data.

Not all USG agencies are as tricky as FBI, of course. In my experience some other USG agency websites do provide public data even to Tor users without cloudflare blocks. Same for agencies of many EU governments. But FBI never did provide the promised public dataset.

July 28, 2016


Should I see the same node X in two places in two adjacent circuits listed in Onion Circuits?
Like so:
(relay and exit positions in two adjacent circuits to be used one right after the other, potentially).