Possible upcoming attempts to disable the Tor network

The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities. (Directory authorities help Tor clients learn the list of relays that make up the Tor network.) We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use.

We hope that this attack doesn't occur; Tor is used by many good people. If the network is affected, we will immediately inform users via this blog and our Twitter feed @TorProject, along with more information if we become aware of any related risks to Tor users.

The Tor network provides a safe haven from surveillance, censorship, and computer network exploitation for millions of people who live in repressive regimes, including human rights activists in countries such as Iran, Syria, and Russia. People use the Tor network every day to conduct their daily business without fear that their online activities and speech (Facebook posts, email, Twitter feeds) will be tracked and used against them later. Millions more also use the Tor network at their local internet cafe to stay safe for ordinary web browsing.

Tor is also used by banks, diplomatic officials, members of law enforcement, bloggers, and many others. Attempts to disable the Tor network would interfere with all of these users, not just ones disliked by the attacker.

Every person has the right to privacy. This right is a foundation of a democratic society. For example, if Members of the British Parliament or US Congress cannot share ideas and opinions free of government spying, then they cannot remain independent from other branches of government. If journalists are unable to keep their sources confidential, then the ability of the press to check the power of the government is compromised. If human rights workers can't report evidence of possible crimes against humanity, it is impossible for other bodies to examine this evidence and to react. In the service of justice, we believe that the answer is to open up communication lines for everyone, securely and anonymously.

The Tor network provides online anonymity and privacy that allow freedom for everyone. Like freedom of speech, online privacy is a right for all.

[Update Monday Dec 22: So far all is quiet on the directory authority front, and no news is good news.]
[Update Sunday Dec 28: Still quiet. This is good.]

Anonymous

December 22, 2014


a) stop using google
b) set useragent string "google go away"
c) go to real shop, buy some real beer, drink it and think who the fuck is that sony? bear?
d) change everything back and relax watching new pr show.

Anonymous

December 19, 2014


Umm, who wants to and is going to seize which nodes where and why?
Stop with all the veiled silence bullshit, it makes you look stupid, and like some questionable entity.
Torproject is not the only voice and direction of tor, and you're preventing the rest of the voices from speaking freely in support.

To be sure to keep our source safe, we're not providing more details quite yet.

But actually, we don't know many more details than the ones we posted. And as for your 'why', that's an excellent question, and one we've been wrestling with too. There are nine directory authorities, spread around the US and Europe. If they're trying to hunt down particular Tor users, most possible attacks on directory authorities would be unproductive, since those relays don't know anything about what particular Tor users are doing.

Our previous plan had been to sit tight and hope nothing happens. Then we realized that was a silly plan when we could do this one instead.

What exactly is the upside of making the rumor public? Downside is the seizure doesn't actually occur for whatever reason (good so far..) and then Pando publishes a series of 'cry wolf' articles about how Tor is run by delusional paranoids with a persecution complex.

I think it depends on the definition of upside and downside. If there is no attack, then that is good for Tor users. Maybe the attack was delayed or redesigned, or maybe it never actually existed. If this happens, we may never know. There may be repercussions, but it's a necessary risk, because if there is an attack and we didn't say anything then that puts users at risk, and that goes against the purpose of this project.

Who believes that paranoiacs are delusional anymore?

All anyone has to do is point at the NSA and that argument is invalidated.

It's a real blow for mental health workers, actually.

What if they know what the person was doing, ie. which websites they were on and what they were doing and they wanted to find out what their real IP was? Would this be a way to do it?

No (but yes, kind of). The directory authorities know nothing about Tor users, so taking these servers offline or compromising them has no direct impact on the anonymity of users. However, if you control enough of the directory authorities then you can define which relays are in the network. At this point, users can potentially be deanonymized. This is a huge attack, though.

Yes. Two refinements to sysrqb's answer:

A) Taking over a threshold of directory authorities would tell you nothing about what Tor users did in the past. It would allow you, at worst, to make up a new fake Tor network and try to trick users into switching to it. See my comment below for more details.

B) By "huge attack" I might instead say "hugely expensive attack", at least in terms of political capital and goodwill.

they want it - to own internet and allow only marked with your id-number ip packets. they want to insert in your head identification chip with this number and to trace it (and they have done it with home animals). they want you to be part of their own internet machine. they want to harass you if you try to not use their "services". they simply want to control you. so please try to read some uncontrolled by them sources (real books?) and think.

Surely each operator has a disaster recovery plan in place already, for more usual events like hardware failure. If the servers were seized, could you all not just execute that, and be up and running again within minutes to hours?

In practical terms, is this not simply a minor inconvenience?

Could authorities replace seized DAs with their own clones that only send users to NSA/GCHQ controlled nodes? Is this possible without knowing DA private keys if you have full control of the hosting server?

It depends what exactly they can extract from each computer. Years ago we separated the directory authority keys into a long-term (offline) key and a medium-term (online) signing key. Directory authorities have their medium-term key expiring at various times:
https://consensus-health.torproject.org/#authoritykeys

We've taken some steps recently that we hope will make it quite hard for attackers to extract the medium-term key even if they seize the computer. So for the ones where that hope turns out to be true, they get basically nothing besides disruption by seizing that authority.

If they nonetheless can extract five unexpired signing keys, then they can make up their own consensus and point people to their own relays. That would indeed be really bad. For a bit of consolation, it would be super highly illegal and places like EFF would be happy to mess them up for it. But let's hope that doesn't happen, especially now that we've made clear to them all the collateral damage involved.

In any case, even if just one is seized, we'll likely put out a new Tor release that stops trusting that one. Otherwise they could in theory keep chipping away at the directory authorities (though the expiration dates on the keys will put an upper bound on how effective that approach could be for them).

Hope that helps.

if you haven't already, you should consider auto-wiping the keys on those servers if motion is detected in their proximity. (assuming they're located somewhere where there normally isn't movement around them, like a cage, anyways.)

from a layer 7 and above perspective.. are you confident that all directory authority operators will be able to detect whether someone may have physically tampered with or replaced a directory authority box?

for example, jake's most likely not going to be in the US anytime soon, although i'm guessing he has friends who could examine the physical integrity of the directory server he runs.

physical custody of keys/boxes has been on my mind lately, since recent TBB releases were signed with erinn's key even though she doesn't work for the tor project anymore.

These are indeed all important topics to pay attention to.

As for Erinn's key signing Tor Browser packages (and she does indeed still participate in Tor Browser development stuff), check out
https://trac.torproject.org/projects/tor/ticket/13407
(And also remember that the builds are reproducible, so the signature is not as important as it would have been in the past.)

thanks for the quick reply; i agree re: signing keys. wasn't trying to cast doubts..just was pointing out that some of my own tor-related assumptions about who physically controls keys came up recently

Please in an update add a revocation so that at least any long term signing key could revoke any of the medium term keys and itself.

Then each node would only have to hear a revocation once to take that key out of service. It would greatly reduce the benefit of compromising the keys.

>>Could authorities replace seized DAs with their own clones
yes
>>Is this possible without knowing DA private keys
seized the key got the server

Agreed on the first one (though that's the sort of behavior that EFF would be excited to litigate, since it harms a huge number of ordinary people).

As for the second one, I assume you mean "seized the server got the key", but even then it's somewhat more complicated than that.

I use the torrc to select the DA I trust.
DirAuthority [nickname] [flags] address:port fingerprint

my relays can NoAdvertise
ORPort [address:port] NoAdvertise IPv4Only
but I can't find a way to add relays or include nodes not in the bad DA lists

You should learn more about the directory design and how the threshold of signatures works. I can't quite figure out what you're doing from what you've said, but it sounds likely that you're shooting yourself in the foot.

In particular, configuring your Tor client to use a subset of the current directory authorities could actually make you weaker than configuring all of them, even if you genuinely do trust only that subset.
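A small constructed model, added here and not Tor's own code or anything posted in this thread, of the majority rule behind the "five unexpired signing keys" answer above and this reply about pinning a subset: a client accepts a consensus only when more than half of the authorities it is configured to trust have signed it with a certified, unexpired signing key. Authority names, key sizes, expiry times and the use of HMAC as a stand-in for real signatures are all assumptions of the demo.

```python
import hmac, hashlib, secrets

# Constructed model for this demo: each authority has a long-term identity key
# (kept offline) and an expiring medium-term signing key. HMAC stands in for
# real signatures so the demo runs offline; the point is the acceptance rule.
class Authority:
    def __init__(self, name, expires=2000):   # expiry in abstract time units
        self.name, self.expires = name, expires
        self.identity_key = secrets.token_bytes(32)
        self.signing_key = secrets.token_bytes(32)
    def certificate(self):   # identity key vouches for (signing key, expiry)
        body = self.signing_key + self.expires.to_bytes(4, "big")
        return (self.signing_key, self.expires,
                hmac.new(self.identity_key, body, hashlib.sha256).digest())
    def sign(self, consensus):
        return (self.name, hmac.new(self.signing_key, consensus, hashlib.sha256).digest())

def client_accepts(consensus, now, signatures, trusted, certs):
    """Accept only if more than half of the authorities this client trusts signed
    with a certified, unexpired signing key (5 of 9 for the real network)."""
    good = 0
    for name, sig in signatures:
        if name not in trusted:
            continue                    # signer is not a trusted authority: ignored
        signing_key, expires, tag = certs[name]
        body = signing_key + expires.to_bytes(4, "big")
        if not hmac.compare_digest(hmac.new(trusted[name], body, hashlib.sha256).digest(), tag):
            continue                    # certificate not vouched for by the pinned identity key
        if expires < now:
            continue                    # signing key expired: a seized key is no longer useful
        if hmac.compare_digest(hmac.new(signing_key, consensus, hashlib.sha256).digest(), sig):
            good += 1
    return 2 * good > len(trusted)

def scenarios():
    auths = [Authority(f"auth{i}") for i in range(9)]
    certs = {a.name: a.certificate() for a in auths}
    all_nine = {a.name: a.identity_key for a in auths}
    only_three = {a.name: a.identity_key for a in auths[:3]}         # client pins a subset
    minus_auth0 = {k: v for k, v in all_nine.items() if k != "auth0"}  # release distrusts seized DA
    forged = b"constructed consensus listing only the attacker's relays"
    sigs = lambda n: [a.sign(forged) for a in auths[:n]]   # signing keys from n seized authorities
    return {
        "4_of_9": client_accepts(forged, 1000, sigs(4), all_nine, certs),             # False
        "5_of_9": client_accepts(forged, 1000, sigs(5), all_nine, certs),             # True
        "2_of_trusted_3": client_accepts(forged, 1000, sigs(2), only_three, certs),   # True
        "5_of_9_after_expiry": client_accepts(forged, 3000, sigs(5), all_nine, certs),      # False
        "5_of_9_auth0_distrusted": client_accepts(forged, 1000, sigs(5), minus_auth0, certs),  # False
    }
```

The "2_of_trusted_3" case is the foot-shooting described above: pinning three authorities lowers the bar from five seized signing keys to two, while expiry and a release that drops the seized authority both push the bar back up.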

Honestly, I agree with the poster above. With this threat and the online harassment blog post, you folks are woefully short on *facts*. To me, if you don't share the *reasons* for why you're doing what you're doing, what you're doing is of little use.

It's like the US asking us to trust them, because we can't handle the truth...and we all know how much we trust them.

For a non-profit that's all about openness, Tor sure isn't open when it comes it its own dealings.

Anonymous

December 19, 2014


Couldn't Tor get rid of the directory authorities somehow ?

I hear that the Tribler network uses a Tor-like protocol without DAs. Anyone can run a bootstrap node, and that's enough to keep the network running apparently.
It looks like bridges for example could take on the additional role of bootstrap nodes for Tor.

Has there been any discussion on that ?
I'm not too fond of trusting a couple of servers that may or may not have been seized.
There's not even a warrant canary page afaik.

There are a bunch of research papers looking at exactly this question.

Check out
http://freehaven.net/anonbib/#usenix11-pirtor
for one direction, and then
http://freehaven.net/anonbib/#wpes09-dht-attack
http://freehaven.net/anonbib/#ccs09-shadowwalker
http://freehaven.net/anonbib/#ccs09-torsk
http://freehaven.net/anonbib/#ccs10-lookup
for another direction to consider.

The current situation is that nobody knows of a better design that is actually better in practice. The one we have is well-studied and has well-understood downsides, so I'm not eager to move to one that is poorly-studied and has poorly-understood downsides.

As for Tribler, my current understanding is that Tribler provides *significantly* less anonymity than Tor does, and a lot of its weakness comes exactly because it has an easily attacked network discovery mechanism.

Would you care to extrapolate on why Tribler is less secure than Tor? I'm pretty new to Tribler, and haven't found any good sources on that information.

If enough directory authorities are controlled then the available hosts can be specified by an attacker and they can specify only their hosts. In yours the directory authorities are trusted parties; in the other one they are whoever wants, and so an attacker can create a ton of those.

Somebody should actually write out the design for this and work through all the details. I bet there will be some interesting, subtle, and devastating attacks on the first couple of versions of this design. More research required!

I disagree. See my above comment.

(Part of the confusion probably is that directory authorities serve a variety of purposes in Tor, to defend against a variety of attacks. To move beyond "yes they do no they don't", somebody should write up a clear explanation of everything directory authorities need to do to serve their purposes well. The above links are a good start there, but see also
http://freehaven.net/anonbib/#danezis-pet2008 )

I feel a fork is in order.
OpenTOR will have
+local node list addition in torrc ie. private nodes or boot strap nodes
+namecoin tor/ node list option
+namecoin DNS
+node invisibility by dual socks4/https on port 443

Moar on node invisibility.

make a tls/ssl connection to port 443 tor reads first data.
if (first byte 'H') http stream to web server
if (first byte 04 & password good) relay traffic
if (password wrong) stream to web server to send back error

This is a private node if the password is private and a new type of bridge if public. aka f2f bridge

no not at all
starttls is just encrypting a port
you can have socks4 and http share a tls port

buffers.c
parse_socks(
...
  switch (socksver) {
    case 5: /* socks5 */
      ...
    case 4: { /* socks4 */
      ...
    case 'G': /* get */
    case 'H': /* head */
    case 'P': /* put/post */
    case 'C': /* connect */
      strlcpy((char*)req->reply,
              "HTTP/1.0 501 Tor is not an HTTP Proxy\r\n"
              "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
              "<html>\n"
              "<head>\n"
              "<title>Tor is not an HTTP Proxy</title>\n"

just hand off http(and socks5 because hand shake is required) connection to a web server.
if socks4 has good password relay in tor else connect to web server to return error.

trust me it works! and should be part of tor

starttls is nsa invention. nobody in his right mind should change protocol after connection. it is like inviting all the spies in the path. right sequence _must_ be as in: service should wait for some information from a client to select own behavior according to that information. if something wrong - drop connection.