Possible upcoming attempts to disable the Tor network

The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities. (Directory authorities help Tor clients learn the list of relays that make up the Tor network.) We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use.

We hope that this attack doesn't occur; Tor is used by many good people. If the network is affected, we will immediately inform users via this blog and our Twitter feed @TorProject, along with more information if we become aware of any related risks to Tor users.

The Tor network provides a safe haven from surveillance, censorship, and computer network exploitation for millions of people who live in repressive regimes, including human rights activists in countries such as Iran, Syria, and Russia. People use the Tor network every day to conduct their daily business without fear that their online activities and speech (Facebook posts, email, Twitter feeds) will be tracked and used against them later. Millions more also use the Tor network at their local internet cafe to stay safe for ordinary web browsing.

Tor is also used by banks, diplomatic officials, members of law enforcement, bloggers, and many others. Attempts to disable the Tor network would interfere with all of these users, not just ones disliked by the attacker.

Every person has the right to privacy. This right is a foundation of a democratic society. For example, if Members of the British Parliament or US Congress cannot share ideas and opinions free of government spying, then they cannot remain independent from other branches of government. If journalists are unable to keep their sources confidential, then the ability of the press to check the power of the government is compromised. If human rights workers can't report evidence of possible crimes against humanity, it is impossible for other bodies to examine this evidence and to react. In the service of justice, we believe that the answer is to open up communication lines for everyone, securely and anonymously.

The Tor network provides online anonymity and privacy that allow freedom for everyone. Like freedom of speech, online privacy is a right for all.

[Update Monday Dec 22: So far all is quiet on the directory authority front, and no news is good news.]
[Update Sunday Dec 28: Still quiet. This is good.]

Ok, I'm going to cut off the namecoin thread here before it takes over the whole comment section.

Somebody should actually build an actual proposal here. Come back when you have one. Thanks! :)

(A great place to send such a proposal is the tor-dev mailing list.)

Feel free to fork -- the license lets you do so and we are big free software fans.

But please do not name your resulting thing "Tor but better" or a name like that, which will confuse users into thinking your thing is somehow written by the Tor people.

Why not use a cryptocoin like namecoin to determine authority of nameservers?

They would have to take over the whole cryptocoin system with a 50 percent attack which is very difficult to do, especially on a proof of stake coin like the newer coins.

But blockchains by their nature record a history of all transactions. It seems to me you're just creating a new risk, here.

hans andersen

December 19, 2014

It's such a shame to see the country I live in among the "repressive regimes" :(

Thanks for what you're doing.

It's a shame to not see the country I live in (US) among them. I think it might turn the tide of public opinion if it were more widely accepted that the chilling effect of "passive" communication interference should be grouped with other forms of repression.

hans andersen

December 19, 2014

This whole North Korean hack thing is so obviously a false flag operation. And who can trust anything the US Government says any more anyway? The worldwide political elite are a haven for crooks, liars, and murderous paedophiles.

Yeah I def think it's a false flag operation. The public has been very anti-government of late; wouldn't it be great to rally everyone behind a common enemy?

Fine new name for NSA net - lizardnet. So I see headlines - "Lizardnet defines new dangerous trend in user behavior - before watching the new daily propaganda block they are visiting the toilet. Our new SWAT teams are ready to fight such illegal behavior."

If it's a false flag then the government has been feeding our media misinformation for years about NK. Everything about the Sony hack fits perfectly and points directly at NK. Not to mention they have reason to not like Sony and lack of rationality to care about getting caught.

I do not like Sony, so what? And if they have some damage I will not be sorry at all.
But what about damage for everyone because of lowering TTL numbers in DNS responses by many corporations? For me it's more important than some problems in some corporation.

The messages sound American to me. Like in a comedy where a teenager pretends to be Korean but using cornball Engrish. At one point, the part between the parentheses, they slipped into regular American English.

Same goes for the UK government. GCHQ are known to want to get a good foothold into TOR; some even argue they may have the capability to fully compromise its infrastructure.

I've got my little 10Megabit exit node running, so I'm doing my part. I bet the TAO are hanging out on my network watching it though....

Thanks for running an exit relay!

As for TAO hanging out on it, that seems unlikely -- not because nobody would want to watch it, but because various intelligence agencies already work to surveil large parts of the Internet, and I don't think they need the TAO group to help them there.

As for the original point about how it seems there are fewer exit relays these days, check out
https://metrics.torproject.org/bwhist-flags.html?graph=bwhist-flags&sta…
The capacity provided by exit relays is slowly growing (the capacity provided by non-exit relays is indeed growing faster).

And the *number* of exit relays (not really the best measure but it's another way to judge) has been very slowly growing too:
https://metrics.torproject.org/relayflags.html?graph=relayflags&start=2…

I see exclusively big and growing log of "We tried for 15 seconds to connect to 'xxx' using exit yyy at zzz. Retrying on a new circuit" records. So maybe many relays are just fake? Or they allow connections to sites interesting for NSA operations only? Kind of prefiltering?

You might still be seeing the 15 second timeout thing, if the site you're loading pulls in some third-party component which is unreasonable. And your telnet test to the primary site would not notice this.

Just noticed while running distro updates on node smitty that tor had been down for 3 days. Only a disk space issue, however.

hans andersen

December 19, 2014

Sounds like a good case of needing to decentralize your directory services... If only there were an amazingly great invention called Bitcoin or Namecoin that could be leveraged to do such a feat.

See above:

"The current situation is that nobody knows of a better design that is actually better in practice. The one we have is well-studied and has well-understood downsides, so I'm not eager to move to one that is poorly-studied and has poorly-understood downsides."

Right. So every time you connected, your IP would be registered in a permanent blockchain, as a means of being discovered by others on the network.

You totally know what you're talking about.

Not necessarily, you could publish the most recent node list via a blockchain transaction. The publishing address would then be the "announce" address which clients would look up. That scenario would require no writing to the blockchain. What we don't know is how secure that scenario is.

Decentralization is very much needed, but what's essential for Tor to realize such things is "Developers, developers, developers" ~Steve Ballmer

By the way, I'm not a developer.

hans andersen

December 19, 2014

The funny thing is that the more they attack (or attempt to), it just teaches the devs how to strengthen the network. Govts can try to whack-a-mole TOR, but their attempts are futile.

hans andersen

December 19, 2014

Is there nothing the community can do to improve the situation? Wouldn't it be possible to launch extra DAs in places that are more difficult to shut down?

Unfortunately, just adding more DAs doesn't make the system more robust. There's a significant overhead in dirauth communication and the voting process is not as robust as we'd like. We're pretty happy with the set of dirauths we have currently.

The community can do many things to improve the situation. Primarily: donate and educate. Make a financial contribution to Tor Project, be it cash or virtual currency. Educate others about right to privacy. Defend Tor from media attacks labeling it as nothing but a merchant of death, drugs, and dissidents.

Wait, what?? Donations???
Doesn't the government pay you and your project anymore? Or did you already burn the $100k+ you got and the multi million $ the NSA/DoD/HomelandSec donated to the project this year?

The funding we have from various government agencies comes in the form of specific deliverables. For example, everybody likes funding work on pluggable transports and censorship circumvention (it's uncontroversial to help with providing freedom for "over there"). But nobody cares much about funding stronger anonymity, since they think we have a great handle on it and thus there's no need to work on it. So donations are how we are able to spend developer and researcher time on the things that the world needs but it's hard to find funders for.

For other background and explanations, see
https://blog.torproject.org/blog/transparency-openness-and-our-2013-fin…
and also our 30c3 talk which discusses funders and funding:
https://www.youtube.com/watch?v=CJNxbpbHA-I

hans andersen

December 19, 2014

Did I miss something?
"Our previous plan had been to sit tight and hope nothing happens. Then we realized that was a silly plan when we could do this one instead."

What plan / action is, "this one instead?"
Other than announcing the possible attack, or the already "built in Tor network redundancy," what plan are we talking? But those are good, on their own.
Thanks.

Thanks. And Roger is probably busy right now (should be), so can't answer.
But while announcing it on a blog & tor-talk may? be a good idea, it isn't really a "plan" at all. That's why I thought I'd missed something.

"Wait & see" is sometimes prudent, but not a plan.

hans andersen

December 19, 2014

I live in the United States. I use Tor for my everyday web surfing because I believe any record of my web activity to be a violation of privacy. I have nothing to hide, but hiding is my choice. Online privacy is a right for all.

The threat to internet security is pregnable systems, not a network that allows anonymous access to those systems. The threat to our nation is not the threats of anonymous hackers, but adhering to their demands. Sony Pictures, Regal Entertainment, AMC Entertainment and others have put our nation at risk by rolling over at the demand of terrorists. By refusing to release that movie they have set a dangerous precedent and opened the door to future attacks.

Nice addition to the nudist company "We have nothing to hide"TM. EVERYBODY has. Otherwise you are controlled by some inter-terrestrial government because they have something to hide. How can this something appear if it was nothing?

I live in the United States. I use Tor for my everyday web surfing because I believe any record of my web activity to be a violation of privacy. Online privacy is a right for all.

100% agreed. I'm also using Tor for each and everything I do on the internet.

I have nothing to hide.

If one has nothing to hide, why would one put their letters in envelopes?
If one has nothing to hide, why wouldn't one walk naked through the streets?

Someone who has nothing to hide is an "exhibitionist", which is considered to be a state of psychological disorder.

hans andersen

December 19, 2014

Roger: As far as I can tell there are 9 servers that are listed in the Tor source as directory authorities. Let's say that 4 of them were to be seized and taken offline indefinitely.

How would this affect the remainder of the Tor network? My guess is that it would increase the load on the other nodes, but if they have sufficient spare capacity it would not result in an outage. Is that generally correct? (I apologize for not knowing as much about Tor's internals as I probably should.)

(Sorry, not Roger)

Correct, there are currently 9 directory authorities. More than half of the authorities must be online and they must reach a consensus on the current state of the network every hour for them to create and publish the hourly networkstatus-consensus (the list of all the known relays). If four out of the 9 dir auths were compromised and taken offline, then the remaining 5 will continue publishing the consensus and the network will continue operating normally. If more than 5 are taken offline then this was a horrendously large operation and the necessary corrective actions will be taken to ensure the network remains operational.

The one performance impact will be seen by new clients. When they first try connecting to the network (download and launch Tor Browser for the first time) they will try connecting to one of the directory authorities and download the networkstatus consensus from it. If some of the directory authorities are offline, it may take some time for each connection to time out (while the client connects to an unavailable authority), but eventually the client will reach an operational authority and it will then be able to use the Tor network as usual.
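
Added example (not part of the original post or comments, and not Tor's code): a simplified availability model of the majority rule and the new-client bootstrap delay described in the reply above. The 10-second per-attempt timeout and the assumption that a client tries authorities in uniformly random order without repeats are modelling assumptions, not Tor constants.

```python
"""Simplified availability model of the directory-authority quorum."""
from fractions import Fraction

TOTAL_AUTHORITIES = 9      # figure stated in the comment thread
ATTEMPT_TIMEOUT_S = 10     # assumed per-connection timeout (not a Tor constant)


def consensus_possible(online: int, total: int = TOTAL_AUTHORITIES) -> bool:
    """More than half of the authorities must be online to publish a consensus."""
    return 2 * online > total


def expected_failed_attempts(offline: int, total: int = TOTAL_AUTHORITIES) -> Fraction:
    """Expected timed-out connections before a new client reaches a live authority.

    Assumes the client tries authorities in uniformly random order without
    repeating one. With `offline` dead entries shuffled among `online` live
    ones, each dead entry precedes every live one with probability
    1 / (online + 1), so the expectation is offline / (online + 1).
    """
    online = total - offline
    if online <= 0:
        raise ValueError("no authority is reachable")
    return Fraction(offline, online + 1)


def availability_table(total: int = TOTAL_AUTHORITIES,
                       timeout_s: int = ATTEMPT_TIMEOUT_S):
    """Rows of (offline, consensus_published, expected_extra_delay_seconds)."""
    rows = []
    for offline in range(total):  # keep at least one authority reachable
        delay = float(expected_failed_attempts(offline, total) * timeout_s)
        rows.append((offline,
                     consensus_possible(total - offline, total),
                     round(delay, 1)))
    return rows


if __name__ == "__main__":
    for offline, ok, delay in availability_table():
        print(f"{offline} offline: consensus={'yes' if ok else 'no'}, "
              f"expected extra bootstrap delay ~{delay}s")
```

Under these assumptions, the model separates two effects: consensus publication depends only on the majority threshold, while first-run delay for new clients grows gradually with each unreachable authority.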