0

Tor traffic correlation attacks by global adversaries

I know what traffic correlation attack is but I find it hard to understand this article or how it got to its conclusions about 'de-anonymize' 'typical web user' who use Tor within a day just with the ability to monitor enough web traffic. I also don't get how dark markets and child porn still exists on onion sites if all it takes is a little bit of cooperation to de-anonymize everyone?, The article is from 2013 so the governments had a long time to do it.

At the end all what the 'global adversaries' can see is traffic volume and timing(that is affected by some timing noise) right? so if you are just a typical web user who just connected few times(lets say 5 times) to an average website/webpage with an average size of 700kb who said that you are one of the few Tor users who visited a website/webpage in this size 5 times around the time you did it?. I am missing something here?.

forest
  • 65,613
  • 20
  • 208
  • 262
randoman
  • 3
  • 1
  • check it please: https://security.stackexchange.com/questions/226076/does-tor-still-hide-all-tracks/229177#229177 – ANB Apr 03 '20 at 12:47
  • Wasn't there a sting operation against a pedophile ring on Tor a while ago? – Philipp Apr 03 '20 at 12:55

1 Answers1

2

TL;DR: correlation attacks are a possibility but there is always a gap between theory and practice. The other limitation is scalability.

An excerpt from that 2013 study shows that the technique is not that trivial:

Our analysis shows that 80% of all types of users may be de-anonymized by a relatively moderate Tor-relay adversary within six months. Our results also show that against a single AS adversary roughly 100% of users in some common locations are deanonymized within three months (95% in three months for a single IXP). Further, we find that an adversary controlling two ASes instead of one reduces the median time to the first client de-anonymization by an order of magnitude: from over three months to only 1 day for a typical web user; and from over three months to roughly one month for a BitTorrent user. This clearly shows the dramatic effect an adversary that controls multiple ASes can have on security

The other takeaway from the study is that you still need time, even a lot of time for uncertain results. The study does not suggest the ability of real-time deanonymization.

One thing we have learned in IT circles is that encryption in general is seldom defeated, but circumvented. People get caught because of opsec failures and lack of understanding of the tools they use.

Let's put the Tor network aside for a minute.

A browser has a huge attack surface. Even the Tor browser, which is configured with hardened settings is not immune to bugs or 0days. Javascript (which I understand is enabled by default in the Tor browser) gives away many small bits like the local time (which can be used to infer the timezone) and other bits of information that can be used for fingerprinting the browser or the user. The small bits add up and it is a start.

Now imagine an alphabet soup agency is after you, and they have some 0days in store, and they can weaponize a flaw in the Tor browser you are using. If they manage they take control of your computer, execute malicious code in the context of your user, or manage to leak your IP address you are done.

In this scenario Tor was not directly compromised. Sounds like something they could do or have done ? Probably. There is an obvious limitation to this approach: a good 0day is expensive, therefore you cannot waste it against a low-value target because it is going to be noticed in the wild and ultimately fixed.

Bottom line: if you do something illegal or objectionable on Tor, you should be not using it from your home connection. Instead, you should borrow some public/restaurant/library connection and move from place to place. Preferably where cameras are rare. Most likely, this is the most effective defense against deanonymization attacks.

How do criminals using Tor get caught ?

From what we know it's not because of a weakness in Tor but because they did stupid things, like checking their personal Gmail account because they confused the Tor browser with their regular Firefox. All it takes is one mistake.

Or another stupid thing: lack of separation between their online and offline personae. Using a bitcoin wallet, funded with their regular bank account, making withdrawals to an account in their name (because they thought that BTC is "anonymous" and "untraceable").

Sounds so silly and yet this happens. Criminals get caught because they are dumb, careless and sometimes unlucky. It's not the because the police have magic powers.

Online crime is not just fought online but offline. Police resort to controlled purchases and classic infiltration techniques eg: buy stuff like weed, preferably from someone trusted in the community, a mod or someone high-up. Then trace the packages, figure out their shipping patterns, obtain camera footage. Identify the guy. Find the guy. Arrest the guy. Move up the chain. Get closer to the admins.

I also don't get how dark markets and child porn still exists on onion sites if all it takes is a little bit of cooperation to de-anonymize everyone?

A couple reasons among many:

  • Many countries actually have established channels and cooperate on law enforcement issues, but not all countries are interested in cooperating with each other especially when they are adversaries
  • Many countries governments are corrupt to some degree, some engage in criminal activity for financial gain
  • Law enforcement agencies (LEA) do not have the time and resources to go after every offender, so they have to prioritize targets. When your darkmarket is regularly mentioned in the news, then assume it is already under investigation and possibly infiltrated. You have probably noticed that nearly every darkmarket ends up doing an exit scam and disappears. So you could say justice is already meted out without intervention from the authorities.
  • LEA take their time: rather than shut down an illegal operation outright they could watch the action and wait to catch more offenders. Consider for example the case of Hansa: Operation Bayonet: Inside the Sting That Hijacked an Entire Dark Web Drug Market. Everything takes time.

The conclusion is that no system can be guaranteed to be foolproof but can nonetheless thwart the efforts of adversaries to unmask you. If you are a wanted person Tor should not be the sole security layer, but a component in your personal strategy and you still need good opsec. Tor does not protect against human mistakes and stupidity, this is beyond the scope of the project.

Kate
  • 7,092
  • 21
  • 23