4

I recently came across a paper called "Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries" (Aaron Johnson et al) ... which seems to be saying that adversaries (like the NSA) that can see large segments of the Internet can relatively easily de-anonymize most Tor traffic:

"... previous work has thus far only considered adversaries that control either a subset of the members of the Tor network, a single autonomous system (AS), or a single Internet exchange point (IXP). These analyses have missed important characteristics of the network, such as that a single organization often controls several geographically diverse ASes or IXPs. That organization may have malicious intent or undergo coercion, threatening users of all network components under its control. Our analysis shows that 80% of all types of users may be de-anonymized by a relatively moderate Tor-relay adversary within six months. Our results also show that against a single AS adversary roughly 100% of users in some common locations are de-anonymized within three months (95% in three months for a single IXP). Further, we find that an adversary controlling two ASes instead of one reduces the median time to the first client de-anonymization by an order of magnitude: from over three months to only 1 day for a typical web user; and from over three months to roughly one month for a BitTorrent user. This clearly shows the dramatic effect an adversary that controls multiple ASes can have on security."

Does this mean that Tor is essentially useless for defending against US government surveillance? I feel like I might be misinterpreting the paper, because I would think the Tor Project would go out of their way to make that clear if it was the case (and there is nothing on their website about this) ... Is it really the case that in less than a day the NSA can de-anonymize 80-100% of Tor users?

Can someone explain to me what the practical implications are of this for Tor users who are worried about NSA/FBI surveillance? What kinds of additional steps could be taken to mitigate some of these threats described here?

jessetaylor84
  • 41
  • 1
  • 3
  • I think the question at http://security.stackexchange.com/questions/41542/how-does-tor-protect-against-an-attacker-just-running-thousands-of-nodes?rq=1 may provide you some useful insight. – anhldbk Jan 12 '14 at 04:06
  • 1
    Thanks anhldbk, there was some interesting info in there, even though it doesn't directly answer my question. I'm definitely interested in understanding more about what they are talking about as far as choosing paths to route through multiple countries ... but I don't know how I would find trustworthy nodes to do this. Nor am I clear I would go about configuring this safely even if I did somehow know people in several different countries that couldn't be watched by the NSA (if there is such a place anymore these days ...) – jessetaylor84 Jan 12 '14 at 06:03
  • I don't have time for a full answer, but I feel any answer should point to the Snowden leaked presentation "Tor Sucks" which shows how much trouble the NSA has at breaking Tor. – Megan Walker Jan 12 '14 at 13:26
  • Doesn't this go in Tor.SE? – mirimir Jan 14 '14 at 05:46

2 Answers2

3

Tor doesn't necessarily protect you against a powerful attacker. Section 3.1 of the Tor design document states it:

A global passive adversary is the most commonly assumed threat when analyzing theoretical anonymity designs. But like all practical low-latency systems, Tor does not protect against such a strong adversary. Instead, we assume an adversary who can observe some fraction of network traffic; who can generate, modify, delete, or delay traffic […]

However if you have a look at the recent leaks there was one about Tor: 'The king of high-secure, low-latency anonymity'. Especially the title of the presentation said it all:

Tor stinks

So as far the leaks show it both NSA and GCHQ had a hard time to de-anonymize Tor users. What they basically do is to attack flaws in other systems like Firefox.

If you need a higher level of security you should take a look at special CDs. Tails is one of them. It routes all traffic throught Tor and tries to save you from some known attacks. Also the above mentioned slides write about Tails:

Adds Severe CNE misery to equation

So it seems that Tails and others might bring you a higher level of anonymity and security against attacks. However if take targeted attacks into the equation you might want to read the documents from Der Spiegel and draw your own conclusions.

qbi
  • 1,611
  • 2
  • 14
  • 27
1

Tor was ment to provide obfuscation in the middle of the connection so you may know where a connection goes or where it comes from but you wouldn't know both. The revelations about the NSA capabilities renders much of the protection worthless. Many of the documents released show that the NSA, working with other governments intel group have access to a large number of hosting servers, home networks, etc. If these documents are to be believed than tor is pretty useless right now.

dmaynor
  • 458
  • 2
  • 3
  • 1
    That's the way that I read it as well (i.e. that the NSA can fairly easily de-anonymize most Tor traffic), but I wasn't sure if I was misunderstanding something or not. – jessetaylor84 Jan 22 '14 at 19:03
  • Actually the documents rather explicitly said that attacking Tor, even through sybil attacks, was woefully inadequate for deanonymizing users. In fact it says quite clearly that they cannot deanonymize users at will, but with _significant effort_ can deanonymize a _small percentage_ of users. – forest Dec 14 '17 at 03:58