This is an easier version of a traffic analysis attack, an attack that Tor expressly does not attempt to provide a strong defense against.
It relies on a malicious server and entry node. The contribution of this paper is that if you have the malicious server and entry node, you can use a less expensive data source (Cisco NetFlow data) rather than raw packets to perform a correlation attack.
The correlation they achieve in a private Tor network is impressive; however, if you look at the graphs in the actual paper[0], you can see that the differences in correlations are actually quite small in the wild.
The title of this post and article is actually incorrect; the technique demonstrated has an 81.4% accuracy. This means that the base rate fallacy will make it nearly unusable in practice, and more so as the scale of Tor traffic grows. For more on the Base Rate Fallacy, see [1].
So in summary:
* This is an incremental improvement of an already existing and known attack pattern on low-latency anonymity systems
* The technique presented in this paper is only a threat if your threat model is an adversary that can control your entry guard and the server you are trying to communicate with, but does not have the budget for packet-level correlation attacks
* This technique does not achieve sufficiently high accuracy and sufficiently low false positives to reliably identify arbitrary Tor users, but might be more successful if used in combination with a prior hypothesis that, say, a specific NSA employee is communicating with GlobalLeaks.
They need to be able to access netflow data at the entry point.
To put it another way, let's say someone is posting bomb threats over Tor on Google Plus. Google cooperates with the FBI and deterministically perturbs all traffic going into the Tor network. What router does the FBI get netflow data from in order to find the bomber?
You should be aware that every tier 1 ISP already collects, aggregates, and stores NetFlow, which means they have archives of historical data (though probably not raw flow archives, though it would be possible to do that for "anomalous" traffic --- meaning, not port 80) and, more importantly, the capability to very easily enable filtered high-fidelity collection from most points on their network with very few keystrokes.
You can thank DDOS trolls for that, I guess, because that's why the ISPs paid to build that out.
I hope you understood what I was saying. I wasn't saying ISPs are limited to monitoring non-port-80 traffic. They can most certainly do sophisticated monitoring of "HTTP" traffic as well. All I was saying is that it was unlikely that most ISPs had high-fidelity raw flow archives for all traffic, but possible they they might already have them for non-port-80 traffic.
Hiding in port 80 will protect you not-at-all from traffic analysis, and all the major ISPs already have the infrastructure to deploy traffic analysis.
From what I understood in the OP, Top doesn't add that kind of noise to keep latency down (latency is already high due to the extra hops and would get even worse if you added perturbations)
So, I'm a motivated privacy-seeker with enough technical chops to configure any not-yet-for-the-masses technology out there. I would very much prefer for my ideal strategy not to be "poop my pants in terror" -- any guidance from the knowledgeable HN-osphere?
>Upsides: Much more secure than Tor, (since it doesn't try to be a low-latency mixing router) not funded by USG.
Most academic computer science is funded by the American government. Does that mean that all academic computer science is backdoored by the military?
To put it more specifically, most compilers researchers I know have at some point been on a DARPA grant, because DARPA has money and academics want money. I'm sure plenty of LLVM contributors have been paid from DARPA grants. Is LLVM backdoored?
===========================
On an entirely different point, how is Freenet even comparable to Tor? They address totally different use cases (Tor is an anonymizing TCP overlay; Freenet is a distributed censorship-resistant store), and have very different threat models.
Further, it seems very unlikely that Tor (which is a piece of very well-maintained software with some of the foremost privacy researchers working on it) would have fewer bugs than Freenet, which is a sprawling Java program maintained by one man. Further, the security of Freenet in abstract hugely depends on having a functional small-world network, which requires Freenet to have been widely adopted to start with.
The comment parent's request was vague, but you simply cannot replace Tor with Freenet because they do totally different things. It is nonsensical to compare them because they address different threat models and accomplish different goals.
I'm glad we're discussing this because there is a point I'd like to raise...
I always like to remind people that Tor is funded by the USG (currently, actively). I think it's very important that people understand that and adjust their threat models based on that.
However, it's not all bad news ... in fact, I think there's a very significant upside to the USG funding of Tor:
It provides a very compelling defense in the event that simply participating in Tor begins to be prosecuted.
There is very often a worry put forth that simply participating in Tor (as a client or by running a relay, etc.) can in itself be considered an illegal act. I think that as long as the USG is funding the development, people in the US can rest easy that they can't be prosecuted in any way for simply participating on the Tor network.
"If the USG is funding it and the state department is encouraging people to use it (think arab spring) then how could my use of it be illegal ?"
It's even better than that; tor was built to be used by spooks to cover their open-source intelligence gathering efforts. [0] Tor continues to be used by those same parties for those purposes.
Also, the Tor Project periodically sends out folks to remind the FBI and friends that tor has many legitimate uses, and is routinely used by law enforcement agencies as part of their day-to-day business. [1]
People don't strictly want what either Tor or Freenet gets them, they want other things and mangle both technologies into serving those purposes. In these shared use-cases, their usefulness can be compared.
For example, people use both Tor and Freenet to enable anonymized private messaging. On Tor, this is achieved by connecting to a hidden-service forum and posting. On Freenet, this is achieved through an app that uses Shared Subspace Keying to basically have two people watch one-another's RSS feeds for updates. Either way, people get to send anonymous messages and have other anonymous people see them.
"Most academic computer science is funded by the American government. Does that mean that all academic computer science is backdoored by the military?"
If you were some one who believed that your liberty or even life depended on it, then yes, you would have to assume that. Obviously day to day, it really doesn't matter. When it actually does matter, you have to assume the worst.
I haven't found Freenet latency to be bad for most keys these days. For example, I mirror my blog in Freenet and it's on the order of seconds rather than minutes. Even an image gallery I tried has reasonable response. Uploading data on the other hand is very slow.
I haven't looked at Freenet in years, but won't objects for keys that you've requested (/uploaded?) exist in your local cache (until they get pushed out by other traffic on the network)?
No, content you upload is not kept in your local cache at all. That would open you to the threat of being singled out as the uploader.
Instead your node is no more statistically likely to have any portion of the objects you've uploaded than any other objects throughout Freenet. When an upload is complete your node doesn't have a full copy, all the chunks are spread out amongst the nodes within a few hops of you instead.
When it's developed entirely in the open I'm not sure I see the concern here. If you have reason to believe they are somehow compromised or backdooring Tor please do share it, otherwise this is just FUD.
Freenet is faster than that in aggregate, total node throughput can be in the 150-250KB/s range even if single requests are, as you say, potentially in the tens of KB/s. File transfers can be fast, static webpages can be loaded reasonably quickly if they are popular (in the sense of being frequently accessed by users).
Big security downside is that in the purely opennet configuration, your peer nodes are both untrusted strangers AND your own traffic is visible to them. There is NO "onion" effect going on, just reliance on the possibility that any traffic a peer node observes from your node is not necessarily YOUR traffic as all nodes are also routing requests for other nodes.
What about i2p? I hear it has quite a few bugs, but so did Tor in the beginning I'm sure. Maybe it just needs better funding. Isn't it a better design at least?
Phantom also seems to have great design, but it was discontinued quite early in its implementation. No idea if it's because it was unworkable or for other reasons. Maybe someone with experience in such networks can take a look at it:
I2P's garlic routing design is superior to onion routing regarding this particular attack due to the ability to shuffle packets, and being variable-latency (flows which don't need low latency can benefit from increased traffic-analysis resistance).
However Tor has a big advantage in practice right now: lots of users, of every kind, to hide among.
When GCHQ talked about "staining" in this context (as in the REMATION conference docs), by the way, they generally mean either a timing-based fingerprint (as here) or cookie-based fingerprint (unfortunately it seems to be used in at least two entirely different contexts, oh well).
Test the latest attacks including this one against yourself continuously. Are you going to do this tinfoil?
Seems like a lot of security products demand trust from their users (even gnunet). This implicit bossing is no less pretentious than a gas pump that says "Thankyou".
As the summary mentions: Tor is susceptible to this kind of traffic analysis because it was designed for low-latency.
You give up a certain amount of security, but gain a lot of comfort.
Perhaps a future version of tor can offer a "comfort level" setting that introduces a varying amount of delays, bogus traffic and other concealment methods (ideally at every hop).
Well if that's the case then that should apply to anyone on the internet. It'd be much more secure to just not go on the web, so anyone on the web is sacrificing a huge amount of security. These aren't black and white arguments.
The current Panopticlick measurements are not as numerically accurate as they were were it was first created. That's because the commonness of the things that it measures changes over time (for example, how common it is to have a particular browser version) and the Panopticlick site took a lot of measurements from the public when it was first released, but is taking comparatively few now. However, it's still calculating the statistics based on a database of everyone who has ever visited the site.
Also, Panopticlick hasn't been updated with some possible distinguishing measurements that have been identified since it was created. In that sense it was always meant as a lower bound on uniqueness, and should still be understood that way.
Try it and see! Tor Browser contains modifications specifically to make fingerprinting harder. Panopticlick gets 11.36 bits of information from Tor Browser on my computer, compared to 22.16 bits from unmodified Firefox on the same machine. With Tor, Panopticlick says "Within our dataset of several million visitors, only one in 2,620 browsers have the same fingerprint as yours."
That said, browser fingerprinting is very hard to fight, and it's a lot easier to come up with new fingerprinting techniques than it is to mitigate them. So I expect that determined fingerprinters have the edge in this arms race.
Last I had checked, using the browser bundle in Tails with javascript disabled puts the fingerprint to about 1 in 22,000, but it's been a couple months since I last tested. Going to fire up my machine and see what it shows now, will report back with results shortly.
Update: Tor Browser in Tails 1.2 with javascript disabled returns a fingerprint that's shared by 1 in 2,615 with 11.35 bits of identifying information.
How do I have more identifying bits of information, but it's shared by more browsers?
>Within our dataset of several million visitors, only one in 4,955 browsers have the same fingerprint as yours.
>Currently, we estimate that your browser has a fingerprint that conveys 12.27 bits of identifying information.
I figured it would be more unique due to my running Tor Browser on a Mac - but I don't see how the math works out. Unless it actually has a count of machines with information identical to mine?
If you have the technical and OPSEC wherewithal, it appears that running you own "private" (PublishServerDescriptor 0) exit node has become an extremely attractive anonymity tool.
There are lots of downsides to this (epistemic attacks), but if your anon use case makes sense for such a setup, it is a valuable tool to have in the toolbox.
So encrypting content as it travels through Tor is generally considered best practice, but how does one get/manage/pay for a VPN such that the VPN itself doesn't lead directly back to you?
So, to clarify something: you connect to the VPN, and the VPN connects to TOR. If you do it the other way around (as you point out) it's pretty worthless. If you connect to TOR from the VPN then the most de-anonymized you are going to get is "customer of this VPN provider".
As for paying for services such that "customer of this VPN provider" can't be linked to you, I'd look at places that specifically accept bitcoin (I'm not a fan in general, but in this case, it signals their willingness to avoid collecting normal billing data like name, address, cc#, etc.).
I have no affiliation but they popped up in the googlings. Seems to be simple enough to get their service without giving away anything personally identifiable.
EDIT: the reason I tease out those two parts is because I'm concerned people will think TOR can protect against entities that can do a global customer-of-VPN dereference. TOR doesn't protect against global super-adversaries, consult your local security practitioner before feeling safe, etc. etc.
VPN -> TOR is wrong. Think about what happens if the VPN gets owned or seized. The bottom line is if your need for anonymity isn't just fantasy (i.e. you are actually a target of law enforcement) then no layer of your protection should be an IP that is connected to your real identity or location.
I am unsure at this VPN -> TOR notification, would you mind clarifying it for me please?
At the moment if I start up my VPN client and wait for the connection to my very trustworthy VPN provider, and only then open to Tor Browser Bundle, is that the right way round?
There are dozens of vpn providers that are not based in the US, who accept bitcoin and don't even require an email address for an account. Many of them proudly do not record logs, let alone retain them.
Bitcoin isn't anonymous (it's not a design goal, either). It might be pseudonymous, but that depends entirely of how you acquire bitcoins in the first place.
Good luck with your "no logs" operation in any NATO member/friendly country. Not sure about Russia and its allies, but I expect you'd be hard pressed to achieve "no logs" in China as well. South-Africa and Israel is probably out too. Not sure what that leaves you.
My immediate thought is cryotocurrency. You could probably lose direct links quite easily by using some sort of tumbler process - that should stop the trivial tracing back route. Bitcoin is not strictly designed to be anonymous but I do wonder whether something built on bitcoin or another crypto will achieve that in the near future.
Use bitcoin, pay for the bitcoins with cash. Or buy a VPN and use a giftcard to pay for it. When connecting to the VPN, use a public WiFi or a WiFi without a password, use a long range antenna so your very far away.
More and more just keeps coming out and it honestly seems like Tor is not a flawless method at all for anonymity and it is not something I'd trust relying on. I'd put more trust on using Tor in combination with a logless VPN.
Well, you can construct the following protocol for fully untraceable communication between n nodes, numbered i \in 1...n: Divide time into intervals of size t, where t is larger than the time it takes to propagate a message of constant size s from any node to all of the remaining n-1 (e.g. by flooding). For interval j, node i = j % n always transmits a message m of size s to all other nodes with the following characteristic: m is either the output of a PRG or a message encrypted with the key for a host k to which i wishes to communicate a message, the choice of which is entirely up to i. Under this scheme - assuming previously set up authentication between every pair of nodes and an encryption scheme in which encrypted messages are indistinguishable from random data without the decryption key - any node can send a message to any other node in such a way that no one else inside or outside this network can know the contents of the message or even that the communication took place. For any node not receiving communication, the protocol would be indistinguishable of one in which all transmissions are random noise.
Of course, the issue is that latency in this scheme is O(n) and per-node bandwidth is O(1/n), with large constants. Also, it's a reasonable suspicion in practice that no one would set up this scheme and then actually have zero communication going on over it, so it still reveals that "at least one of the n nodes is talking to at least another of the n nodes".
Or use multiple layers so at least you are less likely to be targeted by larger more automated operations, and only so much at risk to a targeted attacked.
It's obviously hard to verify it, but I'd love to hear tor devs take on this.
I may be paranoid, but it seems to be that there is some FUD around tor lately. And if many people will stop using it, it will indeed become less secure.
i think it's largely a misinformation campaign to keep people who aren't doing anything illegal from anonymizing their traffic. I like the idea of using Tor, but from what I can see, there's nothing of value for me on there. I don't need to buy drugs or get illegal porn, and I don't really care about anarchist-cookbook style sites. I'm glad it exists for journalists and whatnot, but I don't find it useful for an average person.
One more reason to have open-developed, ground-up-built endpoint hardware. I'm surprised there hasn't been a credible Kickstarter or something. People wouldn't mind slightly fewer features or lower performance due to reverse engineering an older design - if it meant real, publicly auditable security at that link in the chain. Still lots to do to improve security but that's one that's always seemed neglected to me.
While I agree that open hardware is a good idea, Cisco has no malicious intent with NetFlow. It is a legitimate tool for maintaining and improving network quality. This isn't an instance of a vendor providing a back door to the NSA (or whoever). It's an accident of the protocol that it is easier to derive this data from than raw packet sniffing.
The paper says that NetFlow is not optimized for this kind of attack, that it is merely representative of flow data available from core routers in general ("traffic monitoring functionality built into the routers of major IXs and ASs, such as Cisco’s NetFlow"), and that you have to do research to figure out how to make it work. The authors aren't saying that Cisco intended to facilitate traffic analysis attacks against users, or that using Cisco routers in a network you set up makes you or your users more vulnerable to traffic analysis attacks by other people.
I'd love to see much more research on new approaches to anonymity, but it's also important to understand the tradeoffs. In the face of active attacks like this one, it seems that a network needs to be synchronously padded (all participants and potential participants always transmit and receive at a fixed speed, regardless of whether they're communicating or not) or else high-latency (you wait a long time to forward communications far enough through the network that they genuinely could have been from anyone in a large population based on detailed traffic statistics). Even the padded versions might be vulnerable to an adversary who can actually disrupt or degrade people's connections (to prevent particular nodes from sending or receiving the amounts of traffic that they're expected to by the protocol). Even a very successful Kickstarter project isn't going to provide a path to escape these tradeoffs.
Hmm. This is a borderline case. The article mostly lifts from the paper, especially the diagrams. On the other hand, HN often prefers the best popular article on a story, with the specialized paper linked in the comments. The reason is that specialized papers are less accessible to a general-interest audience.
That said, papers in computing are an exception because the audience here is informed in that field. And the thread, at this point, provides a lot of context.
If you count China as a police state, more people live in a police state than in a "free" state. Anonymous flow of information is critical to the progress of freedom in the world even if you are lucky enough to live in a state where you feel free.
The "nothing to hide" thing doesn't really hold water. And anyway, you might not live in a police state but there are millions and millions who do and rely on this kind of thing.
Those things might have been reasonable in the past, but we live in 2014. We live in a country that has an ethnic minority president, the first nation anywhere in the world to be progressive enough to do so. We have abolished racism, sexism, homophobia, and classism. We live in an equal, classless, democratic society.
It's totally fine to see problems, even with our highly progressive and forward-looking society. Dissent is the highest form of patriotism. But we are a nation of laws, and there are established procedures for changing those laws. We have the ballot box instead of the Anonabox, and for good reason.
If you are a good, loyal citizen, true to the ideas of the founding fathers and possessed of respect for the rule of law, there is no reason to be anonymous. Either you are right, and the democratic voice of the people will join you in a chorus of freedom, or you are wrong and if you continue to inflict harm on our society it will be forced to defend itself.
"If you are a good, loyal citizen, true to the ideas of the founding fathers and possessed of respect for the rule of law, there is no reason to be anonymous."
You are incredibly optimistic here. The US government has the ability to monitor the communications of darn near the entire planet. This is new territory for human beings. Just because things are good for most of us right now, doesn't mean they always will be.
I guess you are living in a parallel universe. The fact that the president is issued from an ethic minority changes absolutely nothing to system. The power is still concentrated in a few hands and lobby groups are dominating everything. As we saw in the past few years, even in a "nation of laws" as you say it, the laws are only in practice mostly applied to constraint the freedom of citizens (Is the massive electronic surveillance done by the NSA is just to make sure that everyone is a good and loyal citizen ?).
There are so many things wrong with this that I don't know where to start....
> Those things might have been reasonable in the past, but we live in 2014. We live in a country that has an ethnic minority president, the first nation anywhere in the world to be progressive enough to do so. We have abolished racism, sexism, homophobia, and classism. We live in an equal, classless, democratic society.
In what world do you live that we have "We have abolished racism, sexism, homophobia, and classism" because I can tell you all 4 of those are still going strong today. Please don't associate the abolishment of slavery with the abolishment of racism, it's so wrong that it's just sad that you seem to think that they are one in the same. Just because we elected "an ethnic minority president" it doesn't mean we get to whitewash history or pretend that racism is dead. As for sexism and homophobia I have witnessed both of these first hand within the last month easily and probably within the last week if I really thought about it. And lastly I would argue classism is actually on the rise, in the US at least (Probably elsewhere but I'm only going to say the US for sure right now).
> It's totally fine to see problems, even with our highly progressive and forward-looking society. Dissent is the highest form of patriotism. But we are a nation of laws, and there are established procedures for changing those laws. We have the ballot box instead of the Anonabox, and for good reason.
"established procedures for changing those laws".... Yeah how is congress doing on that front again?
> If you are a good, loyal citizen, true to the ideas of the founding fathers and possessed of respect for the rule of law, there is no reason to be anonymous. Either you are right, and the democratic voice of the people will join you in a chorus of freedom, or you are wrong and if you continue to inflict harm on our society it will be forced to defend itself.
Majority != Right. It wasn't too long ago that voicing support for homosexuality could have easily gotten you killed (there are many parts of the work were this is still the case) and law enforcement wouldn't have batted an eye. There are and always will be the need for anonymous speech/dissent because it is impossible to change unjust/unfair laws without being associated with the thing you want to change. If you remove anonymity then you also remove the ability to change the laws that you mention we have an "established procedures for changing". Democracy cannot exist without dissent and dissent cannot easily exist without some form of anonymity or dissenting will immediately bring a mob/law enforcement to your front door.
It relies on a malicious server and entry node. The contribution of this paper is that if you have the malicious server and entry node, you can use a less expensive data source (Cisco NetFlow data) rather than raw packets to perform a correlation attack.
The correlation they achieve in a private Tor network is impressive; however, if you look at the graphs in the actual paper[0], you can see that the differences in correlations are actually quite small in the wild.
The title of this post and article is actually incorrect; the technique demonstrated has an 81.4% accuracy. This means that the base rate fallacy will make it nearly unusable in practice, and more so as the scale of Tor traffic grows. For more on the Base Rate Fallacy, see [1].
So in summary:
* This is an incremental improvement of an already existing and known attack pattern on low-latency anonymity systems
* The technique presented in this paper is only a threat if your threat model is an adversary that can control your entry guard and the server you are trying to communicate with, but does not have the budget for packet-level correlation attacks
* This technique does not achieve sufficiently high accuracy and sufficiently low false positives to reliably identify arbitrary Tor users, but might be more successful if used in combination with a prior hypothesis that, say, a specific NSA employee is communicating with GlobalLeaks.
[0] https://mice.cs.columbia.edu/getTechreport.php?techreportID=...
[1] http://archives.seul.org/or/dev/Sep-2008/msg00016.html