[tor-dev] "Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization"

Roger Dingledine arma at mit.edu
Mon May 27 19:07:17 UTC 2013


On Mon, May 27, 2013 at 11:39:06AM -0700, Micah Lee wrote:
> Would it be fair to say that using the techniques published in this
> paper an attacker can deanonymize a hidden service?

Yes, if you're willing to sustain the attack for months.

But actually, this Oakland paper you're looking at is a mash-up of two
paper ideas. The first explores how to become an HSDir for a hidden
service (so you can learn its address and measure its popularity),
and then how to become all the HSDirs for a hidden service so you can
tell users it's not there. That part is novel and neat. The second idea
explores, very briefly, how guard rotation puts hidden services at risk
over the course of months. Imo this second issue, which I think is the one
you're interested in, is much better explored in Tariq's WPES 2012 paper:
http://freehaven.net/anonbib/#wpes12-cogs
and you should realize that the risk applies to all Tor users who use
Tor over time and whose actions are linkable to each other (e.g. logging
in to the same thing over Tor).

> Based on this thread it looks like there are several open bugs that need
> to be fixed to prevent these attacks. It seems to be that hidden
> services still have advantages to leak sites (sources are forced to use
> Tor, end-to-end crypto without relying on CAs), but for the time being
> the anonymity of the document upload server isn't one of them.

It still requires a pretty serious attacker to pull this off. But it
is also a realistic attack for this pretty serious attacker. I guess it
depends where your bar is -- it cannot, alas, be very high at this point
for a low-latency network like Tor that's still pretty small. But I think
it would be incorrect to say that hidden services have "no" anonymity.
(Also, as you say, anonymity for the news collection website may not be
its most important security property.)

The attack to compare it to would be a network-level (AS-level or
IX-level) observer who watches whatever parts of the Internet it can
see, and hopes that it observes a flow between Alice (the Tor client)
and one of her guards. As Alice rotates guards, both due to natural
relay churn and due to guard rotation, the chance that such an attacker
sees one of these flows goes up. This attack is not easy to resolve,
since it has to do with Internet topology, Tor network topology, and
the user and destination locations relative to these.

Hidden services do seem inherently at a disadvantage, because the
attacker can dictate how often they talk to the network. Whether that
disadvantage is significant depends on how pessimistic you are about
the rest of the problem.

See also "Measuring the safety of the Tor network" and "Better guard
rotation parameters" on http://research.torproject.org/techreports.html
for further background and open research questions.

> Is this
> accurate, and is there any estimate on how long do you think this will
> be the case? Months, years?

Depends how we end up resolving the guard rotation issue. We should
raise the guard rotation period, which will screw up load balancing
(and thus performance) unless we teach clients to handle it; and we
should reduce the number of guards a client uses, which will increase
variance of performance, making more Tor users stuck with crappy guards
and hating life.

"Sooner if you help", I think is the phrase the Debian folks use? :)

--Roger
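An added example that is not part of Roger's message or any Tor code; it puts rough numbers on the guard-rotation trade-off discussed above by treating each guard pick as an independent chance that an observer (a relay operator or an AS/IX-level watcher) sees a client-to-guard flow. The guard counts, rotation periods, churn rate and observed fraction below are assumed illustrative values, not Tor's actual parameters.

```python
import math


def expected_guard_picks(days, num_guards, rotation_days, churn_per_day):
    """Expected number of guard selections a client makes over `days` days.

    Each of the num_guards guard slots is filled once at the start and then
    re-picked every rotation_days (scheduled guard rotation); on top of that
    a slot is re-picked whenever its relay leaves the network, modelled as a
    churn_per_day chance per relay per day (natural relay churn).
    This is an assumed simplified model, not Tor's actual guard algorithm.
    """
    scheduled = num_guards * math.ceil(days / rotation_days)
    churn = num_guards * days * churn_per_day
    return scheduled + churn


def prob_observed(days, num_guards, rotation_days, churn_per_day, observed_fraction):
    """Probability that at least one guard picked over `days` is one the
    observer sees, assuming each pick independently lands on an observed
    relay with probability observed_fraction (the observer's share of guard
    bandwidth, or the share of client-guard links an AS/IX watcher can see)."""
    picks = expected_guard_picks(days, num_guards, rotation_days, churn_per_day)
    return 1.0 - (1.0 - observed_fraction) ** picks


def compare(days, churn_per_day, observed_fraction, settings):
    """Return {label: probability} for each (num_guards, rotation_days) setting."""
    return {
        label: prob_observed(days, n, rot, churn_per_day, observed_fraction)
        for label, (n, rot) in settings.items()
    }


if __name__ == "__main__":
    # Constructed parameter values for illustration only: fewer guards and a
    # longer rotation period both cut the number of picks, at the cost of the
    # load-balancing and performance-variance problems the message describes.
    settings = {
        "3 guards, rotate every 30 days": (3, 30),
        "3 guards, rotate every 270 days": (3, 270),
        "1 guard, rotate every 270 days": (1, 270),
    }
    for label, p in compare(180, 0.002, 0.01, settings).items():
        print(f"{label:32s} P(observed within 180 days) = {p:.3f}")
```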