[tor-talk] Illegal Activity As A Metric of Tor Security and Anonymity

Paul Syverson paul.syverson at nrl.navy.mil
Tue Jul 1 20:00:59 UTC 2014 

On Tue, Jul 01, 2014 at 08:31:00PM +0100, Mark McCarron wrote:
> Paul,
> 
[snip]
> Eliminating this correlation attack is trivial.  

So you keep saying. Everybody who has worked on this who has responded
has said that they don't know how and that they find this a hard
problem. But your response is simply to keep repeating that it is
trivial to eliminate without telling us how.

> The attack is dependent on having visibility at both ends.  One at
> the users end (perhaps ISP) and one near the hidden service (perhaps
> exchange).  It doesn't take much to match these two together (like
> multiple nations sharing intelligence data).  One simple attack is
> just to flood the hidden service with connections and note where
> traffic spikes.
> 
> So, the simple solution is to distribute hidden services within Tor,
> so that class of attack will fail.  There are no servers in a data
> center to expose because it is everywhere and no one can tell, just
> by examining the flow of encrypted packets, who was looking at what.

Lots of smart people have thought about hidden service design. E.g.,
Karsten did his dissertation on it and earlier guard nodes were
introduced to Tor based on Lasse and my illustration of how easy
attacks were on hidden services without guards. Our original design of
hidden services in Tor harks back to notions of rendezvous services in
earlier NRL onion routing work and earlier work by Ian Goldberg, I
think in _his_ dissertation if memory serves.  That HS design
languished at times while other aspects of Tor were more urgently
worked on and that they could use more attention has been
acknowledged, and it is getting some. It could use still more and will
hopefully be getting it soon.

You may be way smarter than all of these people, but so smart that we
can't infer how your simple solution works from these two sentence
descriptions. As a kneejerk thought based on just even this brief
description: a malicious active client is a trivial adversary to
create. It can induce whatever signature it wants on its flow to the
HS and can actively affect flows from the HS. What keeps the Tor relay
adjacent to the HS or the ISP at the HS or between it and the adjacent
relay from recognizing timing signals from malicious clients?
For that matter, I don't understand why the system you mention would
not be vulnerable to the attack you mention to motivate it.

 
> 
> Now, I know there are a wide range of additional methods to expose
> users and the majority are beyond your direct control, but this type
> of attack is something within your control.

Please illustrate how. Please give a design sketch with at least
enough details and at a simple enough level of description that even
the world's top hidden service design and analysis researchers can
understand it since they keep telling you they don't understand these
trivial fixes you keep mentioning.

[snip]

aloha,
Paul

More information about the tor-talk mailing list