[tor-talk] Illegal Activity As A Metric of Tor Security and Anonymity

Mark McCarron mark.mccarron at live.co.uk
Tue Jul 1 21:06:38 UTC 2014



What you are seeking a full design for a distributed Web Hosting platform within Tor.  Let's see...

We can use the existing mechanisms for hidden services, but rather than directing packets to/from a externally hosted site, we direct the packets internally within onion land.  On an initial page request, packets are directed to a random node on Tor network to find the first portion of the page.  That node then selects another random node to deliver the next portion.  This process repeats until all content is delivered to the client.

There are are a number of important elements in this design:  

1.  "Page/Content/Media portions" can be migrated anywhere in the network randomly.  This is an automated system.  
2.  The network forgets content/media not access for a long time.
3.  Migrations should look no different than regular connections
4.  There is no way to query the location of "Page/Content/Media portions" (that is internal to the network)
5.  No optimisation should be made for geographic delivery
6.  Uploads are shredded and delivered to different nodes (network migrates them)
7.  All data is encrypted before upload. (route through decryption nodes when properly accessed as a .onion address)
8.  Encryption keys are regularly changed
9.  Multiple copies of each site improving availability.
10.  Using hashes, remove duplicates of pages/content/media (instead share the same resource as a link/reference)

That would be the basics of it.  It needs fully fleshed out but to the end user it would be a CPanel like interface and a standard website with DB support.

I'll see about expanding on this.


Mark McCarron

> Date: Tue, 1 Jul 2014 16:00:59 -0400
> From: paul.syverson at nrl.navy.mil
> To: tor-talk at lists.torproject.org
> Subject: Re: [tor-talk] Illegal Activity As A Metric of Tor Security and Anonymity
> On Tue, Jul 01, 2014 at 08:31:00PM +0100, Mark McCarron wrote:
> > Paul,
> > 
> [snip]
> > Eliminating this correlation attack is trivial.  
> So you keep saying. Everybody who has worked on this who has responded
> has said that they don't know how and that they find this a hard
> problem. But your response is simply to keep repeating that it is
> trivial to eliminate without telling us how.
> > The attack is dependent on having visibility at both ends.  One at
> > the users end (perhaps ISP) and one near the hidden service (perhaps
> > exchange).  It doesn't take much to match these two together (like
> > multiple nations sharing intelligence data).  One simple attack is
> > just to flood the hidden service with connections and note where
> > traffic spikes.
> > 
> > So, the simple solution is to distribute hidden services within Tor,
> > so that class of attack will fail.  There are no servers in a data
> > center to expose because it is everywhere and no one can tell, just
> > by examining the flow of encrypted packets, who was looking at what.
> Lots of smart people have thought about hidden service design. E.g.,
> Karsten did his dissertation on it and earlier guard nodes were
> introduced to Tor based on Lasse and my illustration of how easy
> attacks were on hidden services without guards. Our original design of
> hidden services in Tor harks back to notions of rendezvous services in
> earlier NRL onion routing work and earlier work by Ian Goldberg, I
> think in _his_ dissertation if memory serves.  That HS design
> languished at times while other aspects of Tor were more urgently
> worked on and that they could use more attention has been
> acknowledged, and it is getting some. It could use still more and will
> hopefully be getting it soon.
> You may be way smarter than all of these people, but so smart that we
> can't infer how your simple solution works from these two sentence
> descriptions. As a kneejerk thought based on just even this brief
> description: a malicious active client is a trivial adversary to
> create. It can induce whatever signature it wants on its flow to the
> HS and can actively affect flows from the HS. What keeps the Tor relay
> adjacent to the HS or the ISP at the HS or between it and the adjacent
> relay from recognizing timing signals from malicious clients?
> For that matter, I don't understand why the system you mention would
> not be vulnerable to the attack you mention to motivate it.
> > 
> > Now, I know there are a wide range of additional methods to expose
> > users and the majority are beyond your direct control, but this type
> > of attack is something within your control.
> Please illustrate how. Please give a design sketch with at least
> enough details and at a simple enough level of description that even
> the world's top hidden service design and analysis researchers can
> understand it since they keep telling you they don't understand these
> trivial fixes you keep mentioning.
> [snip]
> aloha,
> Paul
> -- 
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

More information about the tor-talk mailing list