[tor-talk] Getting de-anonymized with SSH (J. S. Evans)

jsevans at gardeng.nom.es
Mon Apr 9 02:54:54 UTC 2018


Hello, first of all, thank you for the feedback.


On 2018-04-08 15:40, Me wrote:
> It can be complicated. Tor itself provides a multi-hop anonymizing TCP
> connection, however what your application may or
> may not do outside of Tor is uncontrolled, this is why the Tor Browser
> is recommended for use instead of simply proxying
> your regular browser through Tor, TBB is designed to minimize
> undesired side channels.
> 
> Your question really is asking about undesired side channels, so the
> answer is, "It Depends". I'm not trying to be
> flippant, it can be complicated. For example if your client application
> checks server SSH certificates for status (CRL &
> OCSP) then you have two immediate concerns: (1) is the OCSP check
> routing outside of Tor, thus potentially
> de-anonymizing you immediately, (2) Even if the cert check runs
> through Tor, do you ever access it outside of Tor,
> creating a potential for correlation. This is why there is still
> ongoing discussion of whether one should use certs
> within Tor.

I would like to be specific about what I have in mind. In /etc/tor/torrc, I 
uncomment these lines:

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22

I then start the tor service and block port 22 with my local firewall so 
no normal TCP traffic goes to it.

I only access it remotely via "torsocks ssh xxxxxxxxx.onion"

I wasn't thinking about potential issues with the certificate. Thanks 
for bringing that up, I'll look into that. Vanilla telnet might be an 
option. Obviously, you would never do that in the open internet, but 
it's not such a bad idea within the confines of Tor and its inherent 
security.

> 
> Another common side channel is DNS. Does the address resolution happen
> outside Tor (unfortunately a common error), in
> which case you're immediately de-anonymized. Even if it takes place
> within Tor, do you ever use it outside of Tor, again
> creating a potential for correlation.

From what I can tell, torsocks acts like a wrapper around the 
application that I am trying to use, in the case of my example, it is 
only the ssh client in most Linux distros. Does torsocks block or 
intercept DNS requests or does it just allow those requests to go 
through Tor? If it's just a passive proxy, I will need to research how 
to keep the ssh client from trying to use DNS.


> 
> Then there are more esoteric concerns such as the potential for traffic
> analysis. Does your application create a periodic
> pattern of traffic bursts that could be correlated? This would require
> some pretty heavy effort, but not impossible. Do
> you have a Hidden Service that comes up and goes down in sync with a
> public presence?
> 
> Last but not least, there are many executable products that run on
> your local machine, like JavaScript, that may
> de-anonymize, intentionally or otherwise, that are not obvious, such
> as: PDF documents, MS Office documents, and others.
> It's important to set your routing rules to allow ONLY your expected
> Tor connects and disallow everything else.
> 

I don't think this would be an issue in my situation as there would be 
one application only using Tor and not the entire system.

>> Message: 1
>> Date: Sun, 8 Apr 2018 02:40:22 -0600
>> From: "J. S. Evans" <jsevans at gardeng.nom.es>
>> To: <tor-talk at lists.torproject.org>
>> Subject: [tor-talk] Getting de-anonymized with SSH
>> Message-ID: <000701d3cf15$3e1c6ef0$ba554cd0$@gardeng.nom.es>
>> Content-Type: text/plain;	charset="us-ascii"
>> 
>> Hi all,
>> 
>> First of all, I know that the best way to stay anonymous on Tor when
>> browsing the web is to use the Tor Browser and be smart about how you use it.
>> What about when you're not using the web? If I am using ssh over Tor, is
>> there a good chance that I can be de-anonymized? By this I mean ssh to an
>> onion service not to the external internet.
>> I would think that it is more safe than the web since you don't have to
>> worry about things like javascript, etc.
>> 
>> Am I correct, or are there other things that I am not aware of? 
>> Thanks!
>> 
>> Jason
>> 
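Added example, not part of the thread above: the DNS side channel discussed in this exchange comes down to whether the .onion name is ever handed to the operating system's resolver. torsocks avoids that by wrapping the application so its connections and name lookups go to Tor's SOCKS interface; the code below does the same thing explicitly, building a SOCKS5 CONNECT request with the "domain name" address type so the literal hostname travels to Tor unresolved, and decoding Tor's reply. It assumes Tor's SOCKS listener at 127.0.0.1:9050 (Tor's default, not stated on the page); the hostname and port values are constructed, and the network-facing function is only used if you call it yourself.

```python
"""Minimal SOCKS5 client that sends a .onion name to Tor unresolved.

Added example, not from the thread. Assumes Tor's default SOCKS port
127.0.0.1:9050; all sample values are constructed.
"""
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
NO_AUTH = 0x00

# Reply codes from RFC 1928 section 6; Tor returns the same values.
REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def greeting() -> bytes:
    """Client hello offering only the 'no authentication' method."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def connect_request(hostname: str, port: int) -> bytes:
    """CONNECT request using the DOMAINNAME address type (0x03).

    The hostname bytes go straight into the request; socket.getaddrinfo()
    is never called, so the name cannot leak to the local resolver.
    """
    name = hostname.encode("idna")
    if not name or len(name) > 255:
        raise ValueError("hostname must be 1..255 bytes for SOCKS5")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return (struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN)
            + bytes([len(name)]) + name + struct.pack("!H", port))


def parse_reply(data: bytes) -> tuple:
    """Decode the 4-byte SOCKS5 reply header; returns (code, description)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed SOCKS5 reply")
    code = data[1]
    return code, REPLY_TEXT.get(code, "unknown reply 0x%02x" % code)


def is_onion(hostname: str) -> bool:
    """True for names Tor will route to an onion service."""
    return hostname.lower().rstrip(".").endswith(".onion")


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SOCKS proxy closed the connection")
        buf += chunk
    return buf


def open_tor_stream(hostname: str, port: int, proxy=("127.0.0.1", 9050), timeout=60.0):
    """Return a TCP socket to hostname:port tunnelled through Tor's SOCKS port.

    Refuses non-.onion names as a guard against accidentally reaching the
    clearnet; only the proxy address is ever given to the OS networking stack.
    """
    if not is_onion(hostname):
        raise ValueError("this helper only connects to .onion services")
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(greeting())
        ver, method = _recv_exact(sock, 2)
        if ver != SOCKS_VERSION or method != NO_AUTH:
            raise ConnectionError("proxy rejected the no-auth method")
        sock.sendall(connect_request(hostname, port))
        head = _recv_exact(sock, 4)
        code, text = parse_reply(head)
        if code != 0x00:
            raise ConnectionError("Tor could not connect: " + text)
        # Drain the bound address so the caller starts with a clean stream.
        atyp = head[3]
        if atyp == ATYP_IPV4:
            _recv_exact(sock, 4 + 2)
        elif atyp == ATYP_IPV6:
            _recv_exact(sock, 16 + 2)
        elif atyp == ATYP_DOMAIN:
            (n,) = _recv_exact(sock, 1)
            _recv_exact(sock, n + 2)
        else:
            raise ConnectionError("unexpected bound address type")
        sock.settimeout(None)
        return sock
    except Exception:
        sock.close()
        raise
```

The property worth checking in any wrapper is the one `connect_request` makes explicit: the name is serialised into the SOCKS request rather than resolved first. A tool that resolves the name and then sends an IPv4 address type (0x01) has already emitted the DNS query the thread warns about, whatever happens to the TCP stream afterwards.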

