[tor-talk] How secure is a hidden service?

Roger Dingledine arma at torproject.org
Fri Feb 21 10:41:42 UTC 2020


On Thu, Feb 20, 2020 at 07:25:32AM +0100, Robin Lee wrote:
> I'm wondering how hidden a hidden service actually is? Because last
> week charges were brought against Flugsvamp, a Swedish darknet drug
> shop. In the documents made public for the court case the police states
> that it was able to trace the actual ip-addresses of the onion-
> addresses. Flugsvamp had two onion-addresses and the police gave
> different probabilities that a certain ip-address was behind each.
> 
> Is it just a function of time and amount of traffic, i.e. the longer
> you are online and the more traffic you generate, the more probable it
> is to discover the true ip-address?

It's complicated.

I should start out with saying I'd never heard of Flugsvamp until your
email, and I have no notion of whether they used Tor or what. That said:

Services on the internet are inherently harder to make safe than clients,
(a) because they stay at the same place for long periods of time, and
(b) because the attacker can induce them to generate or receive traffic,
in a way that's harder to reliably do to clients.

Most identification problems with Tor users, and with onion services,
have turned out to be opsec mistakes, or flaws in the application
software at one end or the other. That is, nothing to do with the Tor
protocol at all. But of course in the "layers of conspiracy" world we
live in nowadays, you can never be quite sure, because maybe "they"
used a complex attack on Tor and then covered it up by pointing to an
opsec flaw. One hopefully productive way forward is to point out that
even if we don't know how every successful attack really started, we
know that opsec flaws are sufficient to explain most of them.

When I'm doing talks about Tor these days, I list these four areas
of concern, ordered by how useful or usable they are to attackers in
practice: (1) Opsec mistakes, (2) Browser metadata fingerprints / proxy
bypass bugs, (3) Browser / webserver exploits, and (4) Traffic analysis.

See e.g. the original story about Farmer's Market:
https://blog.torproject.org/trip-report-october-fbi-conference
where at first people worried about a vulnerability in Tor, but then it
turned out that the operators had been identified and located far before
they even switched to using Tor.

To make this thread more productive and more concrete: can you point us
to these "documents made public for the court case"? Even if they're in
Svenska, they would still be useful to look at. The ones talking about
probabilities of IP address I mean.

Thanks,
--Roger


