[tor-talk] How secure is a hidden service?

Robin Lee robinlee at mailbox.org
Sat Feb 22 07:15:08 UTC 2020


On Fri, 2020-02-21 at 05:41 -0500, Roger Dingledine wrote:
> On Thu, Feb 20, 2020 at 07:25:32AM +0100, Robin Lee wrote:
> > I'm wondering how hidden a hidden service actually is? Because last
> > week charges were brought against Flugsvamp, a Swedish darknet drug
> > shop. In the documents made public for the court case the police states
> > that it was able to trace the actual ip-addresses of the onion-addresses.
> > Flugsvamp had two onion-addresses and the police gave different
> > probabilities that a certain ip-address was behind each.
> > 
> > Is it just a function of time and amount of traffic, i.e. the longer
> > you are online and the more traffic you generate, the more probable it
> > is to discover the true ip-address?
> 
> It's complicated.
> 
> I should start out with saying I'd never heard of Flugsvamp until your
> email, and I have no notion of whether they used Tor or what. That said:
> 
> Services on the internet are inherently harder to make safe than clients,
> (a) because they stay at the same place for long periods of time, and
> (b) because the attacker can induce them to generate or receive traffic,
> in a way that's harder to reliably do to clients.
> 
> Most identification problems with Tor users, and with onion services,
> have turned out to be opsec mistakes, or flaws in the application
> software at one end or the other. That is, nothing to do with the Tor
> protocol at all. But of course in the "layers of conspiracy" world we
> live in nowadays, you can never be quite sure, because maybe "they"
> used a complex attack on Tor and then covered it up by pointing to an
> opsec flaw. One hopefully productive way forward is to point out that
> even if we don't know how every successful attack really started, we
> know that opsec flaws are sufficient to explain most of them.
> 
> When I'm doing talks about Tor these days, I list these four areas
> of concern, ordered by how useful or usable they are to attackers in
> practice: (1) Opsec mistakes, (2) Browser metadata fingerprints / proxy
> bypass bugs, (3) Browser / webserver exploits, and (4) Traffic analysis.
> 
> See e.g. the original story about Farmer's Market:
> https://blog.torproject.org/trip-report-october-fbi-conference
> where at first people worried about a vulnerability in Tor, but then it
> turned out that the operators had been identified and located far before
> they even switched to using Tor.
> 
> To make this thread more productive and more concrete: can you point us
> to these "documents made public for the court case"? Even if they're in
> Svenska, they would still be useful to look at. The ones talking about
> probabilities of IP address I mean.

These documents are available at 
https://minfil.com/bbu3q0Y4ne/FUP_B_13010-18_zip

Page 103 in the file 'Stockholms TR B 13010-18 Aktbil 202.pdf' contains
a short PM about the tracing. 

It is a vast set of documents, but as far as I've been able to tell,
identifying the VPS servers behind the onion addresses was the first
step.
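Editor's note: the thread above says nothing about how the VPS servers in this case were identified, and the example below does not claim to. It illustrates only the first and most common of the four classes Roger lists, the opsec mistake, with one concrete instance: the web server behind an onion service is bound to a wildcard address, so the same content is reachable directly on the host's real IP and can be matched to the onion site. This is an added example, not code from the thread or from the Tor project; the torrc fragment and the `ss -ltn` listing are constructed sample input, and the function names are mine.

```python
import re
from ipaddress import ip_address

# Constructed torrc fragment (sample input, not from the thread or the case).
TORRC = """\
HiddenServiceDir /var/lib/tor/shop/
HiddenServicePort 80 127.0.0.1:8080
HiddenServicePort 443 127.0.0.1:8443
"""

# Constructed `ss -ltn` style listing (sample input). The 8080 backend is bound
# only to loopback; the 8443 backend is also bound to the wildcard address, so
# it answers on the host's public IP as well as through Tor.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8443        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
"""


def parse_hidden_service_targets(torrc):
    """Return the set of (host, port) backends that Tor forwards onion traffic to.

    torrc forms handled: 'HiddenServicePort VIRTPORT' (target defaults to
    127.0.0.1:VIRTPORT), 'VIRTPORT PORT', 'VIRTPORT HOST:PORT' (IPv6 hosts in
    brackets), 'VIRTPORT HOST' (port defaults to VIRTPORT). unix: targets are
    skipped because they are not reachable over IP at all.
    """
    targets = set()
    for line in torrc.splitlines():
        m = re.match(r"\s*HiddenServicePort\s+(\d+)(?:\s+(\S+))?", line)
        if not m:
            continue
        virtport, target = int(m.group(1)), m.group(2)
        if target is None:
            targets.add(("127.0.0.1", virtport))
        elif target.startswith("unix:"):
            continue
        elif target.isdigit():
            targets.add(("127.0.0.1", int(target)))
        elif ":" in target:
            host, port = target.rsplit(":", 1)
            targets.add((host.strip("[]"), int(port)))
        else:
            targets.add((target, virtport))
    return targets


def parse_listeners(ss_output):
    """Return the set of (address, port) listening sockets from `ss -ltn` output."""
    listeners = set()
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header line or something other than a listening socket
        addr, port = parts[3].rsplit(":", 1)
        listeners.add((addr.strip("[]"), int(port)))
    return listeners


def is_loopback(addr):
    """True only for a real loopback address; '*' and 0.0.0.0 / :: are wildcards."""
    if addr == "*":
        return False
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def find_exposed_backends(torrc, ss_output):
    """List (target_host, port, bound_address) for onion backends that also
    listen on a non-loopback address, i.e. are reachable by the host's real IP."""
    targets = parse_hidden_service_targets(torrc)
    listeners = parse_listeners(ss_output)
    exposed = []
    for host, port in targets:
        for addr, lport in listeners:
            if lport == port and not is_loopback(addr):
                exposed.append((host, port, addr))
    return sorted(exposed)


if __name__ == "__main__":
    for host, port, addr in find_exposed_backends(TORRC, SS_OUTPUT):
        print(f"backend {host}:{port} is also bound to {addr}: reachable without Tor")
```

On a real host you would feed it the live torrc and the output of `ss -ltn`; a clean result is necessary but not sufficient, since the same class of mistake also includes server headers, error pages, TLS certificates or application data that name the real host.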
