[ad]
It seems finally someone has found a flaw in the way Tor works, a way to beat it and find out who is using the system.
Perhaps an end to the most anonymous system on the Internet?
I got this info fresh from SANS.
One of our readers sent in a very worrying analysis of what appeared to be “traffic modification” (in his words) on the part of the Tor network.
The Tor (“The Onion Router”) network is an anonymizing peer-to-peer network of routers on the Internet which uses various techniques to bounce traffic around the Internet in such a way that traffic analysis becomes difficult if not impossible to perform. Tor is a perfect example of a dual-use technology: it can be used to avoid government-imposed Internet censorship or to protect the identity of a corporate whistleblower but at the same time it is sadly ideal for various nefarious uses.
It seems to point to traffic modification on an exit node, packetstorm in particular.
The key tenet of Tor is that it should protect anonymity and the reader’s analysis pointed not only to traffic modification on the part of a so-called “exit router” (the last hop in a Tor circuit before your packets reach the real destination) but also an attempt at tracking the true origin of the traffic (in a Tor network a hop only knows that the traffic comes from a previous hop but no futher back).
Both William Salusky and myself looked into the data and it seemed to implicate packetstormsecurity.org, an exit router in Denmark and, more curiously, a DNS tunnel to transmit data out (via obviously fake hosts under the t.packetstormsecurity.org domain). This last item was interesting because it replicated data which was apparently being submitted to the host via an HTTP cookie so it seemed that the idea was to have the cookie travel to the unwitting Tor user and be sent back via DNS tunnel to an external host to confirm the real identity of the host. As both of us were busy we looked a little deeper but ultimately we recommended that the reader report this to the Tor authors.
A quote from the actual paper.
Clearly Tor’s designers have done a pretty good job: I couldn’t find any weakness in Tor itself that violate the tenets set out at http://tor.eff.org/ (basically that end-to-end traffic analysis is always possible, but the traffic analysis should [be] difficult to everything but a global Echelon). So instead, I attacked the data which Tor carries the most of: web traffic.
Worrying indeed, you can download the paper here:
“Practical Onion Hacking” by Andrew Christensen
Source: SANS
Brian says
Thanks for this post, I use tor pretty extensively myself and I have to say this is troubleing. The only thing is wouldn’t this “vulnerability” fall into the same category as the already known ActiveX and Flash vulnerabilities for these plugin’s requiring a direct connection with the client and thus circumventing the proxy network?
gerg says
This so called paper only describe methods that are known for more than 10 years and that work with every proxy…
There’s no Tor specific flaws in this document.
The paper title is just a way to make lamers talk and provide “instant celebrity” to his author… nothing new here
If you want some real technical paper on Tor search a pdf document on how to discover the location of an hidden service using statistics based on rendez-vous nodes.
ethernode says
So, if the SANS is serious about this, is tor a giant honeypot? Corporate or occult?
Darknet says
Brian: Yah I guess it would, anything as such can circumvent the anonymity of a proxy, that’s why using something like AnonymOS is preferable.
gerg: Thanks I’ll check that out.
ethernode: I don’t think so this a flaw in any proxy based system, it’s just showing how its relevant to Tor aswell. It’s still the best system there is ATM.
ethernode says
I was talking about the packetstormsecurity.org implications, not about the flaw itself. Following what i understood from the article, that would mean that tor’s anonymity features are fake (because of the “sent back via DNS tunnel to an external host to confirm the real identity of the host”) ? I’m beginning to guess i’m saying shit, but doesn’t this back-tunnel outpass the 1-hop only feature?
Chris says
The problem with this paper is that they expect that the user is only using something like Privoxy for Tor. What if the user is default-routing all his TCP traffic through his own Tor proxy box? The method he uses for demasking won’t work because all the TCP traffic is being routed through Tor anyway.
I don’t see anything groundbreaking about this paper and his methods are easily defeated.
navin says
I agree chris, but fact of the matter is tht most users do use privoxy for Tor and don’t really have the technical knowhow on how to set up a personal box…… tht leaves them in a state where their online security can be compromised