Makes you wonder how safe we really are https://newsoffice.mit.edu/2015/tor-vulnerability-0729
MIT broke TOR
[23 Points] throwituhway789789:
[9 Points] The_fire_bird:
I'm curious for more information. I'll happily accept that they can figure out which clearnet sites you're accessing (although without also compromising the exit, they won't know what you sent).
However I'm unsure to what extent they can snoop on hidden services. So they can identify the traffic pattern that tells them you're accessing a hidden site -- can they figure out which one it is, or just that you're connecting to a hidden service?
One thing remains of note, the article did quite emphatically say that they haven't broken the encryption (they didn't need to), so the contents of your transmission remain unknown.
I'm just curious how much they can figure out, for example, for a regular user accessing hidden services: Can they see that you're connecting to a hidden service, or can they immediately tell that it's Agora? (just an example)
Then on the hidden service host side: Can they see that you're hosting a hidden service, or can they immediately tell that it's Agora?
Personally, not enough info was provided in the article, but I suspect it's the former each time, to such extent that I would guess that even for anonymous clearnet browsing, they still can't figure out where you're connecting to (that would surely involve breaking the encryption), but they can figure out that you're not trying to access hidden services, so will probably treat that as low priority.
[5 Points] PathlessDemon:
Just in time to scare a whole bunch of folks on to HORNET.
I'm sure TorDev's got plans in the works to adjust properly.
[2 Points] seattleprocess:
I lost a lot of respect for MIT after what they did to Aaron Swartz. That ultimately resulted in him being charged with "computer crimes" for doing nothing more than downloading JSTOR articles. He ended up hanging himself once his future began to seem so bleak due to the potential outcome of the trial. Some would argue, MIT has his blood on their hands.
So I wouldn't put it past MIT researchers to hand over their findings to the bad guys before they share them with the Tor developers or general public. Also consider this:
> Researchers at MIT and the Qatar Computing Research Institute (QCRI) have now demonstrated a vulnerability in Tor’s design.

Qatar, as in the same Qatar that is one of the wealthiest countries in the world yet has a horrid human rights record towards its workers? The same Qatar that is now in the middle of the World Cup corruption scandal? The same Qatar that treats these workers effectively as property and gives them very poor working conditions, resulting in the deaths of countless construction workers?
I don't think I'd trust them much either.
[1 Points] None:
Makes you really wonder whether they're going to take up a position with a government agency and spill the beans; they undoubtedly have saved information with regards to DarkNet Markets.
[1 Points] 909i09ie99iq:
> The researchers’ attack requires that the adversary’s computer serve as the guard on a Tor circuit.

There are a hundred ways to attack someone if the guard node is compromised, you people are idiots if you think this represents a threat against the entire network.

> The researchers showed that simply by looking for patterns in the number of packets passing in each direction through a guard, machine-learning algorithms could, with 99 percent accuracy, determine whether the circuit was an ordinary Web-browsing circuit, an introduction-point circuit, or a rendezvous-point circuit. Breaking Tor’s encryption wasn’t necessary.

This is a timing attack, this already exists.

> Furthermore, by using a Tor-enabled computer to connect to a range of different hidden services, they showed that a similar analysis of traffic patterns could identify those services with 88 percent accuracy. That means that an adversary who lucked into the position of guard for a computer hosting a hidden service, could, with 88 percent certainty, identify it as the service’s host.

This attack was already detailed regarding deanonymizing the traffic to/from hidden services, claiming it was easy to become a rendezvous point for a hidden server and correlate traffic given the attacker controlled a user's guard node as well.
Congrats MIT, you reinvented the wheel, golf clap.

> To defend against this type of attack, “We recommend that they mask the sequences so that all the sequences look the same,” AlSabah says. “You send dummy packets to make all five types of circuits look similar.”

Yeah good luck with that, the Tor developers are against adding any sort of junk packets lest they slow down the rate at which drugs and child porn flow through the network.
edit: I'd ask the mods to mark this as fud but they are probably too busy censoring legitimate posts.
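
Added example (not part of the thread, the article, or the researchers' work): a toy model of the dummy-packet defense quoted in the comment above, showing that padding every circuit to the same per-direction cell count leaves a count-based classifier at chance, and what that costs in extra cells. All counts are constructed, and the five circuit labels are assumed names for the "five types of circuits" the quote mentions.

```python
# Constructed (outgoing, incoming) cell counts as a guard would see them early
# in a circuit. Illustrative values only, NOT measurements of real Tor traffic.
# The five labels are assumed names for the "five types of circuits".
OBSERVED = {
    "general":            [(3, 9), (4, 10), (3, 8)],
    "client-intro":       [(4, 3), (4, 4), (5, 3)],
    "client-rendezvous":  [(5, 14), (6, 15), (5, 13)],
    "service-intro":      [(3, 1), (3, 2), (2, 1)],
    "service-rendezvous": [(12, 5), (13, 6), (12, 4)],
}


def centroid(points):
    """Mean (outgoing, incoming) count for one circuit type."""
    n = len(points)
    return (sum(p[0] for p in points) / n, sum(p[1] for p in points) / n)


def classify(sample, centroids):
    """Guess the circuit type whose centroid is nearest to the sample."""
    def dist(label):
        c = centroids[label]
        return (sample[0] - c[0]) ** 2 + (sample[1] - c[1]) ** 2
    return min(centroids, key=dist)


def accuracy(data):
    """Fraction of samples labelled correctly (scored on the same toy data)."""
    cents = {label: centroid(pts) for label, pts in data.items()}
    pairs = [(label, s) for label, pts in data.items() for s in pts]
    return sum(classify(s, cents) == label for label, s in pairs) / len(pairs)


def pad_all(data):
    """Add dummy cells until every circuit shows the same count per direction.

    Returns the padded observations and dummy cells sent per real cell.
    """
    samples = [s for pts in data.values() for s in pts]
    top_out = max(s[0] for s in samples)
    top_in = max(s[1] for s in samples)
    padded = {label: [(top_out, top_in)] * len(pts) for label, pts in data.items()}
    real = sum(s[0] + s[1] for s in samples)
    dummy = sum((top_out - s[0]) + (top_in - s[1]) for s in samples)
    return padded, dummy / real


if __name__ == "__main__":
    padded, overhead = pad_all(OBSERVED)
    print(accuracy(OBSERVED), accuracy(padded), round(overhead, 2))
```

On these constructed numbers the padding costs about 1.3 dummy cells for every real cell, which is the bandwidth trade-off the comment's last reply is pointing at.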
[1 Points] None:
[0 Points] pecrophilyak:
there are multiple papers on how to de-anon (to a certain level) services as well as users within the TOR network thru traffic/time correlated analysis and compromised nodes. the lil information you get from the MIT dicks sound like nothing new at all, really. I don't consider it a real risk (no details?) whereas the papers talkin about details of compromised nodes/part of the chain DO sound like a threat. with compromised nodes you still need to analyse traffic, you need to do it regardless of the attack cuz the encryption ain't and won't be broken. content itself is always safe. I wanted to provide some links but I'm too fucking lazy. google scholar will help out I guess. all papers are available to the public, no paid content. there's other vulns that one should be aware of cuz it's a lot easier to pull an attack via those ways than sophisticated correlation analysis with compromised nodes. like Cisco's NetFlow http://thestack.com/chakravarty-tor-traffic-analysis-141114
[-5 Points] jerry61:
if tor is broken why can i still use it... FUD
But they also offered a solution. Hopefully the wizards at the Tor Project take care of this quickly.