Silk Road forums
Discussion => Security => Topic started by: Heyenezz on January 20, 2012, 07:30 am
-
If someone were to use a Tor bridge, would the person operating the bridge be able to view your Tor traffic or know what sites you were visiting or what you were doing?
I might need to use Tor bridges when going back to college.
Thanks for any help!
-
If someone were to use a Tor bridge, would the person operating the bridge be able to view your Tor traffic or know what sites you were visiting or what you were doing?
No more so than when using normal Tor relays, which is to say extremely unlikely. Tor bridges function the same as any other Tor relay save for the fact that their IP address isn't as public. You might consider changing your bridge(s) often to help defend from longer-term profiling (correlation) attacks, however.
-
If someone were to use a Tor bridge, would the person operating the bridge be able to view your Tor traffic or know what sites you were visiting or what you were doing?
I might need to use Tor bridges when going back to college.
Thanks for any help!
As I understand it, an attacker operating a Tor relay (and this includes bridges) can use sophisticated monitoring techniques to see what sites you're visiting, but they can't decipher the content of your communication. So an attacker monitoring your web traffic could see, for example, that you went to www.safe-mail.com, but couldn't see what you're doing there. That could change because people are always trying new hacks that might allow them to monitor Tor traffic.
But here's a strategy to use if you want to be sure the bridge you're connecting to is safe: run your own bridge. On another computer on a different network (say a friend's PC or a PC at work or school), set up the Tor software to function as a bridge. Then copy the bridge IP address and port used to connect, which will be entered in the Settings -> Network tab of Vidalia on the PC you use to connect to the Tor network. The bridge is your first hop connection to Tor, and if you are the one controlling that first hop you can feel a little safer using Tor.
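As an added illustration of the run-your-own-bridge setup described above (not configuration from the original thread or from the Tor Project's documentation), here is what the two sides look like in torrc form, which is what Vidalia's Settings -> Network tab writes for you under the hood. The option names are real Tor configuration directives; the IP address, port and nickname are placeholders to replace with your own.

```text
# torrc on the machine that will act as your private bridge
# (the "other computer on a different network" from the post above)
BridgeRelay 1
ORPort 443                 # port the client will connect to; choose one reachable through that network's firewall
ExitPolicy reject *:*      # a bridge only relays into the Tor network; it never exits traffic itself
PublishServerDescriptor 0  # keep it private: do not register with the bridge authority or distribution mechanisms
Nickname privbridge        # placeholder name, purely cosmetic

# torrc on the PC you actually browse from
# (equivalent to entering the bridge in Vidalia's Settings -> Network tab)
UseBridges 1
Bridge 203.0.113.10:443    # placeholder IP:port of the bridge above; append its fingerprint if you have it
```

After restarting Tor on the bridge machine, its log should report that the ORPort was found reachable from the outside; if it does not, the client will fail to bootstrap through it and no amount of client-side tinkering will help. Note that this only changes who operates your first hop: the bridge sees your real IP address exactly as any entry guard would, so the gain is that this first hop is a machine you control rather than a stranger's.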
-
If someone were to use a Tor bridge, would the person operating the bridge be able to view your Tor traffic or know what sites you were visiting or what you were doing?
I might need to use Tor bridges when going back to college.
Thanks for any help!
I would not rely on anything anyone on this forum says about TOR (this includes myself too ofc). I suggest you find some papers written on bridges, especially ones written by Roger Dingledine, the lead developer of TOR. Although it doesn't apply to your specific question, this paper is a good starting point: http://www-users.cs.umn.edu/~hopper/surf_and_serve.pdf
-
QTC, allow me to point out that the network is actually named Tor and that it is no longer an acronym for the onion router. Tor is actually not technically an onion router either, although it is very frequently called one. These points are mostly unimportant trivia.
Bridges are imo very important for vendors to be using. When you load Tor your client directly bootstraps at one of about eight directory authority servers. These servers are run by people that the Tor devs trust (and they need to trust them because if four of them are pwnt by the same attacker at any given time, and the attacker also has access to a (fairly) large amount of bandwidth, they can deanonymize large percentages of the Tor network as well as intercept large percentages of exit traffic. It is worth noting that they could not do this without being detected in a fairly short period of time). It is probably not that hard for an attacker to monitor some of the directory authority servers; the federal police of a country can almost certainly monitor all connections to and from any directory authority server in their country. I think several are in the USA and Germany. Monitoring connections to and from directory authority servers allows an attacker to enumerate Tor client IP addresses; an attacker who can monitor all directory authority servers can enumerate the IP address of every single non-bridged Tor client.
When you use bridges they act as directory guards as well as entry guards. Unlike Tor directory authority nodes and normal entry guards, there is not an easily available list of all bridge node IP addresses (although some of the Tor devs have access to this information, as well as hackers who can pwn bridge distribution servers or mechanisms) and most attackers can only enumerate some percentage of bridge nodes (I think China blocked something like 85% of them last time I checked). Also, there are several hundred bridge nodes (maybe even over a thousand now) so it is much harder to monitor all of them than 8 directory authority servers, even if you could enumerate all of their IP addresses.
Why do you not want your IP address to be identified as connecting to the Tor network? This is mainly a problem for vendors and for those who use fake ID boxes to maintain anonymity. There are really not that many Tor users in the grand scheme of things, versus the total world population. Also Tor users are fairly widely dispersed throughout the world. In any given fifty-mile radius there are not likely to be many Tor users. Since vendors must leak rough geolocation intelligence when they ship, an attacker who can place an order from a vendor (and make a one-hundred-mile radius around where it was shipped from) and can also enumerate Tor client IP addresses, can then intersect these two datasets together to narrow in on 'people who are likely the vendor'. The two datasets are A. Lives within a one-hundred-mile radius of where the package was shipped from and B. Is a user of the Tor network. The resulting crowd from this attack is not likely to be substantially large, particularly in more rural areas with less population density. It may even be the dreaded crowd size of one.
This sort of attack is generally called an observability or membership revealment attack (as it relates to enumerating Tor client IP addresses). The other part is called an intersection attack (taking two or more datasets and removing items that do not appear in both to make a third dataset, as a technique for narrowing in on a target that is associated with a few data points of a known or estimated uniqueness).
Bridges also increase security from a number of other attacks. They also reduce anonymity from a number of other attacks. One thing to worry about is an attacker who can identify bridged connections. If you use bridges in a country that doesn't restrict access to the Tor network, particularly from a residential location, the chances of you trying to protect from the previously mentioned sort of attack are high. In this case using a bridge would be worse than not using a bridge, since in addition to being identified as a Tor user you are identified as a Tor user who is worried about this sort of attack. Anyway, if you are worried about the very serious attack I mentioned I suggest that you use bridges. Also, bridge use probably slightly reduces your protection from a few sorts of attack, however it also increases protection from a few sorts of attack, and it also adds *any protection at all* against numerous other attacks.
-
As I understand it, an attacker operating a Tor relay (and this includes bridges) can use sophisticated monitoring techniques to see what sites you're visiting, but they can't decipher the content of your communication. So an attacker monitoring your web traffic could see, for example, that you went to www.safe-mail.com, but couldn't see what you're doing there. That could change because people are always trying new hacks that might allow them to monitor Tor traffic.
Very true, nice to see someone who knows a bit about Tor. Website fingerprinting attacks analyze patterns in encrypted traffic, looking for pre-identified fingerprints associated with certain websites. This sort of attack may be used to identify encrypted Tor traffic with 60% accuracy. This doesn't mean the attacker can tell the difference between your upload of the word dog and the other poster's upload of the word cat to some forum, it just means that they can with about 60% accuracy determine that you sent something to that forum. Of course this assumes they are only doing a website fingerprinting attack and are monitoring traffic at your entry guard / infrastructure; if they do other things they can of course learn other things. Also I don't think the traffic classifier that CCC used against Tor (getting the 60% accuracy results) used hidden Markov modeling (which takes into account not only the fingerprint of a single page, but the multiple possible fingerprints created by browsing through networks of interlinked pages); if it did the accuracy would probably be substantially higher.
But here's a strategy to use if you want to be sure the bridge you're connecting to is safe: run your own bridge.
Using a private (or public via the bridge distribution mechanisms) bridge node that you run yourself is a great way to majorly increase the anonymity offered by the Tor network. For one, you will never be traced by an active attack unless whoever your attacker is takes control of your bridge node somehow (and knows how to target it in the first place).
On another computer on a different network (say a friend's PC or a PC at work or school), set up the Tor software to function as a bridge. Then copy the bridge IP address and port used to connect, which will be entered in the Settings -> Network tab of Vidalia on the PC you use to connect to the Tor network. The bridge is your first hop connection to Tor, and if you are the one controlling that first hop you can feel a little safer using Tor.
If you control the first hop you can feel a hell of a lot safer about using Tor.
-
QTC, allow me to point out that the network is actually named Tor and that it is no longer an acronym for the onion router. Tor is actually not technically an onion router either, although it is very frequently called one. These points are mostly unimportant trivia.
Bridges are imo very important for vendors to be using. When you load Tor your client directly bootstraps at one of about eight directory authority servers. These servers are run by people that the Tor devs trust (and they need to trust them because if four of them are pwnt by the same attacker at any given time, and the attacker also has access to a (fairly) large amount of bandwidth, they can deanonymize large percentages of the Tor network as well as intercept large percentages of exit traffic. It is worth noting that they could not do this without being detected in a fairly short period of time). It is probably not that hard for an attacker to monitor some of the directory authority servers; the federal police of a country can almost certainly monitor all connections to and from any directory authority server in their country. I think several are in the USA and Germany. Monitoring connections to and from directory authority servers allows an attacker to enumerate Tor client IP addresses; an attacker who can monitor all directory authority servers can enumerate the IP address of every single non-bridged Tor client.
When you use bridges they act as directory guards as well as entry guards. Unlike Tor directory authority nodes and normal entry guards, there is not an easily available list of all bridge node IP addresses (although some of the Tor devs have access to this information, as well as hackers who can pwn bridge distribution servers or mechanisms) and most attackers can only enumerate some percentage of bridge nodes (I think China blocked something like 85% of them last time I checked). Also, there are several hundred bridge nodes (maybe even over a thousand now) so it is much harder to monitor all of them than 8 directory authority servers, even if you could enumerate all of their IP addresses.
Why do you not want your IP address to be identified as connecting to the Tor network? This is mainly a problem for vendors and for those who use fake ID boxes to maintain anonymity. There are really not that many Tor users in the grand scheme of things, versus the total world population. Also Tor users are fairly widely dispersed throughout the world. In any given fifty-mile radius there are not likely to be many Tor users. Since vendors must leak rough geolocation intelligence when they ship, an attacker who can place an order from a vendor (and make a one-hundred-mile radius around where it was shipped from) and can also enumerate Tor client IP addresses, can then intersect these two datasets together to narrow in on 'people who are likely the vendor'. The two datasets are A. Lives within a one-hundred-mile radius of where the package was shipped from and B. Is a user of the Tor network. The resulting crowd from this attack is not likely to be substantially large, particularly in more rural areas with less population density. It may even be the dreaded crowd size of one.
This sort of attack is generally called an observability or membership revealment attack (as it relates to enumerating Tor client IP addresses). The other part is called an intersection attack (taking two or more datasets and removing items that do not appear in both to make a third dataset, as a technique for narrowing in on a target that is associated with a few data points of a known or estimated uniqueness).
Bridges also increase security from a number of other attacks. They also reduce anonymity from a number of other attacks. One thing to worry about is an attacker who can identify bridged connections. If you use bridges in a country that doesn't restrict access to the Tor network, particularly from a residential location, the chances of you trying to protect from the previously mentioned sort of attack are high. In this case using a bridge would be worse than not using a bridge, since in addition to being identified as a Tor user you are identified as a Tor user who is worried about this sort of attack. Anyway, if you are worried about the very serious attack I mentioned I suggest that you use bridges. Also, bridge use probably slightly reduces your protection from a few sorts of attack, however it also increases protection from a few sorts of attack, and it also adds *any protection at all* against numerous other attacks.
I understand it's complicated, but let's say you were only concerned with reducing your overall probability of your identity being uncovered.
**All else being equal**, would you use bridges or wouldn't you?
Thanks for any help.
-
As I understand it, an attacker operating a Tor relay (and this includes bridges) can use sophisticated monitoring techniques to see what sites you're visiting, but they can't decipher the content of your communication. So an attacker monitoring your web traffic could see, for example, that you went to www.safe-mail.com, but couldn't see what you're doing there. That could change because people are always trying new hacks that might allow them to monitor Tor traffic.
That is only the case for exit relays, not any of the other hops in the circuit, and only valid for normal websites (i.e. not hidden services).
-
I understand it's complicated, but let's say you were only concerned with reducing your overall probability of your identity being uncovered.
**All else being equal**, would you use bridges or wouldn't you?
Thanks for any help.
I think this is something that reasonable people can disagree upon (unlike for example the use of pke, which if anybody tells you you should forgo you can write them off as a fucking idiot). If you are a vendor, I would definitely use bridges, and try to set up a bridge on another network that you have a computer on and use that bridge on your main box. For buyers, you may be vulnerable to the membership revealment attack kmfkewm described in their last paragraph, but ultimately I believe that it's a stretch to think gleaning that sort of info could lead anywhere useful (you could be a drug vendor, cp trader, or simply paranoid; that information is pretty useless on its own). The bottom line is that imho you should use bridges and try to set up a bridge of your own for your use.
-
I understand it's complicated, but let's say you were only concerned with reducing your overall probability of your identity being uncovered.
**All else being equal**, would you use bridges or wouldn't you?
Thanks for any help.
I think this is something that reasonable people can disagree upon (unlike for example the use of pke, which if anybody tells you you should forgo you can write them off as a fucking idiot). If you are a vendor, I would definitely use bridges, and try to set up a bridge on another network that you have a computer on and use that bridge on your main box. For buyers, you may be vulnerable to the membership revealment attack kmfkewm described in their last paragraph, but ultimately I believe that it's a stretch to think gleaning that sort of info could lead anywhere useful (you could be a drug vendor, cp trader, or simply paranoid; that information is pretty useless on its own). The bottom line is that imho you should use bridges and try to set up a bridge of your own for your use.
The attack doesn't really work on customers unless they are using fake ID boxes, I guess, because the vendor already knows exactly where they are shipping the product to. If you get product shipped to a box and use interception detection technology, it might be better for you to use bridges. After all, if there is only one Tor user in your area and it is you, they can probably put two and two together.