Silk Road forums
Discussion => Security => Topic started by: painbow on September 29, 2012, 07:17 am
-
I know that data is encrypted and relayed via proxies on Tor... but does that prevent my ISP from ever being able to see my internet activities?
What does my ISP see whenever I log onto Tor? Do they just see a bunch of encrypted data coming from the Tor network, or can they still see the sites I go to via Tor?
-
If I understand correctly... your connection to TOR looks like an SSL connection to your ISP unless they do a deep packet filter... this YouTube video explains a lot: http://www.youtube.com/watch?v=GwMr8Xl7JMQ
-
So I guess the answer is no for the average users?
-
gestaltassault2 is correct.
To your ISP a TOR connection will appear as a mozilla client connecting to an apache server (one of the most common connections that one would see on the internet)
If your ISP did try to analyze your packets they might be able to detect that you are using TOR but they would be unable to see the traffic.
In other words, your ISP won't be able to see what you're doing on TOR, if they even detect that you're using TOR at all.
-
gestaltassault2 is correct.
To your ISP a TOR connection will appear as a mozilla client connecting to an apache server (one of the most common connections that one would see on the internet)
If your ISP did try to analyze your packets they might be able to detect that you are using TOR but they would be unable to see the traffic.
In other words, your ISP won't be able to see what you're doing on TOR, if they even detect that you're using TOR at all.
Cool. Thank you sir.
Is there a way for the ISP to monitor the activity if they actually decided to put in the effort to do so? Like the whole deep packet filtering thingy?
-
Use bridges.
-
gestaltassault2 is correct.
To your ISP a TOR connection will appear as a mozilla client connecting to an apache server (one of the most common connections that one would see on the internet)
If your ISP did try to analyze your packets they might be able to detect that you are using TOR but they would be unable to see the traffic.
In other words, your ISP won't be able to see what you're doing on TOR, if they even detect that you're using TOR at all.
Cool. Thank you sir.
Is there a way for the ISP to monitor the activity if they actually decided to put in the effort to do so? Like the whole deep packet filtering thingy?
As far as I understand TOR there is no (easy) way for your ISP to monitor the activity when using Tor. If they really wanted to they _might_ be able to figure out that you're using TOR, but not what you're using TOR for.
Someone can be monitoring an exit node but that doesn't mean they know who or where the user is.
-
It is possible for them to see that you are exchanging traffic with the Tor network. However, they cannot see the contents of your traffic. I don't know if they are monitoring traffic to Tor. Probably depends on the country and specific corporation.
A way around it is to use a bridge. A bridge is a node that is not part of the Tor network. Your traffic will go through the bridge to the Tor network, and traffic from the Tor network will go through the bridge, to you. All encrypted of course.
Then to the ISP it will look like you are communicating with that node, instead of the Tor network. This technique is used a lot in China, where the government is doing its best to block Tor.
If you are interested in this material, go watch the youtube clip: how governments have tried to block tor.
dkn255hz262ypmii.onion/index.php?topic=38213.0
-
Unless you use a bridge your ISP can determine that you use Tor very easily, if they want to. Your ISP cannot see the plaintext of your communications as they are encrypted in multiple layers of AES. They can probably determine to some probability the websites that you are visiting if they run a traffic classifier against the encrypted streams, but the best anyone has done at classifying encrypted Tor traffic is a bit above 50% accuracy (check the Chaos Computer Club Tor traffic classifier). A classifier that uses hidden Markov models might have much better accuracy though; I believe the Chaos Computer Club's classifier only attempted to identify single encrypted pages rather than entire encrypted websites. Continuously classifying a target's encrypted traffic as they surf through multiple linked pages of a fingerprinted website will probably result in significantly higher accuracy versus trying to determine if a target has loaded single pages on a website as discrete actions. This is not to say that an attacker will be able to determine the plaintext communications you send through Tor, but it is possible that an attacker who can only observe your entry traffic could determine with high probability that you are surfing a website they have fingerprinted with a traffic classifier. I wouldn't lose much sleep over it though.
-
http://arstechnica.com/tech-policy/2010/12/flaws-in-tor-anonymity-network-spotlighted/
-
Flaws in Tor anonymity network spotlighted
Researchers can get a good idea of what sites Tor users are visiting, as long …
by John Borland, wired.com - Dec 28 2010, 3:32pm UTC
At the Chaos Computer Club Congress in Berlin, Germany on Monday, researchers from the University of Regensburg delivered a new warning about the Tor anonymizer network, a system aimed at hiding details of a computer user’s online activity from spying eyes.
The attack doesn’t quite make a surfer’s activity an open book, but offers the ability for someone on the same local network—a Wi-Fi network provider, or an ISP working at law enforcement (or a regime’s) request, for example—to gain a potentially good idea of sites an anonymous surfer is viewing.
“Developers have to be aware of this kind of attack, and develop countermeasures,” said Dominik Herrmann, a Regensburg PhD student studying profiling and fingerprinting attacks. “But that proves to be very difficult.”
The research, performed by a variety of collaborators in Germany working on anonymity measures, represents a warning for privacy-conscious users wary of spying eyes, whether behind Net-unfriendly borders or simply corporate firewalls.
Tor is essentially an online mask, rather than a tool that hides the fact or content of communication itself. The project’s developers are addressing the problem of traffic analysis—essentially the threat that an attacker or observer might be able to tease out a person’s identity, location, profession, social network or other information about the message content by analyzing a message’s unencrypted headers.
To hide this information, the Tor system routes messages around a winding path of volunteer servers across the Net, with each relay point knowing only the address of the previous and next step in the pathway.
Once this circuit has been established, neither an eavesdropper nor a compromised relay will theoretically have the ability to determine both the source and destination of a given piece of communication. According to the Tor project’s latest metrics, the network has drawn between 100,000 and 300,000 users per day over the last several months.
Herrmann and his fellow researchers say there’s a partial flaw in this arrangement, however. A potential eavesdropper on the end user’s own network still has the ability to analyze the patterns of data being returned, and in many cases will be able to develop a reasonable guess about the source of the communication.
An attacker—perhaps an ISP instructed by law enforcement or a government to engage in such surveillance—would first have to develop a list of potential sites that the target might be visiting, or that it was interested in monitoring. It would then run the Tor system itself, testing the way these sites appeared when accessed through Tor, developing a database of “fingerprints” associated with the sites of interest.
Once the target of the surveillance went online, the eavesdropper would capture the packet stream as it crossed the local network and compare the source data with its fingerprint database with the help of pattern recognition software. Any match would be only statistical, giving somewhere between 55 percent and 60 percent certainty, Herrmann said—not enough to provide hard evidence in court, but likely more certainty than many people seeking privacy might be comfortable with.
Different online destinations will carry different susceptibility to fingerprinting, of course. Unusual sites, with characteristics such as very heavy or large graphic use, can be more easily identified, Herrmann said. By the same token, the easiest way for a website to fool such an eavesdropper would be to make its site look as closely as possible like another popular site—mimicking the look of the Google site, for example, one of the most commonly accessed pages on the Web.
Users themselves can guard against this type of fingerprint-based eavesdropping relatively easily, Herrmann noted. Downloading or requesting more than one site at a time through the network will muddy the pattern enough that certainty will be very difficult for the eavesdropper to establish.
The research may not dissuade many from using Tor, which remains one of the most promising approaches for individuals seeking to hide aspects of their identity or online activity. But it may well make them work harder
-
PS: websites loaded through most encrypted VPNs can be fingerprinted with 99% accuracy.
-
How does this fingerprinting work? Is it determined by the size of the packages of encrypted data?
And what are those numbers, 60 and 99% accuracy referring to? The probability that I'm using a certain hidden service, or visiting any website from the clearweb through Tor?
-
How does this fingerprinting work? Is it determined by the size of the packages of encrypted data?
And what are those numbers, 60 and 99% accuracy referring to? The probability that I'm using a certain hidden service, or visiting any website from the clearweb through Tor?
They refer to the accuracy with which an attacker can say that you are visiting a certain website which they have fingerprinted. Size of the encrypted data is a common area where information leaks. Imagine the SR forum and all of its threads. Let's say an attacker has created a fingerprint of the entire forum. They know the size of every page, they know which pages are linked together. They can observe the traffic you get, but it is encrypted so they cannot see the plaintext. They can however see that you accessed a page of a specific size. Then they can see that you accessed another page of a specific size. Let's say you follow a thread through from page one to page twenty. The attacker will see the size of each of the pages you have loaded, and then they will see that the sequence of pages you loaded has sizes that match up with the fingerprint they took of a thread on SR. They can perhaps use this information to infer that you are browsing through a thread on SR. The attacker may also be able to determine the sizing characteristics of individual objects on each of the pages you have loaded. They might see that these objects are of sizes that correspond to the sizes of objects you would load in order to browse through the many pages of the thread. I believe that with pipelining this becomes more difficult for the attacker as their ability to identify the sizes of individual objects being loaded is taken away. Hm, a quick Google confirms my thoughts:
https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting
Instead, we are deploying an experimental defense in today's Tor Browser Bundle release that is specifically designed to reduce the information available for feature extraction without adding overhead. The defense is to enable HTTP pipelining, and to randomize the pipeline size as well as the order of requests. The source code to the implementation can be viewed on gitweb.
Since normal, non-randomized pipelining is still off by default to this day in Firefox, we are assuming that the published attack results are against serialized request/response behavior, which provides significantly more feature information to the attacker. In particular, we believe a randomized pipeline will eliminate or reduce the utility of the 'Size Marker', 'Number Marker', 'Number of Packets', and 'Occurring Packet Sizes' features on sites that support pipelining, due to the batching of requests and responses of arbitrary sizes. More generally, the randomized pipeline should obscure the request vs response size and request ordering information available to the classifier.
Our hope is that the randomized pipeline defense will therefore increase the duration of observation required to establish certainty that a site is being visited, by lowering the true positive rate and/or raising the false positive rate beyond what the researchers observed.
We do not expect this defense to be foolproof. We create it as a prototype, and request that future research papers do not treat the defense as if it were the final solution against website fingerprinting of Tor traffic. In particular, not all websites support pipelining (in fact, an unknown number may deliberately disable it to reduce load), and even those that do will still leak the initial response size as well as the total response size to the attacker. Pipelining may also be disabled by malicious or simply misconfigured exits.
Unfortunately it is up to the person running the server to enable pipelining as well though, and it is not always possible to do so.
Sorry I am not able to provide more useful information, it has been a while since I researched traffic fingerprinting and possible ways to counter it.
-
Thanks man, interesting read.
At the risk of saying something very naive here, if this becomes a serious issue, wouldn't there be some easy fixes?
For example, padding the sizes of the chunks of data sent, until they are all of a uniform length. Or frequently changing the contents of a website (for example, us changing our avatars really often).
Or add some random data to the packets, so that the size is no longer a clue towards its contents. This last option might even be done at the last node of the Tor network, just before the traffic is sent to the end user. That way the Tor network wouldn't be burdened too much with random bits.
Just thinking out loud here. I don't think we'll be at great risk because of this.
-
Thanks for the info guys. Could anyone direct me on how to use bridges with Tor?
Are bridges usually publicly available, or something I have to search for or even pay for?
-
Thanks man, interesting read.
At the risk of saying something very naive here, if this becomes a serious issue, wouldn't there be some easy fixes?
For example, padding the sizes of the chunks of data sent, until they are all of a uniform length. Or frequently changing the contents of a website (for example, us changing our avatars really often).
Or add some random data to the packets, so that the size is no longer a clue towards its contents. This last option might even be done at the last node of the Tor network, just before the traffic is sent to the end user. That way the Tor network wouldn't be burdened too much with random bits.
Just thinking out loud here. I don't think we'll be at great risk because of this.
Tor already pads packets to the same size; that probably has a lot to do with why it is not as easily fingerprinted as most VPNs. The total size of the entire stream of packets is not obfuscated though. You could try to add random padding to each page that is loaded in an attempt to obfuscate the total stream size, but I don't know how effective this will be. I think it would be better than nothing though.
Another thing that you need to take into consideration is the ability for an attacker to do bidirectional fingerprinting. If they think they have identified you following a thread through SR, and then see you send 15kb of data at x time, and if they see a post of that size on SR in that thread y time after they saw you send traffic, they will be pretty certain that they have identified you. The solution to this would be to pad all posts to the same size and have a random delay assigned to each post prior to it being publicly displayed. However then you are pretty much turning the forum into a cryptographic mix, and I suggest waiting for me to finish my decentralized mix forum prior to attempting to implement it yourself :).
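The two posts above describe a size-based fingerprint (a sequence of page sizes matched against a prepared profile) and note that Tor's fixed-size cells hide each cell's content but not how many cells a page needs. The following toy model, added here and not part of any post, shows both points on constructed sizes: the per-page cell counts of a browsing session still match a fingerprint, and padding every page to a uniform size (the fix the thread sketches) makes the fingerprints collapse into one. The site names, page sizes and 128 KiB padding block are all made-up assumptions; only the 512-byte Tor cell size is a real constant.

```python
"""Toy model of the size-based website fingerprinting discussed in the
thread. Shows that Tor's fixed-size cells do not hide how *many* cells a
page needs, so a sequence of page loads can still be matched against a
fingerprint, and that padding pages to a uniform size removes that signal.
Added illustration only; every size below is constructed, not measured.
"""
from math import ceil

CELL_BYTES = 512  # Tor carries stream data in fixed-size 512-byte cells

# Constructed fingerprints: response sizes in bytes for four consecutive
# pages of two hypothetical sites, as an observer would record them by
# loading the pages through their own Tor client.
FINGERPRINTS = {
    "forum-thread": [41_300, 38_900, 40_100, 39_600],
    "news-site": [120_400, 98_200, 101_000, 97_500],
}


def to_cells(size_bytes: int) -> int:
    """Cells needed to carry a response; this count is what a local
    observer sees even though each cell's payload is encrypted."""
    return ceil(size_bytes / CELL_BYTES)


def cell_profile(pages):
    """Per-page cell counts for a sequence of page sizes."""
    return [to_cells(p) for p in pages]


def sequence_distance(observed, reference):
    """Total absolute cell-count difference between two equal-length
    page sequences; infinite if the lengths differ."""
    if len(observed) != len(reference):
        return float("inf")
    return sum(abs(o - r) for o, r in zip(observed, reference))


def classify(observed_cells, fingerprints, tolerance_per_page=2):
    """Name the fingerprinted site whose page sequence best matches the
    observed cell counts. Returns None when nothing is within tolerance
    or when two fingerprints tie, i.e. size alone cannot separate them."""
    scored = sorted(
        (sequence_distance(observed_cells, cell_profile(pages)), site)
        for site, pages in fingerprints.items()
    )
    best_dist, best_site = scored[0]
    if best_dist > tolerance_per_page * len(observed_cells):
        return None
    if len(scored) > 1 and scored[1][0] == best_dist:
        return None  # ambiguous: indistinguishable by size
    return best_site


def pad_to_uniform(pages, block_bytes=128 * 1024):
    """Defence sketched in the thread: pad every page up to the next
    multiple of block_bytes so pages no longer differ in size."""
    return [ceil(p / block_bytes) * block_bytes for p in pages]


def demo():
    # A user reads the forum thread; sizes differ slightly from the
    # fingerprint (dynamic content such as changed avatars).
    session = [41_900, 38_700, 40_300, 39_200]
    unpadded = classify(cell_profile(session), FINGERPRINTS)

    # Same session after the site pads every page to 128 KiB, with the
    # observer's fingerprints rebuilt against the padded site.
    padded_fps = {s: pad_to_uniform(p) for s, p in FINGERPRINTS.items()}
    padded = classify(cell_profile(pad_to_uniform(session)), padded_fps)
    return unpadded, padded


if __name__ == "__main__":
    print(demo())  # ('forum-thread', None)
```

The padded case returns None because both fingerprints become four 256-cell pages and tie; the total stream size, which the post says Tor does not hide, is exactly what the padding equalises.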
-
Your ISP most definitely knows you're using the anonymous web...
What you are doing?!?!?!? They have no clue!
But for sure they are watching this.
I have a friend who works at the same ISP that provides my internet, and I called in one day, actually like 12 times, until I got him on the phone and started to ask some questions. While he was looking into this he was really checking my usage and whatnot, and he told me you can for sure tell that something is not right when I go on TOR.
-
Use bridges.
If I offer to help censored users will it slow me down?? Will it compromise my safety?? Got any insight on this??
-
I have a friend who works at the same ISP that provides my internet, and I called in one day, actually like 12 times, until I got him on the phone and started to ask some questions. While he was looking into this he was really checking my usage and whatnot, and he told me you can for sure tell that something is not right when I go on TOR.
What exactly is he seeing that tips him off to something being not right?
As far as I understand TOR, from a packet sniffer's perspective all it should look like is (Mozilla Client<-- ("ssl" encrypted data) -->Apache Server)
-
I have a friend who works at the same ISP that provides my internet, and I called in one day, actually like 12 times, until I got him on the phone and started to ask some questions. While he was looking into this he was really checking my usage and whatnot, and he told me you can for sure tell that something is not right when I go on TOR.
What exactly is he seeing that tips him off to something being not right?
As far as I understand TOR, from a packet sniffer's perspective all it should look like is (Mozilla Client<-- ("ssl" encrypted data) -->Apache Server)
I'm not sure because I'm no techie... but he said that the websites I was going to looked weird to him... like he saw my usage and I guess pages visited, and they must look somewhat different from the normal...
I'll see if I can get more info in the next few days.
-
Your ISP can know what you do on the internet if it's not encrypted.
When you use TOR, you are redirected to multiple different IPs; it's cool, nobody can trace you, but your ISP can see all data if it's not encrypted (that's why TOR includes the HTTPS Everywhere plugin (SSL)).
My recommendation (as a network engineer irl): use a good VPN which is encrypted and doesn't store any log of your connection, and then use TOR.
With a real VPN service, the ISP can't know what data is transferred.
There are plenty of topics about security on the SR forum ;)
-
I'll see if I can get more info in the next few days.
Please do. I am curious as to what he saw. All he should have seen was your "mozilla" client connecting to a random IP that had an "apache" server. The creators of TOR designed the onion router like this because it is one of the most common TCP/IP connections made every day on the internet.
When you use TOR, you are redirected to multiple different IPs; it's cool, nobody can trace you, but your ISP can see all data if it's not encrypted (that's why TOR includes the HTTPS Everywhere plugin (SSL)).
Please correct me if I'm wrong, but TOR does not only use SSL. It's my understanding that SSL is just a cover for the more powerful AES encryption that it uses beneath the surface of the connection.
-
I'll see if I can get more info in the next few days.
Please do. I am curious as to what he saw. All he should have seen was your "mozilla" client connecting to a random IP that had an "apache" server. The creators of TOR designed the onion router like this because it is one of the most common TCP/IP connections made every day on the internet.
When you use TOR, you are redirected to multiple different IPs; it's cool, nobody can trace you, but your ISP can see all data if it's not encrypted (that's why TOR includes the HTTPS Everywhere plugin (SSL)).
Please correct me if I'm wrong, but TOR does not only use SSL. It's my understanding that SSL is just a cover for the more powerful AES encryption that it uses beneath the surface of the connection.
SSL can use AES for symmetric encryption. Tor uses AES from OpenSSL. Tor traffic is encrypted between you and your entry node, so your ISP can only see encrypted traffic. Tor does not encrypt traffic between your exit node and the website you visit, unless you are visiting a hidden service. So you need to use https to encrypt between the exit node and the non-hidden-service website. Circuits to hidden services are encrypted from client to the hidden service though. Even though the traffic is encrypted it can still be fingerprinted though. VPNs also encrypt the traffic between you and the entry node, but so far every VPN I have seen tested can have its encrypted traffic fingerprinted with accuracy that approaches 100%; Tor is more resistant to this sort of attack, with the best results so far being 60% accuracy for single pages. Fingerprinting has limitations. The attacker who fingerprints your traffic cannot see the plaintext of your communications, but they might be able to infer it. For example, they may be able to determine that you are very likely surfing through a thread on SR, but they cannot actually see the plaintext. They might be able to say with 60% certainty that if they could break the encryption the ciphertext would decrypt into a given plaintext though. Traffic classifiers can never reach 100% certainty, but some VPNs have had their encrypted traffic fingerprinted with 99% accuracy. This means that an attacker who can see the encrypted traffic coming to you from the VPN entry node can say with 99% certainty that you are browsing a certain store's website, for example, but if you transmit your credit card number to the store's website the attacker cannot determine what your credit card number is through the encryption, though they might be able to say with 99% certainty that you just sent some credit card number to a specific store's website.
-
Use bridges.
If I offer to help censored users will it slow me down?? Will it compromise my safety?? Got any insight on this??
blog.torproject.org/blog/risks-serving-whenever-you-surf
-
just use a vpn. buy with a prepaid credit card for a gas station. and if you're gonna do some really illegal shyt, make sure you use a public wifi.
-
just use a vpn. buy with a prepaid credit card for a gas station. and if you're gonna do some really illegal shyt, make sure you use a public wifi.
I don't understand why so many people in this thread keep suggesting that a VPN is used. Your ISP is much more capable of seeing the websites you surf via a VPN than they are via Tor.
-
just use a vpn. buy with a prepaid credit card for a gas station. and if you're gonna do some really illegal shyt, make sure you use a public wifi.
I don't understand why so many people in this thread keep suggesting that a VPN is used. Your ISP is much more capable of seeing the websites you surf via a VPN than they are via Tor.
probably because you can use tor through a vpn, thus adding to the anonymity. crazy huh?
-
just use a vpn. buy with a prepaid credit card for a gas station. and if you're gonna do some really illegal shyt, make sure you use a public wifi.
I don't understand why so many people in this thread keep suggesting that a VPN is used. Your ISP is much more capable of seeing the websites you surf via a VPN than they are via Tor.
probably because you can use tor through a vpn, thus adding to the anonymity. crazy huh?
If an attacker watches your entry and exit traffic you are deanonymized regardless of the number of middle nodes, pretty crazy huh?
-
just use a vpn. buy with a prepaid credit card for a gas station. and if you're gonna do some really illegal shyt, make sure you use a public wifi.
I don't understand why so many people in this thread keep suggesting that a VPN is used. Your ISP is much more capable of seeing the websites you surf via a VPN than they are via Tor.
probably because you can use tor through a vpn, thus adding to the anonymity. crazy huh?
If an attacker watches your entry and exit traffic you are deanonymized regardless of the number of middle nodes, pretty crazy huh?
LOL what? your ISP gets to see encrypted traffic, the VPN gets to see encrypted traffic too. They can do tagging attacks (until there is some kind of authenticity in Tor) and they can do passive fingerprinting attacks and timing attacks (always possible in low latency networks). But you haven't compromised your security/anonymity one bit compared to Tor without VPN. Clown.
-
just use a vpn. buy with a prepaid credit card for a gas station. and if you're gonna do some really illegal shyt, make sure you use a public wifi.
I don't understand why so many people in this thread keep suggesting that a VPN is used. Your ISP is much more capable of seeing the websites you surf via a VPN than they are via Tor.
probably because you can use tor through a vpn, thus adding to the anonymity. crazy huh?
If an attacker watches your entry and exit traffic you are deanonymized regardless of the number of middle nodes, pretty crazy huh?
LOL what? your ISP gets to see encrypted traffic, the VPN gets to see encrypted traffic too. They can do tagging attacks (until there is some kind of authenticity in Tor) and they can do passive fingerprinting attacks and timing attacks (always possible in low latency networks). But you haven't compromised your security/anonymity one bit compared to Tor without VPN. Clown.
I never said that it compromises your anonymity, just that it doesn't protect from the attacks that you need to worry about any more than using Tor by itself does. The only attack adding a VPN before Tor protects from is if the attacker is at the end point and they try to work their way back to you by gathering log files one node at a time. Additionally it protects from membership enumeration, but that is unrelated.
Regardless, this topic thus far has been about the ISP's ability to see the plaintext of the data the user is loading, not about the ISP's ability to trace the user's connection to its end point. Although related, these are two distinct areas. Adding a VPN prior to Tor will not make it so your encrypted traffic is less vulnerable to cryptanalysis (in either case the encryption is not going to be broken) or fingerprinting attacks (in either case the attacker's ability to fingerprint will be limited by Tor, not the VPN), so in short go fuck yourself.