Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Researchers improve de-anonymization attacks for websites hiding on Tor

Lucian Constantin | July 31, 2015
Researchers have developed a new technique that could allow attackers to determine with a high degree of accuracy which Tor websites users are accessing and where those websites are hosted.

Researchers have developed a new technique that could allow attackers to determine with a high degree of accuracy which Tor websites users are accessing and where those websites are hosted.

The new attack, which improves upon previous traffic fingerprinting techniques, was devised by researchers from the Massachusetts Institute of Technology (MIT) and the Qatar Computing Research Institute (QCRI), who found ways to differentiate between different types of connections in a user's encrypted Tor traffic.

The Tor anonymity network was built to hide from network snoopers which websites or other Internet resources that user is accessing. It does this by wrapping the user's requests in several layers of encryption and routing them through multiple computers that run the Tor software.

Each of those computers, known as nodes or relays, peel off one layer of encryption, before passing on the request to the next node. In this way the final node, called the exit relay, knows the request's destination, but not its original source, while the first node, known as the entry guard, knows the original source, but not the final destination.

It has long been known that if an attacker controls both the entry guard and the exit relay used for a Tor connection, or circuit, he could use traffic correlation techniques to deanonymize the user. However, that's hard to do, because Tor relays are chosen at random for every connection so an attacker would have to control a very large number of entry guards and exit relays to have a good chance of success.

In the past researchers also proposed another type of attack known as website fingerprinting that only requires controlling the entry guard. The premise is that attackers could build a list of websites they want to monitor, then set up a Tor client and access those websites through an entry guard they control in order to observe the differences in traffic patterns and use them to build so-called fingerprints.

Those fingerprints could later be used with some degree of success to tell if other users passing through the same entry guard are accessing one of the monitored websites.

This technique does have significant drawbacks. For example, websites have third-party ads and scripts that change frequently so the fingerprints quickly become unreliable. Also there is a lot of background noise in traffic originating from a Tor client and it's hard to isolate only the circuits that are interesting for analysis.

The new technique developed by the MIT and QCRI researchers solves the second problem, especially as it relates to hidden services -- websites that are only accessible inside the Tor network and not on the larger Internet.

Hidden services are popular with political activists who are under the threat of surveillance in certain countries and who want to operate untraceable online communities, but also with criminals who have used them to set up marketplaces for illegal goods or websites that host illegal pornographic content.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.