how do tor users interact with onion services
play

How Do Tor Users Interact With Onion Services? Philipp Winter, Annie - PowerPoint PPT Presentation

Jul 08, 2023 •811 likes •1.43k views

How Do Tor Users Interact With Onion Services? Philipp Winter, Annie Edmundson , Laura Roberts, Agnieszka Dutkowska-Zuk, Marshini Chetty, Nick Feamster USENIX Security Symposium 15 August 2018 1 Tor is a Decentralized Anonymity Network The

  1. How Do Tor Users Interact With Onion Services? Philipp Winter, Annie Edmundson , Laura Roberts, Agnieszka Dutkowska-Zuk, Marshini Chetty, Nick Feamster USENIX Security Symposium 15 August 2018 1

  2. Tor is a Decentralized Anonymity Network The Tor network 2

  3. Onion Services Provide Server Anonymity The Tor network 3

  4. How Do Users Interact with Onion Services? ● What are users’ mental models of onion services? ● How do users use and manage onion services? ● What are the challenges of using onion services? 4

  5. Main Findings Despite extra security and privacy properties of onion services, many users are confronted with usability issues ● Discovering the existence of onion services ● Managing and remembering onion domains ● Susceptibility to phishing attacks We can learn from the issues users have encountered to implement design improvements 5

  6. Overview 1. Onion Services Background + Features 2. Methods 3. Results a. Onion Sites Discovery b. Vanity Domains c. Verifying Onion Sites 4. Future Directions & Conclusions 6

  7. http://expyuzz4wqqyqhjn.onion 7

  8. Special-use domain http://expyuzz4wqqyqhjn.onion 8

  9. Truncated, base 32-encoded hash over RSA public key http://expyuzz4wqqyqhjn.onion 9

  10. Not limited to HTTP(S) http://expyuzz4wqqyqhjn.onion 10

  11. Onion Service UI is Designed to be Seamless 11

  12. Onion Service UI is Designed to be Seamless 12

  13. Onion Service UI is Designed to be Seamless 13

  14. Onion Service UI is Designed to be Seamless 14

  15. Onion Services are Self-authenticating The Tor network 3wcwjjnuvjyazeza.onion 3wcwjjnuvjyazeza 15

  16. Onion Services are Self-authenticating The Tor network 3wcwjjnuvjyazeza.onion 3wcwjjnuvjyazeza Public key 16

  17. Onion Services are Self-authenticating The Tor network 3wcwjjnuvjyazeza.onion 3wcwjjnuvjyazeza SHA-1 Public key 17

  18. Onion Services are End-to-end Encrypted The Tor network 3wcwjjnuvjyazeza 18

  19. Onion Services are End-to-end Encrypted The Tor network 3wcwjjnuvjyazeza 19

  20. Both Client and Server are Anonymous The Tor network 3wcwjjnuvjyazeza 20

  21. Both Client and Server are Anonymous I talk to the client The Tor network through relay R2 I have no idea who I’m talking to I talk to the onion service through relay R2 3wcwjjnuvjyazeza 21

  22. While onion services provide anonymity benefits, they are not perfect. ● Susceptible to traffic analysis attacks ● Configuration errors ● Usability issues 22

  23. Overview 1. Onion Services Background + Features 2. Methods 3. Results a. Onion Sites Discovery b. Vanity Domains c. Verifying Onion Sites 4. Future Directions & Conclusions 23

  24. How Do Users Interact with Onion Services? ● What are users’ mental models of onion services? ● How do users use and manage onion services? ● What are the challenges of using onion services? 24

  25. How Do Users Interact with Onion Services? Mixed-method user study Interviews Survey DNS B Root Data 25

  26. How Do Users Interact with Onion Services? Mixed-method user study Interviews Survey DNS B Root Data ● N=17 ● Diverse backgrounds ● Exploratory 26

  27. How Do Users Interact with Onion Services? Mixed-method user study Interviews Survey DNS B Root Data ● N=17 ● N=517 ● Diverse ● 49 questions (mix backgrounds of open-ended and closed-ended) ● Exploratory ● 4 attention checks 27

  28. How Do Users Interact with Onion Services? Mixed-method user study Interviews Survey DNS B Root Data ● N=17 ● N=517 ● ~2 days of data ● Diverse ● 49 questions (mix ● Filtered correctly backgrounds of open-ended and formatted .onion closed-ended domains ● Exploratory ● 4 attention checks ● 15,471 leaked onion domains 28

  29. Overview 1. Onion Services Background + Features 2. Methods 3. Results a. Onion Sites Discovery b. Vanity Domains c. Verifying Onion Sites 4. Future Directions & Conclusions 29

  30. Makeshift Solutions Ease Onion Discovery 30

  31. Makeshift Solutions Ease Onion Discovery 31

  32. Makeshift Solutions Ease Onion Discovery 32

  33. Makeshift Solutions Ease Onion Discovery 33

  34. 34

  35. 35

  36. 36

  37. I wasn't aware that onion site search engines exist. It's been near impossible for me to find them so far. Survey Respondent (S195) 37

  38. Onion Domain Management is Chaotic 38

  39. Onion Domain Management is Chaotic 39

  40. Onion Domains are Difficult to Remember 40

  41. Onion Domains are Difficult to Remember Meaningful prefixes appear to make remembering easier 41

  42. Phonetic pronunciation plays a large part in how I remember onions. Survey Respondent (S46) 42

  43. Vanity Onion Domains propub3r6espa33w.onion nytimes3xbfgragh.onion facebookcorewwwi.onion protonirockerxow.onion 43

  44. Vanity Onion Domains ● Generate onion domains until hash resembles desired string propub3r6espa33w.onion ● The good: nytimes3xbfgragh.onion ○ Hints at onion service content facebookcorewwwi.onion ● The bad: protonirockerxow.onion ○ Breeds false sense of security ○ Economically unfair 44

  45. I only memorize the first part of the domain. Survey Respondent (S96) 45

  46. I understand vanity onion domains are a sign of the weakness of the hash algorithm used by Tor. Survey Respondent (S454) 46

  47. These people who created their onion name using scallion or other tools should notice that other people can make [the] same private key. Survey Respondent (S552) 47

  48. Onion Lookups Suggest Typos or Phishing hydraruzxpnew4af.onion hydraruzxpnew3af.onion 48

  49. Onion Lookups Suggest Typos or Phishing 529 occurrences in hydraruzxpnew4af.onion DNS dataset 2 occurrences in hydraruzxpnew3af.onion DNS dataset 49

  50. Onion Lookups Suggest Typos or Phishing 529 occurrences in hydraruzxpnew4af.onion DNS dataset 2 occurrences in hydraruzxpnew3af.onion DNS dataset Unique, correctly-formatted Jaro-Winkler Weight results by onion domains similarity score frequency 50

  51. Onion Lookups Suggest Typos or Phishing 51

  52. Onion Lookups Suggest Typos or Phishing Russian Market DuckDuckGo The Hidden Wiki 52

  53. Onion Sites are Hard to Verify as Authentic 53

  54. Onion Sites are Hard to Verify as Authentic 54

  55. Onion Sites are Hard to Verify as Authentic 55

  56. Summary of Findings ● Discovering onion services is challenging because they are private by default ● Vanity domains are more memorable but provide a false sense of security ● Users are lacking a way to verify the authenticity of onion domains 56

  57. Overview 1. Onion Services Background + Features 2. Methods 3. Results a. Onion Sites Discovery b. Vanity Domains c. Verifying Onion Sites 4. Future Directions & Conclusions 57

  58. Making Onion Domains More Usable ● Make it easier for site foo.com to announce its onion service ● Allow onion service operators to opt-in to publishing mechanism ● Have Tor Browser help with encrypted bookmarks ● Better documentation and education 58

  59. Conclusion Despite extra security and privacy properties of onion services, many users are confronted with usability issues ● Susceptibility of onion services to phishing attacks ● Discovering the existence of onion services ● Managing and remembering onion domains 59

  60. Conclusion Despite extra security and privacy properties of onion services, many users are confronted with usability issues ● Susceptibility of onion services to phishing attacks ● Discovering the existence of onion services ● Managing and remembering onion domains We can learn from the issues users have encountered to implement design improvements ● Better discovery mechanisms ● Better verification mechanisms 60

  61. Questions? More info at: https://nymity.ch/onion-services/ https://hci.princeton.edu https://citp.princeton.edu/ Sponsored by: 61

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

INTERACT GIS Task 3.6 of the INTERACT Station Managers Forum Introduction to INTERACT GIS

INTERACT GIS Task 3.6 of the INTERACT Station Managers Forum Introduction to INTERACT GIS

INTERACT GIS Task 3.6 of the INTERACT Station Managers Forum Introduction to INTERACT GIS Workshop The current INTERACT GIS team: Britta Lfvenberg: IT-leader at ICT Services and System Development, Ume University, Sweden (UmU ITS) Per

457 views • 13 slides
Slicing the licing the Onion: Onion: Anonymity Without PKI Anonymity Without PKI Sachin Katti

Slicing the licing the Onion: Onion: Anonymity Without PKI Anonymity Without PKI Sachin Katti

Slicing the licing the Onion: Onion: Anonymity Without PKI Anonymity Without PKI Sachin Katti Dina Katabi & Katya Puchala State of the art: Onio Onion Rout n Routing over P2P ing over P2P n Routing over P2P ing over P2P Bob Onion

705 views • 43 slides
The Onion Router (Tor): Onion Encryption Served Three Ways Martijn Stam COINS Winterschool in

The Onion Router (Tor): Onion Encryption Served Three Ways Martijn Stam COINS Winterschool in

The Onion Router (Tor): Onion Encryption Served Three Ways Martijn Stam COINS Winterschool in Finse, May 2019 2 Tor: The Second-Generation Onion Router Dingledine, Mathewson, Syverson (Usenix04) What is Tor Tor is a tool to advance

1.01k views • 88 slides
EZ SYSTEMS DISCOVER EZ PLATFORM AND EZ STUDIO SIMPLIFY THE WAY PEOPLE INTERACT WITH CONTENT At

EZ SYSTEMS DISCOVER EZ PLATFORM AND EZ STUDIO SIMPLIFY THE WAY PEOPLE INTERACT WITH CONTENT At

EZ SYSTEMS DISCOVER EZ PLATFORM AND EZ STUDIO SIMPLIFY THE WAY PEOPLE INTERACT WITH CONTENT At eZ, its all about content, people and how they experience our software and services END USERS Consumer Business TECHNICAL EDITORIAL Developers

436 views • 30 slides
Make-up Lab: Osmosis in an Onion Cell This microscope slide is of red onion cells sitting in

Make-up Lab: Osmosis in an Onion Cell This microscope slide is of red onion cells sitting in

Make-up Lab: Osmosis in an Onion Cell This microscope slide is of red onion cells sitting in a bath of distilled water. It is viewed at medium power (100x). Draw these cells in the first circle on your lab paper. Label the cell walls

391 views • 4 slides
VIEW SYSTEM Roberto Beraldi View Users interact with an application mostly through a

VIEW SYSTEM Roberto Beraldi View Users interact with an application mostly through a

VIEW SYSTEM Roberto Beraldi View Users interact with an application mostly through a Graphical User Interface (GUI) (Other means include: voice, sounds, etc.) GUI is a graphical drawing of one or more graphical objects Wiew s are

1.58k views • 69 slides
1 Services for Mobile Users Services for Mobile Users Mobicast : information dissemination to

1 Services for Mobile Users Services for Mobile Users Mobicast : information dissemination to

Hint on Question 5.2 in HW2 Compute the maximum processor utilization that can be assigned to a Deferrable Server to guarantee the task Sensor Netw ork Services set (periodic tasks). for Mobile Users 1/ 1/ n n +

472 views • 10 slides
Shear-induced onion formation of complex bilayer lamellar phase Nagaoka University of Technology

Shear-induced onion formation of complex bilayer lamellar phase Nagaoka University of Technology

Shear-induced onion formation of complex bilayer lamellar phase Nagaoka University of Technology S. Fujii Shear induced onion phase Cylinder L Onion Buckled L SDS / Dodecane / Pentanol / Water System O. Diat, D. Roux, F. Nallet,

697 views • 17 slides
The First All Natural Onion Topping Made with 100% Real Onions Just the Facts Maam ONION

The First All Natural Onion Topping Made with 100% Real Onions Just the Facts Maam ONION

The First All Natural Onion Topping Made with 100% Real Onions Just the Facts Maam ONION CRUNCH. is the only ALL NATURAL crispy crunch topping in America. Made from 100% real onions they are peeled, washed, cut and battered. Then we use

390 views • 9 slides
Untagging Tor: A Formal Treatment of Onion Encryption Jean Paul Degabriele Martijn Stam 1

Untagging Tor: A Formal Treatment of Onion Encryption Jean Paul Degabriele Martijn Stam 1

Untagging Tor: A Formal Treatment of Onion Encryption Jean Paul Degabriele Martijn Stam 1 Outline of this talk Overview of Tor Tagging Attacks and Their Severity Modelling Onion Encryption Tor Proposal 261 and Security Analysis

731 views • 21 slides
http://expyuzz4wqqyqhjn.onion http://expyuzz4wqqyqhjn.onion http://expyuzz4wqqyqhjn.onion

http://expyuzz4wqqyqhjn.onion http://expyuzz4wqqyqhjn.onion http://expyuzz4wqqyqhjn.onion

http://expyuzz4wqqyqhjn.onion http://expyuzz4wqqyqhjn.onion http://expyuzz4wqqyqhjn.onion http://expyuzz4wqqyqhjn.onion 3wcwjjnuvjyazeza.onion 3wcwjjnu vjyazeza 3wcwjjnuvjyazeza.onion 3wcwjjnu vjyazeza 3wcwjjnuvjyazeza.onion 3wcwjjnu

457 views • 34 slides
INTERACT GIS By Tomas Thierfelder Britta Lfvenberg Anders Printz 1 Elmer Topp-Jrgensen

INTERACT GIS By Tomas Thierfelder Britta Lfvenberg Anders Printz 1 Elmer Topp-Jrgensen

INTERACT SMF IV 27-28 September 2018, Salekhard, Russia INTERACT GIS By Tomas Thierfelder Britta Lfvenberg Anders Printz 1 Elmer Topp-Jrgensen INTERACT GIS WP3, Task 3.6 Agenda 1. Online presentation of the system 2. The launch of

394 views • 11 slides
Tesco Walkers Tesco Finest Co-op Irresistible Cheese & Onion Cheese & Onion Cheese

Tesco Walkers Tesco Finest Co-op Irresistible Cheese & Onion Cheese & Onion Cheese

Tesco Walkers Tesco Finest Co-op Irresistible Cheese & Onion Cheese & Onion Cheese & Onion Cheese & Onion 0.85 1.00 1.65 1.76 150g 150g 150g 150g 100g = 57p 100g = 67p 100g = 1.10 100g = 1.17

533 views • 9 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Authentication Access control vs. authentication We

CS/COE 1520 pitt.edu/~ach54/cs1520 Authentication Access control vs. authentication We

CS/COE 1520 pitt.edu/~ach54/cs1520 Authentication Access control vs. authentication We want to control how users can interact with information E.g., Users should only be able to view their own messages Users can only

465 views • 12 slides
AJAX User Interaction Our goal is to add more interactivity to our site How to have users

AJAX User Interaction Our goal is to add more interactivity to our site How to have users

AJAX User Interaction Our goal is to add more interactivity to our site How to have users interact with each other? Form to submit data Page reloads after submission How does a user get updates when someone submits a form?

469 views • 23 slides
Information design for congested social services Motivation Given that users of social services

Information design for congested social services Motivation Given that users of social services

Information design for congested social services Motivation Given that users of social services have heterogeneous needs, can information design help to target the service to those with high need? In this work: stylized queueing model

271 views • 4 slides
iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 9 16ss 1 / 38 Outline Introduction Trust architecture Protocols Attacks

879 views • 47 slides
Onion Routing Meant to handle issue of people knowing who youre talking to Basic idea

Onion Routing Meant to handle issue of people knowing who youre talking to Basic idea

Onion Routing Meant to handle issue of people knowing who youre talking to Basic idea is to conceal sources and destinations By sending lots of crypo-protected packets between lots of places Each packet goes through multiple

366 views • 20 slides
Outline Tor basics CSci 5271 Tor experiences and challenges Introduction to Computer Security

Outline Tor basics CSci 5271 Tor experiences and challenges Introduction to Computer Security

Outline Tor basics CSci 5271 Tor experiences and challenges Introduction to Computer Security Tor and usability combined lecture Usability and security Stephen McCamant University of Minnesota, Computer Science & Engineering Usable

964 views • 9 slides
CryptDB: Protecting Confidentiality with Encrypted Query Processing Li Xiong Slides credit:

CryptDB: Protecting Confidentiality with Encrypted Query Processing Li Xiong Slides credit:

CS573 Data Privacy and Security CryptDB: Protecting Confidentiality with Encrypted Query Processing Li Xiong Slides credit: Raluca Ada Popa, Catherine M. S. Redfield, Nickolai Zeldovich, and Hari Balakrishnan MIT CSAIL Problem Confidential

576 views • 31 slides
Annou ouncem emen ents This Wednesday: No office hour from me I am travelling to DC for

Annou ouncem emen ents This Wednesday: No office hour from me I am travelling to DC for

Annou ouncem emen ents This Wednesday: No office hour from me I am travelling to DC for CPS PI meeting This Thursday: Guest Lecture on Machine Learning Security One of the hottest security research topics today Some of you

979 views • 30 slides
Package management over Tor PkgsrcCon 2017 alnsn@NetBSD.org What is Tor? Introducing

Package management over Tor PkgsrcCon 2017 alnsn@NetBSD.org What is Tor? Introducing

Package management over Tor PkgsrcCon 2017 alnsn@NetBSD.org What is Tor? Introducing http://pkgsrcbadj4vrrrr.onion Hidden pkgsrc mirror: NetBSD packages for amd64, arm, earm, earmv6hf, earmv7hf, earmv7hfeb, sparc64, mipsel distfiles No

405 views • 13 slides
CRYPTDB:PROTECTING CONFIDENTIALITY WITH ENCRYPTED QUERY PROCESSING Why

CRYPTDB:PROTECTING CONFIDENTIALITY WITH ENCRYPTED QUERY PROCESSING Why

RALUCA ADA POPA, CATHERINE M. S. REDFIELD, NICKOLAI ZELDOVICH, AND HARI BALAKRISHNAN MIT CSAIL CRYPTDB:PROTECTING CONFIDENTIALITY WITH ENCRYPTED QUERY PROCESSING Why

1.45k views • 123 slides
encrypted data Raluca Ada Popa MIT Compromise of confidential data is prevalent Problem setup

encrypted data Raluca Ada Popa MIT Compromise of confidential data is prevalent Problem setup

? xd51db5 xe891a1 X9ce568 X32e1dc xab2356 xdd0135 x453a32 x63ab12 Building systems that compute on encrypted data Raluca Ada Popa MIT Compromise of confidential data is prevalent Problem setup server clients Secret Secret Secret

851 views • 53 slides

More recommend