The Tor Project Our mission is to be the global resource for - PowerPoint PPT Presentation

The Tor Project Our mission is to be the global resource for technology, advocacy, research and education in the ongoing pursuit of freedom of speech, privacy rights online, and censorship circumvention. 1

● O n l i n e A n o n y mi t y – O p e n S o u r c e – O p e n N e t w o r k ● C o mmu n i t y o f r e s e a r c h e r s , d e v e l o p e r s , u s e r s a n d r e l a y o p e r a t o r s . ● U . S . 5 0 1 ( c ) ( 3 ) n o n - p r o fj t o r g a n i z a t i o n 2

Estimated 2,000,000 to 8,000,000 daily Tor users 3

Threat model: what can the attacker do? Alice Anonymity network Bob watch Alice! watch (or be!) Bob! Control part of the network! 4

Anonymity isn't encryption: Encryption just protects contents. “Hi, Bob!” “Hi, Bob!” <gibberish> Alice attacker Bob 5

6

Anonymity serves different interests for different user groups. Anonymity Private citizens “It's privacy!” 7

Anonymity serves different interests for different user groups. Businesses Anonymity “It's network security!” Private citizens “It's privacy!” 8

Anonymity serves different interests for different user groups. “It's traffic-analysis resistance!” Businesses Anonymity Governments “It's network security!” Private citizens “It's privacy!” 9

Anonymity serves different interests for different user groups. “It's reachability!” Human rights “It's traffic-analysis activists resistance!” Businesses Governments Anonymity “It's network security!” Private citizens “It's privacy!” 10

The simplest designs use a single relay to hide connections. Bob1 Alice1 E(Bob3,“X”) “Y” Relay Alice2 “Z” Bob2 E(Bob1, “Y”) “X” ) ” Z “ , 2 b o B ( E Bob3 Alice3 (example: some commercial proxy providers) 11

But a central relay is a single point of failure. Bob1 Alice1 E(Bob3,“X”) “Y” Evil Alice2 Relay “Z” Bob2 E(Bob1, “Y”) “X” ) ” Z “ , 2 b o B ( E Bob3 Alice3 12

... or a single point of bypass. Bob1 Alice1 E(Bob3,“X”) “Y” Irrelevant Alice2 Relay “Z” Bob2 E(Bob1, “Y”) ) “X” ” Z “ , 2 b o B ( E Bob3 Alice3 Timing analysis bridges all connections ⇒ An attractive fat target through relay 13

So, add multiple relays so that no single one can betray Alice. Bob Alice R1 R3 R5 R4 R2 14

Alice makes a session key with R1 ...And then tunnels to R2...and to R3 Bob Alice R1 R3 Bob2 R5 R4 R2 15

16

17

18

19

Tor's safety comes from diversity ● #1: Diversity of relays. The more relays we have and the more diverse they are, the fewer attackers are in a position to do traffic confirmation. (Research problem: measuring diversity over time) ● #2: Diversity of users and reasons to use it. 50000 users in Iran means almost all of them are normal citizens. 20

Transparency for Tor is key ● Open source / free software ● Public design documents and specifications ● Publicly identified developers ● Not a contradiction: privacy is about choice! 21

But what about bad people? ● Remember the millions of daily users. ● Still a two-edged sword? ● Good people need Tor much more than bad guys need it. 22

23

24

25

26

Alice Alice Alice Blocked Alice Alice User R3 Alice Blocked R4 Bob User Alice Alice R2 Blocked User Alice R1 Alice Blocked Alice User Alice Blocked Alice User Alice Alice 28

Pluggable transports 30

Pluggable transports ● Flashproxy (Stanford), websocket ● FTEProxy (Portland St), http via regex ● Stegotorus (SRI/CMU), http ● Skypemorph (Waterloo), Skype video ● uProxy (Google), webrtc ● ScrambleSuit (Karlstad), obfs-based ● Telex (Michigan/Waterloo), traffic divert 31

32

33

35

36

37

38

39

“Still the King of high secure, low latency Internet Anonymity” Contenders for the throne: ● None 40

Alice Alice Alice Blocked Alice Alice User R3 Alice Blocked R4 Bob User Alice Alice R2 Blocked User Alice R1 Alice Blocked Alice User Alice Blocked Alice User Alice Alice 41

42

44

Arms races ● Censorship arms race is bad ● Surveillance arms race is worse – And centralization of the Internet makes it worse still 45

46

O n i o n S e r v i c e 47

Onion service properties ● Self authenticated ● End-to-end encrypted ● Built-in NAT punching ● Limit surface area ● No need to “exit” from Tor 48

49

50

q 51

52

53

S e c u r e D r o p Today, 30+ organizations use SecureDrop https://securedrop.org/directory 54

R i c o c h e t 55

O n i o n S h a r e 56

Tor isn't foolproof ● Opsec mistakes ● Browser metadata fingerprints ● Browser exploits ● Traffic analysis 57

How can you help? ● Run a relay (or a bridge) ● Teach your friends about Tor, and privacy in general ● Help find -- and fix – bugs ● Work on open research problems (petsymposium.org) ● donate.torproject.org 58

R e l a y o p e r a t o r m e e t u p , t o d a y 1 5 : 0 0 t o d a y i n r o o m H . 3 2 4 4 59

o o n i . t o r p r o j e c t . o r g 60

e x p l o r e r . o o n i . t o r p r o j e c t . o r g ● I 61