vulnerabilities in tor past present future
play

Vulnerabilities in Tor: past, present, future Roger Dingledine The - PowerPoint PPT Presentation

Oct 03, 2023 •206 likes •709 views

Vulnerabilities in Tor: past, present, future Roger Dingledine The Tor Project https://www.torproject.org/ 1 Outline Crash course on Tor Solved / solvable problems Tough ongoing issues, practical Tough ongoing issues, research

  1. Vulnerabilities in Tor: past, present, future Roger Dingledine The Tor Project https://www.torproject.org/ 1

  2. Outline ● Crash course on Tor ● Solved / solvable problems ● Tough ongoing issues, practical ● Tough ongoing issues, research ● Future 2

  3. Tor: Big Picture ● Freely available (Open Source), unencumbered. ● Comes with a spec and full documentation: Dresden and Aachen implemented compatible Java Tor clients; researchers use it to study anonymity. ● 1500 active relays, 200000+ active users, >1Gbit/s. ● Official US 501(c)(3) nonprofit. Seven funded developers, dozens more dedicated volunteers. ● Funding from US DoD, Electronic Frontier Foundation, Voice of America, a French NGO, Google, NLnet, ...you? 3

  4. Anonymity serves different interests for different user groups. Anonymity Private citizens “It's privacy!” 4

  5. Anonymity serves different interests for different user groups. Businesses Anonymity “It's network security!” Private citizens “It's privacy!” 5

  6. Anonymity serves different interests for different user groups. “It's traffic-analysis resistance!” Businesses Governments Anonymity “It's network security!” Private citizens “It's privacy!” 6

  7. Anonymity serves different interests for different user groups. “It's reachability! Blocked users “It's traffic-analysis resistance!” Businesses Governments Anonymity “It's network security!” Private citizens “It's privacy!” 7

  8. The simplest designs use a single relay to hide connections. Bob1 Alice1 E(Bob3,“X”) “Y” Relay Alice2 “Z” Bob2 E(Bob1, “Y”) ) “X” ” Z “ , 2 b o B ( E Bob3 Alice3 (example: some commercial proxy providers) 8

  9. But a single relay (or eavesdropper!) is a single point of failure. Bob1 Alice1 E(Bob3,“X”) “Y” Evil Alice2 Relay “Z” Bob2 E(Bob1, “Y”) ) “X” ” Z “ , 2 b o B ( E Bob3 Alice3 9

  10. So, add multiple relays so that no single one can betray Alice. Bob Alice R1 R3 R5 R4 R2 10

  11. A corrupt first hop can tell that Alice is talking, but not to whom. Bob Alice R1 R3 R5 R4 R2 11

  12. A corrupt final hop can tell that somebody is talking to Bob, but not who. Bob Alice R1 R3 R5 R4 R2 12

  13. Alice makes a session key with R1 ...And then tunnels to R2...and to R3 Bob Alice R1 R3 Bob2 R5 R4 R2 13

  14. The basic Tor design uses a simple centralized directory protocol. cache S1 Trusted directory Alice S2 Alice downloads consensus and Trusted directory cache descriptors from anywhere Authorities S3 publish a consensus Servers publish list of all descriptors self-signed descriptors. 14

  15. Outline ● Crash course on Tor ● Solved / solvable problems ● Tough ongoing issues, practical ● Tough ongoing issues, research ● Future 15

  16. 16-bit AES counter mode ● [Fixed in Tor 0.0.6.1, 6 May 2004] ● At the time, OpenSSL didn't have AES. Later, it still didn't have counter mode. ● We were resetting ou r counter after 16 bits. ● Conclusion: a second implementation is a really good idea. 16

  17. 2-byte relay cell length overflow ● [Fixed in Tor 0.1.0.10, 14 June 2005] ● When we moved our cell size from 256 bytes (length can fit in 1 byte) to 512 bytes (length fits in 2 bytes), we forgot to check if the cell claims a length > 512. ● ...which we then write out onto the network 17

  18. Diffie-Hellman handshake bug ● [Fixed in Tor 0.1.0.14, 8 Aug 2005] ● OpenSSL didn't check for trivial keys (like g^0) in DH keys. (Now it does.) ● This meant your entry hop could MitM you and spoof the whole rest of the network . 18

  19. Keep building circuits until you lose ● [Fixed in Tor 0.1.1.11-alpha, 10 Jan 2006] ● Attacker runs a few relays and waits for you to choose them as first and last hop ● (Or runs just one relay and induces your hidden service to build circuits) ● The fix is entry guards : pick a few relays for your first hop and stick with those. 19

  20. Clients would route traffic ● [Fixed in Tor 0.1.1.23, 3 Aug 2006] ● Normally the client connects to the first hop and sends a “create” cell to establish a circuit, then sends “extend” relay cells to make further hops. ● Turns out the entry node could send “create” and “extend” cells back to the client! 20

  21. Pump the network full of Stable / Fast / Guard nodes ● [Fixed in Tor 0.2.0.3-alpha, 27 Jul 2007] ● Tor dir authorities assign Stable flag to the relays with median uptime; Guard to relays with median uptime and med ian bandwidth. ● So start up 1500 relays with 10 years uptime and 1GB/s bandwidth, and suddenly you bump the Guard status off of all the other relays! 21

  22. Cross-protocol HTTP form attack ● [Fixed in Tor 0.1.2.16, 2 Aug 2007] ● Tor runs a Control Port so other apps can connect and help configure, display, etc. ● Binds only to localhost. So we're safe! ● But the user runs a browser, and browsers can be induced to do all sorts of things. ● Now use password / cookie auth by default. But how to share passwords between apps? 22

  23. Exit policies allowed local connect ● [Fixed in Tor 0.1.2.19, 7 Jan 2008] ● The default exit policy refused 127/8, 10/8, 192.168/16, etc etc. ● But you could still reach the public IP address of the relay, from the relay. ● ...which was often a linksys router. 23

  24. Debian RNG flaw ● [Addressed in Tor 0.2.0.26-rc, 13 May 2008] ● 300 out of ~1500 Tor relay identity keys were bad. ● Logged traffic breakable too--if the client was Debian, or if it used only Debian relays! ● Three out of the six v3 dir authority keys were bad. Four would have really sucked. 24

  25. Infinite length circuits ● [Fixed in, uhm, soon] ● Clients can just keep extending their circuit forever. (Tor relays can't figure out what hop in the path they are.) ● First, this is a DoS multiplier. ● Then, it's an anonymity attack! (See later talk by Christian Grothoff, Nate Evans) 25

  26. Outline ● Crash course on Tor ● Solved / solvable problems ● Tough ongoing issues, practical ● Tough ongoing issues, research ● Future 26

  27. Snooping on Exit Relays (1) ● Lots of press last year about people watching traffic coming out of Tor. (Ask your lawyer first...) ● Tor hides your location; it doesn't magically encrypt all traffic on the Intern et. ● Though Tor does protect from your local network. 27

  28. Snooping on Exit Relays (2) ● https as a “premium” feature ● Should Tor refuse to handle requests to port 23, 109, 110, 143, etc by default? ● Torflow / setting plaintext pop/imap “traps” ● Need to educate users? ● Active attacks on e.g. gmail cookies? ● Some research on exit traffic properties is legitimate and useful. How to balance? 28

  29. Who runs the relays? (1) ● At the beginning, you needed to know me to have your relay considered “verified”. ● We've automated much of the “is it broken?” checking. ● Still a tension between having lots of relays and knowing all the relay operators 29

  30. Who runs the relays? (2) ● What if your exit relay is running Windows and uses the latest anti-virus gadget on all the streams it sees? ● What if your exit relay is in China and you're trying to read BBC? ● What if your exit relay is in China and its ISP is doing an SSL MitM attack on it? (What if China 0wns a CA?) 30

  31. Who runs the relays? (3) ● What happens if ten Tor relays show up, all on 149.9.0.0/16, which is near DC? ● “EnforceDistinctSubnets” config option to use one node per /16 in your circuit (Tor 0.1.2.1-alpha, 27 August 2006) ● No more than 2 relays on one IP address (Tor 0.2.0.3-alpha, 29 July 2007) ● How about ASes? IXes? Countries? 31

  32. Tor Browser Bundle traces ● We want to let you use Tor from a USB key without leaving traces on the host ● “WINDOWS/Prefetch” trace ● Windows explorer's “user assist” registry entry ● Vista has many more? 32

  33. Application-level woes (1) ● Javascript refresh attack ● Cookies, History, browser window size, user-agent, language, http auth, ... ● Mostly problems when you toggle from Tor to non-Tor or back ● Mike Perry's new Torbutton 1.2.0 tackles many of these (30 July 2008) 33

  34. Some Firefox privacy bugs remain ● No way to configure/spoof timezones ● “Livemarks” / “Live bookmarks” does a lookup over Tor when Firefox starts. ● Client-side SSL certs are messy to isolate (Firefox happily sends them to the remote website even v ia Tor) ● The TLS ClientHello message in FF2 uses uptime for the “time” variable! 34

  35. Application-level woes (2) ● Some apps are bad at obeying their proxy settings. ● Adobe PDF plugin. Other plugins. Extensions. Especially Windows stuff. 35

  36. Transparent proxying ● Easy to do in Linux / BSD: iptables/pf, getsockopt()/getsockname(), done. ● Put Tor client in a Linux QEMU running inside Windows. Then intercept outgoing traffic from Windows apps. Or, ● Put Tor client and apps inside a Linux QEMU, and launch it from Windows. 36

  37. Filtering connections to Tor ● By blocking the directory authorities ● By blocking all the relay IP addresses in the directory ● By filtering based on Tor's network fingerprint ● By preventing users from finding the Tor software 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Vulnerabilities in Tor: (past,) present, future Roger Dingledine The Tor Project

Vulnerabilities in Tor: (past,) present, future Roger Dingledine The Tor Project

Vulnerabilities in Tor: (past,) present, future Roger Dingledine The Tor Project https://www.torproject.org/ 1 Outline Crash course on Tor Solved / solvable problems Tough ongoing issues, practical Tough ongoing issues,

759 views • 41 slides
VA Psychology Leadership Conference y gy p PAST PRESENT & FUTURE FOR VHA: PAST, PRESENT

VA Psychology Leadership Conference y gy p PAST PRESENT & FUTURE FOR VHA: PAST, PRESENT

VA Psychology Leadership Conference y gy p PAST PRESENT & FUTURE FOR VHA: PAST, PRESENT & FUTURE FOR VHA: THE REALIGNMENT IN CENTRAL OFFICE May 18, 2011 y , George W. Arana, MD Acting Assistant Deputy Under Secretary for Health g p

510 views • 32 slides
The Past, Present and Future of Irish Agriculture Brendan Kearney The Past, Present and Future of

The Past, Present and Future of Irish Agriculture Brendan Kearney The Past, Present and Future of

The Past, Present and Future of Irish Agriculture Brendan Kearney The Past, Present and Future of Irish Agriculture Changing role in the economy Main policy developments and output/ income trends Changing structure and performance

852 views • 17 slides
CUPA - RIO GRANDE CHAPTER ACA (PAST, PRESENT AND FUTURE) Agenda 1. ACA Foundations 2. Past -

CUPA - RIO GRANDE CHAPTER ACA (PAST, PRESENT AND FUTURE) Agenda 1. ACA Foundations 2. Past -

CUPA - RIO GRANDE CHAPTER ACA (PAST, PRESENT AND FUTURE) Agenda 1. ACA Foundations 2. Past - The Early Days 3. Present - Current State 4. Future Whats Next 5. Solutions ACA Compliance Tools 6. Question and Answer Jeff Taylor

373 views • 19 slides
20 Years of PaX PaX Team SSTIC 2012.06.06 20 Years of PaX About Past Present Future About

20 Years of PaX PaX Team SSTIC 2012.06.06 20 Years of PaX About Past Present Future About

About Past Present Future 20 Years of PaX PaX Team SSTIC 2012.06.06 20 Years of PaX About Past Present Future About Introduction Design Concepts Past Userland Present Kernel Self-Protection Toolchain Support Future Userland

803 views • 40 slides
Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing

Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing

Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing gives rest but the sincere search for truth. -Pascal Greetz from Room 101 Kenneth Geers 1984 # Nineteen Eighty-Four (Orwell) # Govt IW vs own

1.03k views • 77 slides
a review of the evidence Maarten Goos The past, present and future The past (1820-1980):

a review of the evidence Maarten Goos The past, present and future The past (1820-1980):

How the world of work is changing: a review of the evidence Maarten Goos The past, present and future The past (1820-1980): Industrial Revolution results in skill-upgrading and decreasing inequality . The present (after 1980):Computer

337 views • 18 slides
Yhc: Past, Present, Future Neil Mitchell The Past Started by Tom, fork of nhc He

Yhc: Past, Present, Future Neil Mitchell The Past Started by Tom, fork of nhc He

Yhc: Past, Present, Future Neil Mitchell The Past Started by Tom, fork of nhc He didnt tell anyone! Some students found out Me, Andrew, Mike, Bob Started helping seemed fun Never an official York project The

266 views • 5 slides
Past, present and future of CSCL Gerry Stahl 3 Parts of Talk Past:TheRootsofCSCL

Past, present and future of CSCL Gerry Stahl 3 Parts of Talk Past:TheRootsofCSCL

Past, present and future of CSCL Gerry Stahl 3 Parts of Talk Past:TheRootsofCSCL (expandingvision) Present:Alternativeapproaches withinCSCL (multiple analytic voices)

625 views • 33 slides
Future of Philanthropy: Trends to Watch Those who only look to the past or present are

Future of Philanthropy: Trends to Watch Those who only look to the past or present are

Future of Philanthropy: Trends to Watch Those who only look to the past or present are certain to miss the future. -John F. Kennedy Huge Leaps in Health Civil Society Freedoms Challenged Growth of Impact Investing Equity as a Superior

424 views • 16 slides
The Past, Present, and Future of the R Project Kurt Hornik Kurt Hornik useR! 2008 The Past,

The Past, Present, and Future of the R Project Kurt Hornik Kurt Hornik useR! 2008 The Past,

The Past, Present, and Future of the R Project The Past, Present, and Future of the R Project Kurt Hornik Kurt Hornik useR! 2008 The Past, Present, and Future of the R Project Prehistory of R: S v1 19761980 Honeywell GCOS,

649 views • 29 slides
Prometheus Histograms Past, Present, and Future Bjrn Beorn Rabenstein PromCon EU,

Prometheus Histograms Past, Present, and Future Bjrn Beorn Rabenstein PromCon EU,

Prometheus Histograms Past, Present, and Future Bjrn Beorn Rabenstein PromCon EU, Munich 2019-11-08 This is not a Howto. Visit https://prometheus.io/docs/practices/histograms/ instead The Past The Past The Present The

562 views • 35 slides
ISOBUSs Past, Present and Future role in Agricultural Robotics and Automation Benjamin

ISOBUSs Past, Present and Future role in Agricultural Robotics and Automation Benjamin

Introduction Precision Farming TIM AgRA Present Future Conclusion References ISOBUSs Past, Present and Future role in Agricultural Robotics and Automation Benjamin Fernandez Universidad Nacional de Educacin a Distancia (UNED)

960 views • 42 slides
Innovation Parks: Past, Present, Future Applied Solutions Coalition Santa Fe Workshop October,

Innovation Parks: Past, Present, Future Applied Solutions Coalition Santa Fe Workshop October,

Innovation Parks: Past, Present, Future Applied Solutions Coalition Santa Fe Workshop October, 2009 Innovation Parks: Past, Present, Future Applied Solutions Coalition Thematic overview: Past: Fixed asset focus Present: Vertical

352 views • 16 slides
The OIG and Hospice in Nursing Facilities: Past, Present and Future Present and Future Heather

The OIG and Hospice in Nursing Facilities: Past, Present and Future Present and Future Heather

The OIG and Hospice in Nursing Facilities: Past, Present and Future Present and Future Heather P Wilson Ph D Heather P. Wilson, Ph.D. Weatherbee Resources, Inc. Howard Young Esq Howard Young, Esq. Morgan Lewis & Bockius, LLP M March

696 views • 41 slides
LORD DUNMORE DRIVE Past, Present, & Future PW/Traffic Engineering Prepared for Feb. 4, 2018

LORD DUNMORE DRIVE Past, Present, & Future PW/Traffic Engineering Prepared for Feb. 4, 2018

LORD DUNMORE DRIVE Past, Present, & Future PW/Traffic Engineering Prepared for Feb. 4, 2018 Meeting with Fairfield Civic League OUTLINE PAST Look at what has been done I. PRESENT Look at what is currently going on II. FUTURE

678 views • 44 slides
Cryptographic Challenges in and around Tor Nick Mathewson The Tor Project 9 January 2013

Cryptographic Challenges in and around Tor Nick Mathewson The Tor Project 9 January 2013

Cryptographic Challenges in and around Tor Nick Mathewson The Tor Project 9 January 2013 Summary Very quick Tor overview Tor's cryptography, and how it's evolving Various opportunities for more Tor crypto work Disclaimer: This is

601 views • 32 slides
Hybrid Networks: Cellular-Relay Architecture Harish Viswanathan, Sayandev Mukherjee and Ram

Hybrid Networks: Cellular-Relay Architecture Harish Viswanathan, Sayandev Mukherjee and Ram

Hybrid Networks: Cellular-Relay Architecture Harish Viswanathan, Sayandev Mukherjee and Ram Ramjee Bell Labs, Lucent Technologies Murray Hill, NJ Network Architecture for 4G Macro-cell architecture may not have enough capacity and coverage

341 views • 18 slides
Tor61 P P R2 Time Note on Relay Packets A relay does not look inside Relay cells unless

Tor61 P P R2 Time Note on Relay Packets A relay does not look inside Relay cells unless

Tor61 P P R2 Time Note on Relay Packets A relay does not look inside Relay cells unless it is the end of the circuit. Relay Cell Cell Arrives. Control Cell Type? Process Cell Am I the end No Yes of the circuit? Forward to

292 views • 15 slides
The power of How fast is sorting? parallel computation Input: array of numbers. 2 , D. J.

The power of How fast is sorting? parallel computation Input: array of numbers. 2 , D. J.

The power of How fast is sorting? parallel computation Input: array of numbers. 2 , D. J. Bernstein Each number in 1 2 represented in binary. Thanks to: University of Illinois at Chicago Output:

786 views • 67 slides
PWE3 PW/VCCV User Implementa4on Survey Results

PWE3 PW/VCCV User Implementa4on Survey Results

PWE3 PW/VCCV User Implementa4on Survey Results dra<-delregno-pwe3-pw-vccv-impl-survey-results-01 Nick DelRegno IETF 80, Prague

200 views • 19 slides
Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY RFID Background Relay Attacks Distance Bounding Protocols Conclusion

666 views • 53 slides
D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 1. New

D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 1. New

D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 1. New CAESAR project: C ompetition for A uthenticated E ncryption: S ecurity, A pplicability, R obustness http://competitions.cr.yp.to NIST has

546 views • 42 slides
Fuel Cell Solutions for the domestic sector in the clean energy transition Antonio AGUILO

Fuel Cell Solutions for the domestic sector in the clean energy transition Antonio AGUILO

Fuel Cell Solutions for the domestic sector in the clean energy transition Antonio AGUILO Project Officer COGEN Annual Conference, The Power of Heat, Panel Debate Session 5 Local energy revolution Brussels, June 6 th 2018 Powered by

184 views • 7 slides

More recommend