Deanonymization in Tor web

Presented by Alessandro Granato, Emilio Cruciani, Giovanni Colonna, Silvio Biagioni. Deanonymization. Web Security and Privacy course – 2015/2016 – «La Sapienza» University


Page 1: Deanonymization in Tor web

Presented by
• Alessandro Granato
• Emilio Cruciani
• Giovanni Colonna
• Silvio Biagioni

Deanonymization


Page 2: Deanonymization in Tor web

Presented by
• Alessandro Granato

Information
• http://www.slideshare.net/AlessandroGranato/deanonymization-in-tor-web
• linkedin.com/in/alessandro-granato-40b03081
• [email protected]

Deanonymization – The Onion Router


Page 3: Deanonymization in Tor web

• What is Anonymity?
  ▫ Colloquial use – Web use

• What is Data Anonymization?
  ▫ Information sanitization
  ▫ Security – Privacy

• What is De-Anonymization?
  ▫ Cross-reference

Introduction

Page 4: Deanonymization in Tor web

• Tor is free software for anonymous communication
  ▫ Volunteer-run relays conceal the user's location

Introduction – The Onion Router

• Nested "Onion" encryption
  ▫ Encrypts data, sender IP, receiver IP
  ▫ Through random circuits
  ▫ Last relay!

Page 5: Deanonymization in Tor web

• Monitoring to guarantee safety
• Tor abused by cybercrime and terrorists
• Monitoring capabilities over anonymizing networks

Governments vs Tor

People directly connected to Tor in 2014: 2.5 Mln connected users

Page 6: Deanonymization in Tor web

• Tender for companies: "Perform research, code 'TOR' (Navy)"
• Develop technology to track Tor's users

Russia vs Tor

Reward: 4 Mln rubles (~$111,000)

Page 7: Deanonymization in Tor web

• Counter-attack to deanonymizers in the Tor network
• Philipp Winter, Stefan Lindskog – Karlstad University

Spoiled Onions: Exposing Malicious Tor Exit Relays

Page 8: Deanonymization in Tor web

• Tor circuits are encrypted tunnels
• Exit relays -> open internet -> final destination
• Traffic usually lacks end-to-end encryption
• Man in the middle by design
• Relays are run by volunteers!
  ▫ Innocent
  ▫ Malicious

Spoiled Onions

Page 9: Deanonymization in Tor web

• Goal: find malicious exit relays
  ▫ Develop an exit relay scanner
  ▫ Design a browser extension patch
  ▫ Fetch and compare suspicious X.509 certificates (X.509: the standard for a public key infrastructure (PKI) to manage digital certificates)
  ▫ Probe exit relays for 4 months

Spoiled Onions: The study

Page 10: Deanonymization in Tor web

• Python-based exit relay scanner
• Creates custom circuits to exit relays
• Circuits are probed by modules
  ▫ Establish decoy connections

• Objective
  ▫ Provoke exit relays to tamper with these connections
  ▫ Reveal them!

Spoiled Onions: ExitMap

• Stem library
  ▫ Implements the Tor control port
  ▫ Initiate/close circuits
  ▫ Attach streams to circuits

Page 11: Deanonymization in Tor web

• Fetch the network consensus to know the online exit relays
• Get fed with a set of exit relays
  ▫ Random permutation
• Initiate circuits over the exit relays
• Invoke the desired probing module, which establishes the decoy connection
  ▫ __LeaveStreamsUnattached
  ▫ __DisablePredictedCircuits

Spoiled Onions: Using ExitMap

Page 12: Deanonymization in Tor web

• HTTPS module
  ▫ Fetches the decoy destination's X.509 certificate -> extracts its fingerprint
  ▫ Compares it to the expected fingerprint (hard-coded inside the module)
  ▫ If mismatch -> ALERT!

• SSLSTRIP module
  ▫ Sslstrip attack: rewrites HTTPS answers as HTTP
  ▫ Silent attack: browsers show no alert; you must notice the absence of the TLS indicator (green address bar)
  ▫ The module verifies whether the expected HTTPS link was «downgraded» to HTTP

Spoiled Onions: Probing modules

Page 13: Deanonymization in Tor web

• In 2014:
  ▫ N = 1000 exit relays
  ▫ M = 25 malicious exit relays
  ▫ 2 relays: DNS censorship
  ▫ 1 relay: misconfigured
  ▫ All the others: MitM attack

Spoiled Onions: Enemies Found!

Page 14: Deanonymization in Tor web

• Connection with the decoy destination
• The relay replaces the decoy's certificate with its own self-signed version
• The certificate is not issued by a trusted authority in Tor's certificate store
• Probable Man in the Middle attack!
  ▫ User redirected to the about:certerror warning page

Spoiled Onions: Enemies Found! (cont’d)

Page 15: Deanonymization in Tor web

• A subset of the malicious relays is run by the same group of people
  ▫ Same self-signed certificate (issuer "Main Authority")
  ▫ Same country (Russia)
  ▫ Same VPS provider
  ▫ Same netblock (176.99.0.0/20)
  ▫ Same old version of Tor
  ▫ Same destination target: Facebook

Social networks are often attacked using MitM

Spoiled Onions: Enemies Found! (cont’d)

Page 16: Deanonymization in Tor web

• ExitMap checks the browser event DOMContentLoaded
  ▫ Fired whenever a document is loaded by the browser

• Check the URI to find the «about:certerror» warning page
• If found, there is a self-signed certificate
• It can be authentic but not in the Tor certificate store
• Refetch the certificate over another circuit
• Compare the two fingerprints
  ▫ If same = authentic
  ▫ If not same = MitM attack

Spoiled Onions: Extension design
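As an added illustration (not ExitMap's, the paper's or the extension's own code) of the HTTPS and SSLSTRIP probing modules from the earlier slides and of the two-circuit fingerprint comparison described here: the certificate bytes, URLs and HTML are constructed samples, the fetch through an exit relay is injected as a callable, and the SHA-1 colon-separated fingerprint format is an assumption.

```python
import hashlib
import re
from typing import Callable, List

# Constructed sample DER bytes (not real certificates): one stands in for the decoy
# destination's genuine certificate, the other for a relay's self-signed replacement.
GENUINE_DER = b"constructed-der-bytes:decoy-destination-cert"
ROGUE_DER = b"constructed-der-bytes:exit-relay-self-signed-cert"


def fingerprint(der: bytes) -> str:
    """SHA-1 fingerprint of a DER certificate, colon-separated as browsers display it."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


# The expected fingerprint is hard-coded, as in the HTTPS module described on the slides.
EXPECTED_FP = fingerprint(GENUINE_DER)


def https_module(fetch_cert_via_exit: Callable[[], bytes]) -> str:
    """HTTPS module: fetch the decoy's certificate through the exit relay under test
    and compare its fingerprint with the hard-coded one. 'alert' means tampering."""
    observed = fingerprint(fetch_cert_via_exit())
    return "ok" if observed == EXPECTED_FP else "alert"


def sslstrip_module(expected_https_url: str, body_via_exit: str) -> str:
    """SSLSTRIP module: sslstrip rewrites HTTPS links to HTTP without any browser
    warning, so check whether the expected HTTPS link came back downgraded."""
    hrefs: List[str] = re.findall(r'href="([^"]*)"', body_via_exit)
    downgraded = "http://" + expected_https_url[len("https://"):]
    if expected_https_url in hrefs:
        return "ok"
    return "alert" if downgraded in hrefs else "link-missing"


def extension_check(fp_first_circuit: str, fp_second_circuit: str) -> str:
    """Extension logic after about:certerror: refetch the certificate over a different
    circuit and compare. Same fingerprint = authentic self-signed certificate;
    different fingerprint = man in the middle by the first exit relay."""
    return "authentic" if fp_first_circuit == fp_second_circuit else "mitm"


if __name__ == "__main__":
    print(https_module(lambda: ROGUE_DER))  # alert
    stripped_page = '<a href="http://www.example.test/login">Login</a>'  # constructed
    print(sslstrip_module("https://www.example.test/login", stripped_page))  # alert
    print(extension_check(fingerprint(ROGUE_DER), fingerprint(GENUINE_DER)))  # mitm
```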

Page 17: Deanonymization in Tor web

• If a Man in the Middle attack is detected:
  ▫ Show a warning pop-up
  ▫ The user can send information about the case

Spoiled Onions: Extension design (cont’d)

Page 18: Deanonymization in Tor web

• In 2014 there were ~1000 Tor exit relays
• The researchers developed a scanner to monitor exit relays for 4 months
• M = 25 malicious exit relays were discovered
• The majority of the MitM attacks were coordinated
• To avoid user deanonymization:
  ▫ Developed ExitMap
  ▫ Developed a set of patches for the Tor Browser that fetch self-signed certificates, evaluate their trustworthiness and advise the user

Spoiled Onions: Conclusion

Page 20: Deanonymization in Tor web

Thank you!

Deanonymization – The Onion Router


Questions?