Deanonymization in Tor web
Transcript of the slides
Slide 1: Deanonymization
Presented by: Alessandro Granato, Emilio Cruciani, Giovanni Colonna, Silvio Biagioni
Web Security and Privacy course – 2015/2016 – «La Sapienza» University
Slide 2: Deanonymization – The Onion Router
Presented by Alessandro Granato
• http://www.slideshare.net/AlessandroGranato/deanonymization-in-tor-web
• linkedin.com/in/alessandro-granato-40b03081
• [email protected]
Slide 3: Introduction
• What is anonymity?
 ▫ Colloquial use vs. web use
• What is data anonymization?
 ▫ Information sanitization
 ▫ Security and privacy
• What is de-anonymization?
 ▫ Cross-referencing anonymized data with other sources
Slide 4: Introduction – The Onion Router
• Tor is free software for anonymous communication
 ▫ Volunteer-run relays conceal the user's location
• Nested "onion" encryption
 ▫ Encrypts the data, the sender IP and the receiver IP in layers: each relay learns only the previous and the next hop
 ▫ Traffic travels through random circuits of relays
 ▫ The last relay (the exit) strips the final layer and sees the traffic as it leaves Tor, in the clear unless it is end-to-end encrypted
Slide 5: Governments vs Tor
• Monitoring to guarantee safety
• Tor abused by cybercrime and terrorists
• Monitoring capabilities over anonymizing networks
People directly connected to Tor in 2014: 2.5 million connected users
Slide 6: Russia vs Tor
• Tender for companies: "Perform research, code 'TOR' (Navy)"
• Develop technology to track Tor's users
Reward: 4 million rubles (~$111,000)
Slide 7: Spoiled Onions: Exposing Malicious Tor Exit Relays
• A counter-attack on the deanonymizers inside the Tor network
• Philipp Winter, Stefan Lindskog – Karlstad University
Slide 8: Spoiled Onions
• Tor circuits are encrypted tunnels
• Exit relays -> open internet -> final destination
• Traffic usually lacks end-to-end encryption
• The exit relay is a man in the middle by design: it sees, and can alter, whatever leaves the tunnel unencrypted
• Relays are run by volunteers!
 ▫ Innocent
 ▫ Malicious
Slide 9: Spoiled Onions: The study
• Goal: find malicious exit relays
 ▫ Develop an exit relay scanner
 ▫ Design a browser extension (a patch for Tor Browser)
 ▫ Fetch and compare suspicious X.509 certificates
 ▫ Probe exit relays for 4 months
Slide 10: Spoiled Onions: ExitMap
• Python-based exit relay scanner
• Creates custom circuits through chosen exit relays
• Circuits are probed by modules
 ▫ Each module establishes a decoy connection
• Objective
 ▫ Provoke exit relays into tampering with these connections
 ▫ Reveal them!
• Stem library
 ▫ Implements the Tor control protocol (control port)
 ▫ Initiate/close circuits
 ▫ Attach streams to circuits
Slide 11: Spoiled Onions: Using ExitMap
• Fetch the network consensus to learn which exit relays are online
• Feed the scanner the set of exit relays
 ▫ Visited in a random permutation
• Initiate one circuit over each exit relay
• Invoke the desired probing module, which establishes the decoy connection
 ▫ __LeaveStreamsUnattached: tor leaves new streams unattached, so the scanner, not tor, chooses the circuit for each stream
 ▫ __DisablePredictedCircuits: tor pre-builds no circuits of its own, so every circuit is one the scanner requested
Slide 12: Spoiled Onions: Probing modules
• HTTPS module
 ▫ Fetches the decoy destination's X.509 certificate -> extracts its fingerprint
 ▫ Compares it with the expected fingerprint (hard-coded inside the module)
 ▫ If mismatch -> ALERT!
• SSLSTRIP module
 ▫ sslstrip attack: the exit rewrites the HTTPS answer as plain HTTP
 ▫ Silent attack: the browser shows no warning; the user would have to notice the missing TLS indicator (green address bar)
 ▫ The module verifies whether the expected HTTPS link was "downgraded" to HTTP
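As an added example (this is not ExitMap's own code), the decision logic of the two probing modules described above, the HTTPS fingerprint check and the sslstrip downgrade check, together with the outer loop that runs them over the exit relays in a random permutation. ExitMap builds a real circuit through each exit with Stem and attaches a decoy stream to it; here the network side is replaced by `fetch_cert` / `fetch_page` callables so the checks run offline. The decoy URL, the relay fingerprints, the DER byte strings and the page bodies are constructed for this example.

```python
"""Added example, not ExitMap's own code: decision logic of the HTTPS and
sslstrip probing modules and the scan loop that drives them.  The network
side (circuit per exit, decoy stream) is replaced by the fetch callables.
"""
import hashlib
import random
import re
from typing import Callable, Iterable, List, NamedTuple, Tuple
from urllib.parse import urlsplit

DECOY_URL = "https://decoy.example/"              # constructed decoy destination
HREF_HTTP = re.compile(rb"""href=["']http://""", re.IGNORECASE)


class ProbeResult(NamedTuple):
    exit_fp: str    # identity fingerprint of the probed exit (constructed values below)
    module: str     # "https" or "sslstrip"
    alert: bool     # True: the exit tampered with the decoy connection
    detail: str


def cert_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER encoding: the fingerprint browsers and
    `openssl x509 -fingerprint -sha1` display."""
    return hashlib.sha1(der).hexdigest()


def https_module(exit_fp: str, der_seen: bytes, expected_fp: str) -> ProbeResult:
    """Compare the certificate seen through this exit with the fingerprint
    hard-coded for the decoy.  Any mismatch is an alert: only something
    between the exit and the destination can have swapped the cert."""
    seen = cert_fingerprint(der_seen)
    if seen == expected_fp:
        return ProbeResult(exit_fp, "https", False, "certificate fingerprint matches")
    return ProbeResult(exit_fp, "https", True,
                       f"fingerprint mismatch: saw {seen[:12]}..., expected {expected_fp[:12]}...")


def sslstrip_module(exit_fp: str, final_url: str, body: bytes) -> ProbeResult:
    """The decoy is requested over HTTPS and its page links only to https://
    URLs.  sslstrip leaves the browser on plain http:// (or rewrites the
    links to http://) without any warning, so that is what we look for."""
    downgraded = urlsplit(final_url).scheme != "https"
    stripped_links = HREF_HTTP.search(body) is not None
    if downgraded or stripped_links:
        what = "connection" if downgraded else "links"
        return ProbeResult(exit_fp, "sslstrip", True, f"HTTPS {what} downgraded to HTTP")
    return ProbeResult(exit_fp, "sslstrip", False, "no downgrade observed")


def scan(exit_fps: Iterable[str], expected_fp: str,
         fetch_cert: Callable[[str, str], bytes],
         fetch_page: Callable[[str, str], Tuple[str, bytes]],
         seed=None) -> List[ProbeResult]:
    """ExitMap's loop: visit the online exits in a random permutation, use
    one circuit per exit (here: call the fetchers with that exit) and run
    both modules over it."""
    order = list(exit_fps)
    random.Random(seed).shuffle(order)
    results: List[ProbeResult] = []
    for fp in order:
        results.append(https_module(fp, fetch_cert(fp, DECOY_URL), expected_fp))
        final_url, body = fetch_page(fp, DECOY_URL)
        results.append(sslstrip_module(fp, final_url, body))
    return results


def malicious_exits(results: Iterable[ProbeResult]) -> List[str]:
    return sorted({r.exit_fp for r in results if r.alert})


# Constructed stand-ins: a real module takes the server's DER certificate
# from the TLS handshake made over the circuit; these bytes only stand in.
GENUINE_DER = b"\x30\x82\x01\x00" + b"decoy.example genuine certificate (constructed)"
ROGUE_DER = b"\x30\x82\x01\x00" + b"CN=Main Authority self-signed (constructed)"
EXPECTED_FP = cert_fingerprint(GENUINE_DER)       # what the module hard-codes

HONEST_EXIT = "A" * 40   # behaves
MITM_EXIT = "B" * 40     # swaps in its own self-signed certificate
STRIP_EXIT = "C" * 40    # runs sslstrip

GENUINE_PAGE = b'<a href="https://decoy.example/login">login</a>'
STRIPPED_PAGE = b'<a href="http://decoy.example/login">login</a>'


def fake_fetch_cert(exit_fp: str, url: str) -> bytes:
    return ROGUE_DER if exit_fp == MITM_EXIT else GENUINE_DER


def fake_fetch_page(exit_fp: str, url: str) -> Tuple[str, bytes]:
    if exit_fp == STRIP_EXIT:
        return url.replace("https://", "http://", 1), STRIPPED_PAGE
    return url, GENUINE_PAGE


if __name__ == "__main__":
    for r in scan([HONEST_EXIT, MITM_EXIT, STRIP_EXIT], EXPECTED_FP,
                  fake_fetch_cert, fake_fetch_page, seed=1):
        print("ALERT" if r.alert else "ok   ", r.exit_fp[:8], r.module, r.detail)
```

The hard-coded expected fingerprint is what makes the HTTPS check robust: the scanner never asks the Tor Browser trust store whether the substituted certificate is valid, it only asks whether it is the decoy's. The sslstrip check needs a decoy page whose links are known to be all-HTTPS, otherwise an http:// link is not evidence of anything.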
Slide 13: Spoiled Onions: Enemies found!
• In 2014:
 ▫ N = 1000 exit relays probed
 ▫ M = 25 malicious exit relays
 ▫ 2 relays: DNS censorship
 ▫ 1 relay: misconfigured
 ▫ All the others: MitM attacks
Slide 14: Spoiled Onions: Enemies found! (cont'd)
• The exit connects to the decoy destination
• It replaces the decoy's certificate with its own self-signed version
• That certificate is not issued by any authority trusted by Tor Browser's certificate store
• Probable man-in-the-middle attack!
 ▫ The user is sent to the about:certerror warning page
Slide 15: Spoiled Onions: Enemies found! (cont'd)
• A subset of the malicious relays was run by the same group of people
 ▫ Same self-signed certificate (issuer "Main Authority")
 ▫ Same country (Russia)
 ▫ Same VPS provider
 ▫ Same netblock (176.99.0.0/20)
 ▫ Same old version of Tor
 ▫ Same target destination: Facebook
• Social networks are often attacked using MitM
Slide 16: Spoiled Onions: Extension design
• The browser extension listens for the DOMContentLoaded event
 ▫ Fired whenever the browser has loaded a document
• It checks the URI for the about:certerror warning page
• If found, the site presented a self-signed (untrusted) certificate
 ▫ It may be authentic, just not issued by an authority in Tor Browser's certificate store
• The extension re-fetches the certificate over another circuit
• It compares the two fingerprints
 ▫ Same -> authentic
 ▫ Different -> MitM attack
Slide 17: Spoiled Onions: Extension design (cont'd)
• If a man-in-the-middle attack is detected:
 ▫ Show a warning pop-up
 ▫ The user can send information about the case
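As an added example (not the Spoiled Onions Tor Browser patch itself), the decision the extension described on the two slides above makes on every DOMContentLoaded: ignore ordinary pages, and on about:certerror re-fetch the site's certificate over a second circuit and compare fingerprints. The second fetch is a callable here, where the real extension asks tor for a fresh circuit; the failing URL is passed in explicitly instead of being parsed out of the about:certerror URI; hosts, fingerprints and DER byte strings are constructed for this example.

```python
"""Added example, not the Spoiled Onions browser patch: the extension's
certerror decision.  `fetch_cert_over_new_circuit` stands in for the
re-fetch over a second Tor circuit.
"""
import hashlib
from typing import Callable, Dict, List, Optional

CERTERROR_URI = "about:certerror"


def cert_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, as browsers display it."""
    return hashlib.sha1(der).hexdigest()


class CertErrorChecker:
    def __init__(self, fetch_cert_over_new_circuit: Callable[[str], bytes]):
        self.refetch = fetch_cert_over_new_circuit
        self.reports: List[Dict[str, str]] = []   # what the warning pop-up offers to send

    def on_dom_content_loaded(self, uri: str, failed_url: str,
                              cert_seen: bytes) -> Optional[str]:
        """Ordinary page: None.  On about:certerror, re-fetch the site's
        certificate over another circuit (hence another exit) and compare:
        same fingerprint -> 'authentic' (the site really is self-signed),
        different -> 'mitm' (the first exit swapped the certificate)."""
        if not uri.startswith(CERTERROR_URI):
            return None
        fp_this_circuit = cert_fingerprint(cert_seen)
        fp_other_circuit = cert_fingerprint(self.refetch(failed_url))
        if fp_this_circuit == fp_other_circuit:
            return "authentic"
        self.reports.append({"url": failed_url,
                             "seen": fp_this_circuit,
                             "other_circuit": fp_other_circuit})
        return "mitm"


# Constructed stand-ins for certificates and for what a second circuit sees.
SITE_OWN_DER = b"\x30\x82\x01\x00" + b"selfsigned.example own cert (constructed)"
ROGUE_DER = b"\x30\x82\x01\x00" + b"CN=Main Authority rogue cert (constructed)"
SOCIAL_REAL_DER = b"\x30\x82\x01\x00" + b"social.example CA-issued cert (constructed)"


def fake_refetch(url: str) -> bytes:
    """What an honest second exit would see for each site."""
    return SITE_OWN_DER if "selfsigned.example" in url else SOCIAL_REAL_DER


def demo() -> Dict[str, object]:
    """Three page loads: a normal page, a genuinely self-signed site, and
    a CA-issued site whose certificate was replaced by a rogue exit."""
    c = CertErrorChecker(fake_refetch)
    return {
        "normal": c.on_dom_content_loaded("https://social.example/",
                                          "https://social.example/", SOCIAL_REAL_DER),
        "self_signed_site": c.on_dom_content_loaded(CERTERROR_URI,
                                                    "https://selfsigned.example/", SITE_OWN_DER),
        "rogue_exit": c.on_dom_content_loaded(CERTERROR_URI,
                                              "https://social.example/", ROGUE_DER),
        "reports": len(c.reports),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The comparison only works if the second circuit really exits through a different relay: if it lands on another exit of the same group (the 176.99.0.0/20 cluster above serves the same rogue certificate), both fetches agree and the check reports "authentic". That is why the client-side check complements, rather than replaces, a scan such as ExitMap's.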
Slide 18: Spoiled Onions: Conclusion
• In 2014 there were ~1000 Tor exit relays
• The researchers developed a scanner and monitored the exit relays for 4 months
• M = 25 malicious exit relays discovered
• The majority of the MitM attacks were coordinated
• To avoid user deanonymization:
 ▫ Developed ExitMap
 ▫ Developed a set of patches for Tor Browser that fetch self-signed certificates, evaluate their trustworthiness and advise the user
Slide 19: Useful links
• Slideshare: http://www.slideshare.net/AlessandroGranato/deanonymization-in-tor-web
• Infosec: http://resources.infosecinstitute.com/hacking-tor-online-anonymity/
• Spoiled Onions paper: http://www.cs.kau.se/philwint/spoiled_onions/techreport.pdf
Slide 20: Thank you!
Deanonymization – The Onion Router
Questions?