the tor project - def con con 25/def con 25... · alice1 alice3 irrelevant relay e (b o b 3, “ x...
TRANSCRIPT
![Page 1: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/1.jpg)
1
The Tor Project
Our mission is to be the global resource for
technology, advocacy, research and
education in the ongoing pursuit of freedom
of speech, privacy rights online, and
censorship circumvention.
![Page 2: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/2.jpg)
2
● Online Anonymity– Open Source– Open Network
● Community of researchers, developers, users and relay operators.
● U.S. 501(c)(3) non-pro%t organization
![Page 3: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/3.jpg)
3
Estimated 2,000,000+ daily Tor users
![Page 4: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/4.jpg)
4
Threat model:what can the attacker do?
Alice
Anonymity network Bob
watch (or be!) Bob!
watch Alice!
Control part of the network!
![Page 5: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/5.jpg)
5
Anonymity isn't encryption: Encryption just protects contents.
Alice
Bob
“Hi, Bob!”“Hi, Bob!” <gibberish>
attacker
![Page 6: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/6.jpg)
6
Anonymity serves different interests for different user groups.
Anonymity
Private citizens“It's privacy!”
![Page 7: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/7.jpg)
7
Anonymity serves different interests for different user groups.
Anonymity
Private citizens
Businesses
“It's network security!”
“It's privacy!”
![Page 8: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/8.jpg)
8
Anonymity serves different interests for different user groups.
Anonymity
Private citizens
Governments Businesses
“It's traffic-analysisresistance!”
“It's network security!”
“It's privacy!”
![Page 9: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/9.jpg)
9
Anonymity serves different interests for different user groups.
Anonymity
Private citizens
Governments Businesses
“It's traffic-analysisresistance!”
“It's network security!”
“It's privacy!”
Human rightsactivists
“It's reachability!”
![Page 10: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/10.jpg)
10
The simplest designs use a single relay to hide connections.
Bob2
Bob1
Bob3
Alice2
Alice1
Alice3
Relay
E(Bob3,“X”)
E(Bob1, “Y”)
E(Bob2, “Z”)
“Y”
“Z”
“X”
(example: some commercial proxy providers)
![Page 11: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/11.jpg)
11
But a central relay isa single point of failure.
Bob2
Bob1
Bob3
Alice2
Alice1
Alice3
EvilRelay
E(Bob3,“X”)
E(Bob1, “Y”)
E(Bob2, “Z”)
“Y”
“Z”
“X”
![Page 12: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/12.jpg)
12
... or a single point of bypass.
Bob2
Bob1
Bob3
Alice2
Alice1
Alice3
IrrelevantRelay
E(Bob3,“X”)
E(Bob1, “Y”)
E(Bob2, “Z”)
“Y”
“Z”
“X”
Timing analysis bridges all connections through relay ⇒ An attractive fat target
![Page 13: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/13.jpg)
13
![Page 14: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/14.jpg)
14
![Page 15: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/15.jpg)
15
![Page 16: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/16.jpg)
16
![Page 17: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/17.jpg)
17
Tor's safety comes from diversity
● #1: Diversity of relays. The more relays we have and the more diverse they are, the fewer attackers are in a position to do traffic confirmation. (Research problem: measuring diversity over time)
● #2: Diversity of users and reasons to use it. 50000 users in Iran means almost all of them are normal citizens.
![Page 18: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/18.jpg)
18
Transparency for Tor is key
● Open source / free software● Public design documents and
specifications● Publicly identified developers● Not a contradiction:
privacy is about choice!
![Page 19: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/19.jpg)
19
But what about bad people?
● Remember the millions of daily users.● Still a two-edged sword?● Good people need Tor much more
than bad guys need it.
![Page 20: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/20.jpg)
20
Myth #1
● “I heard the Navy wrote Tor originally, so how can I trust it?”
![Page 21: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/21.jpg)
21
Myth #2
● “I heard the NSA runs half the relays.”
![Page 22: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/22.jpg)
22
Myth #3
● “I heard Tor is slow.”
![Page 23: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/23.jpg)
23
Myth #4
● “I heard Tor gets most of its money from the US government.”
![Page 24: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/24.jpg)
24
Myth #5
● “I heard 80% of Tor is bad people.”
![Page 25: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/25.jpg)
25
Myth #6
● “I shouldn't use Tor, because if I do the NSA will watch me.”
![Page 26: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/26.jpg)
26
Myth #7
● “I heard Tor is broken.”
![Page 27: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/27.jpg)
27
Onion Service
![Page 28: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/28.jpg)
28
Onion service properties
● Self authenticated● End-to-end encrypted● Built-in NAT punching● Limit surface area● No need to “exit” from Tor
![Page 29: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/29.jpg)
29
![Page 30: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/30.jpg)
30
![Page 31: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/31.jpg)
31
q
![Page 32: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/32.jpg)
33
![Page 33: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/33.jpg)
34
SecureDrop
https://securedrop.org/directory
Today, 30+ organizations use SecureDrop
![Page 34: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/34.jpg)
35
Ricochet
![Page 35: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/35.jpg)
36
OnionShare
![Page 36: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/36.jpg)
37
Services and Tools
https://help.riseup.net/en/tor#riseups-tor-hidden-services
All Riseup.net services are available using hidden service
... and many others
Package repository
apt-get install apt-tor-transport
http://vwakviie2ienjx6t.onion/
...
![Page 37: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/37.jpg)
38
Anonymous updates are awesome
● Evil package repository can't target you with a bad update, because they don't know it's you
● Local observer can't learn what you're updating, so they can't target you for being out of date
![Page 38: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/38.jpg)
39
![Page 39: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/39.jpg)
40
![Page 40: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/40.jpg)
41
![Page 41: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/41.jpg)
42
![Page 42: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/42.jpg)
43
![Page 43: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/43.jpg)
44
![Page 44: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/44.jpg)
45
![Page 45: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/45.jpg)
46
HS Directory
Hashring
HSDirn
Desc IDrep0
Desc IDrep1
HSDirn+1
HSDirn+2
HSDirn
HSDirn+1
HSDirn+2
Desc ID = H(onion-address | H(time-period | descriptor-cookie | replica))
![Page 46: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/46.jpg)
47
#1: Old onion keys are weak
● “The first 80 bits of the SHA-1 of the 1024-bit RSA key” :(
● The new system uses ED25519 (i.e. much stronger ECC keys)
![Page 47: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/47.jpg)
48
New keys => longer onion addresses
nzh3fv6jc6jskki3.onion
From 16 characters:
... to 52 characters:
a1uik0w1gmfq3i5ievxdm9ceu27e88g6o7pe0r,dw9jmntwkdsd.onion
(ed25519 public key base32 encoded)
![Page 48: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/48.jpg)
49
The HSDir relays are too predictable
● The six daily HSDirs for a given onion address are predictable into the future
● So a bad guy can run six relays with just the right keys to target a specific future day...to censor or to measure popularity
● People – we don't know who – were doing this attack in practice
![Page 49: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/49.jpg)
50
#2: Global shared random value
● The solution: make the HSDir mapping include a communal random value that everybody agrees about but that nobody can predict
● The directory authorities pick this value each day as part of their consensus voting process
![Page 50: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/50.jpg)
51
HSDirs get to learn onion addresses
● The onion service descriptor (which gets uploaded to the HSDir) includes the public key for the service (so everybody can check the signature)
● So you can run relays and discover otherwise-unpublished onion addresses
● “Threat intelligence” companies have been trying to do just that
![Page 51: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/51.jpg)
52
#3: New crypto hides the address
● The solution: the new cryptosystem has a cool feature where you can sign the onion descriptor with a subkey
● So everybody can check the signature but nobody can learn the main key from the subkey or signature
● Should finally kill the arms race with jerks running relays to gather onions
![Page 52: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/52.jpg)
53
#4: Rendezvous Single Onion Services
Rendezvous Point
Proposal 260
![Page 53: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/53.jpg)
54
OnionBalancehttps://onionbalance.readthedocs.org
![Page 54: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/54.jpg)
55
#5: Guard discovery is a big deal
● Your Tor client uses a single relay (called a Guard) for the first hop in all your paths, to limit exposed surface area
● But there are relatively easy attacks to learn a user's guard, and for onion services that can be especially bad
![Page 55: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/55.jpg)
56
Vanguards (Tor proposal 271)
● Multiple layers of guards protect better against Sybil+compromise attacks
● Path selection is still a huge open research area
![Page 56: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/56.jpg)
57
Deployment timeline
● HSDir side: deployed in Tor 0.3.0
● Relay side: deployed in Tor 0.3.0
● Client side: upcoming in Tor 0.3.2
● Service side: upcoming in Tor 0.3.2
Try it at % git clone https://git.torproject.org/arma/tor.git % git checkout dc25
![Page 57: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/57.jpg)
58
![Page 58: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/58.jpg)
59
Tor isn't foolproof
● Opsec mistakes
● Browser metadata fingerprints
● Browser exploits
● Traffic analysis
![Page 59: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/59.jpg)
60
How can you help?
● Run a relay (or a bridge)
● Teach your friends about Tor, and privacy in general
● Help find -- and fix – bugs
● Work on open research problems (petsymposium.org)
● donate.torproject.org
![Page 60: The Tor Project - DEF CON CON 25/DEF CON 25... · Alice1 Alice3 Irrelevant Relay E (B o b 3, “ X ”) E(Bob1, “Y”) E ( B o b 2, “ Z ” ) “ Y ” “Z” “ X ” Timing](https://reader036.vdocuments.net/reader036/viewer/2022071212/6025828b38a3ac5c3a0b77fa/html5/thumbnails/60.jpg)
61
“Still the King of high secure,low latency Internet Anonymity”
“There are no contenders for the throne”