There’s been a good deal of discussion in the online security community over the last 48 hours about vulnerabilities and attacks on the Tor anonymization service. This discussion is in reaction to a paper published by the University of Colorado about a theoretical attack on the Tor network, which got amplified on Slashdot on Sunday afternoon. I woke up yesterday to a mailbox full of questions about whether I still recommended Tor as a tool for anonymous blogging and backchannel chat from security researchers over “blogstorm” resulting from the paper.
Which means that, by the time I actually read the paper – Tuesday morning – I feel like I’m way behind the curve. Maybe that’s the price I pay for actually reading the paper… :-)
The paper, “Low-Resource Routing Attacks Against Anonymous Systems”, by Kevin Bauer, Damon McCoy, Dirk Grunwald, Tadayoshi Kohno and Douglas Sicker is not a report documenting an attack that’s taken place on the Tor network. It’s what’s called an “attack paper” – an outline of a possible vulnerability in the tool designed to help the authors of Tor prevent real-world attacks. This isn’t the first attack paper designed to find possible weaknesses in Tor – there are several known attacks that could compromise the anonymity of Tor, but most require substantial computing resources.
The “new” attack – which builds on a known attack – is intriguing because it could possibly be mounted with a much smaller set of technical resources. Again, no one is contending that such an attack has been mounted, and Tor’s creators – in their response to the blogstorm – offer reassurances that it would be pretty obvious to them if such an attack occurred.
Here’s how the attack works:
Tor provides anonymity by creating a chain of routers between you and the website you’re accessing. You contact a router (the entry node), it contacts a second router (a mix node) and that router contacts a final router (the exit node) which contacts the website. Anyone monitoring your computer sees you access that entry node but can’t follow your connection (because of encryption) through to the exit node or the website you’re accessing. Anyone monitoring the website you access can trace you back to the exit node, but no further.
A known problem with Tor is that it’s possible to know what computers are accessing what sites if you’ve got control of both the entry and the exit node of a connection. If the computer at 220.127.116.11 sends out a POST request at at 12:34:50 (as seen at the entry node) and ethanzuckerman.com sees a comment posted at 12:34:51 (as seen from the exit node), you can make a guess that 18.104.22.168 posted the comment. Correlate requests over a period of time and you can make some good guesses about what sites a user is accessing.
This known attack hasn’t been considered a major problem because it would be so difficult for an attacker to implement – you’d need to establish a lot of rogue Tor servers and register them with the Tor directory server to have a statistically significant chance of having control of both the entry and exit node. What’s novel in this new paper is that the authors have found a way of raising the chances of having control of both the entry and exit nodes.
They exploit the fact that networks like Tor want to route traffic through high-bandwidth nodes rather than bandwidth-constrained nodes. (This makes sense – if you’re surfing the net through Tor, you want to be sharing a big university data pipe, not sharing someone’s home cable modem.) If our attacker creates rogue Tor nodes that claim that they’ve got lots of bandwidth, the network is more likely to route traffic through those nodes.
In a laboratory setting, the paper authors introduced 6 rogue nodes to a network of 60 legitimate Tor nodes. In that lab setting, in a network where one in eleven nodes was compromised and advertising themselves as high bandwidth nodes, the researchers were able to establish what client was contacting what server in 46% of cases. Obviously, that’s a striking result – what’s more striking is the idea that an attacker might achieve this with a bunch of computers connected by cable modems, pretending to be high-bandwidth Tor nodes. This raises the spectre of virus-infected zombie computers running rogue Tor nodes and reporting back to a central server the information that you’re using Tor to surf NakedLlamas.com.
The good news is that this isn’t happening. To quote from the Tor developers’ blog:
We are aware of these kinds of potential attacks — but such a bandwidth overstatement attack, to be successful, would leave fingerprints all over the Tor directories. We have never seen such an attack “in the wild,” and we think it no more likely that this paper would make such an attack easier or more likely than it was a few years ago when another version of it was documented.
I’m not sure I agree with the last statement – it seems like a useful research breakthrough to point out that a node that misrepresents bandwidth requirements makes it possible to apply this attack more efficiently. But, reading between the lines, it sounds like Tor’s maintainers are a) controlling how many new Tor nodes are added to the directory servers and b) monitoring which servers are used most heavily, which would mean they’d have a very good chance of detecting such an attack were it taking place and heading it off.
It’s important to note that the authors of the paper have released a FAQ which states quite clearly that they don’t think their attack is a reason to stop using Tor:
ABSOLUTELY NOT! Despite our findings, Tor is the most secure and usable privacy enhancing system available. We believe that the system is safe for end-users; however, the system is experimental and the developers make no guarantees about the degree of privacy that it can provide. Let us re-iterate: Concerned users should NOT stop using Tor.
So let me reiterate that further:
– Tor is not perfect, but papers like this help make the system stronger. A paper like this allows the designers to make modifications to the system (likely to the bandwidth prioritization mechanism) to make the system stronger.
– No anonymizing system is perfect. Tor has been very good about making reasonable claims for their tools, something that not all anonymizing tools do.
– The strategies I outlined in my document on anonymous blogging with WordPress and Tor still give a high level of certainty to bloggers that they can write online while disguising their identity. This isn’t a guarantee of perfect security, but I feel comfortable recommending the strategy to my friends in repressive nations.
There’s more to say about how people make decisions about security risks and about how to discuss security risks openly without generating panic, but that’s beyond the scope of this blog post. Hope to have time to write something about that later this week.