The Tor network is the world’s most popular system for protecting Internet users’ anonymity and it needs a fix.
For more than a decade, people living under repressive regimes have used Tor (which stands for The Onion Router) to conceal their Web-browsing habits from electronic surveillance, and websites hosting content deemed subversive have used it to hide the locations of their servers. Today there are up to 2.5 million daily Tor users.
There is a vulnerability in Tor’s design, said researchers at MIT and the Qatar Computing Research Institute (QCRI).
At the Usenix Security Symposium, they showed an adversary could infer a hidden server’s location, or the source of the information reaching a given Tor user, by analyzing the traffic patterns of encrypted data passing through a single computer in the all-volunteer Tor network.
While they did find issues, they also proposed some defenses. Tor project officials said they are evaluating the changes for possible inclusion in future versions of the Tor software.
“Anonymity is considered a big part of freedom of speech now,” said Albert Kwon, an MIT graduate student in electrical engineering and computer science and one of the paper’s first authors. “The Internet Engineering Task Force is trying to develop a human-rights standard for the Internet, and as part of their definition of freedom of expression, they include anonymity. If you’re fully anonymous, you can say what you want about an authoritarian government without facing persecution.”
The Onion Affect
Sitting atop the ordinary Internet, the Tor network consists of Internet-connected computers on which users have installed the Tor software. If a Tor user wants to, say, anonymously view the front page of The New York Times, his or her computer will wrap a Web request in several layers of encryption and send it to another Tor-enabled computer, which is selected at random. That computer — known as the guard — will peel off the first layer of encryption and forward the request to another randomly selected computer in the network. That computer peels off the next layer of encryption, and so on.
The last computer in the chain, called the exit, peels off the final layer of encryption, exposing the request’s true destination: The Times. The guard knows the Internet address of the sender, and the exit knows the Internet address of the destination site, but no computer in the chain knows both. This routing scheme, with its successive layers of encryption, is onion routing, and it gives the network its name: “Tor.”
In addition to anonymous Internet browsing, however, Tor also offers what it calls hidden services.
A hidden service protects the anonymity of not just the browser, but the destination site, too.
A case in point could be if someone in Iran wishes to host a site archiving news reports from Western media but doesn’t want it on the public Internet. Using the Tor software, the host’s computer identifies Tor routers it will use as “introduction points” for anyone wishing to access its content. It broadcasts the addresses of those introduction points to the network, without revealing its own location.
If another Tor user wants to browse the hidden site, both his or her computer and the host’s computer build Tor-secured links to the introduction point, creating what the Tor project calls a “circuit.” Using the circuit, the browser and host identify yet another router in the Tor network, known as a rendezvous point, and build a second circuit through it. The location of the rendezvous point, unlike that of the introduction point, stays private.
Kwon devised an attack on this system with joint first author Mashael AlSabah, an assistant professor of computer science at Qatar University, a researcher at QCRI, and, this year, a visiting scientist at MIT; Srini Devadas, the Edwin Sibley Webster Professor in MIT’s Department of Electrical Engineering and Computer Science; David Lazar, another graduate student in electrical engineering and computer science; and QCRI’s Marc Dacier.
The researchers’ attack requires the bad guy’s computer serve as the guard on a Tor circuit. Since guards end up selected at random, if an adversary connects enough computers to the Tor network, the odds are high that, at least on some occasions, one or another of them would be well-positioned to snoop.
During the establishment of a circuit, computers on the Tor network have to pass quite a bit of data back and forth. The researchers showed simply by looking for patterns in the number of packets passing in each direction through a guard, machine-learning algorithms could, with 99 percent accuracy, determine whether the circuit was an ordinary Web-browsing circuit, an introduction-point circuit, or a rendezvous-point circuit. Breaking Tor’s encryption wasn’t necessary.
Furthermore, by using a Tor-enabled computer to connect to a range of different hidden services, they showed a similar analysis of traffic patterns could identify those services with 88 percent accuracy. That means an adversary who lucked into the position of guard for a computer hosting a hidden service, could, with 88 percent certainty, identify it as the service’s host.
Similarly, a spy who lucked into the position of guard for a user could, with 88 percent accuracy, tell which sites the user was accessing.
To defend against this type of attack, “We recommend that they mask the sequences so that all the sequences look the same,” AlSabah said. “You send dummy packets to make all five types of circuits look similar.”