Persistent adversaries can identify Tor users
Using the Tor network does not grant you perfect anonymity. In fact, a group of researchers from the US Naval Research Laboratory and Georgetown University say that “Tor users are far more susceptible to compromise than indicated by prior work.”
“Tor is known to be insecure against an adversary that can observe a user’s traffic entering and exiting the anonymity network,” the researchers shared in their paper. “Quite simple and efficient techniques can correlate traffic at these separate locations by taking advantage of identifying traffic patterns. As a result, the user and his destination may be identified, completely subverting the protocol’s security goals.”
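To make the quoted mechanism concrete, here is an added toy example; it is not code or data from the researchers' paper. An adversary that sees per-second byte counts of flows on the client side (client to guard) and on the destination side (exit to destination) pairs them up by cross-correlation, allowing for a small latency lag. The flow names, the burst model and the noise are all constructed for the illustration.

```python
"""Toy end-to-end traffic correlation (constructed data; not the paper's tooling).

An adversary that sees a flow entering the network (client -> guard) and flows
leaving it (exit -> destination) tries to pair them up using only the shape of
the traffic over time. Onion encryption hides the bytes, so the only signal is
timing and volume; here that signal is a per-second byte count.
"""
import random


def pearson(xs, ys):
    """Pearson correlation of two equal-length series (0.0 if either is constant)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def best_lag_correlation(entry, exit_, max_lag=3):
    """Correlate an entry-side series with an exit-side one, letting the exit side
    lag by 0..max_lag samples (path latency). Returns (best_r, lag)."""
    best_r, best_lag = -1.0, 0
    for lag in range(max_lag + 1):
        r = pearson(entry[:len(entry) - lag], exit_[lag:])
        if r > best_r:
            best_r, best_lag = r, lag
    return best_r, best_lag


def match_flows(entry_flows, exit_flows, max_lag=3):
    """For each exit-side flow, name the entry-side flow it correlates with best."""
    return {
        dest: max(entry_flows,
                  key=lambda client: best_lag_correlation(entry_flows[client], ef, max_lag)[0])
        for dest, ef in exit_flows.items()
    }


def synthesize_flows(n_flows, seconds, seed=7):
    """Construct n independent bursty flows, each seen at entry and (delayed, noisy) at exit.

    Returns (entry_flows, exit_flows, ground_truth) with ground_truth[dest] == client.
    """
    rng = random.Random(seed)
    entry, exit_, truth = {}, {}, {}
    for i in range(n_flows):
        # bursty traffic: mostly idle seconds punctuated by bursts of 512-byte cells
        series = [rng.choice([0, 0, 0, 1, 4, 16]) * 512 + rng.randint(0, 200)
                  for _ in range(seconds)]
        lag = rng.randint(0, 2)  # constructed path latency, in whole samples
        # the exit side sees the same bursts shifted by `lag`, plus small volume jitter
        observed = [0] * lag + [max(0, v + rng.randint(-100, 100))
                                for v in series[:seconds - lag]]
        entry[f"client{i}"], exit_[f"dest{i}"] = series, observed
        truth[f"dest{i}"] = f"client{i}"
    return entry, exit_, truth


def correlation_accuracy(n_flows=8, seconds=60, seed=7):
    """Fraction of exit flows correctly linked back to their entry flow."""
    entry, exit_, truth = synthesize_flows(n_flows, seconds, seed)
    guesses = match_flows(entry, exit_)
    return sum(guesses[d] == truth[d] for d in truth) / len(truth)


if __name__ == "__main__":
    print(f"linked correctly: {correlation_accuracy():.0%}")
```

On the constructed data every one of the eight flows is linked back to its client. The adversary decrypts nothing; all it needs is a vantage point at both ends, which is exactly what controlling the right relays, ASes or IXPs provides. In this toy the matching would collapse to guessing if the flows were padded to a constant rate, since the correlation rides entirely on the burst pattern.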
They point out that prior research did not take into account how secure a given type of user behavior actually is, nor the fact that a single organization often controls several geographically diverse autonomous systems (ASes) or Internet exchange points (IXPs). “That organization may have malicious intent or undergo coercion, threatening users of all network components under its control,” they note.
To assess more accurately the peril Tor users face, the researchers developed an analysis framework for evaluating the security of various user behaviors on the live Tor network, a model of a network adversary that includes an accurate system for AS path inference and an analysis of the threat posed by IXPs and IXP coalitions, and a realistic Tor path simulator.
“Our analysis shows that 80% of all types of users may be de-anonymized by a relatively moderate Tor-relay adversary within six months. Our results also show that against a single AS adversary roughly 100% of users in some common locations are de-anonymized within three months (95% in three months for a single IXP),” they shared.
“Further, we find that an adversary controlling two ASes instead of one reduces the median time to the first client de-anonymization by an order of magnitude: from over three months to only 1 day for a typical web user; and from over three months to roughly one month for a BitTorrent user. This clearly shows the dramatic effect an adversary that controls multiple ASes can have on security.”
They tested these models by simulating several kinds of users: a typical user (Gmail, Google Calendar/Docs, Facebook and web search), an IRC user, a BitTorrent user, and users of services on the ports with the largest and the second-least exit capacity. They found that BitTorrent users not only degrade the performance of the Tor network for other users, but also get significantly less anonymity protection than typical users against a Tor-relay adversary.
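The “time to first de-anonymization” metric behind these results can be illustrated with a deliberately simplified analytic model, added here as an example; it is not the researchers' Tor path simulator and uses toy parameters instead of real consensus data. The assumptions are: a client keeps three entry guards for 30 days and then draws a fresh set (loosely modelled on the Tor defaults of the time, which later versions changed), each circuit uses one of those guards and a freshly chosen exit, a relay adversary holds a fraction g of guard bandwidth and x of exit bandwidth, the client builds a fixed number of circuits per day, and a circuit counts as compromised when both its guard and its exit belong to the adversary, since it then sees both ends and can correlate as described above.

```python
"""Toy time-to-first-compromise model for a Tor-relay adversary.

Added illustration, not the researchers' simulator or data. Toy assumptions:
the client keeps `guards` entry guards for `rotation` days, then draws a fresh
set; each circuit picks one of those guards uniformly and an exit at random;
adversarial guards carry a fraction g of guard bandwidth and adversarial exits
a fraction x of exit bandwidth; a circuit is compromised when both its guard
and its exit are adversarial.
"""
from math import comb


def binom_pmf(n, j, p):
    """Probability of exactly j successes in n independent trials of probability p."""
    return comb(n, j) * p ** j * (1 - p) ** (n - j)


def p_safe_with_guards(guards, g, x, circuits):
    """Probability that none of `circuits` circuits built on one guard set is compromised.

    Condition on j adversarial guards in the set: each circuit then uses an
    adversarial guard with probability j/guards and an adversarial exit with
    probability x, independently of the other circuits.
    """
    return sum(
        binom_pmf(guards, j, g) * (1 - (j / guards) * x) ** circuits
        for j in range(guards + 1)
    )


def p_compromised_by_day(days, g, x, circuits_per_day, guards=3, rotation=30):
    """Probability that at least one circuit is compromised within `days` days.

    Guard sets in different rotation periods are drawn independently, so the
    survival probabilities of the periods multiply.
    """
    full_periods, rest = divmod(days, rotation)
    p_safe = p_safe_with_guards(guards, g, x, circuits_per_day * rotation) ** full_periods
    if rest:
        p_safe *= p_safe_with_guards(guards, g, x, circuits_per_day * rest)
    return 1.0 - p_safe


def median_days_to_first_compromise(g, x, circuits_per_day, guards=3,
                                    rotation=30, horizon=365):
    """First day on which a fresh client has a >= 50% chance of having had a
    compromised circuit, or None if that never happens within `horizon` days."""
    for day in range(1, horizon + 1):
        if p_compromised_by_day(day, g, x, circuits_per_day, guards, rotation) >= 0.5:
            return day
    return None


if __name__ == "__main__":
    # toy scenarios; the adversary shares and circuit counts are assumptions
    scenarios = [
        ("10 circuits/day, adversary holds 10% of guard and exit bandwidth", 0.1, 0.1, 10),
        ("10 circuits/day, adversary holds 20%", 0.2, 0.2, 10),
        ("200 circuits/day, adversary holds 10%", 0.1, 0.1, 200),
    ]
    for label, g, x, c in scenarios:
        print(f"{label}: median day {median_days_to_first_compromise(g, x, c)}")
```

With g = x = 0.1 and ten circuits a day, the median client is first compromised on day 61, right after the second guard rotation; doubling the adversary's share to 0.2 pulls that to day 31, and without any rotation the median is never reached, because about 73% of clients never pick an adversarial guard. Raising the circuit count to 200 a day barely moves the median in this toy, since guard selection dominates; the worse outcome the paper reports for BitTorrent users depends on effects this model leaves out, for instance exit policies that leave only a small set of exits for some ports and so enlarge the adversary's effective exit share, which is why the study varied users by port exit capacity.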
Such attacks are, of course, beyond the reach of a low-resource attacker: they require running relays or observing traffic at the AS or IXP level.
“Our results do suggest that current users of Tor should carefully consider if it meets their security needs. In particular, users facing persistent adversaries who might run relays or monitor network traffic should be aware of the threat of traffic correlation,” they pointed out. In the meantime, there are things users can do to strengthen their defenses and reduce the likelihood of being “unmasked”; the researchers' paper explains them.