I want to find a certain kind of person so I look for people that access a specific hidden service or clearnet url.
Surely eventually I'm going to get a hit where all three nodes in the circuit are my nodes that are logging everything? It will take a long time, and I can't target a specific person, but eventually I can find someone who has all three bounces through tor nodes I control, no?
I ran a bunch of nodes for a couple years and that's optimistic by perhaps an order of magnitude. No $5 a month VPS provides enough bandwidth to sustain the monthly traffic of a Tor node, and nodes need to be continuously online and serving traffic for about 2-3 months[1] before they will be promoted to guard relays. Throttling traffic to stay in your bandwidth allocation will just get you marked as a slow node and limit the number of connections you get. Sustaining just 1 Mbps will blow your monthly transfer allocation on the cheap tiers of both Digital Ocean or Linode.
The attacker could try to create a handful of accounts on hundreds of platforms in as many countries as possible, assuming one verify that the platforms accepts tor and do not share underlying providers and data centers. The cost would then be the average price of said providers, which is going to be a fair bit more than the cheapest providers out there. Managing and spreading them out is also going to cost a lot of man hours. Also the secops need to be fairly on the point and need to be maintained quite strictly across all the providers.
I ask because I know of stories of law enforcement sending inquiries to owners of, say, exit nodes requiring certain information about given traffic. I don't know if this happens for middle-nodes (or whatever they're called).
Moreover, are there any issues with associating a node to, you know, your name and billing information?
I don't know much about this, and although I could look it up, I think that my questions - and your respective answers or those of others - might do some public service of information sharing here.
Edit: there's a youtuber called "Mental Outlaw" that published a while ago some videos about setting up and operating TOR nodes. He sometimes gives inaccurate information regarding more theoretical topics, so I don't follow him much. But I think he can be trusted for this practical topics.
You can buy a vps with xmr if you're worried about privacy from law enforcement.
https://www.serverhunter.com/#query=stock%3A%28in_stock+OR+u...
Russia, china and usa all dont like each other much so are probably not sharing notes (in theory).
Basically, a variation of the prisoner's dilemma.
Also, those nukes we have pointed at each other are a pretty healthy hint.
That said, any bandwidth anyone wants to contribute to mitigate such attacks is always appreciated, even if it's more useful for performance reasons in practice. ;)
Sometimes I set it up as a bridge (hidden entry node) instead.
The word "eventually" is doing a lot of heavy lifting here. Let's say you actually manage to add 1000 servers to the tor network somehow without getting detected. The network currently sits at just under 8000 nodes. For simplicity, lets also ignore that there are different types of nodes and geographical considerations and instead just ask what is the probability that someone randomly chooses three nodes that you own. The answer is less than 0.14%. If that someone decided to use 4 nodes to be extra-safe, that number goes down to 0.015%. And it decreases exponentially for every additional relay he adds. Combine this with the fact that tor nodes are actively monitored and regularly vetted for malicious behaviour[1], and these attacks become increasingly difficult. Could someone like the NSA with limitless resources do it? Quite probably, sure. But could you or any other random guy do it? Almost certainly not.
[1] https://gitlab.torproject.org/tpo/network-health/team/-/wiki...
Edit: For all the cynics and doomsayers here, consider this: Tor has been around for a long time, but there has never been an uptick in arrests that could be correlated to cracking the core anonymity service. If you look closely at the actual high profile cases where people got busted despite using tor, these people always made other mistakes that led authorities to them.
It baffles me that Tor Browser doesn't provide an easy way to blacklist relays in those countries.
[0] Here, you can do the math yourself: https://metrics.torproject.org/rs.html#aggregate/all
[1] https://en.wikipedia.org/wiki/Five_Eyes#Fourteen_Eyes
> Edit: For all the cynics and doomsayers here, consider this: Tor has been around for a long time, but there has never been an uptick in arrests that could be correlated to cracking the core anonymity service. If you look closely at the actual high profile cases where people got busted despite using tor, these people always made other mistakes that led authorities to them.
Maybe someone, somewhere, has decided that allowing petty criminals to get away with their crimes is worth maintaining the illusion that Tor is truly private.
It's also worth noting that it's significantly easier to find the mistakes someone has made that could lead to their identity if you already know their identity.
It provides a channel for operatives to exfiltrate data out of non-NATO countries very easily.
I'm not convinced this is the case. For example China's gfw has been very effective at blocking TOR traffic, and any TOR connection in other countries is like announcing to the government that you are suspicious.
The parent said “non-NATO countries”… there are 162 of those that are not China.
(It’s also a little silly to specify “non-NATO” since U.S. intelligence services have to exfiltrate data from NATO countries too…)
To get data out of China, the U.S. undoubtedly has special systems, which are worth the special investment because it’s China.
Furthermore, the great firewall is quite advanced, they use machine learning techniques to detect patterns, so even if it is TLS on port 443, they may be able to detect it after they have gathered enough traffic. There are workarounds of course, but it is not as simple as just using a TLS tunnel.
Slight correction: The US benefits from TOR being private to _everyone but the US_
In fact, A major power wins by creating a mote just big enough that only they can cross.
> the US Navy
For Tor to be effective for hiding spies it has to be used by the public. Even if it's only nefarious actors (say spies + drug dealers + terrorists) it adds noise that the adversary needs to sort through.
What I fucking hate about many of these conspiracies is how silly it is once you ever work with or for any government entities. You can't get two police agencies in neighboring cities to communicate with one another. The bureaucrats are fucking slow as shit and egotistical as fuck.
It's important to remember that the government and even a single agency (like the NSA) is just as chaotic, disconnected, and full of competing entities as any big tech company has (if not worse). Yeah, most of the NSA is focused offense, but there's groups working on defense. Those groups are 100% at odds. This is true for the 18 intelligence agencies. They have different objectives and many times they are at odds with one another and you bet each one wants to be getting credit for anything.
The US involvement should warrant suspicion and with any technology like Tor you should always be paranoid. But it's not proof. Because guess what, the US wants people in other countries to use high levels of encryption to hide from their authoritarian governments while the US can promote democracy movements and help put a friendly leader into a position of power. AT THE SAME TIME they also want to spy on their own people (and there are plenty of people in the gov that don't want this). Inconsistency is the default because it's a bunch of different people with different objectives. So the US gov both wants Tor to be secure and broken at the same time.
You calculated the probability that a specific person randomly chooses three nodes of the 1,000.
But that's not the scenario you're responding to.
>> I can't target a specific person, but eventually I can find someone who has all three bounces through tor nodes I control
Tor estimates that 2.5 million people use the network per day.
Let's assume that in a month, 10 million people use it.
Let's also assume that 80% of monthly users are not committing crimes, while the 20% who are criminals make an average of four Tor connections per month.
With those assumptions we could expect a malicious operator who controls 1,000 nodes could capture the sessions of 10,940 criminals in a given month.
Spending less than fifty cents per suspect is less than trivial.
Let’s say to do that, and now you have found 10k people accessing pirate bay in countries where it is blocked.
Also you captured someone who lives in Siberia and watches illegal porn, now what?
Many of these will not be actionable, like not criminals you would have interest in.
100,000 activists who haven't been caught yet switch to Tor for anonymity.
For $60,000, the regime monitors Tor for a year, identifies 6,500 activists, and marches them off to the camps.
And by discrediting Tor the regime pushes the other 93,500 activists even farther underground, constraining their ability to recruit, limiting their ability to coordinate with each other, and reducing what they can publish about what's happening to their country.
To what audience? It isn't quite what you're getting at in your post but this is worth saying: graffiti, zines, contact with journalists, radio operations like pirate radio, all of it is much more established and less uncertain in risk profile than being online. Crucially it may also be more effective.
What does that mean? The way I understand it you would be getting traffic correlations -- which means an IP that requested traffic from another IP and got that traffic back in a certain time period. What does that tell you, exactly, about the criminal? If you aren't looking for a specific person, how would you even know they are doing crimes?
The billionaire owner of the site supports the strongman leader and provides IP addresses for those who post wrongthink on his platform.
Now the regime can link social media activity of anonymous activists to their real IP addresses, devices and locations.
During WW2, the British cracked the German codes. They would create pretexts for "discovering" where German ships would be, so that the Germans wouldn't suspect that they cracked their codes.
It's impossible for us to know if the US government have cracked Tor, because the world would look identical to us whether they had or hadn't. If the only evidence they have is via Tor, and the individual is a small fry, they will prefer they get away with it rather than let people know that Tor has been cracked.
I just assume the NSA are spending their budgets on something, although maybe it is stuff like side channel attacks.
The NSA sharing data with the DEA becomes a "routine traffic stop" that finds the drugs. The court would not allow the NSA evidence or anything found as a result, but through parallel construction, the officer lies in court that it was a "routine stop", and judicial review never occurs.
Says who? The intelligent community entity that busted them? If they're using a tool to discover X or Y they're not to let anyone know that.
For example, I live in the NYC area. A couple of times per year there's a drug bust on the New Jersey Turnpike of a car headed to NYC. The story is always a "random" police stop ends up in a drug bust.
Random? My arse. Of the thousands of cars on the NJTP the cops just happened to pick the one loaded with drugs? A couple times a year? I don't buy it. But what are they going to say? They have someone on the inside that tipped them off? That's not going to happen.
The intelligence community doesn't deal in truth and facts. It deals in misinformation and that the ends justify the means. What they're doing and what they say they're doing are unlikely the same.
Using those same network-health dashboards as DDoS target lists, to temporarily degrade/shut down the whole network except for your own nodes.
Also, big nodes route more Tor circuits each. Costs more to run them, and they intentionally don't function as exit nodes (to avoid the "obvious" attack) — but just having a bunch of these big nodes in the network handling only middle hops, biases the rest of the network away from handling middle hops, toward handling end hops. Which means that if you then run a ton of tiny nodes...
Yes, this is obviously the sort of adversary we would be discussing.
> , lets also ignore that there are different types of nodes
causing your number to be an underestimate
> The answer is less than 0.14%.
So almost certainly thousands of people
OP explicitly asked about himself, not some government organisation.
>causing your number to be an underestimate
Not necessarily. It might even be an overestimate if the attacker fails to supply enough nodes of the right kind.
>So almost certainly thousands of people
We're talking about a targeted attack. Of course the statistics game works better when you don't target specific people and just fish randomly. But there are probably more cost effective methods as well.
From OP: " I can't target a specific person, but eventually I can find someone who has all three bounces through tor nodes I control, no"
> Not necessarily. It might even be an overestimate if the attacker fails to supply enough nodes of the right kind.
Assuming they match the existing distribution of nodes, they will only have better results.
Pay people on Fiverr to set them up for you at different ISPs so that all the setup information is different. You can use crypto to pay if you want anonimity (this is actually the main reason I used to use bitcoin - I'd pay ISPs in Iceland to run TOR exit nodes for me without linking them to my identity).
This isn't a difficult problem. A single individual with a good job could do it.
And sure, each connection only has a very small chance of being found, but aggregate it over a year or two and you could catch half of the users of a site if they connected with a new circuit one time per day.
I honestly can't see why a nation state or two hasn't already done this.
With insignificant data caps. To get the data needed I believe you're looking at a couple hundred a month, to start.
Not speaking to the effectiveness of the detection (it's hard!), but there's information available, for example:
https://blog.torproject.org/malicious-relays-health-tor-netw...
https://gitlab.torproject.org/tpo/network-health/team/-/wiki...
https://gitlab.torproject.org/tpo/network-health/team/-/wiki...
A lot of "hacker" mentality projects involve putting a tremendous amount of effort into something with questionable utility.
People climb mountains because they're there.
If you're not worried about a fairly well-resourced government agency uncovering whatever network activity you believe needs to be anonymized, why would you be using Tor at all?
Because your ex-spouse wants to murder you.
Because you just escaped Scientology, or another cult.
Because you're a criminal. The NSA doesn't handle that.
Because you're a journalist talking to sources in the industry you're investigating.
Because you want to avoid creepy targeted ads.
Because you live in a country that blocks many legitimate websites.
Because you are looking for information about abortion and live in countries like Iran or US
Using victims' devices and communications in order to locate, and then harass, trap, or attack them, is commonplace for stalkers.
Those are situations that people deal with, but suggesting they use Tor is not going to help them. (Apart from some very specific situations)
And of those people, how many people have ever even heard of Tor, let alone know how to use it?
I concede that tor is probably not a useful tool in general for these people. I meant to point out only that one needn't be paranoid to fear one's spouse.
Stalkers want to make it impossible to live a normal life. They try to make it impossible to go to work or school, to use phones, email, messaging services, etc. Already knew my contact info, and got new ones by asking mutual friends. Called the the landline and cell and work phone and hung up or heavy-breathed into the phone hundreds of times a day. Telco won't help with this or admit who's doing it w/o a subpoena, which I couldn't realistically get. They tried to get various online accounts, including employer provided, to be flooded/brigaded/spamed/banned.
You don't have to be a leet haxor to do social engineering, sim swapping, and other crying on the phone to customer service type of attacks on other people's accounts. You just have to be pissed off and risk tolerant.
Not saying tor is a good-fit solution to these problems, just saying that "Because your ex-spouse wants to murder you", and also you have a day-to-day practical necessity to find a secure, hard to block way to communicate on, or access, the internet is not actually an exotic problem.
Heck - FBI is allowed to do the same damn thing with the data they're given by the NSA. Y'know, the whole "backdoor search loophole" which amounts to laundering authorities across agencies to get access to data they wouldn't otherwise be permitted to have.
Assuming tor always was or became broken and is exploitable by law enforcement, authorities would try to maintain a false believe of tor's integrity so as to crack high profile cases for as long as possible.
Within this scenario, it is plausible to assume that authorities can decipher and discover information that can be used as the official pretextual charge / minor reason ("they made the mistake to use their public email address on the dark net forum") in order to not spill the beans on the actual means (here, tor being broken).
They’re financed by the US Government after all…
That is to say, if I started an onion server on one side of the world, then connected to it from somewhere else, my connection to it would be anonymous and encrypted to any external entity.
Also, according to their latest blog post on their finances, while it is true they have money from the US Government, that was only ~50% of their income (I think that was 2023). For the FUD part of that comment, see the "U.S. Government Support" section of https://blog.torproject.org/transparency-openness-and-our-20...
2/ Police can use parallel construction. Although, given enough time (in theory) parallel construction is eventually exposed.
Parallel construction has existed for decades. It's even in "The Wire". It has never been tested in court, probably because it is nearly impossible to discover outside of being the agents that implement it.
Parallel construction wasn't tested, but the means of them catching criminals this way was tested in court.
[0] - https://www.gps.gov/news/2012/01/supremecourt/
[1] - if the device got power from the vehicle, it would be considered "break and entering" and thus would require a warrant.
Yeah, the stated reason is always something else. But this just reminds me of "parallel construction" - what if they were found in on way and then (to hide the source) the claim was that they were found in another way?
If it was effective, would there have been a down tick in arrests at some point?
Or if the arrest rate stayed the same, would that suggest it never “worked” to begin with?
It’s like the movie trope of the detective who finds out the truth via some questionable means which isn’t admissible in court. When you know the truth you can push harder and call every bluff until you get admissible evidence.
Is this per circuit? So if someone switches circuits every X hours, the chance of being caught after a year is actually quite high?
And even catching 0.14% of pedophiles would probably be worth it to the FBI or whatever, nevermind Iran catching dissidents or whatever.
My point is that is seems very cheap to do this (I as a random staff engineer could do it myself) and catch some people. A nation state could easily catch a much higher percentage if they increased the number of logging nodes slowly and carefully and deliberately did things like use many isps and update the servers gradually etc.
There's 1000 red marbles added to a jar with 8000 blue marbles (9000 total). Take three marbles from the jar randomly, one at a time. The odds of getting three red marbles is ~0.14%. That's all.
Tor nodes are not randomly picked marbles. The Tor network is not a jar.
Apparently in germany they caught a pedo like that. Watching certain nodes and the sizes of files that are sent between them to identify the admin of a pedophile image sharing forum. Took them 1 1/2 years to identify the specific person, but they got him.
Considering this I would imagine it's pretty safe for the average user since they have to specifically target you for a long time, however it seems like with enough effort it's possible to identify someone even without Clearnet slip-ups like it was the case with Silkroad.
Once they have your address they will just storm your house and catch you on the computer, then you are done for.
I'd call tor broken against any adversary with a little technical skill and willingness to spend $5000.
I'm 80% sure Tor is designed as a US supported project to focus those needing anonymity into a service only governments with global security apparatus (who can grab a good chunk of internet traffic) can access.
If most Tor users ran exit nodes and most people used Tor, it would effectively make internet traffic anonymous. But without those network effects, it is vulnerable by design to deanonymization attacks by state actors.
I had the impression, with onion services they are a thing of the past.
Seemed like onion services were created to solve the security issues that exit nodes bring, so I assumed people stopped using them and started running onion services instead.
If you want basic anonymity while researching someone powerful or accessing information, it's extremely unlikely anyone is going to go the lengths people are bringing up here as a way to compromise Tor. The intersection of expertise, funding and time required is too great for such a low value target.
If you're an international terrorist leader wanted in multiple countries, a prolific criminal, or enemy #1 of an authoritarian state though? Those who can go to those lengths absolutely will go to those lengths.
Doesn't a solid VPN service also satisfy this exact need? Tor seems to occupy a narrow niche in which you have to care much more about privacy than the average person, but not at a nation state level. I think that is how it got associated with that 2nd tier of internet crime like buying drugs on the dark web or sharing CSAM. The truly sophisticated internet criminals probably know better and the people who only really care about anonymizing themselves are probably doing something simpler.
Finding a solid one is the hard part. With tor, you kind of know what you are buying. The risks are in the open. With VPN maybe the operator is selling your data to advertizers. Maybe they are keeping logs. You kind of have to just trust them and have no way to verify.
Take for example, John Draper who discovered in the 60's that a Captain Crunch whistle toy could be used to make free phone calls on the telephone systems. Or the discovery of Side Channel attacks by an engineer at Bell Telephone company who noticed that a Bell Telephone model 131-B2 would produce distinct spikes for each key pressed on the oscilloscope across the room. Therefore not requiring nation station level expense to break the encryption used by Navy and Army's encryption systems. Or during the Afghan war, the US was deploying armored vehicles that they assumed would provide good protection, and would be expensive to attack by the enemy. Turned out they could make IEDs from inverted copper cheaply and within locals kitchens. That proved very successful. Or the kid who discovered he could bypass the mint screensaver by smashing random keys on the keyboard (https://github.com/linuxmint/cinnamon-screensaver/issues/354). The list of these types of cheap attacks are throughout history.
Hiring people on something like fiverr could take care of most of the manual part.
My point is that if I could do it, a nation state cracking down on dissidents could likely do it too.
If you're looking for static assets, why would you need to see the whole chain? Wouldn't a connection to a known website (page) have a similar fingerprint even if you wrap it in 3 layers of encryption? Does Tor coalesce HTTP queries or something to avoid having someone fingerprint connections based on the number of HTTP requests and the relative latency of each request?
I've always assumed that, if a global adversary attack works, you'd only need to watch one side if you're looking for connections to known static content.
I don't know much beyond the high level idea of how Tor works, so I could be totally wrong.
If I was browsing one of those sites for an hour and you were my guard, do you think you could make a good guess which site I'm visiting?
I'm asking why that concept doesn't scale up. Why wouldn't it work with machine learning tools that are used to detect anomalous patterns in corporate networks if you reverse them to detect expected patterns.
My understanding (that may be totally wrong) is that there is some padding added to requests so as to not be able to correlate exact packet sizes.
Not really. I'm thinking more along the lines of a total page load. I probably don't understand it well enough, but consider something like connecting to facebook.com. It takes 46 HTTP requests.
Say (this is made up) 35 of those are async and contain 2MB of data total, the 36th is consistently a slow blocking request, 37-42 are synchronous requests of 17KB, 4KB, 10KB, 23KB, 2KB, 7KB, and 43-46 are async (after 42) sending back 100KB total.
If that synchronous block ends up being 6 synchronous TCP connections, I feel like that's a pretty distinct pattern if there isn't a lot of padding, especially if you can combine it with a rule that says it needs to be preceded by a burst of about 35 connections that transfer 2MB in total and succeeded by a burst of 4 connections that transfer 100KB combined.
I've always assumed there's the potential to fingerprint connections like that, regardless of whether or not they're encrypted. For regular HTTPS traffic, if you built a visual of the above for a few different sites, you could probably make a good guess which one people are visiting just by looking at it.
Dynamic content getting mixed in might be enough obfuscation, but for things like hidden services I think you'd be better off if everything got coalesced and chunked into a uniform size so that all guards and relays see is a stream of (ex:) 100KB blocks. Then you could let the side building the circuit demand an arbitrary amount of padding from each relay.
Again, I probably just don't understand how it works, so don't read too much into my reply.
Eventually the guard has to send the whole payload to me, right? Wouldn't that look similar every time if there's no obfuscation?
seems like it would also be challenging to hold up in actual legal proceedings
It’s the most popular so it gets the most attention: from academics, criminals, law enforcement, journalists, …
So latency issues permitting, you would expect the default number of relays to increase over time to accommodate increases in attacker sophistication. I don't think many would mind waiting for a page to load for a minute if it increased privacy by 100x or 1000x.
Or if you were arguing for increasing the number of relays in a circuit, that doesn’t increase security. It’s like one of the OG tor research papers deciding on 3. Bad guy just needs the first and the last. Middle irrelevant.
The reason that there are so few relays and exit nodes is that everyone that runs an exit node believes, for very good reason, that they'll be opening themselves up to subpoenas and arrest for operating one. You know who never has to worry about getting arrested? Surveillance agencies tasked with running exit nodes.
Consider the two classes of relay and exit operators:
1. People who operate relays and exit nodes long term, spending money to do so with no possibility or expectation of receiving money in return, and opening themselves up to legal liability for doing so, whose only tangible benefit comes from the gratification of contributing to an anonymous online network
2. Government agencies who operate relays and exit nodes long term, spending government allocated money to operate servers, with no material risk to the agencies and whose tangible benefit comes from deanonymizing anonymous users. Crucially, the agencies are specifically tasked with deanonymizing these users.
Now, I guess the question is whether or not you think the people in group 1 have more members and more material resources than the agencies in group 2. Do you believe that there are more people willing to spend money to run the risk of having equipment seized and arrest for no gain other than philosophical gratification than there are government computers running cost and risk free, deanonymizing traffic (which is their job to do)?
Because of timing attacks? There are ways to mitigate timing attacks if you are patient (but I think clearnet webservers are not very patient and my drop your connection)
And yeah mitigation gets you into a huge body of research that’s inconclusive on practical usability. Eg so much overhead that it’s too slow and 10 people can use a 1000 relay network and still get just 1 Mbps goodput each. Contrived example.
People need to actually be able to use the network, and the more people the better for the individual.
There’s minor things tor does, but more should somehow be done. Somehow…
...while being practical.
One could argue that there is i2p. But i2p is slow, a little bit harder to use, and from what I can remember, doesn't allow you to easily browse the clearnet (regular websites).
One should be able to make these quite reasonable determinations about how easy it’d be to capture and identify Tor traffic without a bunch of whataboutism and “it’s still really good though, ok!” replies which seek to unjustifiably minimise valid concerns because one feels the need to…go on and bat for the project that they feel some association with, or something.
The self-congratulatory cultiness of it only makes me quite suspicious of those making these comments, and if anything further dissuades me from ever committing any time or resources to the project.
It sounds reasonable to anyone who hasn't read the papers, to anyone that has these comments are so wrong that you can't even start explaining what's going wrong without a papers worth of explanation that the people don't read.
People that have such a sophisticated and resourced team actively hunting them down, likely know about it, and are using many additional layers of security on top of TOR. Even just for personal use out of curiosity to "see what the darkweb is," I used 1-2 additional methods on top of TOR.
Curious: what did you do and what were you hoping to mitigate?
Also since you aren't targetting specific people, rather specific interests, it'd be easier to setup an irresistible site serving content of the vice of interest. It can even be a thin wrapper on existing sites. Do you only need to control entry nodes in that case? You'll return user-identifying data in headers or steganographically encoded in images and since you control the entry node you can decrypt it. It doesn't work for a normal (unaffiliated) entry node but since your entry node is in collusion with the server I think this works.
And more info here: https://lists.torproject.org/pipermail/tor-relays/2024-Septe...
Edit: The NDR alleges a timing attack (no further explanation) that allows "to identify so-called ‘entry servers’" Very little information is actually available on the nature of the attack. The NDR claims this method has already lead to an arrest.
e.g.
Port 873 (native rsync) bulk traffic, low priority
Port 3128 (squid mitm ssl-bump proxy) high priorityIf anyone tries to convince you Tor is not safe, ask yourself: cui bono?
https://www.schneier.com/blog/archives/2013/10/how_the_nsa_a... https://blog.torproject.org/yes-we-know-about-guardian-artic...
Cloudflare is a US-based company that does MITM attacks on all traffic of the websites that it protects. It's part of how their DDoS mitigation works.
Many people still use large US-based mail providers such as Outlook or Gmail.
Many large services use AWS, GCP or Azure. Perhaps there are ways for the NSA to access customers' virtual storage or MITM attack traffic between app backends and the load balancer where TLS is not used.
There's also significant aggregation of traffic at handfuls of service providers amongst service categories, all generally HTTP(s) type services too ... Mail, CDN, Video, Voice, Chat, Social, etc. Each of these are still likely to employ Load Balancing & WAF.
Most WAF/Load Balancing providers have documentation about when/where to perform decrypt in your architecture.
How many Cloudflare sites are just using the Cloudflare wildcard cert?
From there, plenty of 3 letter agency space to start whiteboarding how they might continue to evolve their attack chain.
Of course, in principle, a cloud provider could tap in anywhere you're using their services – ELB (load balancer), S3, etc. I presume they could even provide backdoors into EC2 instances if they were willing to take the reputational risk. But even if you assume the NSA or whoever is able to tap into internal network links within a data center, that alone wouldn't necessarily accomplish much (depending on the target).
A nationwide invisible firewall, with man in the middle decryption and permanent storage of all unencrypted data. All run by the major backbones and ISPs.
How would that work?
In a way it is the perfect solution from a Govt perspective. Other countries have systems at this scale and larger. China for example.
You might be thinking of DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT).
There's also DNSCurve.
From what I remember, only DoT uses ECH
https://media.ccc.de/v/chaoscolloquium-1-dns-privacy-securit...
After the core team disbanded there was a full security audit which uncovered some very minor issues.
People never really trusted Veracrypt though. Quite interesting how that turned out.
Where modern research effort goes is into protecting against "they HAD your physical machine and they gave it back to you" or "they got your machine while it was on/running" - these are much more difficult problems to solve, and are where TEE, TPM, Secure Boot, memory encryption, DMA hardening, etc. come into play.
Can you expand on this? It was my understanding that Veracrypt is the new de-facto standard.
Veracrypt is a curiousity, not beloved the way truecrypt was.
I’d love to see hard numbers for this, just my outside impression.
In fact, when trying to find old forums that I was part of during that era, I failed; and found only this: https://discuss.privacyguides.net/t/why-people-still-believe...
Safer or unsafer than ISP or VPN, is the question.
(I presume safe means private here)
It could be for insidious reasons, or because the speaker legitimately believes it. "If anyone tries to convince you you shouldn't use Rot13 as an encryption scheme, ask yourself- cui bono?" Silly example, but the point is, just about *everything* could be explained equally by either evil lies or honest warnings.
The only thing I see is seeing which IP addresses are using Tor, when, and how much traffic exchanged, but mostly it will be a bunch of reused residential IPs? If you know who you are looking for anyway better to work with their ISP?
With the exit nodes, you know which IP addresses are being looked up. You might get an exit node IP when investigating a crime say. Raid that person, but can you find anything more?
This isn't an argument, but a question.
Does Tor Browser Bundle currently ship with Ublock Origin installed and on by default?
I'm concerned with what let's call Gorhill's Web-- that is, the experience glued together by gorhill's Ublock Origin that is viewed by the vast majority of HN commenters on a day to day basis.
What you're describing is the Web-based Wasteland that is experienced by the vast majority of non-technical users who view the web without an ad blocker.
Encouraging Wasteland users to use TBB may well be an overall improvement for them. But there are more and more popular parts of the web that are practically unusable without an ad blocker-- e.g., fake download buttons, myriad other ad-based shenanigans, multiple ads squeezed into short pieces youtube content that ruins the music, etc. And there's an older segment of the population who at I cannot in good conscience move away from Gorhill's Web.
If Tor uptake somehow spikes to the point that some services can no longer get away with discriminating against exit nodes, then great! But in the meantime, I and many others have solid reasons for encouraging more and more Ublock Origin use among a wide variety of users.
And as you point out, there are technical reasons why the ad blocker lists are at odds with TBB design goals. Thus, I find the top poster's "cui bono" comment low effort and unhelpful.
Edit: clarification
Immoral is as subjective as it gets and is therefore an awful yardstick.
There definitely are legit use cases for it and in an ideal world, I think all traffic should go over onion routing by default to protect them.
But in reality today besides a handful of idealists (like me some years ago), and legitimate users, like protestors under oppressive regimes - I would assume the biggest group with a concrete interest to hide would be indeed pedophiles and other dark net members and therefore use it.
Tor is a privacy tool. Much of what we do in our lives is on the internet, and privacy is important. Tor helps people enjoy privacy in a medium that they are increasingly dependant on.
https://www.urbandictionary.com/define.php?term=scare+quotes
this is a helpful answer, downvoting it would be extremely bad form
Use Tor with extreme caution.
How applicable do people think this information is now 9-10 years later?
DEF CON 22 - Adrian Crenshaw- Dropping Docs on Darknets: How People Got Caught https://www.youtube.com/watch?v=eQ2OZKitRwc
But at planetary scale would Tor scale in an environmentally friendly way?
Not that I think the Fed's would blow their cover to hunt down people buying drugs but still seems stupid to trust.
The list of all relays is public knowledge by design. There’s contact information attached to relays. The big operators are known individuals and organizations. They contribute. Interact.
Which ones are actually the governments doing bad things against their citizens? It’s hard to tell? Then why do you make such claims?
Relays that observably do bad things are removed from the network all the time. Are those ones the government? Tor seemingly has a reasonable handle on the situation if that’s the case.
If the fed is doing correlation attacks, why would they run relays at all? “Just” tap the IXPs near major hubs of relays. Or heck, get data from the taps you already had. Silent and more widespread.
Pushing people away from tor potentially makes it even easier to deanonymize them, depending on the adversary model assumed.
Thanks for pointing this out. Seems obvious in retrospect but I don't really recall seeing a lot of evidence for this despite seeing the claim quite commonly. That said, the use of "rarely" makes me wonder what evidence has been presented in such rare instances. Just curious. (Of course it's also fine if the phrasing was just communication style.)
Beyond a principled stance re communications, I can’t think of a reason to use it. If you’re planning to resist some regime that controls telecom infrastructure, the fact that you’re using it is both uncommon and notable.
I know because I work there. AMA (edit: about tor. Because people say a lot about it without actually knowing much. But now I should put my phone down so… too late!)
To protect our most sensitive communications and vulnerable communities , Tor usage should be normalized so it is common and not notable.
Edit: I finally found it![0] I had to go to Donate, Donation FAQ, "Can I donate my time?" , "Learn more about joining the Tor community.", and then "Relay Operations" -> "Grow the Tor network" at the bottom right. I would really hope there's a more direct path than this...
https://community.torproject.org/relay/
Thanks for considering to run a relay.
I got to travel to Canada, Mexico, and Europe (from the US) for tor meetings and privacy-enhancing technology conferences.
More or less every single cell that goes through the tor network today is prioritized and scheduled by the cell scheduler I wrote.
For your AMA, if you want: How's the job? What keeps you working there? How's patriotism these days?
At least for the teams I have been on and my view of leadership, there is very little political talk.
But patriotism isn’t politics… lol. The higher you get the more “hoo rah America!” is a part of the motivational speech or report or whatever. Down here in the streets it’s just another job. Pride in the country isn’t much of a driver. At least for me.
These two statements make little sense together. It was originally developed by the Navy. Okay. So why would they design it from the get-go with such a fatal flaw that would risk their own adversaries gathering "actionable intelligence" from it?
I'd like to stress if we're talking about the Navy's involvement, then you're questioning the design of the whole thing from the very beginning, not just the current implementation.
Given that a lot of law enforcement doesn't even bother with the low hanging crimes, the chance of them prosecuting anyone using Tor is extremely low unless you get big enough or go far enough to warrant the attention.
Edit: Never does, exit nodes are not part of the circuit, thanks to commenter below.
If “deanonymize” strictly means perform a timing attack using info you have from the beginning and end of the circuit, then by definition you’re correct.
But if you visit an identifying set of websites and/or ignore TLS errors or … they can still deanonymize you.
What do we want Tor for except as a hope that Russian citizens might be able to get to the BBC site?
I am asking honestly - and would prefer not to be told my own government is on the verge of a mass pogrum so we had better take precautions.
If everything is SSL secured, then we don't have to explain why any specific thing is SSL secured. The same reason can be applied to use of TOR.
Even for top level comments, HN’s algorithm for ranking is pretty useful for assigning “worth”
Ordering by score DESC only gives you relative point information, not absolute. Theres additional signal if the top comment has 100 points vs only having 3 (and the bottom post also having 100 vs 1).
I think everyone wants “privacy by default”, they just don’t make the connection between this hypothetical and real life. In real life you’re still spied but nobody confronts you directly.
Using Tor this way doesn’t anonymize me—on Facebook at least, I’m logged in under my own account—but it limits the profile Meta builds on me to the union of what it directly observes on Facebook and what it can purchase through data brokers. Ever since I started doing this, I’ve noticed a huge drop in relevance in my Facebook ads, so apparently it’s working. When the ads become suddenly relevant again (which has happened a few times), it exposes an information leak: usually a credit card purchase that Meta must have obtained from either my bank or the shop vendor and tied to my identity.
Using a VPN could theoretically provide the same benefit, but in practice Facebook tended to temporarily lock my account when using a VPN and Reddit blocks VPN traffic completely. So I stick to the onion services, which are run by the websites themselves and so are less likely to be treated as malicious traffic.
If you use these platforms, I recommend bookmarking their onion sites in Tor Browser and using it as your primary interface to them for a while. Then, if you don’t find it too inconvenient, start blocking the non‐onion versions of the sites on your network.
https://old.reddittorjg6rue252oqsxryoxengawnmo46qy4kyii5wtqn...
https://www.facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg...
(P.S.: You shouldn’t trust the links I just posted; I could have posted fake ones! I recommend double‐checking against https://github.com/alecmuffett/real-world-onion-sites which links to proofs of onion site ownership under their usual domain names.)
We've come to accept (as a normal mainstream thing) end to end encryption in several popular messaging apps (which seems to be largely thanks to WhatsApp?), but the same idea applied to web browsing is still considered fringe for some reason. That distinction seems arbitrary to me, like just a cultural thing?
It might be a UX thing though. WhatsApp is pleasant. Trying to use the internet normally over Tor is horrendous (mostly thanks to Cloudflare either blocking you outright, or sending you to captcha hell).
Couldn’t a national security organization just modify a node to route traffic to other nodes it controls instead of uncontrolled nodes?
>A guard discovery attack allows attackers to determine the guard relay of a Tor client. The hidden service protocol provides an attack vector for a guard discovery attack since anyone can force an HS to construct a 3-hop circuit to a relay, and repeat this process until one of the adversary's middle relays eventually ends up chosen in a circuit. These attacks are also possible to perform against clients, by causing an application to make repeated connections to multiple unique onion services.
He got caught not by the FBI breaking Tor, but just by network analysis of university network traffic logs showing a very narrow list of on-campus people using Tor at the time the threat was communicated. He quickly confessed when interviewed.
https://www.washingtonpost.com/blogs/the-switch/files/2013/1...
Just another factor to consider when using Tor - who's network you're on.
If you are an enemy of the United States you probably aren’t but that’s a high bar
But there is also an element of resources. Even if you're sowing distrust in, say, the Comorian government, I don't think they have the resources to go after you unless you are truly destabilizing and not just annoying.
Some specific state actors operate TOR entry and exit routers and can perform analysis which is different to others who just have access to the infra beneath TOR and can infer things from traffic analysis somewhat differently.
I have never been in a situation where my life and liberty depended on a decision about a mechanism like TOR. I can believe it is contextually safe for some people and also believe it's a giant red flag to a lead pipe and locked room for others.
https://support.torproject.org/about/why-is-it-called-tor/
>Note: even though it originally came from an acronym, Tor is not spelled "TOR". Only the first letter is capitalized. In fact, we can usually spot people who haven't read any of our website (and have instead learned everything they know about Tor from news articles) by the fact that they spell it wrong.
I will be waiting patiently for people to admit that they do very illegal things over Tor.
The Guardian: https://www.guardian2zotagl6tmjucg3lrhxdk4dw3lhbqnkvvkywawy3...
New York Times: https://www.nytimesn7cgmftshazwhfgzm37qxb44r64ytbb2dj3x62d2l...
BBC: https://www.bbcweb3hytmzhn5d532owbu6oqadra5z3ar726vq5kgwwn6a...
...We are writing this blog post in response to an investigative news story looking into the de-anonymization of an Onion Service used by a Tor user using an old version of the long-retired application Ricochet by way of a targeted law-enforcement attack.
...From the limited information The Tor Project has, we believe that one user of the long-retired application Ricochet was fully de-anonymized through a guard discovery attack. This was possible, at the time, because the user was using a version of the software that neither had Vanguards-lite, nor the vanguards addon, which were introduced to protect users from this type of attack. This protection exists in Ricochet-Refresh, a maintained fork of the long-retired project Ricochet, since version 3.0.12 released in June of 2022.
But the things that do inspire confidence:
Tor is updated against vulnerabilities pre-emptively, years before the vulnerability is known to be leveraged
Tor Project happens to be investigating the attack vector of the specific tor client, which is years outdated
They should have just said “we fixed that vulnerability in 2022”
with a separate article about the old software
I don't want them to try to sell me something. If they were making bold claims as you suggest I would be more concerned.
While it has been fixed for years it was not a case of using old software from what I am reading.