This attack has been known for years now. And tor is simply not able to defend against it without a complete redesign.
The potential for timing attacks has been known since the beginning of Tor. In other words, more than a decade. But that doesn’t mean you can’t defend against it. One way to defend against it is by having more nodes. Another way is to write clients that take into account the potential for timing attacks. Both of these were specifically mentioned in the article.
Based on what was in the article and what’s in the history books, I’m not sure how to interpret your comment in a constructive way. Is there anything more specific you meant, that isn’t contradicted by what’s in the article?
Yes, sorry i worded it incorrectly you can try to make it harder but timing attacks are still possible.
Nope, just a summary that this is just old news. There is nothing new in the article.
The TOR network itself is safe - at least assuming the TLAs don’t control at least half of the nodes, which is far from impossible. But let’s assume…
The weak point comes from the browser: that’s how the fuzz deanonymizes users. The only safe browser to use on TOR is the TOR browser, and that’s the problem: it disables so many unsafe functionalities that it’s essentially unusable on a lot of websites. So people use regular browsers over TOR, the browser leaks identifying data and that’s how they get caught.
My understanding is that Tor Browser works fine, there’s just some dumb website owners that block Tor traffic by IP address.
And … guess what … www.bleepingcomputer.com, the source of the story, is one of those.
Maybe email them and let them know about the misconfiguration
Let them know that tor users can’t read their article about Tor
CRhode
Done!
I mean, the advice I’ve heard for one who’s threat model is “the feds are actively trying to identify me” is to have a dedicated burner computer that you do all of your illegal activities on and no other activities. Then of course on top of that avoid saving secrets onto the device and type them in manually every time (ephemeral distros like Tails are good for that)
Do you think it’s better to use a VPN if you aren’t using TOR Browser?
All VPNs do is change who has your browsing data: your ISP or the VPN operator. You may or may not trust either of them not to keep records, in either case you have no way of verifying this.
ISPs definitely keep records. At least some VPNs claim that they don’t, and that their networks are set up in such a way that they can’t. Some organizations claim to validate the claims of the VPNs, but it’s unclear if they’re trustworthy.
So your choice is to use something that definitely keeps logs, or to use a company that at least says that they don’t/can’t.
That’s exactly the reasoning I did for choosing a VPN. I know that VPNs are falsely advertised as “anonymous black magic” but better Proton or Mullvad than my ISP which definitely sells data to advertisers
Yes, and there’s also the fact that some VPNs such as Mullvad let you be anonymous so even if Mullvad were keeping logs, if you pay privately they have no way of knowing whose logs they are (unless the content itself of your internet history reveals your identity). Meanwhile your ISP definitely knows who you are, and absolutely will collaborate with the police if asked to.
You can pay anonymously, but if you regularly connect from your home IP address, it hardly matters.
I think the point here is to deny ISP data to sell.
Yeah I use mullvad for mostly that reason myself.
The VPN company themselves may not keep logs. However, they might be a little black box somewhere in the data center…
As Proton made evident, VPNs can be legally compelled to start keeping logs on specific accounts as the result of a court order. So if you’re gonna do something incriminating, then I guess you should create a new account each time.
That’s true but it also depends what attack vector you’re trying to defeat. If someone is doing a timing attack and you’re running through a VPN, it might be harder to work for them, depending on where they sit.
Yeah, VPN at the very least adds another hoop they have to jump through.
I mean, you could set up your own VPN on a VPS and ensure it doesn’t keep logs. You could also get a VPS in a different legal jurisdiction from where you’re at.
Depending on what you’re doing, that probably wouldn’t be a significant hinderance to law enforcement. Child sexual abuse, drug trafficking, etc., all tends to get lots of interagency cooperation, regardless of political issues.
And that’s a very good thing too.
It depends on whether you believe that people should be allowed to use narcotics or not. I tend to believe that people should be able to make that choice for themselves–as it’s their own body–and ordering narcotics online decreases violence in the drug trade since there’s no longer obvious fights over territories, etc.
The same interagency cooperation that makes it easier to track down one groups of people and punish them also makes it easier to track down other groups of people that you might agree with.
As I read, they used timing analysis which should be preventable by using an anonymous VPN to connect to tor and streaming something over the VPN connection at the same time. Some of them support multi-hop, like mullvad, which will further complicate the timing analysis because of the aggregated traffic.
How do you get an anonymous VPN? I see mullvad has a pay in cash option. Is that how?
Mullvad accepts monero, that’s probably the most convenient way to pay for it anonymously.
I forgot about that.
Yes exactly and some providers also accept crypto.
First, randomize your mac, shutdown anything that can “dial home” (updates, sync, logged in apps, etc) then connect to internet then anonymous VPN, then connect to the tor network, use an anonymized browser with NO java enabled, never download anything -copy paste text, and screen cap images-, if your network drops the popo’s are trying to do a “reconnect” attack to see if they can get an unprotected connection to the material you were looking at. Use a livedisk on USB and you likely won’t get bios level attacks, as live disks make it harder to access your bios. Source: a boring ass individual that just wants the gov off their jock strap, suck it Joe my FBI agent, you know what you did.
This looks like it was a timing analysis attack. Basically, they’re trying to figure out which user did something specific. They match the timing of the event with the traffic from the user, and now they know which user did the thing.
It can be fuzzed by streaming something at the same time, because now your traffic is way harder to time analyze when you have a semi-constant stream of data running. But streaming something over Tor is an exercise in patience, (and it’s not something the typical user will just always have running in the background) so timing analysis attacks are gaining popularity.
a boring ass individual that just wants the gov off their jock strap, suck it Joe my FBI agent, you know what you did.
I also prefer my feds to earn their keep, I pay them good money for it.
If I understand correctly, stream isolation will route different connections through different circuits. If you’re doing two different things of a sensitive nature, open different browsers and applications, use random user-induced delays in your actions/responses and PGP-encrypt everything. And listen to what the TOR project says about the mitigations. I have some reading to do myself I guess
whonix docs is very good to learn about this stuff
Heh, whonix docs for privacy have become the arch wiki for Linux
PGP? That’s for email and isn’t great
That’s for encrypting text, regardless of the medium. Explain “not very good”?
Well it’s not very good, it’s just pretty good.
Possiblylinux127 seemed like he had founds faults in PGP’s encryption which got me interested
Oh, I was just interested in making a pun based on the name. 😂
To be perfectly honest I was under the impression that we had collectively bailed on PGP in favor of GPG, but based on the Wikipedia article it seems like PGP is still getting updates so maybe that’s not the case?
PGP is the protocol, GPG is the implementation. People tend to use GPG because it is FOSS.
Thank you for distilling that down, cleared up all of the confusion I had. Cheers.
It uses the same public key unless you manually change it. You don’t get the rolling keys provided by other systems
I don’t think I understand what you’re implying. Are you arguing that PGP implements less secure operations because it doesn’t have perfect forward secrecy? As far as I know there’s not much out there in terms of encryption schemes for data at rest which includes PFS. Even AGE didn’t have it last time I checked. If you know about something that does provide PFS for data at rest, let me know
https://en.m.wikipedia.org/wiki/Signal_Protocol
https://en.m.wikipedia.org/wiki/Double_Ratchet_Algorithm
https://en.m.wikipedia.org/wiki/Elliptic-curve_Diffie–Hellman
The signal protocol works on double ratchet that works on Diffie Hellman
This is a good read. I think it’s a good solution if it can be implemented properly. Are there applications you know of that allow you to personally (manually) encrypt text and communicate with another person like GPG does?
You should not be doing manual communications as that opens the door for human error and is time consuming. Also these cryptography protocols are far to complex to easily be used for text.
I have considered Tor safe for illicit activities for at least half a decade. Luckily, there’s no need for me to be on there. But this is bad news for people living in places where speech is heavily regulated plus journalists and would-be whistle-blowers.
What else you going to use?
I wish more people would try out I2P as a result. AFAIK, garlic routing makes this kind of attack impossible.
Insane 2lown Posse?
AFAIK it only makes it harder not impossible.
At least they can’t utili’e the applied tactic to host their own node.
We use it but it doesn’t have the same protections or reliability as Tor
Really? Care to explain?
Check the FAQ
Also it lacks the more advanced features of Tor
Please mention the “advanced features” it lacks compared to TOR. I have read the FAQ
You can’t use snowflakes and it can’t pretend to be https
Use OpenVPN configured to look like HTTPS if you really need it. I2P is meant to be its own network, not a gateway to the clearnet. I still do not see how it has less measures in place for privacy and anonymity.
I’ve tried to use it, but have not managed to get it to work. Which is a bummer.
I should probably try again now that I have a new computer. My old computer was so old that a lot of stuff wasn’t working correctly.
Remember that you need to let the server run for a bit, so it can establish , the routes.
I have a service constantly running on my server. When I want to browse, I tunnel the ports to my laptop.
What are you going to use instead?
Tor is the best tool you just need to know how to use it
I think the only still secure network is i2p. In there you don’t have the exit node