Unmasking hidden Tor service users is too easy, say infosec bods

"Updated Security researchers speaking at the Hack in the Box conference in Amsterdam this week have demonstrated that users of hidden services on Tor are putting themselves at risk of being identified - if an attacker is willing to put in the time and resources.

The discovery is significant, because browsing hidden services had been thought to be more secure than the more typical practice of using the Tor network to browse the open web anonymously.

Not so, say Filippo Valsorda, a member of CloudFlare's security team, and George Tankersley, an independent researcher. In their presentation, the pair showed that it's surprisingly easy to subvert anonymous access to a hidden server - and thus possibly identify a user of that server - if you're sneaky about it.

That's bad, because hidden services are operated not just by dodgy sites like the Silk Road but also by legitimate sites like Facebook. Tor often hits the headlines for enabling things like online drug souks and other criminal operations, when it can be and is used by journalists, whistleblowers, security researchers, and anyone who values their privacy, to exchange information and surf the web anonymously."

http://www.theregister.co.uk/2015/05/30/researchers_claim_tracking_hidden_tor_services_is_easy/


Comments


[17 Points] IsThatPurple:

time and resources

awww, that's the magic keywords! Depends who you are then. If you are a low volume, small buyer, no government will spend their resources to go after you. If you are a bulk buyer/reseller or vendor, then you need to keep your shits tight. If you didn't know that till now, then you're in the wrong game.


[3 Points] Jay-__:

"Since this is quite counterintuitive, we thought people should know about it. But you still need control of something on the "entry" side of the connection before you can identify anyone."

&

There are ways for site operators to protect against this, however.

Hidden service providers are advised to be very wary of young HSDir nodes – or even better, to run their own HSDir nodes, which has the benefit of also providing a warning if other HSDir nodes try to attach themselves to the service.


[2 Points] roidragequit:

I finished up a paper on this subject not too long ago; unfortunately, I can't publish it since a private party stepped in and bought our tech.


[2 Points] william_junior:

This has been brought up a couple of times now but I still feel they're being vague on the details. Ok, they can force themselves into the HSDir role, like - what was it, 4 out of 6 nodes?

Then I seem to recall from their presentation that an HSDir gets a ping from a client for every sixth connection. So it's not exactly that they could correlate individual connection packets there like an exit node could. One ping in six connections seems rather little to correlate much from.

And especially so when the targeted hidden service is busy. They can't really even distinguish individual circuits there, right? Not sure about that right now though.

Either way, up to this point it's looking a tad blown out of proportion to me.


[1 Points] custyyyy:

Hopefully those of us buying small scale stuff are in the clear. And vendors. Hopefully they save their resources for real criminals!


[1 Points] kdkkkdkdkdo2:

If you are relying on Tor never selecting bad exit/HSDirs to maintain anonymity, you are doing it wrong.

Tor's anonymity hinges entirely on your entry guard and other measures of entering the network.


[1 Points] auto587643:

Sounds like this may catch a badly set up hidden site, but a more skilled, better designed site would probably have something in place to protect themselves from such an attack.

These people gotta realize that there's no such thing as a "magic bullet" in tech-related stuff. This technique may take down a shit market or two, but soon market mods will adapt and put up new security features, immunizing themselves from this.