Silk Road forums

Discussion => Security => Topic started by: JoeXit on January 28, 2012, 06:21 pm

Title: Tor says: This is experimental software. Do not rely on it..." Wait what?
Post by: JoeXit on January 28, 2012, 06:21 pm
Decided to look at the Advanced section of the Tor message log. First notice there says:
"Tor v0.2.2.35 ... This is experimental software. Do not rely on it for strong anonymity."
What does that mean?

Title: Re: Tor says: This is experimental software. Do not rely on it..." Wait what?
Post by: doublemint on January 28, 2012, 06:31 pm
Which part do you not understand?

Title: Re: Tor says: This is experimental software. Do not rely on it..." Wait what?
Post by: JoeXit on January 28, 2012, 06:39 pm
Thanks for wanting to clear this up. Just a few questions and I'll be on my way:
- Can you please define "Strong anonymity"?
- What level of anonymity should I be expecting from Tor?
- Am I using the wrong version of Tor to come to this forum or to window shop on SR? If so which version should I be using?

Thanks!

Title: Re: Tor says: This is experimental software. Do not rely on it..." Wait what?
Post by: onestopshop on January 28, 2012, 10:02 pm
No such thing as "the wrong version" really...if you don't get the update to prompt then you're probably running the most updated one..in which case you don't have to worry a lot..

especially since everyone + SR is using/relying on Tor...

Title: Re: Tor says: This is experimental software. Do not rely on it..." Wait what?
Post by: 1011010 on January 30, 2012, 09:51 pm
Thanks for wanting to clear this up. Just a few questions and I'll be on my way:
- Can you please define "Strong anonymity"?
- What level of anonymity should I be expecting from Tor?
- Am I using the wrong version of Tor to come to this forum or to window shop on SR? If so which version should I be using?

Thanks!

I would define strong anonymity as the ability to resist a global passive adversary. Tor will never be able to do this because it is low latency. Global means that the attacker monitors entirely, passive means they monitor the links between nodes. Some attackers add nodes to the network and spy on traffic as it passes through their nodes, these are called active attackers. Passive attackers spy on communications between nodes, for example by ordering ISPs to log traffic of certain nodes. A global passive attacker monitors the traffic between all nodes, they don't need to own a single node on the network. Protecting from global passive attackers is possible if you delay and reorder traffic, this is called mixing. Tor doesn't mix traffic and offers no protection from a global passive attacker. Tor actually offers very little to no protection from attackers who are much less powerful than global passive.

It is hard to answer your second question because it depends on so many different things. If you got unlucky and one of your entry guards is owned by an attacker who is also monitoring the website you communicate with, either passively or actively in many different ways, then you should expect absolutely no anonymity from Tor. Tor can not give you anonymity if your attacker can watch your traffic enter and exit the network, or reach its final destination in the case of hidden services. Silk Road admin can see your traffic reach its final destination, so if he owns one of your entry guards he can deanonymize you. Assuming that all nodes can be entry guards, which they can not but many of them can, this would mean that there is about a 1 / 800 chance that SR can deanonymize you if he owns a single entry guard, since you select three entry guards. Your entry guards also change about once a month. This also assumes that all nodes which can be entry guards have an equal chance of being selected by your client as entry guards.

The main problem with using Tor is for vendors. Tor assumes from the start that your set size consists of all Tor users. You shouldn't be distinguishable from a Tor user in Egypt if you are in U.S.A. The problem for vendors is they give away their rough geolocation when they ship product. It is actually far more precise of a geolocation than their country too. Now you automatically have reduced your crowd size from 'Tor users in the world' to 'Tor users in this rough area'. The first crowd is much much larger than the second crowd. Tor doesn't hide the fact that you use it. If your threat model is one purely of information this is fine, but when you add physical product shipping it isn't fine. The most dangerous attack against vendor anonymity will simply be seeing who all uses Tor and lives near where the vendor ships from. This is actually very easy for even a weak attacker to do. Using bridges is probably a good idea to make it harder for an attacker to fuck you in this way. It also might make it easier for an attacker to fuck you in this way, since if the attacker can determine that you use bridges you are now 'someone who uses Tor near where this vendor ships from, who tries to hide the fact that they are using Tor'. This is a smaller crowd than 'People who use Tor near where this vendor ships from' which is in itself a much smaller crowd than 'People who use Tor'. See since I don't ship product you can only narrow in on me as 'Someone who uses Tor, somewhere in the world'. If I ship to you I instantly become 'Someone who uses Tor, near where this was shipped from'. Tor doesn't take the fact that you are shipping product into account when they say that Tor keeps you anonymous. Of course using Tor is always better than using nothing.

In general the anonymity provided by Tor is tremendously overestimated. As far as low latency anonymity solutions go it is better than anything else, but that isn't really saying much. Mixing is required for strong anonymity, but even the strong anonymity mix networks don't take membership observability into consideration. Tor bridges are more concerned with reachability than membership concealment but they do offer some weak membership concealment. Tor really is far better suited for people who have an entirely digital threat model, but even in those cases it shouldn't be relied on for strong anonymity. It actually doesn't offer strong anonymity at all. It can be relied on for above average weak anonymity, and if you use bridges it can be relied on for weak membership concealment. This sounds bad, but VPNs offer below average to average weak anonymity and no membership concealment.

When it comes to hidden services, Tor can be relied on to prevent random abuse complaints from getting your site shut down. Hidden services are really good at preventing Joe Blow from filing abuse complaints with your service provider. Using hidden services will probably also require the feds to spend a few days to weeks before they locate your server, assuming they decide to put their better people on the job. I heard from one friend that the F.B.I. has a few dozen computer people capable of tracing Tor hidden services, and that they generally are working on more urgent matters than tracing hidden services. I don't know how much faith I put in his estimate but I am fairly certain that if I had twenty thousand or so dollars to put toward it that I could trace any hidden service to its entry guards. I might have trouble getting the actual hidden service's IP address, but I also can't use pen register orders so that isn't saying much. I also might be able to trace the hidden service to its IP address, it's just harder to get around entry guards than it is to find them. But it isn't that hard, and I am essentially Joe Blow not the FBI.

It really is unfortunate how much blind faith people put into Tor without understanding its weaknesses and limitations. You are far from the only person who one day came to the sudden realization that Tor is only above average shitty anonymity and not a magic device that makes them untraceable from anyone. On the other hand I have not heard of the FBI tracing any of the pedophiles who use Tor via a direct attack on the Tor network, and I know they have tried to a few times. So be happy that Tor has no competent attackers who give a fuck about what you do. Don't piss off the NSA though, they are probably pretty close to a global passive adversary. Also don't expect lesser attackers to be idiots, even though they probably are, maybe one day they will get some brains.

Title: Re: Tor says: This is experimental software. Do not rely on it..." Wait what?
Post by: randomOVDB#2 on January 31, 2012, 11:22 am
1011010, thanks for your post.

I have two questions.

1. How much less problem do you face if you have a trusted first entry guard (your own for instance) ?
2. What do you think about i2p ?

Title: Re: Tor says: This is experimental software. Do not rely on it..." Wait what?
Post by: 1011010 on February 01, 2012, 12:39 pm
1011010, thanks for your post.

I have two questions.

1. How much less problem do you face if you have a trusted first entry guard (your own for instance) ?
2. What do you think about i2p ?

1. If you have a trusted set of entry guards the anonymity you get from Tor will increase substantially, but it still isn't perfect anonymity.
2. I think that Tor is better than I2P in every way. Enumerating IP addresses of every I2P user is easy to do by design, at least Tor requires someone who is capable of monitoring directory authority servers. Also I2P is really not popular at all. If a vendor uses I2P and ships drugs there is a high chance that any attacker can quickly find them, since they are probably the only person using I2P anywhere near where they ship from. I2P only has a few thousand users.

Title: Re: Tor says: This is experimental software. Do not rely on it..." Wait what?
Post by: CaptainSensible on February 01, 2012, 08:19 pm
+1 for 1011010's post. I'd add that if you want to see the numerous ways you can have your anonymity compromised then read the many Tor-related articles that have been published. It's not an easy or quick task, since there has been so much research both from privacy advocates and from researchers trying to show new and novel ways to unmask Tor users. If you use Tor and are aware of its weaknesses then you can take action to reduce your exposure. For example, if I were truly paranoid I'd make all my Tor connections from another access point, say a coffee shop with a password-protected WiFi network.

The more you learn about Tor the less casual you become when using it.

Title: Re: Tor says: This is experimental software. Do not rely on it..." Wait what?
Post by: tordemon on February 02, 2012, 12:08 am
1011010, thanks for your post.

I have two questions.

1. How much less problem do you face if you have a trusted first entry guard (your own for instance) ?
2. What do you think about i2p ?

1. If you have a trusted set of entry guards the anonymity you get from Tor will increase substantially, but it still isn't perfect anonymity.
2. I think that Tor is better than I2P in every way. Enumerating IP addresses of every I2P user is easy to do by design, at least Tor requires someone who is capable of monitoring directory authority servers. Also I2P is really not popular at all. If a vendor uses I2P and ships drugs there is a high chance that any attacker can quickly find them, since they are probably the only person using I2P anywhere near where they ship from. I2P only has a few thousand users.

Holy shit 1011010, how did you just come out of nowhere and start posting such horrendously well-informed posts? You should stick around, perhaps write more of the security threads, y'know?