The developers of the Tor project insist that their network’s privacy-protecting capabilities they are still going strongdespite German reports that local police were able to reveal the anonymity of one user.
The German Federal Criminal Office (BKA) and the Frankfurt General Prosecutor’s Office after network monitoring at least one Tor user could identify. The report cites “timing analysis” as the key to identifying Tor users. “By observing the timing of individual data packets, anonymized connections can be traced back to Tor users, even if the data connections are multiple times encrypted in the Tor network,” the report says, unfortunately without a detailed explanation of how the technique works.
Tor enhanced anonymity provides to the users of its network by routing their traffic through the so-called dark network of its own nodes, so that the true origin of the connection is hidden. Traffic sent to Tor is wrapped in layers of encryption and first reaches an “entry” or “guardian” node. The traffic then bounces through at least three randomly selected servers – also known as relays – before returning to the public networks through an “exit node” or a for .onion service would join. This process hides the source of the connection and makes it difficult to monitor what a particular user is doing online.
Timing analysis looks at long-term usage trends, and this could potentially undermine Tor’s effectiveness by giving observers clues about which users are sending traffic to the network. Essentially, it involves someone adding nodes to the Tor network and recording the timing of incoming and outgoing packets. Over time, these timings can help reveal who is connecting to a particular .onion service. According to Matthias Marx, spokesman for the famous European hacker collective Chaos Computer Club (CCC), the method can work. In his opinion, the available evidence – by journalists documents obtained and other information – “strongly suggest that law enforcement authorities have repeatedly and successfully conducted timing analysis attacks against selected Tor users to deanonymize them” for several years.
The Tor Project, while admitting it hasn’t seen all the documents involved, believes the German police were able to expose a Tor user because he was using outdated software, as opposed to the police using some unknown vulnerability or similar Who. The German report claims that the timing analysis attack was used during an investigation into an individual known as “Andres G,” the alleged operator of the .onion child sexual abuse website Boystown. “G” allegedly used Ricochet, an anonymizing messaging app that transmits data between sender and recipient via Tor. Specifically, they say he used a version of the chat program that couldn’t use a Tor connection to circumvent the timing-based deanonymization method used by police.
According to the report, German authorities obtained the cooperation of operator Telefónica, which provided data on all O2 customers who connected to a known Tor node. Cross-checking this information with observations of Tor timing information allowed authorities to identify “G”, who was arrested, charged and convicted in North Rhine-Westphalia. Tor argued that despite the method, its service was not flawed. According to the organization, “G” used insecure Ricochet, so police were able to figure out what entry or sentinel node he used to send the data through the Tor network. And the police asked Telefónica to list the subscribers who connected to this entry point, and thus were able to infer the identity of the Tor user.
According to the Tor Organization, “G” was likely using an old version of Ricochet that did not include protection against such attacks. project’s maintained fork,” Tor writes. “For timed analysis of traffic, the ingress node must be compromised, and since it is the first in the Tor network, it sees the user’s IP address,” said Bill Budington, chief technologist at EFF. If the entry point cannot be directly compromised, network timings can be obtained to complete monitoring.
Ricochet is a very primitive messenger, but it uses the Tor network
Tor users now fear that the network will be flooded with police-controlled nodes, which would threaten anonymity. But the number of nodes required for this would have to be enormous. The Tor project has acknowledged that it has seen an increase in the deployment of exit nodes – more than 2,000 recently – but the organization says there is no need to worry. “The claim that the network is not healthy is simply not true,” said Tor’s director of public relations, Pavel Zoneff. managed by an intentional actor and does not allow them to join the network. As a result, many bad relays were flagged for removal, which were then banned by directory managers. Many of these probably did not pose a real threat to users,” he said.
Regardless, the project asked for help to understand exactly what the police did. “We need more details about this case,” the team said. “In the absence of facts, it’s difficult for us to provide official guidance or responsible information to the Tor community, relay operators, and users.” For now, the message is: “Don’t panic.”
Source: sg.hu
