Tor Threat Modeling

Tor Threat ModelingEDITOR NOTE: This is a post made by some Anon breaking down some of thoughts and feelings on the Tor Network. This is not an original post nor is the concepts Anon will be mentioning here, but a great breakdown on Tor and it's use cases, security, privacy, and threat modeling. TorThreatModel

>Is Tor anonymous? How does its anonymity work? >[idiot] was caught using Tor, it is unsafe! >Tor is funded by the feds. Funding must mean it's backdoored. >Tor is not a perfect solution, so don't bother protecting yourself. Tor works by using onion routing to proxy your traffic through three (or more) volunteer nodes, with one layer of encryption for each node used in a connection. Every connection uses a set of nodes (circuit) randomly chosen by the user. This is done so that each proxy only knows the address of the machine which sent it a packet and of the machine which it forwards a packet to.Things Tor does not do:

Cause users to act as relays by default/mandate/incentive.

Employ dummy traffic during onion routing (However, there IS dummy traffic in between the client and the guard node to prevent observers from fingerprinting clients as running onion services).

Induce significant latency intentionally.

Mix packets together to be sent out in a different order and/or bundled together.

Things Tor does do:

Pads all packets in the network to 512 bytes. The only time a packet is smaller than this is when it exits the network. Note that since onion service traffic never involves exit nodes, traffic remains padded end-to-end.

Does everything in its power to protect against "traffic analysis" attacks, in which adversaries attempt to discern which parts of the network they need to attack to deanonymize a target.

Also note that Tor:

Has a centralized directory authority (router list). (On the flip side, this does reliably prevent Sybil attacks)

Is not built to defend against confirmation attacks.

Clearly, the intention of Tor, in implementing a low-latency onion routing network, is to be blazing fast while preserving user privacy and anonymity against most adversaries. It excels at this, and to quote the NSA, "[Tor is] the king of high-secure, low-latency anonymity. There are no contenders to the throne in waiting."How can you be deanonymized when using Tor as a normal user (non-relay)?There are various methods to do so, but the most prominent are the following:

Timing attacks / Confirmation attacks

Attacks on traffic exiting the network (MITM techniques)

Protocol data leakage (browser metadata, p2p such as bittorrent, etc)

Operations security is easy if you have a basic level of intelligence, and for web browsing one should avoid usage of anything but the Tor Browser so as to not leak metadata. Ideally one might avoid as many network connections and as much traffic volume as possible.The most powerful method at the disposal of global adversaries is the Confirmation Attack. Such observers as the NSA and its allied spying agencies endeavor to log as many bytes that go through the internet backbone as possible, and they do this primarily by legally compelling ISPs and internet companies to do so, attempting to hack corporations if they can't get logs legally. Using these logs they can attempt to observe where traffic entered the network, and where similar patterns of traffic exited the network, and thus try to confirm a suspicion that two entities are communicating with each other.It will take multiple time intervals to deanonymize you with this technique for a variety of reasons. First, understand the nature of what is required to perform a confirmation attack:

The adversary must be able to monitor both client ... guard traffic and final node ... server traffic.

If the adversary can monitor the traffic of N nodes out of M total nodes, the probability that they will be able to perform a confirmation attack on an arbitrary circuit is (N/M)^2. Control/monitor 50% of the nodes and you can attempt attacks against at most 25% of circuits.

Assuming that an adversary has put themselves in a position to launch a confirmation attack, there are a number of issues that will obstruct them:

Traffic volume. There are a lot of users sending packets into the network and out of the network at the same time with many different and similar patterns, creating a large anonymity set.

Latency. There is not much latency to Tor, but during that latency there is more time for other clients/nodes to send packets and thus add to the traffic volume and total anonymity set.

Traffic padding. All packets that enter the network and are sent between nodes are padded to 512 bytes and are indistinguishable.

Guard nodes. If there were no guards or if guards were rotated quickly then eventually after going through enough circuits it is almost certain (~100%) that a malicious entry node would be chosen, so Tor chooses a guard to be used for 2-3 months. Empiric data about this can be found here- https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters

Onion services. When using one, you create a new circuit and your traffic will go through six relays (two users' circuits talking to each other), and your traffic does not exit the Tor network. This makes deanonymization of the users of onion services extremely difficult and unlikely. An onion service itself is more at risk here if an adversary knows their .onion address because they are long-lived, adversaries can attempt to hack the server, and intentionally flood it with traffic to cause patterns for confirmation attacks.

That said, it will be much harder to trace you if your activity is an IRC connection and not video-streaming or the upload of a 10GB file.To conclude: It will never be possible to deanonymize all Tor users all of the time. There are surely cases in which the multi-billion dollar might of world intelligence agencies will be able to string together various methods of timing attacks, browser and client exploits, opsec failures and old-fashioned social engineering to suspect and confirm links between Tor users and their correspondents. However, it would do well to not think of Tor as a cure-all for online anonymity, to compound its use with various other tools and techniques, and to understand that use of low-latency networks such as Tor to evade global adversaries is akin to driving in a nail with a wrench instead of a hammer- you could do it if you wanted to, but it is not the optimal way.All the same, why not use it? You protect your privacy, drastically reducing the power of governments and corporations to influence human behavior, and can be anonymous if you put in some effort, especially if sticking to communication within the network. There is no reason not to use Tor- perfection is the enemy of the good.TL;DR you want high-latency routing https://en.wikipedia.org/wiki/Mix_network if you want a system to easily resist a global passive adversary, but Tor is nothing to scoff at. Privacy is not a binary on/off switch, but a spectrum of difficulty. Anonymity is defined by the set of people whom you are indistinguishable from.