10mo ago

Tor says it’s "still safe" amid reports of police deanonymizing users

www.bleepingcomputer.com

Just a moment...

Cybersecurity @sh.itjust.works

Kid @sh.itjust.works

10mo ago

Tor says it’s "still safe" amid reports of police deanonymizing users

www.bleepingcomputer.com /news/security/tor-says-its-still-safe-amid-reports-of-police-deanonymizing-users/

90 comments

This attack has been known for years now. And tor is simply not able to defend against it without a complete redesign.
- Yes, sorry i worded it incorrectly you can try to make it harder but timing attacks are still possible.
  Nope, just a summary that this is just old news. There is nothing new in the article.
- Redesign being I2P
  
  I2p has issues that can more easily lead to deanonymization attacks. It says it on the FAQ
  
  Nope, I2P is still vulnerable to timing attacks. https://en.m.wikipedia.org/wiki/Garlic_routing
The TOR network itself is safe - at least assuming the TLAs don't control at least half of the nodes, which is far from impossible. But let's assume...
The weak point comes from the browser: that's how the fuzz deanonymizes users. The only safe browser to use on TOR is the TOR browser, and that's the problem: it disables so many unsafe functionalities that it's essentially unusable on a lot of websites. So people use regular browsers over TOR, the browser leaks identifying data and that's how they get caught.
- My understanding is that Tor Browser works fine, there's just some dumb website owners that block Tor traffic by IP address.
  
  And ... guess what ... www.bleepingcomputer.com, the source of the story, is one of those.
- I mean, the advice I've heard for one who's threat model is "the feds are actively trying to identify me" is to have a dedicated burner computer that you do all of your illegal activities on and no other activities. Then of course on top of that avoid saving secrets onto the device and type them in manually every time (ephemeral distros like Tails are good for that)
- Do you think it's better to use a VPN if you aren't using TOR Browser?
  
  All VPNs do is change who has your browsing data: your ISP or the VPN operator. You may or may not trust either of them not to keep records, in either case you have no way of verifying this.
As I read, they used timing analysis which should be preventable by using an anonymous VPN to connect to tor and streaming something over the VPN connection at the same time. Some of them support multi-hop, like mullvad, which will further complicate the timing analysis because of the aggregated traffic.
- How do you get an anonymous VPN? I see mullvad has a pay in cash option. Is that how?
  
  You literally put the money + a piece of paper with your account number into an envelope and mail it to them
  
  Yes exactly and some providers also accept crypto.
  
  Mullvad accepts monero, that's probably the most convenient way to pay for it anonymously.
First, randomize your mac, shutdown anything that can "dial home" (updates, sync, logged in apps, etc) then connect to internet then anonymous VPN, then connect to the tor network, use an anonymized browser with NO java enabled, never download anything -copy paste text, and screen cap images-, if your network drops the popo's are trying to do a "reconnect" attack to see if they can get an unprotected connection to the material you were looking at. Use a livedisk on USB and you likely won't get bios level attacks, as live disks make it harder to access your bios. Source: a boring ass individual that just wants the gov off their jock strap, suck it Joe my FBI agent, you know what you did.
- This looks like it was a timing analysis attack. Basically, they’re trying to figure out which user did something specific. They match the timing of the event with the traffic from the user, and now they know which user did the thing.
  It can be fuzzed by streaming something at the same time, because now your traffic is way harder to time analyze when you have a semi-constant stream of data running. But streaming something over Tor is an exercise in patience, (and it’s not something the typical user will just always have running in the background) so timing analysis attacks are gaining popularity.
- a boring ass individual that just wants the gov off their jock strap, suck it Joe my FBI agent, you know what you did.
  I also prefer my feds to earn their keep, I pay them good money for it.
If I understand correctly, stream isolation will route different connections through different circuits. If you're doing two different things of a sensitive nature, open different browsers and applications, use random user-induced delays in your actions/responses and PGP-encrypt everything. And listen to what the TOR project says about the mitigations. I have some reading to do myself I guess
- whonix docs is very good to learn about this stuff
  
  Heh, whonix docs for privacy have become the arch wiki for Linux
- PGP? That's for email and isn't great
  
  That's for encrypting text, regardless of the medium. Explain "not very good"?
I have considered Tor safe for illicit activities for at least half a decade. Luckily, there's no need for me to be on there. But this is bad news for people living in places where speech is heavily regulated plus journalists and would-be whistle-blowers.
What else you going to use?
- I wish more people would try out I2P as a result. AFAIK, garlic routing makes this kind of attack impossible.
  
  AFAIK it only makes it harder not impossible.
  
  Insane 2lown Posse?
  
  We use it but it doesn't have the same protections or reliability as Tor
  
  I've tried to use it, but have not managed to get it to work. Which is a bummer.
  I should probably try again now that I have a new computer. My old computer was so old that a lot of stuff wasn't working correctly.
What are you going to use instead?
Tor is the best tool you just need to know how to use it
I think the only still secure network is i2p. In there you don't have the exit node

90 comments