
Suppose I have a user account on a remote server run by a friend.

I create a SOCKS tunnel on my computer that forwards connections from a local port to the remote server: ssh -N -D 12345 john@10.1.1.5 (i.e. all local connections to localhost:12345 get forwarded to the 10.1.1.5 server).

I configure the connection settings on the Tor browser to connect to the Tor network through a proxy: the SOCKS proxy on localhost:12345 that I just created.

The question: what are the security implications of this scheme? What can the remote server (10.1.1.5) see when I browse the web through the Tor browser?

Presumably, the remote server will be able to log connections and determine the sizes of the HTTP requests made through the Tor browser, but will it be able to determine the specific websites visited, or eavesdrop on POST requests?

Flux

1 Answer


The specific details for your proxy setup are irrelevant. It doesn't matter if it's done through SSH port forwarding or OpenVPN or IPSec or GRE. What matters is whether or not someone who can monitor the connection between your local Tor process and the Tor network can glean any useful information. The answer is no, they really can't get much. The connection is encrypted so the plaintext contents of the communication, in addition to the destination, are all opaque to the proxy. Yes, it is possible to analyze packet sizes and timing, but it is difficult and largely a theoretical risk. It is made more difficult due to some basic padding done by Tor (all transmissions occur in chunks of 514 bytes, never less). The two primary types of attacks are traffic correlation attacks and website fingerprinting attacks:

  • Traffic correlation attacks involve a malicious ISP, guard, or proxy that you are using to connect to the Tor network collaborating with a malicious or monitored website or exit node. In theory, the packet timings can reveal that you have connected to the website. This is not so easy in practice because there are a huge number of people using the Tor network, so it becomes difficult to tell whether or not a correlation of packet timings is just coincidence. An adversary who is able to passively monitor all connections globally may be able to mount this attack.

  • Website fingerprinting attacks exploit the fact that websites do not all behave identically in terms of amount of data sent. If YouTube and Stack Exchange were the only websites in the world, then it would be trivial to tell, based on packet sizes alone, which of the websites you visited even if the connection is encrypted. However, there are more than two websites, and determining which website you visited amongst billions of websites and hundreds or thousands of pages per website is quite impractical. Even still, Tor Project is working on solutions to that.

forest
  • Is there a difference between HTTP and HTTPS connections in terms of what the proxy server can see? Are HTTP connections opaque to the proxy server too? – Flux Jun 15 '19 at 08:16
  • @Flux Yes, HTTP connections are opaque to the proxy, although not the exit node. Your connection to the Tor network encrypts everything from the time it leaves your browser until the point when it reaches the exit node. The proxy can't even tell if you're using HTTP or HTTPS, much less the contents of the request. – forest Jun 15 '19 at 08:17
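An added example, not part of the original question, answer or comments: a small Python model of what the SSH server (the SOCKS hop) and the exit relay can each observe in this setup, built on Tor's fixed 514-byte link cells (at most 498 bytes of stream data per RELAY cell) and a constructed set of requests. TLS record and SSH channel framing are left out, and all hosts and payloads are made up.

```python
from dataclasses import dataclass
from math import ceil

# Constants from Tor's cell layout: 514 bytes per link cell on the wire (the
# "chunks of 514 bytes" in the answer), at most 498 of them stream data in a
# RELAY cell. TLS record and SSH channel framing are ignored in this model.
CELL_WIRE_BYTES = 514
RELAY_DATA_MAX = 498

@dataclass(frozen=True)
class Request:
    scheme: str     # "http" or "https"
    host: str       # destination website the browser asked for
    payload: bytes  # application bytes: request line, headers, any POST body

def cells_for(n_bytes: int) -> int:
    """Fixed-size Tor cells needed for n_bytes of stream data (at least one)."""
    return max(1, ceil(n_bytes / RELAY_DATA_MAX))

def proxy_view(reqs):
    """SSH server acting as SOCKS hop: website, scheme and content are inside the
    encrypted Tor link, so only the padded on-wire byte count remains per request
    (timing is the other observable and is omitted here)."""
    return [cells_for(len(r.payload)) * CELL_WIRE_BYTES for r in reqs]

def exit_view(reqs):
    """Exit relay: the Tor layers are stripped, so HTTP is readable, HTTPS is not."""
    out = []
    for r in reqs:
        if r.scheme == "http":
            out.append((r.host, r.payload))       # plaintext HTTP readable here
        else:
            out.append((r.host, len(r.payload)))  # TLS still hides the body
    return out

# Constructed sample traffic (not captured from a real session).
SAMPLE = [
    Request("http", "example.com", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Request("https", "example.org", b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    Request("http", "example.com",
            b"POST /login HTTP/1.1\r\nHost: example.com\r\n\r\nuser=alice&pw=secret"),
]

if __name__ == "__main__":
    print("SOCKS hop sees:", proxy_view(SAMPLE))   # [514, 514, 514]
    print("exit relay sees:", exit_view(SAMPLE))
```

All three requests collapse to one 514-byte cell at the SOCKS hop, so the HTTP GET, the HTTPS GET and the plaintext POST are indistinguishable there, while the exit relay reads the HTTP ones in full. One caveat the model leaves out: the SOCKS hop still learns the address of the Tor guard it is asked to connect to, so it can tell that Tor is in use even though it cannot see which website.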