
I've just read about the detection and blocking of Tor traffic by DPI, but now I'm curious about analyzing the data you send over Tor and matching it with your true identity by deep-inspecting the data packets that leave your PC/router. (If that means anything)

I don't know much about the technical details of DPI (which will become pretty obvious with the following questions), but I've heard from a few people with some technical background that it gives its user immense surveillance power. When I asked them about the relationship between DPI and Tor, and the implications of DPI for Tor, they said that they don't know enough about Tor to give satisfactory answers to my questions.

So I'm posting my questions here in hopes that someone with sufficient knowledge on both concepts will answer them.

  • Are governments/ISPs able to do it? (The paranoid government in my country [Turkey] pretty much rules ISPs so ISP=government in this case. The government demands all personal information of internet users from ISPs, it doesn't let anyone launch an ISP company otherwise.)

  • Do they need advanced network infrastructure to achieve it, or is it a painless procedure? What type of infrastructure do they need? Is it possible to tell if they're able to do it by, say, looking at the technological or economic development of a country? One person told me that they would probably need supercomputers to analyze every user's traffic.

  • Does deep packet inspection come with "degrees" or is it more like an "all-or-nothing" concept? That is, a government is able to use this surveillance method but not that surveillance method because they don't have the technology, etc.

  • If a government is known to utilize DPI, does that mean Tor is completely useless in that country?

  • What actions could be taken to prevent a government from deep-inspecting one's packets?

I'm open to further reading/resources if no one's willing to write. Thanks in advance.

2 Answers

Deep Packet Inspection (DPI) is straightforward to do and is all-or-nothing capable, but sometimes only a subset is inspected for load reasons. However, that is an inspection of the frame packets; it does not include a Man in the Middle (MiTM) capability to decrypt the packet contents, so the payload is still encrypted.

Traffic Analysis looks at patterns, frequencies, and sizes in an attempt to categorize traffic without actually knowing the content. Tor traffic can be readily identified as Tor by Traffic Analysis, but realistically all the Tor nodes are public information anyway, so identifying Tor is easy, but not Tor content. There have been some unverified claims that certain types of traffic can be statistically identified with good probability within Tor, but not the specifics.

Compromising Tor content is not a function of owning a commercial CA; Tor doesn't use them. Without going into a boatload of Tor details, the most common approach to compromising Tor is to attempt to own enough nodes. A compromised exit node allows the exit node to see all the normal internet traffic, but these days that should be HTTPS-encrypted traffic as well. Currently there has been an ongoing attack by an unknown large entity standing up many exit nodes; at its peak it was nearly 25% of the exit nodes before being partially purged by Tor. Owning enough nodes may provide an attacker with the ability to trace that particular user at that moment.

All of the Tor compromises that have been in the news were not compromises of the Tor network, they were compromises of Browsers, and compromises of Opsec, where users did something outside of Tor protections to self identify.

In short, while Tor is not guaranteed anonymous, it is still the most effective available. That said, the fact that you are using Tor is readily determined. An approach to address this in a given locale is to VPN out of the country and run Tor through the VPN. Note that doing the reverse of running a VPN through Tor would defeat your use of Tor.

user10216038
  • "That said, the fact that you are using Tor is readily determined. An approach to address this in a given locale is to VPN out of the country and run Tor through the VPN" Thank you for your response. What about bridges? Do they serve the same function? – h088bmIuXaskpzJEe3ld Aug 15 '20 at 07:34
  • @h088bmIuXaskpzJEe3ld - *Bridges* are fundamentally unregistered Tor Relays. The traffic pattern analysis would still be Tor but their IP addresses may not be known for a while. Tor does offer limited obfuscated bridges and pluggable transports have worked on a limited basis. I think first choice would be a high traffic out of country public VPN. Second choice would be an out of country private VPN in most cases but your needs may differ. – user10216038 Aug 15 '20 at 15:12

I found this question interesting.

I will try to answer each question, assuming that I consider DPI, in this case, equivalent to SSL/TLS Man in the Middle.
DPI which only observes some clues in the cleartext parts of a frame (like in the paper you mentioned) is not able to recover the encrypted parts. This way could permit blocking some Tor nodes, but privacy stays untouched.

  • A government could do it if it was able to own one of the hundreds of Certification Authorities (CAs) embedded in the OS and the browsers. Maybe, in the large list of CAs, some of them are in Turkey and could give the government access to their private keys to sign rogue certificates on the fly. Then the government needs to intercept the traffic at some point (with an ISP or in a place where the cables are managed) to substitute its certificates.
    This way, it can observe encrypted content like VPN or SSL/TLS.
    BUT this way is quite detectable. Someone who travels in Turkey could save the displayed certificate of a website and see that it is different from the one from their own country.
  • The technology to perform this DPI is not a high-level one. With the participation of the ISP, the CPU involved in the interception is not even the government's problem, except if it puts a black box in the ISP infrastructure (then this black box needs to decrypt/observe/re-encrypt on the fly without lowering the network speed).
    The amount of resources needed to analyze all the intercepted traffic, and the storage capacity, are very large but not so expensive for a government.
  • In this case DPI is all or nothing: you serve your certificate instead of the real one and the victim talks to you instead of the real server. Some kind of crypto attacks over the traffic could be used to retrieve part of the packet without performing a Man in the Middle, but the processing for each packet would be discouraging.
  • Even if the government uses a huge DPI system over the national traffic with the participation of some CAs and ISPs, without anyone noticing this and without a disclosure from a whistleblower (in the ISP or the CA), some protections exist against this threat model, such as HPKP and Certificate Transparency. But, theoretically, if someone can make a complete DPI (read the encrypted parts) without being visible, yes, Tor is useless in this case.
  • One action could be the use of a foreign VPN with a certificate signed by a foreign CA (a CA in Europe, USA, ...). Then, when you mount your VPN tunnel, you could check if the root CA received corresponds to this CA (if you see a Turkish CA instead, there is a problem ^^); at this point you could abort the connection. If the initial connection succeeds, the VPN will make all the further connections for you, outside of the influence of the government.

I'm not very skilled in this domain, but I don't know any other way of feasible DPI than SSL/TLS Man in the Middle.
And this way is not stealthy enough to be widely used without being identified in some days/hours.
So I don't think that Turkey implements it.

Sibwara
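The check the answer above suggests (saving the certificate a site or VPN endpoint shows from a trusted network, then comparing what is presented later and aborting if the issuer or fingerprint differs) as an added Python example. This is an illustration written for this page, not the answerer's code; the certificate bytes and issuer names are constructed placeholders, not real certificates, and only `fetch_presented_cert` touches the network.

```python
import hashlib
import socket
import ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def issuer_org(cert_info: dict) -> str:
    """Issuer organizationName from a getpeercert()-style dict ("" if absent)."""
    for rdn in cert_info.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def compare_with_baseline(der_cert: bytes, cert_info: dict, baseline: dict) -> list:
    """Return findings; an empty list means the presented cert matches the saved baseline."""
    findings = []
    fp = fingerprint(der_cert)
    if fp != baseline["fingerprint"]:
        findings.append(f"fingerprint changed: {fp} != {baseline['fingerprint']}")
    org = issuer_org(cert_info)
    if org != baseline["issuer_org"]:
        findings.append(f"issuer changed: {org!r} != {baseline['issuer_org']!r}")
    return findings

def fetch_presented_cert(host: str, port: int = 443, timeout: float = 5.0):
    """Fetch (DER bytes, parsed dict) of the leaf certificate a server presents.
    The default context validates the chain, so a rogue-CA certificate that the
    OS already trusts still comes back here and is caught by the comparison."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()

# Constructed sample data (not real certificates): a baseline recorded at home
# and the certificate presented later on a network suspected of interception.
HOME_DER = b"constructed-der-bytes-of-the-genuine-leaf-certificate"
HOME_INFO = {"issuer": ((("countryName", "US"),), (("organizationName", "Example Trust Root"),))}
BASELINE = {"fingerprint": fingerprint(HOME_DER), "issuer_org": issuer_org(HOME_INFO)}
ROGUE_DER = b"constructed-der-bytes-of-a-substituted-leaf-certificate"
ROGUE_INFO = {"issuer": ((("countryName", "TR"),), (("organizationName", "Constructed Rogue CA"),))}

def demo() -> dict:
    """Compare both certificates against the baseline: {'home': [...], 'rogue': [...]}."""
    return {"home": compare_with_baseline(HOME_DER, HOME_INFO, BASELINE),
            "rogue": compare_with_baseline(ROGUE_DER, ROGUE_INFO, BASELINE)}
```

In practice the baseline would be saved from `fetch_presented_cert` on a network you trust, and any non-empty findings list is the signal to abort the connection.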