84

It has been known in the security community that a tool as versatile as Tor is likely the target of intense interest from intelligence agencies. While the FBI has admitted responsibility for a Tor malware attack, the involvement of SIGINT organizations has not been confirmed.

Any doubt was removed in early October, 2013 with The Guardian's release of "Tor Stinks," an NSA presentation (vintage June 2012) outlining current and proposed strategies for exploiting the network.

Some salient points:

  • Fundamentally, Tor is secure
  • ...however, de-anonymization is possible in certain circumstances
  • "Dumb users" will always be vulnerable (designated internally as "EPICFAIL")
  • NSA/GCHQ operate Tor nodes
  • Traffic analysis, in various forms, appears to be the tool of choice

After reviewing the literature, what changes should Tor users implement to ensure -- to the greatest degree technically feasible -- their continuing security?

nitrl
  • 3,003
  • 4
  • 20
  • 23
  • 1
    Use only for political activism... Would be a best practice to lower your threat surface. Don't follow the Silk Road to cause reason for criminal investigation. – Fiasco Labs Oct 05 '13 at 03:33
  • I thought about answering this, but there are too many variables. Some security enhancements require cunning use of VMs and NATs to hide a computer's IP from *itself* if the Tor Browser leaks; some other enhancements require an overhaul of the Tor protocol to resist traffic analysis. Common sense information hygiene and compartmentalisation is about the only generic advice I could give you. That and don't be a criminal. – LateralFractal Oct 05 '13 at 08:06
  • 2
    All of the Tor Project's existing recommendations still apply, as far as I know. The problem is that most Tor users miss at least one of them. I have my own list, which I'll post later. – Michael Hampton Oct 07 '13 at 18:25
  • Addendum: Schneier analysis of exploits- https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html – nitrl Oct 18 '13 at 02:37
  • 1
    As I read this, malware and exploits are the tools of choice against Tor users. Traffic analysis has reportedly not been very successful. But of course, the presentations may be intentionally misleading. – mirimir Dec 14 '13 at 01:24
  • Don't use Tor unless you want the NSA to think you need checking up on! – Ian Ringrose Feb 01 '14 at 16:14
  • If you can rule out the case that your adversary is mighty enough and willing to tap on the line from your location to your ISP or your ISP's being somehow coerced to cooperate with your adversary, then I believe that Tor would indeed work quite fine. Otherwise, since your emails initially carry your IP-address, your identity would be clearly revealed through the said kind of tapping and a way-out would be to attempt to use a foreign IP-address, e.g. one of a call-shop, to send your emails, if you could exclude your being under surveillance while doing so. – Mok-Kong Shen May 01 '16 at 13:52

2 Answers2

110

As a very long time Tor user, the most surprising part of the NSA documents for me was how little progress they have made against Tor. Despite its known weaknesses, it's still the best thing we have, provided it's used properly and you make no mistakes.

Since you want security of "the greatest degree technically feasible", I'm going to assume that your threat is a well-funded government with significant visibility or control of the Internet, as it is for many Tor users (despite the warnings that Tor alone is not sufficient to protect you from such an actor).

Consider whether you truly need this level of protection. If having your activity discovered does not put your life or liberty at risk, then you probably do not need to go to all of this trouble. But if it does, then you absolutely must be vigilant if you wish to remain alive and free.

I won't repeat Tor Project's own warnings here, but I will note that they are only a beginning, and are not adequate to protect you from such threats. When it comes to advanced persistent threats such as state actors, you are almost certainly not paranoid enough.


Your Computer

To date the NSA's and FBI's primary attacks on Tor have been MITM attacks (NSA) and hidden service web server compromises and malware delivery (FBI) which either sent tracking data from the Tor user's computer, compromised it, or both. Thus you need a reasonably secure system from which you can use Tor and reduce your risk of being tracked or compromised.

  1. Don't use Windows. Just don't. This also means don't use the Tor Browser Bundle on Windows. Vulnerabilities in the software in TBB figure prominently in both the NSA slides and FBI's recent takedown of Freedom Hosting. It has also been shown that malicious Tor exit nodes are binary patching unsigned Windows packages in order to distribute malware. Whatever operating system you use, install only signed packages obtained over a secure connection.

  2. If you can't construct your own workstation capable of running Linux and carefully configured to run the latest available versions of Tor, a proxy such as Privoxy, and the Tor Browser, with all outgoing clearnet access firewalled, consider using Tails or Whonix instead, where most of this work is done for you. It's absolutely critical that outgoing access be firewalled so that third party applications or malware cannot accidentally or intentionally leak data about your location. If you must use something other than Tails or Whonix, then only use the Tor Browser (and only for as long as it takes to download one of the above). Other browsers can leak your actual IP address even when using Tor, through various methods which the Tor Browser disables.

  3. If you are using persistent storage of any kind, ensure that it is encrypted. Current versions of LUKS are reasonably safe, and major Linux distributions will offer to set it up for you during their installation. TrueCrypt is not currently known to be safe. BitLocker might be safe, though you still shouldn't be running Windows. Even if you are in a country where rubber hosing is legal, such as the UK, encrypting your data protects you from a variety of other threats.

  4. Remember that your computer must be kept up to date. Whether you use Tails or build your own workstation from scratch or with Whonix, update frequently to ensure you are protected from the latest security vulnerabilities. Ideally you should update each time you begin a session, or at least daily. Tails will notify you at startup if an update is available.

  5. Be very reluctant to compromise on JavaScript, Flash and Java. Disable them all by default. The FBI has used tools which exploit all three in order to identify Tor users. If a site requires any of these, visit somewhere else. Enable scripting only as a last resort, only temporarily, and only to the minimum extent necessary to gain functionality of a web site that you have no alternative for.

  6. Viciously drop cookies and local data that sites send you. Neither TBB nor Tails do this well enough for my tastes; consider using an addon such as Self-Destructing Cookies to keep your cookies to a minimum. Of zero.

  7. Your workstation must be a laptop; it must be portable enough to be carried with you and quickly disposed of or destroyed.

  8. Don't use Google to search the Internet. A good alternative is Startpage; this is the default search engine for TBB, Tails and Whonix. Another good option is DuckDuckGo.


Your Environment

Tor contains weaknesses which can only be mitigated through actions in the physical world. An attacker who can view both your local Internet connection, and the connection of the site you are visiting, can use statistical analysis to correlate them.

  1. Never use Tor from home, or near home. Never work on anything sensitive enough to require Tor from home, even if you remain offline. Computers have a funny habit of liking to be connected... This also applies to anywhere you are staying temporarily, such as a hotel. Never performing these activities at home helps to ensure that they cannot be tied to those locations. (Note that this applies to people facing advanced persistent threats. Running Tor from home is reasonable and useful for others, especially people who aren't doing anything themselves but wish to help by running an exit node, relay or bridge.)

  2. Limit the amount of time you spend using Tor at any single location. While these correlation attacks do take some time, they can in theory be completed in as little as a day. (And if you are already under surveillance, it can be done instantly; this is done to confirm or refute that a person under suspicion is the right person.) While the jackboots are very unlikely to show up the same day you fire up Tor at Starbucks, they might show up the next day. I recommend for the truly concerned to never use Tor more than 24 hours at any single physical location; after that, consider it burned and go elsewhere. This will help you even if the jackboots show up six months later; it's much easier to remember a regular customer than someone who showed up one day and never came back. This does mean you will have to travel farther afield, especially if you don't live in a large city, but it will help to preserve your ability to travel freely.

  3. Avoid being electronically tracked. Pay cash for fuel for your car or for public transit. For instance, on the London Underground, use a separate Travelcard purchased with cash instead of your regular Oyster card or contactless payment. Pay cash for everything else, too; avoid using your normal credit and debit cards, even at ATMs. If you need cash when going out, use an ATM close to home that you already frequently use. If you drive, try to avoid number plate readers by avoiding major bridges, tunnels, motorways, toll roads and primary arterial roads and traveling on secondary roads. If the information is publicly available, learn where these readers are installed in your area.

  4. When you go out to perform these activities, leave your mobile phone turned on and at home. If you need to make and receive phone calls, purchase an anonymous prepaid phone for the purpose. This is difficult in some countries, but it can be done if you are creative enough. Pay cash; never use a debit or credit card to buy the phone or top-ups. Never insert its battery or turn it on if you are within 10 miles (16 km) of your home, nor use a phone from which the battery cannot be removed. Never place a SIM card previously used in one phone into another phone, as this will irrevocably link the phones. Never give its number or even admit its existence to anyone who knows you by your real identity. This may need to include your family members.


Your Mindset

Many Tor users get caught because they made a mistake, such as using their real email address in association with their activities, or allowing a hostile adversary to reach a high level of trust. You must avoid this as much as possible, and the only way to do so is with careful mental discipline.

  1. Think of your Tor activity as pseudonymous, and create in your mind a virtual identity to correspond with the activity. This virtual person does not know you and will never meet you, and wouldn't even like you if he knew you. He must be kept strictly mentally separated. Consider using multiple pseudonyms, but if you do, you must be extraordinarily vigilant to ensure that you do not reveal details which could correlate them.

  2. If you must use public Internet services, create completely new accounts for this pseudonym. Never mix them; for instance do not browse Facebook with your real email address after having used Twitter with your pseudonym's email on the same computer. Wait until you get home.

  3. By the same token, never perform actions related to your pseudonymous activity without using Tor, unless you have no other choice (e.g. to sign up for a service which blocks signup via Tor). Take extra precautions regarding your identity and location if you must do this.


Hidden Services

These have been big in the news, with the takedown of high-profile hidden services such as Silk Road and Freedom Hosting in 2013, and Silk Road 2.0 and dozens of other services in 2014.

The bad news is, hidden services are much weaker than they could or should be. The Tor Project has not been able to devote much development to hidden services due to the lack of funding and developer interest (if you're able to do so, consider contributing in one of these ways).

Further, it is suspected that the FBI is using traffic confirmation attacks to locate hidden services en masse, and an early 2014 attack on the Tor network was actually an FBI operation.

The good news is, the NSA doesn't seem to have done much with them (though the NSA slides mention a GCHQ program named ONIONBREATH which focuses on hidden services, nothing else is yet known about it).

Since hidden services must often run under someone else's physical control, they are vulnerable to being compromised via that other party. Thus it's even more important to protect the anonymity of the service, as once it is compromised in this manner, it's pretty much game over.

The advice given above is sufficient if you are merely visiting a hidden service. If you need to run a hidden service, do all of the above, and in addition do the following. Note that these tasks require an experienced system administrator who is also experienced with Tor; performing them without the relevant experience will be difficult or impossible, or may result in your arrest. The operator of both the original Silk Road and Silk Road 2.0 were developers who, like most developers, were inexperienced in IT operations.

  1. Do not run a hidden service in a virtual machine unless you also control the physical host. Designs in which Tor and a service run in firewalled virtual machines on a firewalled physical host are OK, provided it is the physical host which you are in control of, and you are not merely leasing cloud space. It is trivial for a cloud provider to take an image of your virtual machine's RAM, which contains all of your encryption keys and many other secrets. This attack is far more difficult on a physical machine.

  2. Another design for a Tor hidden service consists of two physical hosts, leased from two different providers though they may be in the same datacenter. On the first physical host, a single virtual machine runs with Tor. Both the host and VM are firewalled to prevent outgoing traffic other than Tor traffic and traffic to the second physical host. The second physical host will then contain a VM with the actual hidden service. Again, these will be firewalled in both directions. The connection between them should be secured with a VPN which is not known to be insecure, such as OpenVPN. If it is suspected that either of the two hosts may be compromised, the service may be immediately moved (by copying the virtual machine images) and both servers decommissioned.

    Both of these designs can be implemented fairly easily with Whonix.

  3. Hosts leased from third parties are convenient but especially vulnerable to attacks where the service provider takes a copy of the hard drives. If the server is virtual, or it is physical but uses RAID storage, this can be done without taking the server offline. Again, do not lease cloud space, and carefully monitor the hardware of the physical host. If the RAID array shows as degraded, or if the server is inexplicably down for more than a few moments, the server should be considered compromised, since there is no way to distinguish between a simple hardware failure and a compromise of this nature.

  4. Ensure that your hosting provider offers 24x7 access to a remote console (in the hosting industry this is often called a KVM though it's usually implemented via IPMI) which can also install the operating system. Use temporary passwords/passphrases during the installation, and change them all after you have Tor up and running (see below). Use only such a tool which is accessible via a secured (https) connection, such as Dell iDRAC or HP iLO. If possible, change the SSL certificate on the iDRAC/iLO to one you generate yourself, as the default certificates and private keys are well known.

    The remote console also allows you to run a fully encrypted physical host, reducing the risk of data loss through physical compromise; however, in this case the passphrase must be changed every time you reboot the system (even this does not mitigate all possible attacks, but it does buy you time).

    If the system was rebooted without your knowledge or explicit intent, consider it compromised and do not attempt to decrypt it in this manner. Silk Road 2.0 apparently failed to encrypt its hard drives, and also failed to move service when it went down in May 2014, when it was taken offline by law enforcement to be copied.

  5. Your initial setup of the hosts which will run the service must be in part over clearnet (via a Tor exit node), albeit via ssh and https; however, to reiterate, they must not be done from home or from a location you have ever visited before. As we have seen, it is not sufficient to simply use a VPN. This may cause you issues with actually signing up for the service due to fraud protection that such providers may use. How to deal with this is outside the scope of this answer, though.

  6. Once you have Tor up and running, never connect to any of the servers or virtual machines via clearnet again. Configure hidden services which connect via ssh to each host and each of the virtual machines, and always use them. If you run multiple servers, do not allow them to talk to each other over the clearnet; have them access each other via unique Tor hidden services. If you must connect via clearnet to resolve a problem, again, do so from a location you will never visit again. Pretty much any situation which would require you to connect via clearnet indicates a possible compromise; consider abandoning it and moving service instead.

  7. Hidden services must be moved occasionally, even if compromise is not suspected. A 2013 paper described an attack which can locate a hidden service in just a few months for around $10,000 in cloud compute charges, which is well within the budget of even some individuals. As noted earlier, a similar attack took place in early 2014 and may have been involved in the November 2014 compromise of dozens of hidden services. How often is best to physically move the hidden service is an open question; it may be anywhere from a few days to a few weeks. My best guess right now is that the sweet spot will be somewhere between 30 to 60 days. While this is an extremely inconvenient timeframe, it is much less inconvenient than a prison cell. Note that it will take approximately an hour for the Tor network to recognize the new location of a moved hidden service.


Conclusion

Anonymity is hard. Technology alone, no matter how good it is, will never be enough. It requires a clear mind and careful attention to detail, as well as real-world actions to mitigate weaknesses that cannot be addressed through technology alone. As has been so frequently mentioned, the attackers can be bumbling fools who only have sheer luck to rely on, but you only have to make one mistake to be ruined.

The guidelines I have given above are intended to make it harder, more time-consuming and more expensive for attackers to locate you or your service, and whenever possible to give you warning that you or your service may be under attack.

We call them "advanced persistent threats" because, in part, they are persistent. As the US attorney Preet Bharara said announcing the Silk Road 2.0 raid, "We don't get tired." They won't give up, and you must not.


Further reading

  • Chatting in Secret While We're All Being Watched Mostly good advice from one of the journalists who communicated with Edward Snowden. The only part I can really disagree with is the possibility of using your existing operating system or smartphone for communication. As we've seen already, this cannot be done safely, and you must prepare a computer with something like Whonix or Tails.
  • Selected Papers in Anonymity An extensive collection of anonymity-related research, some of which has been presented here. Go through this to get a feel for just how difficult remaining anonymous really is.
Michael Hampton
  • 3,877
  • 1
  • 22
  • 32
  • 21
    The key thing to take away here is that if you are trying to hide something, it's not a matter of hiding your IP address. It's a matter of completely and totally isolating your "main" identity from the identity that is doing what you want to hide. For this, TOR is merely a (effective) tool which must be combined with several others. It remains effective, as always, for its part of the solution: making it hard and expensive to discover your location at any given time. – Falcon Momot Oct 08 '13 at 03:56
  • 6
    Absolutely superb answer. Anonymity is not just *hard* - theoretically-secure (`1/N`) anonymity is *incredibly bandwidth expensive*; hence the trade-offs and warnings that Michael has described. – LateralFractal Oct 16 '13 at 06:40
  • 4
    The only thing not covered that I can currently think of is state run video cameras. Some areas (ie: the UK) are absolutely covered with them. If they can identify a few locations which have video coverage where a known account has been accessed then they might be able to piece together who was there. Other than that this was a great introduction to just how paranoid someone needs to be in order to even attempt to be anonymous. – NotMe May 29 '14 at 00:42
  • 1
    @ChrisLively How to deal with pervasive video surveillance would make a whole question and answer in itself. And this one is running out of space... – Michael Hampton May 29 '14 at 01:31
  • I wonder if @MichaelHampton is a real identity :) – Umair A. Aug 06 '14 at 14:24
  • @Neutralizer Well, before I went into IT, I was a funk guitarist. No, wait, _punk_ guitarist. Then I did some pitching for the Braves... – Michael Hampton Aug 07 '14 at 03:27
  • @Demi It depends. What is your threat model? This post assumes that an advanced persistent threat, generally a nation state, will be launching targeted attacks at the Tor user. It is written that way because the OP asked for exactly that. If you face different threats, then you might get away with not doing all of this, but exactly what you don't need to do varies depending on the threats you face. – Michael Hampton Oct 02 '18 at 03:42
  • How much of this is needed if one does NOT consider high-level adversaries to be part of the threat model? I suspect that some use Tor for much, much more mundane purposes, perhaps to prevent companies from tracking them in light of recent data breaches. Such users are unlikely to be anywhere near as paranoid, and might not be capable of it. – Demi Oct 02 '18 at 03:43
20

I think it's important here not to overstate the capabilities of the various Three Letter Agencies with regards to identifying Tor users. The very first slide notes that they "...will never be able to de-anonymize all Tor users all the time". This means that the fundamentals of Tor are sound.

The slide then goes on to note that "...with manual analysis we can de-anonymize a very small fraction of Tor users..." (emphasis theirs), followed by a list of methods.

A quick look at the "laundry list" as it's called doesn't indicate anything new. No vulnerabilities in the protocol, no attacks against TLS. All the attacks mentioned are well-known. In my opinion, these are the major ones:

1) EPICFAIL (aka mistakes made by the User). These include things like posting your actual email address on a message board while using Tor (this is one of the mistakes cited in the takedown of the Silk Road site). Solution: Requires constant vigilance from the user!

2) Timing attacks, traffic analysis, malicious exit nodes. Solution: Not much that an individual user can do. The community as a whole can help by contributing to the Tor network - by using Tor, running relays, exits, and donating. More Tor users makes it harder to identify any individual users. Running "authentic" relays and exits means attackers need more malicious nodes to be effective.

3) Residual/side channel attacks. These include things like malicious Java apps, cookies that exist post-Tor use, and other attacks that leverage standard browser behavior (or browser exploits) to leave or detect traces of what a user did while using Tor. Solution: Disable Java and Javascript (and perhaps other browser plugins like Flash), and never use your usual computer on Tor. Use something like Tails, and/or obliterate all traces of the Tor system after each use (e.g. DBAN).

Yes, this is a lot of effort, and entails giving up huge amounts of convenience in favor of gaining security. Tor users of interest are defending against very well-resourced adversaries. Defenders need to succeed at blocking every attack. Attackers only need to get lucky once. Well-resourced attackers can afford to try many different types of attacks, over a long period of time.

The only defense is constant, expensive vigilance.

scuzzy-delta
  • 9,303
  • 3
  • 33
  • 54
  • 3
    Timing attacks and traffic analysis are *confirmation* attacks, used to verify a suspected match between a user and a server access. Even for the three-letter agencies, running a timing attack against the entire world is too much effort, so you can gain some protection by not doing anything that would cause them to suspect you are the user accessing a specific server. – Mark Feb 01 '14 at 11:31