
Impact of the Tor relay early attack

John Brooks edited this page Jul 30, 2014 · 4 revisions

Today, details were released about the attack against Tor users that was to be presented at Black Hat 2014. The security announcement explains that a set of relays were attacking hidden service directory requests between January 30 and July 4, ostensibly for research purposes.

For Tor users, the impact of this attack depends on four conditions:

  1. If you used a Tor client with one of these 115 relays as a guard, and
  2. Connected to, or published, a hidden service, and
  3. The hidden service used one of these relays as a directory, and
  4. You used the malicious guard to fetch or publish to the malicious directory

If all of these conditions were met, this attacker was able to link your IP address to the hidden service request. For clients, this is similar to seeing a DNS request for a website. For services, it provides reasonable proof of the actual host of a hidden service.

This attack cannot compromise the connection content. No web requests or messaging traffic were exposed.

Impact for Ricochet (or TorChat)

These tools frequently try to connect to hidden services. This makes it especially likely that any user who had a malicious guard, and ran their client frequently, would be affected.

If a user was affected by all of the conditions above, this attacker could associate the user's IP address with the attempted connection to a contact's address. If publication of the service was impacted, the attacker could associate the user's IP address with their own contact address.

The content of conversations was not compromised. It would not be possible to target any specific user with this attack.

Unlike some tools, these packages keep tor state and selected guard relays persistently. This helps reduce the number of guards the user is exposed to, and as a result reduces their chances of having been impacted by this attack.

Ricochet is not related to TorChat, and uses different designs, but they are similar for the purposes of this attack.

Motivation and implications

This attack was purportedly carried out by a CERT/Carnegie Mellon researcher, and was to be announced at the Black Hat conference. It's unclear if compromised user information was saved or shared.

This kind of research is usually not done on live networks without informing the people involved. CMU and CERT haven't commented on any steps taken to protect privacy or limit the damage of their attack, or why it was allowed to run for months without any notification to The Tor Project.

Solutions

As of July 4th, these malicious relays have been removed from the network. This attack depends on a large number of malicious relays, so careful monitoring of the network can help prevent similar problems in the future.

An update to tor was released that starts reducing the number of guard relays a user is exposed to. This is included in Ricochet 1.0.3.
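The two points above (persistent guard state in Ricochet and TorChat, and the tor update that reduces the number of guards a user is exposed to) rest on the same reasoning: condition 1 only holds if one of the guards a client ever chose was malicious, so fewer distinct guards over the attack window means a smaller chance of being affected. The following is an added example, not code from the Ricochet project or from the Tor announcement, that puts numbers on that reasoning. The 155-day window comes from the January 30 to July 4 dates on the page; the malicious fraction, the guard-set sizes and the guard lifetimes are constructed assumptions for illustration, not figures from the page.

```python
"""Added example (not Ricochet or Tor project code): a back-of-the-envelope
model of why keeping guards persistent, and holding fewer of them, lowers a
user's chance of having used a malicious guard during the attack window.

Assumptions (constructed for illustration, not figures from the page):
  - each guard choice is an independent draw, and a fixed fraction of the
    guard capacity is malicious (the page gives 115 relays but no total);
  - a client holds `guards_per_client` guards at a time and replaces the
    whole set every `guard_lifetime_days` days.
"""
import math


def exposure_probability(malicious_fraction: float, guards_seen_count: int) -> float:
    """Probability that at least one of `guards_seen_count` independently
    chosen guards was malicious (condition 1 on the page)."""
    if not 0.0 <= malicious_fraction <= 1.0:
        raise ValueError("malicious_fraction must be in [0, 1]")
    if guards_seen_count < 0:
        raise ValueError("guards_seen_count must be non-negative")
    return 1.0 - (1.0 - malicious_fraction) ** guards_seen_count


def guards_seen(window_days: int, guards_per_client: int, guard_lifetime_days: int) -> int:
    """Distinct guards a client is exposed to over `window_days`, assuming it
    replaces its whole guard set every `guard_lifetime_days` days."""
    if window_days <= 0 or guards_per_client <= 0 or guard_lifetime_days <= 0:
        raise ValueError("all parameters must be positive")
    rotations = math.ceil(window_days / guard_lifetime_days)
    return guards_per_client * rotations


# The attack ran from January 30 to July 4, 2014 (from the page): 155 days.
ATTACK_WINDOW_DAYS = 155

# Constructed scenarios: label -> (guards held at once, days before replacing them).
# A client that discards tor state on every start effectively draws a fresh
# guard each time; here we assume one start per day.
SCENARIOS = {
    "fresh guard on every daily start": (1, 1),
    "persistent set of 3 guards, 30-day lifetime": (3, 30),
    "persistent single guard, 60-day lifetime": (1, 60),
}


def compare_scenarios(malicious_fraction: float = 0.02) -> dict:
    """Guards seen and exposure probability for each scenario over the window.
    The default 2% malicious fraction is an assumed value, not from the page."""
    results = {}
    for label, (per_client, lifetime) in SCENARIOS.items():
        seen = guards_seen(ATTACK_WINDOW_DAYS, per_client, lifetime)
        results[label] = (seen, exposure_probability(malicious_fraction, seen))
    return results


if __name__ == "__main__":
    for label, (seen, prob) in compare_scenarios().items():
        print(f"{label}: {seen} guards seen, P(used a malicious guard) = {prob:.3f}")
```

The model treats every guard choice as an independent draw with replacement, which slightly overstates exposure for a persistent set of several distinct guards, but at small malicious fractions the difference is negligible. The point it makes is the one the page makes in words: the scenario that draws a new guard on every start is exposed to far more of the network than one that keeps a small guard set for weeks at a time.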

To reduce the chances of a similar attack impacting Ricochet users, and to lower load on the network, Ricochet will stop connection attempts to peers that are clearly offline.

Ricochet will be publishing roadmaps and design proposals soon, outlining ways to increase the security and anonymity of how hidden services are used. Ideas and contributions to this process would be very welcome.

Tor needs help maintaining and researching problems related to hidden services. In particular, the "next generation" hidden service proposal would have reduced the effectiveness of this specific attack.

TorChat should not be used; it is unmaintained and potentially unsafe.