Wouldn't it be relatively easy to profile Tor communications?

Discussion in 'privacy technology' started by cryptiffer, Jan 8, 2013.

Thread Status:
Not open for further replies.
  1. cryptiffer

    cryptiffer Registered Member

    Joined:
    Jan 8, 2013
    Posts:
    5
    Location:
    USA
    Hi All,

    I've been looking at Tor a lot and thinking about it quite a bit. I had some thoughts, and I'd like some opinions on this stuff.

    Tor is open source. Isn't it possible, then, to compile and execute my own Tor client that profiles the source IP, the destination IP and the payload of each packet? Following that, couldn't I trivially deploy hundreds or thousands of relays and then perform analysis on the aggregated profile data that is captured? Finally, couldn't I easily find patterns that equate to a sketch of end-to-end communications?

    The fact that everything that happens on Tor funnels through Tor (500000+ users and 3000+ relay nodes on average) gives a small, focused set of communications to analyze.

    At some point, you as a user have an IP address that is known to some node in the Tor network, otherwise there is no transmission of data. Likewise, at some point, a hidden service has an IP address that is known somewhere, otherwise, once again, there is no transmission of data. It still works over TCP/IP after all. Given this, I can imagine that it would be possible to determine that a person at IP X is accessing the hidden version of Tor mail (for example) at IP Y by using (some sophisticated version) of what I am describing above.

    Thanks for your time.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't know what this would accomplish?

    You'd profile your connection, which would appear as completely garbage information. This wouldn't help you see anyone else's information more clearly.

    How would deploying thousands of systems be trivial, let alone analyzing all of that data?

    Do you mean tracking endpoints or something? Relays? This is possible, but won't help gain access to any TOR data.

    If you control every node (or a large number) in the chain a user has set up for TOR, sure. But that's not going to be easy.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    See http://freehaven.net/anonbib/
     
  4. cryptiffer

    cryptiffer Registered Member

    Joined:
    Jan 8, 2013
    Posts:
    5
    Location:
    USA
    The information would be garbage, but that's not what I'm after. I'm after the endpoints in a set of circuits. I don't want to know what you're looking at, just who you are and where you're going. A computed fingerprint of a packet would be unique enough that it could be matched at different relays. A profile would consist of a source IP, a destination IP and the packet identifier.

    Not trivial for an individual, of course, but very much so for law enforcement or other organized groups. Virtual machines on moderately powered hardware could be used.

    I deal with so-called 'Big Data' on a daily basis. Very simple algorithms could be used to aggregate and sort this data. The profile sets coming from each relay are structured and discrete.

    Agreed. No Tor data would be available. Not really tracking endpoints, but rather, building sketches of which sites a user is going to based on analyzing the aggregated transmission profiles.

    Agreed. However, something being difficult doesn't generally stop people who want something done. Controlling any percentage of nodes would be like watching over the air television that is rife with interference. Once in a while, voices may be clear and the picture may be visible. That may be enough to identify which show you are watching.
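The disagreement between posts 2 and 4 turns on what a relay can actually see. Each hop of a Tor circuit peels one layer of encryption, so the bytes of a cell are different on every link and a content hash computed at one relay will not match the hash of the same cell at another relay; what stays correlatable across relays is timing and volume, which is exactly what the traffic-analysis papers in the anonbib link study. The following Python model is an added illustration and is not code from the thread or from the Tor Project. It uses a constructed SHA-256 counter-mode keystream in place of Tor's real AES-CTR, constructed per-hop keys, and documentation-range placeholder addresses.

```python
import hashlib
from typing import List, Tuple

# Tor relay cells carry a fixed 509-byte payload; every cell on the wire is the same size.
CELL_PAYLOAD_SIZE = 509


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256.

    Constructed for this example only: real Tor uses AES-CTR with keys
    negotiated per hop, but any stream cipher gives the same picture.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def apply_layer(key: bytes, data: bytes) -> bytes:
    """XOR one hop's keystream onto the cell; the same call adds or removes a layer."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def pad_cell(payload: bytes) -> bytes:
    """Pad application data to the fixed cell size so cell length leaks nothing about content."""
    if len(payload) > CELL_PAYLOAD_SIZE:
        raise ValueError("payload does not fit in one cell")
    return payload + b"\x00" * (CELL_PAYLOAD_SIZE - len(payload))


def build_onion(cell: bytes, hop_keys: List[bytes]) -> bytes:
    """Client side: wrap the cell in one layer per hop, exit layer innermost, guard layer outermost."""
    for key in reversed(hop_keys):
        cell = apply_layer(key, cell)
    return cell


def wire_views(onion: bytes, hop_keys: List[bytes]) -> List[bytes]:
    """Bytes of the cell on each link: client->guard, guard->middle, middle->exit, exit->destination.

    Each relay strips exactly one layer, so the bytes it forwards differ from the bytes it received.
    """
    views = [onion]
    for key in hop_keys:
        onion = apply_layer(key, onion)
        views.append(onion)
    return views


def fingerprint(cell: bytes) -> str:
    """The kind of content hash a logging relay could compute on a cell it handles."""
    return hashlib.sha256(cell).hexdigest()[:16]


def neighbour_view(path: List[str], index: int) -> Tuple[str, str]:
    """Addresses a relay at position `index` actually sees: only its predecessor and successor."""
    return path[index - 1], path[index + 1]


def demo() -> dict:
    # Constructed per-hop keys and a constructed path; addresses are documentation-range placeholders.
    hop_keys = [hashlib.sha256(b"constructed key: " + name).digest()
                for name in (b"guard", b"middle", b"exit")]
    path = ["client 192.0.2.10", "guard 198.51.100.1", "middle 198.51.100.2",
            "exit 198.51.100.3", "destination 203.0.113.5"]
    cell = pad_cell(b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n")
    views = wire_views(build_onion(cell, hop_keys), hop_keys)
    return {
        "fingerprints": [fingerprint(v) for v in views],   # four different values, one per link
        "exit_recovers_plaintext": views[-1] == cell,       # only the exit sees the request
        "all_cells_same_size": len({len(v) for v in views}) == 1,
        "middle_relay_sees": neighbour_view(path, 2),       # guard and exit, never client or destination
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and the four fingerprints are all different while the exit recovers the original request, which is why a packet identifier cannot be joined across relays the way post 4 proposes. A relay operator who logs only sizes and timestamps still learns something, and it is that metadata, not content hashes, that end-to-end correlation research is about.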
     
  5. cryptiffer

    cryptiffer Registered Member

    Joined:
    Jan 8, 2013
    Posts:
    5
    Location:
    USA
    Looks like a fantastic resource, thank you. Any recommendations on articles to start with that would speak directly to my thoughts?
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Thanks. Although I'm not qualified to recommend particular articles, starting with work from the Tor Project would be good. And you could ask on the tor-talk list. They're quite friendly.
     
  7. Computer N00bie

    Computer N00bie Registered Member

    Joined:
    Jan 11, 2013
    Posts:
    2
    If you want to make your Tor communications as difficult to profile as possible, this is what you should do.

    Only simultaneously browse one webpage/tab with each Tor Browser Bundle. Never simultaneously browse more than one webpage/tab with each TBB. So if you are browsing wildersecurityforum and youtube with the same TBB, then you are doing it wrong.

    Since it is only possible to run one TBB simultaneously, then how is it possible to browse more than one tab/webpage with TBB simultaneously? The answer is by using multiple virtual machines. Each VM will contain only ONE tab/webpage contained within ONE TBB.

    To simultaneously browse multiple sites, create a new virtual machine for each tab/site contained within TBB.

    This allows you to have a separate Tor connection for each tab/site you browse, making it harder to profile your traffic.

    So if you have five webpages/tabs simultaneously opened, you will have five separate virtual machines simultaneously running.

    i.e.

    VM 1 (contains TBB with Wilderssecurity) with Arbitrary IP Address #1
    VM2 (contains TBB with Youtube) with Arbitrary IP Address #2
    VM3 (contains TBB with Google) with Arbitrary IP Address #3
    VM4 (contains TBB with Yahoo) with Arbitrary IP Address #4
    ...etc.....

    You can do this as many times as you like.

    Bottom line: Each VM will contain only one TBB. Each TBB will only contain one tab/webpage. To have multiple tabs/webpages running simultaneously, you need to create a separate VM for each TBB.

    Hope this makes sense.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    That works. And it's pretty easy with Whonix. You need two VMs per session, but the Tor gateway VMs are small. You could also do it with Qubes, using less resources, but I don't trust their Tor gateway yet.
     
  9. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803

    Whoa, don't you think that would be kind of overkill? I don't really see the reason to do so if you'd use the VPN > Tor > VPN and then TBB method. Remember, at the node you connect to you're not the only one that uses that IP, not to mention running your browser sandboxed as everybody does.

    Except that having 100 or more VMs open will eat ridiculous amounts of power and waste resources o_O, correct me if I'm wrong.
     
    Last edited: Jan 12, 2013
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Whatever "anonymity" approach you're using, VPNs or Tor or both, it's risky to visit multiple websites simultaneously. It's especially risky to be simultaneously logged into multiple websites.
     
  11. I trust Joanna, she is a true visionary. Qubes with TOR works fine.
     
  12. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    Not sure which one to use now, Whonix or Qubes. Heard about Qubes over at hacker10; it's apparently very good and more secure than Whonix since it doesn't use VMware. Then I've read this:


    imgbox.com/acgqoMdv

    Hmmm... Joanna seems to know her stuff.

    Wonder if it's as easy to set up a VPN > Tor > VPN connection with it as it is with Whonix, though Qubes can't be run from within Windows I suppose, so that's a no-go for me.
     
    Last edited: Jan 13, 2013
  13. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803

    That's odd, so the only way is to use separate VMs for every page in separate browsers even when it's the same site o_O. Could you further elaborate on this please, what's the risk and why? Thanks.
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    No, only for separate websites. Opening multiple pages from the same website is safe.

    I'll say more later about risks of accessing multiple websites simultaneously. Basically, they can know about each other, in various ways.
     
  15. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    I'll stay tuned.
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    :)

    Websites can determine whether you're logged into other websites using cross-site request scripting. See http://blog.whitehatsec.com/i-know-what-websites-you-are-logged-in-to-login-detection-via-csrf/ and https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information.

    Websites can also determine whether you've ever visited other websites using cache timing tests. This is different from the classic browsing history hole, which has been patched in all modern browsers. As I understand it, blocking this would basically require disabling caching. See http://lcamtuf.coredump.cx/cachetime/ and http://oxplot.github.com/visipisi/visipisi.html.

    That's why.
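The login-detection technique behind the first two links works because a request that one site embeds as an image or script is sent with the other site's session cookie, so the status code (or a redirect) differs depending on whether the visitor is logged in there. The model below is an added illustration, not code from the thread or from the linked posts, of the server-side defence that later became standard and that the thread itself does not name: the SameSite cookie attribute, which stops the browser attaching a session cookie to cross-site subresource requests. The site names bank.example and attacker.example and the 200/302 behaviour of /account are constructed. It does not address the cache-timing channel in the second pair of links, which is a separate mechanism.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    samesite: str  # "Strict", "Lax" or "None"


@dataclass(frozen=True)
class Request:
    target_site: str            # registrable domain the request is sent to
    initiator_site: str         # registrable domain of the page that triggered it
    method: str
    top_level_navigation: bool  # True for a link click or address-bar load, False for <img>, <script>, fetch


def cookies_sent(jar: List[Cookie], req: Request) -> List[Cookie]:
    """Model of the browser's SameSite rules for deciding which cookies accompany a request."""
    same_site = req.initiator_site == req.target_site
    sent = []
    for c in jar:
        if same_site:
            sent.append(c)   # first-party requests always carry the cookie
        elif c.samesite == "None":
            sent.append(c)   # cross-site, unrestricted (real browsers also require the Secure flag)
        elif c.samesite == "Lax" and req.top_level_navigation and req.method in ("GET", "HEAD"):
            sent.append(c)   # Lax allows safe top-level navigations only, never embedded subresources
        # "Strict" is never sent cross-site
    return sent


def account_page(cookies: List[Cookie]) -> int:
    """Constructed server behaviour: a logged-in user gets 200, anyone else is redirected to login."""
    return 200 if any(c.name == "session" for c in cookies) else 302


def cross_site_probe(jar: List[Cookie]) -> int:
    """Status code an attacker page observes when it embeds the victim site's /account as a subresource."""
    req = Request(target_site="bank.example", initiator_site="attacker.example",
                  method="GET", top_level_navigation=False)
    return account_page(cookies_sent(jar, req))


def login_state_leaks(samesite: str) -> bool:
    """True if the probe returns different codes for a logged-in and a logged-out visitor."""
    logged_in = [Cookie("session", "constructed-session-id", samesite)]
    logged_out: List[Cookie] = []
    return cross_site_probe(logged_in) != cross_site_probe(logged_out)


def first_party_still_works(samesite: str) -> bool:
    """The user's own navigation to /account must keep working after hardening."""
    jar = [Cookie("session", "constructed-session-id", samesite)]
    req = Request(target_site="bank.example", initiator_site="bank.example",
                  method="GET", top_level_navigation=True)
    return account_page(cookies_sent(jar, req)) == 200


if __name__ == "__main__":
    for mode in ("None", "Lax", "Strict"):
        print(f"SameSite={mode}: login state leaks cross-site: {login_state_leaks(mode)}, "
              f"first-party login works: {first_party_still_works(mode)}")
```

With SameSite=None the probe sees 200 for a logged-in visitor and 302 otherwise, which is the leak the linked articles describe; with Lax or Strict both visitors produce 302 because the embedded request carries no session cookie, while the user's own navigation still works. This is a fix the site operator deploys, so it complements rather than replaces the client-side separation mirimir recommends: a user cannot rely on every site they are logged into having set it.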
     
  17. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    Following dasfox's FF tweak thread can easily avoid cross-site scripting per addon; it's called RefControl, and RequestPolicy, CsLite, and having cookies disabled, only the ones you allow to be added, temporary or session or saved, and for good measure UAControl for browser spoofing. You can use the Collusion extension to see what sites are following you; the latest version is working on FF 18. Then there are others, but these are the basics. Not to mention I'd like our more experienced members here when it comes to browsers to please add some opinions to mirimir's post, please, yes that means you too dasfox, after all you've been the one tweaking and hardening FF to hell and back, some insight please, since in my opinion mirimir's approach is a bit extreme; sandboxing and using said addons plus tweaks should avoid all that without having to set up 100s of VMs including browsers for every site not belonging to the same address ;)

    http://lcamtuf.coredump.cx/cachetime


    Social networks:
    Not visited: Facebook [5+]
    Not visited: Google Plus [5+]
    Not visited: Dogster [5+]
    Not visited: MySpace [5+]

    Content platforms:
    Not visited: Youtube [5+]
    Not visited: Hulu [5+]
    Not visited: Flickr [5+]
    Not visited: JustinBieberMusic.com [5+]
    Not visited: Playboy [5+]
    Not visited: Wikileaks [5+]

    Online media:
    Not visited: New York Times [5+]
    Not visited: CNN [5+]
    Not visited: Reddit [5+]
    Not visited: Slashdot [5+]
    Not visited: Fox News [5+]
    Not visited: AboveTopSecret.com [5+]

    Commerce:
    Not visited: Diapers.com [5+]
    Not visited: Expedia [5+]
    Not visited: Amazon (US) [5+]
    Not visited: Newegg [5+]
    Not visited: eBay [5+]


    Lols, that's a bad example, doesn't even work apparently; it was last updated in 2011, lmfao. Same goes for http://oxplot.github.com/visipisi/visipisi.html

    Doesn't even work with FF.
     
    Last edited: Jan 14, 2013
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I agree that browser hardening can protect against many attacks, and maybe even against all known attacks. But web tech is constantly changing, and new features are introduced that may become vulnerabilities. There's lots of money in tracking people. But there's not so much interest in compromising VMs, except for malware developers. So that seems safer to me.
     
  19. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    Damn, where the hell is dasfox when you need him, lols. He could've added in. Well, we're gonna have to leave the VM and browser per website discussion on ice till someone other than mirimir adds in. Jesus, apparently you and me are the only people that live here xD
     
  20. Wrong. There is very much interest in compromising VMs, and governments around the world & malware writers are working hard at going hard against VMs. If you didn't know, VMware source code was leaked not long ago, so watch this space, exploits are coming.
     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK, I get that. But it is a different threat model: exploits vs pervasive profiling by websites.

    And indeed, that is Qubes' strength, as I understand it. But are there user-friendly and peer-reviewed networking modules for OpenVPN and Tor?
     