Opened 6 years ago

Last modified 9 months ago

#6473 assigned defect

bandwidth related anonymity set reduction

Reported by: proper Owned by: arma
Priority: Medium Milestone:
Component: Metrics/Analysis Version:
Severity: Normal Keywords: nickm-cares, research-ideas
Cc: proper, metrics-team Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Attack:

  • The target hosts a hidden service.
  • A linguist determines, the target is living in country X.
  • Or it's a blog about things in country X.
  • Thus, the assumption that the target's hidden service is running in country X has a high probability to be true.
  • Easy to research (example): the fastest A Mbps line is only available in a very few parts of the country. Maybe only in one city. Most people have B Mbps and a few one still an old contract with the slow C Mbps.
  • The adversary buys lots of servers in different countries, installs Tor on those servers and uses Tor as a client.
  • The adversary can build now lots of circuits from geographical diverse places and probes the server by connecting to it's hidden service. The adversary can now accumulate how much down/upload speed the hidden service can provide.
  • Thus, the adversary knows now something more about his target and if A Mbps is only available in a few places he has nailed down the amount of suspects.

Another unrelated open question:

  • Preliminary consideration: Unless stream isolation is used, exit relays can correlate different activity from one user.
  • Can exit nodes differentiate "This is the user who keeps on reading some.site with a A Mbps line vs this is the user who keeps reading some.site with a C Mbps line line?"?

Child Tickets

Change History (8)

comment:1 Changed 6 years ago by proper

Owner: set to arma
Status: newassigned

Giving this trustfully into Roger's hands to decide to encourage research, to delay this, to let this rot in trac or to close the ticket.

comment:2 Changed 16 months ago by nickm

Keywords: nickm-cares added

comment:3 Changed 14 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

comment:4 Changed 10 months ago by irl

Cc: metrics-team added

Adding metrics-team to cc

comment:5 Changed 10 months ago by arma

Answer 1: I still like my suggestion from
https://blog.torproject.org/trip-report-tor-trainings-dutch-and-belgian-police
about how to set up an onion service for this sort of situation:
"If I wanted to run a hidden service website that had a nation-state adversary, I would a) run a good solid webserver like nginx; b) run it in a VM, in a way that the VM couldn't learn its location — "no looking up its IP", but also more subtle things like "no looking up nameservers", "no looking up reachable wireless access points", etc; and then c) put that VM in a VPS running in a country that hates my adversary. That way even if somebody breaks into the webserver and breaks out of the VM, they're still faced with a frustratingly long bureaucratic step."

In particular, if you are living in country X or your site is about country X, consider not running your onion service is country X.

Answer 2: for papers related to your attack, check out these two:
https://www.freehaven.net/anonbib/#esorics10-bandwidth
https://www.freehaven.net/anonbib/#ccs2011-stealthy

comment:6 Changed 10 months ago by arma

Does nickm-cares mean nickm wants something to happen in particular with this ticket?

I've been discussing with irl about how open-ended research tickets like this aren't really well suited for trac.

comment:7 Changed 10 months ago by karsten

I'm not nickm, but when I asked him last year how much he'd mind us closing tickets in Metrics/Analysis, he added the keyword "nickm-cares" to a few tickets that he thought shouldn't be closed yet. He was fine with these tickets being moved out of the Metrics component, though. In any case, this is not something we were planning to work on soon.

comment:8 Changed 9 months ago by irl

Keywords: research-ideas added
Note: See TracTickets for help on using tickets.