wiki:doc/UserThreatModels

Threat Modeling for Tor Users

Some help with figuring out your threat model, which may help you decide how (and whether) to use Tor for your specific application.

Identifying "assets"

The first step would be to identify what you're protecting, and the way to do that is to think about why you're using Tor in the first place. Generally, either--

  1. You're hiding the fact that you're talking to something.
  1. You don't want somebody on "your end" to know that you're talking to service X. For example, you don't want your mom to know you're surfing furry porn, or you don't want your government to know you're in a "subversive" Facebook group. You might be worried about--
  1. Somebody else who uses the same computer
  2. Somebody who grabs the compute or gets access to it after the fact)
  3. Somebody providing network services to you (maybe whoever runs your local building network, maybe an ISP, maybe others).
  1. You don't want site X to know who's visiting. For example, you're idly interested in how bombs are made, but you don't want to end up on the List of people who've looked up bomb making. Or you just don't want to get spam from some site.
  1. You're not necessarily trying to hide that you're using site X or site Y per se, but to hide the fact that the person talking to site X (in some context) is the same as the person talking to site Y (in some other context). For example, you don't like being tracked for targeted advertising.
  1. You're trying to get access to something that somebody is trying to block you from reaching. This means you also have information to hide: almost certainly the fact that you are doing the censored thing, and maybe even the fact that you're doing anything over Tor at all.

Identifying adversaries and capabilities

Once you know what you're protecting, you need to have some idea of whom you're protecting it from. Remember that you may have more than one potential adversary. For each possible adversary...

  1. What information are you basically giving to them for free?

For example, your ISP can see the packets you send with almost no effort, and a Web site can see that a page was visited.

In the case of Tor, be particularly careful if "they" can easily see both the network traffic you are sending and the network traffic being received on the "other end" of Tor. It's easy to connect the two by watching the timing.

  1. What other information might they be able to get with a bit more effort?
  1. What other resources do they have? Who might be willing to cooperate with them?
  1. What do they know about things outside of Tor or the Internet, that they might be able to connect with what they know about what's going on inside of Tor or the Internet?
  1. Do they already have a reason to suspect whatever information you may be trying to hide? It's usually easier to confirm a suspicion, or to narrow down to a single person from a relatively small number of possible suspects, than it is to narrow down from "anybody on the Internet could be doing this".
  1. What are they technically capable of doing?
  1. How much time and money do they have?
  1. How much are they likely to be willing to spend on you? If you're part of a class of similar people, would they be able to amortize their costs over all members of that class, and would they want to do that?
  1. Are there any constraints on their actions? Are the unwilling to do illegal things (relatively common)? Are they unwilling to admit to doing illegal things (very common, and may limit their ability to use information they find on you, which may in turn limit their desire to find it)? What laws apply to them? Can they only operate in one country?

Understanding the anonymity set

In the formal analysis of anonymity, there's a concept of the "anonymity set". That's the set of people who, from an adversary's point of view, could be the person they're trying to track. The idea is kind of oversimplified, because really it's more like each person has a certain probability of being the target, rather than being absolutely included or excluded, but it's still a useful way to view things.

The adversary's task is to get information it can use to narrow down the anonymity set. The adversary is allowed to combine information. If the adversary measures your keystroke timings and decides you're probably left handed, and sees that you're on the "ginger rights" forum and decides you're a redhead, and sees that you're usually on line during European school hours, and sees that one of its candidate IP addresses is at the European School for Left-Handed Redheads, it can take all of that into account.

If you visit a random general-purpose Web site, and your adversary is on the Web site end of the connection, then the anonymity set starts out being pretty close to "anybody on the Internet". If you visit something relatively specialized, the initial anonymity set may be quite a bit smaller.

You want to give the adversary as few ways as possible to narrow the anonymity set... and how much a given piece of information narrows the anonymity set may depend on what other information the adversary already has.

Identifying attacks and mitigations

Then you need to sit down and figure out how, specifically, they might attack you, and what you're doing about each possible attack.

This is the hard part. You really have to understand how Tor works, how networks work, and how computers work. You'll never have a complete list of possible attacks, because people are always inventing new ones. Different attacks are available to different adversaries at different costs.

Here are a few common Tor concerns. This is not necessarily a complete list of things you have to care about. Furthermore, every countermeasure I mention has limitations; they can all be defeated somehow. There is no absolute certainty; you have to deal with relative levels of risk. Understanding the relative levels of risk is what requires you to really know how things work.

Local computer attacks

  1. Could your adversary monitor what you're doing on the computer? Software keyloggers? Random spyware? Hardware keyloggers? Intel AMT? Surveillance camera pointed at the computer? Do they have constant access to the computer, or might they be able to get one-time access?

If they can really watch you constantly, the best countermeasure is to get another computer. You can use something like Tails to avoid pure software monitoring at the OS level or above, but not attacks at the underlying hardware or firmware layers.

  1. Could your adversary get access to the computer after the fact? Could they see traces of files you've downloaded, browser history, etc?

The canonical defense here is Tails... provided you can hide the Tails USB stick, and/or explain why you have it and what's on it.

  1. Could your adversary "raid" you while you're actively using the computer?

Tails provides some protection against this.

Local network attacks

  1. Can your adversary see your local network traffic?

Local network traffic normally discloses the fact that you are using Tor, because you will be sending traffic to members of a well-known set of Tor relays. If you use bridges, it gets harder to identify you as a Tor user... but your local network adversary may still happen to know about the bridge you're using. If you use a "stealth" transport like Meek, it's harder still... but there still may be stuff in the timing or "shape" of your traffic that could identify it as Tor.

  1. Can your adversary interfere with the network?

If the adversary can knock you off the network, it makes collusion and timing attacks easier. Suppose that your adversary also controls web site X and suspects that you're accessing that site. If the adversary knocks you off the network and the access stops, that tends to make the adversary more certain.

Single malicious relays

  1. Exit relays can see your traffic. If it's not encrypted, they can alter it, log usernames, steal passwords, or whatever.

For example, if you visit a Web site with plain HTTP on port 80, even over Tor, the final traffic sent to the site from the exit relay is not encrypted. It can't be, since the final Web server isn't prepared to participate in any encryption. A lot of people's webmail usernames and passwords got exposed that way on one very public occasion, and I'm sure it's happened many other times as well.

Countermeasure: Always use cryptography on top of Tor. For the Web, that means "https", not "http". Actually, do that even if you're not using Tor. Note that this does not apply for ".onion" domains; traffic to Tor hidden services is encrypted end-to-end.

See also "Global and collusion attacks"

Remote attackers

  1. Does your adversary get information directly from your activities?

Obvious example, if you log into Web site using an account, the Web site can instantly connect that with everything else that's been done using that account. If you use the same account once over Tor and once over the clearnet, the site can connect your Tor activities with your clearnet IP address. More subtly, because the site can assume it's the same person every time the account logs in, it may be able to figure out things like your time zone, becuase you're unlikely to log in in the middle of the night.

... and of course if you post information like your location or personal description or interests, that can be combined with other information from the clearnet.

The main countermeasures here are not to disclose things and not to let any one thing you do be linked with any other thing you do... but that may mean you can't do whatever is leading you to use Tor in the first place. At a minimum, you need to have a general idea of what you are and are not disclosing to each potential adversary, and what that might allow them to infer about you.

  1. Can your adversary infect you with malware?

For example, suppose you visit a Web site over Tor, and suppose the site operator, or somebody who's managed to take over the site, wants to identify you. The site can try to exploit browser bugs to run code directly on your computer. Then it can send the adversary any information that's available to that code, which generally means anything available to the browser, which generally includes things like your real IP address.

The same applies if you download, say, a PDF or a video file that manages to exploit a bug in the PDF viewer or the video viewer.

Countermeasures are things like

  1. Running in Whonix (so that malware has to break out of a relatively strong sandbox to get things like your real IP address).
  1. Disabling JavaScript
  1. Viewing downloaded files on completely offline computers
  1. Does your software leak?

The programs you use to communicate over Tor may accidentally send out information you don't want sent. That's especially true if those programs don't normally consider that kind of information to be private.

For example, P2P file sharing clients may very well send your local "real" IP address to the network. Even browsers may do things like this; as an example of that, WebRTC leaks local IP addresses by default.

The mitigations here are to expose as little software to the Internet as possible, to make sure you know what that software is doing and what it's disclosing, and to use things like Whonix to avoid that software having the information to disclose in the first place.

Global and collusion attacks

Any adversary who can watch enough traffic at enough places for long enough can beat Tor. The only countermeasures are to reduce your traffic (possibly to zero) and to eliminate regular patterns (like never visting the same site twice).

The important part here for your threat model is to try to figure out whether you think you're worth the trouble for the sorts of adversaries that might be capable of doing these attacks.

Global adversaries

Imgagine that you're an adversary who can see all Internet traffic except traffic internal to the Tor network (by which I mean the traffic between Tor relays).

Now, imagine that every morning, you see Alice make a Tor connection. And imagine that, exactly one network delay later, a connection always comes out of the Tor network to Bob's Web site. If Alice connects at 8:15, Bob gets a connection at 8:15. If Alice connects at 8:21, Bob gets a connection at 8:21. Once in a while, Alice is sick and doesn't connect; when that happens, there's one less Tor connection than usual to Bob's site. If you DoS Alice, no connection to Bob.

If that goes on for a year, it's really, really obvious that Alice uses Bob's site. You may have to collect, store, and analyze a gargantuan amount of information, but if you do so, you can make the inference. You may or may not be able to make the inference if Alice connects just once, but if she keeps it up, you'll know.

If you can also see the traffic between the relays, all the better for you.

You are what we call a "global passive adversary". Some people think the NSA is one, or is close to being one. Others don't. We're talking about doing a lot of computation on a lot of data. It's probably not feasible. Probably.

Limited views

Even if you're not global, you may be close enough. Suppose that you happen to be both Alice's and Bob's ISP. You will still see the same connections. Alice will connect to some Tor relay, and some other Tor relay will connect back to Bob. If you do the work to do the correlation, you will still deanonymize Alice's connections to Bob. And if they're not encrypted, you'll see what Alice is doing, too.

Or suppose that you're the NSA, but it turns out you're not really a global adversary, because you can't afford to collect or process everything. Nonetheless, if Alice is a known member of Alice Qaeda and Bob is a suspected member of Bobko Haram, you may still collect and analyze their traffic. In that case you'll still figure out that Alice is talking to Bob.

One could even imagine that all Tor traffic might qualify for collection. That's a lot less than all Internet traffic. And you don't necessarily have to collect the content; just the timing could be enough.

Relays again

One way to get a view of a lot of Tor traffic, specifically, is to run Tor relays. If you run multiple Tor relays, you may get lucky: a connection may enter through one of your relays, and exit through another. That may give you enough information to suspect who's talking to whom (and even know what they're doing, if it wasn't encrypted).

Once you have the suspicion, you may be able to confirm it outside of Tor, or you may run enough relays, and be lucky enough, that you see a really strong pattern of activity.

Tor does have one real technical countermeasure here: the entry guard system. Tor tries to use the same entry node for a long time, to reduce the number of chances an adversary has to get lucky and be on both ends of a connection. However it cant be perfect. Guards do change from time to time, and you could always get unlucky and have your adversary be your entry guard.

There was a credible rumor just last week that somebody was trying to set up a ridiculous number of relays and have them marked as eligible to be guards, so there's a real risk of real attacks. Whether such an attacker would be interested in you takes you back to the assets and attackers part of your threat model.

Last modified 10 months ago Last modified on Dec 25, 2019, 4:25:11 AM