Reefa Posted May 31, 2015

Updated

Security researchers speaking at the Hack in the Box conference in Amsterdam this week have demonstrated that users of hidden services on Tor are putting themselves at risk of being identified – if an attacker is willing to put in the time and resources.

The discovery is significant, because browsing hidden services had been thought to be more secure than the more typical practice of using the Tor network to browse the open web anonymously.

Not so, say Filippo Valsorda, a member of CloudFlare's security team, and George Tankersley, an independent researcher. In their presentation, the pair showed that it's surprisingly easy to subvert anonymous access to a hidden server – and thus possibly identify a user of that server – if you're sneaky about it.

That's bad, because hidden services are operated not just by dodgy sites like the Silk Road but also by legitimate sites like Facebook. Tor often hits the headlines for enabling things like online drug souks and other criminal operations, when it can be and is used by journalists, whistleblowers, security researchers, and anyone who values their privacy, to exchange information and surf the web anonymously.

"If you run a hidden service that does not need location hiding, you are unnecessarily exposing your users to this risk," the researchers said. "It would probably be better to let them use Tor on your TLS-enabled clearnet site."

When using Tor to browse the open web anonymously, you log into an entry point server and then your traffic is rerouted and fed out of an exit server, disguising your IP address. The weakness in this approach is that it would technically be possible to run enough rogue entry and exit nodes to link where users hop onto the Tor network to where they hop off.
It would require massive resources and for Tor operators not to notice, but it's possible.

Hidden services eliminate this possibility, because all traffic stays within the Tor network itself. There's no exit node to link to an entry node, which is why using hidden services is thought to be more secure.

Hidden services require the use of HSDir (hidden service directory) nodes to operate, two sets of three apiece. These nodes manage connections to the hidden service, and it only takes four days of continuous operation for an HSDir node to be considered "trusted."

The two suggest an attacker could identify users' connections by running rogue HSDir nodes themselves, something that had been thought hard but is actually relatively easy and computationally cheap to do. To demonstrate, they set up such nodes and then successfully convinced Facebook's hidden service to accept most of them as its HSDir providers.

"You can substitute a malicious HSDir (which we demonstrated are much easier to become) instead of an exit node in that process," Tankersley told The Reg.

"Since HSDirs can serve that purpose, but are more weakly protected than exit nodes, it is easier to attack hidden service users in this way than people who are just connecting to normal websites through Tor."

"Since this is quite counterintuitive, we thought people should know about it. But you still need control of something on the "entry" side of the connection before you can identify anyone."

There are ways for site operators to protect against this, however. Hidden service providers are advised to be very wary of young HSDir nodes – or even better, to run their own HSDir nodes, which has the benefit of also providing a warning if other HSDir nodes try to attach themselves to the service.

The researchers have released software tools to help spot dodgy HSDir nodes and they say that a proposed change to the Tor software for hidden services could stop this kind of correlation attack.
A spokesperson for the Tor Project could not be reached for comment.

In the meantime, caveat empTor. ®

Updated to add

Kate Krauss, Tor's director of communications, told us after the publication of this article: "We exist to safeguard users. If we ever do have an attack that threatens our users, we will publish a blog post about it on our web site and then tweet it @TorProject to make sure that lots of people see it."

http://www.theregister.co.uk/2015/05/30/researchers_claim_tracking_hidden_tor_services_is_easy/
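The operator-side check the article mentions (being wary of young HSDir nodes), sketched as an added example; it is not from the article or from the researchers' released tools. It assumes the service's descriptor IDs and a relay list with fingerprints and first-seen times are already in hand, that the responsible HSDirs are the three relays following each descriptor ID on the fingerprint-ordered ring, and a 30-day "young" threshold; every relay and ID below is constructed.

```python
from bisect import bisect_right
from datetime import datetime, timedelta

# Constructed sample data: HSDir-flagged relays (fingerprint, nickname, first seen).
RELAYS = [
    {"fingerprint": "1" * 40, "nickname": "relayA", "first_seen": datetime(2014, 1, 10)},
    {"fingerprint": "3" * 40, "nickname": "relayB", "first_seen": datetime(2015, 5, 26)},
    {"fingerprint": "5" * 40, "nickname": "relayC", "first_seen": datetime(2013, 6, 1)},
    {"fingerprint": "7" * 40, "nickname": "relayD", "first_seen": datetime(2015, 5, 25)},
    {"fingerprint": "9" * 40, "nickname": "relayE", "first_seen": datetime(2012, 3, 3)},
    {"fingerprint": "b" * 40, "nickname": "relayF", "first_seen": datetime(2014, 11, 20)},
    {"fingerprint": "f" * 40, "nickname": "relayG", "first_seen": datetime(2015, 5, 27)},
]
# Constructed descriptor IDs, one per replica ("two sets of three apiece").
DESCRIPTOR_IDS = ["2" * 40, "c" * 40]


def responsible_hsdirs(descriptor_id, relays, per_replica=3):
    """Relays whose fingerprints immediately follow descriptor_id on the ring."""
    ring = sorted(relays, key=lambda r: r["fingerprint"].lower())
    fingerprints = [r["fingerprint"].lower() for r in ring]
    start = bisect_right(fingerprints, descriptor_id.lower())
    count = min(per_replica, len(ring))
    # Modulo handles wrap-around past the highest fingerprint.
    return [ring[(start + i) % len(ring)] for i in range(count)]


def flag_young_hsdirs(descriptor_ids, relays, now, min_age=timedelta(days=30)):
    """Return (replica, nickname, age_in_days) for each responsible HSDir
    that first appeared less than min_age ago (threshold is an assumption)."""
    flagged = []
    for replica, descriptor_id in enumerate(descriptor_ids):
        for relay in responsible_hsdirs(descriptor_id, relays):
            age = now - relay["first_seen"]
            if age < min_age:
                flagged.append((replica, relay["nickname"], age.days))
    return flagged


if __name__ == "__main__":
    for replica, nickname, days in flag_young_hsdirs(
            DESCRIPTOR_IDS, RELAYS, now=datetime(2015, 5, 31)):
        print(f"replica {replica}: {nickname} is only {days} days old")
```

A relay that shows up as young in both replicas, as relayB does here, is the pattern an operator would want to look at first.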
DLord Posted June 1, 2015

Wow, and I considered Tor to be a trustworthy and secure service! :wtf:

One more reason to not easily trust such services and VPNs.
steven36 Posted June 1, 2015

Using TOR + VPN in layers is still very effective, as if they could get your IP through TOR they would have to get past both if using a good VPN encrypted with 256-bit AES. It's going to be 100s of times harder for them to figure you out. Using nothing at all you are 100% exposed to hackers and anti-piracy trolls.

This article doesn't have anything to do with normal users of Tor, no way. It's about people who run sites, legal and illegal, on Tor; hidden services are not really safe. People use vulnerabilities a lot of times as an excuse to not protect their privacy at all. But just beefing up your protection in layers is the best known method if you're that worried about it.
DLord Posted June 1, 2015

Well, can't argue with that. But consider: if one can unmask Tor and trace your IP beyond that, would it be too difficult to get past a VPN? I'm not mentioning this to discourage people from using privacy tools, but one has to be realistic, especially when doing something illegal like you said. After all, we cannot give people a false sense of security without mentioning that for intelligence agencies and law enforcement it is not that difficult to crack through a VPN and trace an IP to the source, once they bypass TOR. :think:

So like you suggested, one has to beef up his protection in layers, and that is many reliable layers. :bruce:
Archived
This topic is now archived and is closed to further replies.