Tor2016

From DevSummit

What happens when you go to a website

  • go to browser
  • put in URL
  • request goes to:
    • internet service provider
    • domain name server
    • actual server

What are threats here?

  • ISP can see traffic (your ip, what ip you're trying to visit)
  • DNS server can see same information

What happens w/ Tor

  • request to ISP is encrypted
  • then through a series of relays before it hits an exit node and then passes on to application server at which request is targeted
  • each relay knows the next destination, but nothing more (entry node knows origin but not destination, exit node knows destination but not origin, etc...)
  • exit node makes UDP request to DNS server for application server URL -> IP lookup
  • routes are randomized
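
A simplified model of the layering described above, added here as an illustration (not code from the session or from the Tor project). The relay names, keys and addresses are constructed, and the SHA-256 keystream is a toy stand-in for Tor's real circuit cryptography.

```python
import hashlib
import json

def xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Stand-in for Tor's real crypto."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def build_onion(path, request: bytes, destination: str) -> bytes:
    """Client side: wrap the request once per relay, innermost (exit) layer first."""
    blob, next_hop = request, destination
    for name, key in reversed(path):
        layer = json.dumps({"next": next_hop, "payload": blob.hex()}).encode()
        blob = xor_layer(key, layer)
        next_hop = name
    return blob

def peel(key: bytes, blob: bytes):
    """Relay side: remove exactly one layer; learn the next hop and nothing else."""
    layer = json.loads(xor_layer(key, blob))
    return layer["next"], bytes.fromhex(layer["payload"])

def route(path, request: bytes, origin: str, destination: str):
    """Carry the onion along the path, recording what each relay can observe."""
    blob, prev, views = build_onion(path, request, destination), origin, {}
    for name, key in path:
        next_hop, blob = peel(key, blob)
        views[name] = {"sees_from": prev, "forwards_to": next_hop}
        prev = name
    return views, blob

# Constructed sample: relay names, keys and addresses are made up for the demo.
PATH = [(n, hashlib.sha256(n.encode()).digest()) for n in ("entry", "middle", "exit")]
ORIGIN, DEST = "198.51.100.7", "example.org:443"
REQUEST = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"

if __name__ == "__main__":
    views, delivered = route(PATH, REQUEST, ORIGIN, DEST)
    for relay, view in views.items():
        print(relay, view)
    print("delivered intact:", delivered == REQUEST)
```

The payload the exit peels off is the request itself, so anything not encrypted end to end is readable at the exit.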

What is the purpose of Tor?

  • started as way to hide origin of traffic on internet
  • wasn't focused on topic
  • just focused on origin/identity
  • more computation is off-loaded to client now than when tor invented
  • as a result, running software can find out a lot more about you (info from microphone, etc...)
  • data mining drives development of high percentage of software we use
  • tor didn't originally mitigate against exposed DNS lookups
  • therefore tor has had to evolve a lot to keep up w/ changing technology
  • tor used to be about anonymity
  • has evolved into best tool for censorship circumvention
  • 2009 iran, 2011 egypt catalyzed this movement
  • usage heavy in bahrain, west bank -> places US doesn't want to help
  • security v. anonymity
    • security is not about obscurity, anonymity *is*

How does the political terrain impact Tor?

  • funders want to target X country, not Y country
    • BUT the tool can't differentiate between "good" and "bad" actors
    • regardless: "anonymity needs crowds", "you need pigs and perps"
    • by protecting *everyone*, you protect the specific people you care about
    • store data half in N Korea, S Korea (etc...)
  • obscurity network relies for its efficacy on being populated by a complicated network of conflicting antagonists

On Trust

  • does everyone know what a VPN is? (Yes! "virtual private network", routes traffic through a proxy server)
  • a tool that's good for a lot of things is not pluggable/flexible (unix philosophy)
  • VPN isn't flexible
  • VPN is weak because it requires trust
    • chinese activists ran VPN service on west coast, resold anonymized data of users
    • (and it's basically impossible to anonymize data)
    • if i'm a malicious nation-state, i want to set up VPNs all over the place (they're a great honeypot)
  • Tor requires no trust
    • don't trust any provider who requires you to trust them to be safe
    • trust you are safe because it's impossible to expose you
    • we need to insist on anonymity by design, not by promise

Network Mechanics

  • protocols: TCP, UDP etc..
    • tor is for TCP
    • aims to be low-latency
    • not instantaneous, but quick(ish)
    • 7,000 relays, most run on linux
    • overconcentrated in w. europe & u.s.
    • far too few in heavily wired places like japan, s. korea, malta

What can we do?

  • use tor browser
  • use tor-enabled chat programs (pidgin, tor chat, tor messenger)
  • run a relay node
  • run a bridge node for people in other countries, encourage friends in other countries to run a bridge node for people in US
  • run a hidden service

Attacks

  • correlate traffic by running lots of entry nodes, looking for same IP address
  • timing attacks on when request enters and leaves network
  • tor topography fluctuates on a daily basis, b/c competing actors are making moves/counter moves to control network
  • most countries attacking tor usually using US-made tech (bluecoat, cisco, juniper)
  • most common state-level attacks:
    • large-scale traffic monitoring
    • futz with certs
    • block ports
    • deep packet inspection
  • deep packet inspection
    • use-case: circumvention
    • censors can't tell what (blocked) site you're trying to visit, but can easily tell you're using tor (by (1) recognizing protocol signature in packets, (2) seeing address of relay node in request)
    • defense: transform traffic to make it look like normal web traffic
    • "pluggable transports"
    • -> identify nodes and block them
  • detecting guard relay
    • middle relays get switched up a lot, but guard relay (entry) does not
    • so is this guard relay actually trustworthy? relies on reputation system
  • TLS/SSL are weak
    • because their guarantees rely on us trusting certificate authorities
    • most of which aren't very trustworthy
  • how does pluggable transport work? (making request to entry node look like normal http traffic)
    • both request origin and guard relay have a shared secret
    • how do we exchange the shared secret? BRIDGES!
    • bridges are out-of-band webpages that are provided in batches when you first want to make a request, or you can write email to request URLs for bridges

Practical things we can do

  • if you're part of an organization, with someone you trust to run a relay, DO IT and route traffic through it
  • if we know people overseas, start setting up bridges w/ IPs & fingerprints for servers so we can help with circumvention when/if heavy censorship
  • hidden services for the rest of us!
    • any service that can be run on TCP can be run as hidden service
    • design principle: for web ditch dynamic web 2.0 -> write static websites
    • for servers go simple & small:
      • tiny httpd
      • simpler the better
      • don't go near javascript, NO CLIENT SIDE LOGIC, FRONTEND FRAMEWORK
      • assume it will be broken, if server is broken, don't compromise users
    • these can be safe repositories for information for organizing
    • some friction (requires tor browser, weird URLs) but it's worth it
  • example use case
    • at-risk people wanted to run an easy-to-use blog
    • so... they embedded wordpress in a hidden service
    • admin backend can only be accessed as an onion service
    • then it spits out static html, which is exposed on the public internet
  • why should we run a tor relay?
    • because it makes tor stronger
    • if we have small group of people who trust each other (an affinity group), then we can have almost absolute trust in this entry node, even better if you publish it so e are
    • configure tor browser to always use this particular entry node, or pluggable transport
    • if you have to introduce trust, don't trust tech, trust people you actually trust
  • what is a safe way to run a relay?
    • hard server in a data center that you can access
    • can get hardware for $100: look at pcengines.ch - alix boards, APU boards, raspberry,
  • is it worth using tor on mobile
    • no, if you think you're getting anonymity (mobile provider tracks where and who you are -- through pings to cell towers, etc...)
    • yes, if it is valuable to make it impossible to correlate browsing history with record of who and where you are
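
One way to apply the hidden-service design principles above (static site, tiny httpd, no client-side logic, assume the server will be broken), as an added example that is not from the session. The port, the `./public` directory and the torrc directory path are assumptions.

```python
import functools
import http.server

# Matching torrc lines (the directory is a placeholder path):
#   HiddenServiceDir /var/lib/tor/static_site/
#   HiddenServicePort 80 127.0.0.1:8080

HARDENING_HEADERS = {
    # No scripts, frames or third-party loads: the browser runs no client-side logic.
    "Content-Security-Policy": "default-src 'none'; img-src 'self'; style-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}

class StaticOnlyHandler(http.server.SimpleHTTPRequestHandler):
    server_version = "httpd"  # do not advertise the software or its version
    sys_version = ""

    def end_headers(self):
        for name, value in HARDENING_HEADERS.items():
            self.send_header(name, value)
        super().end_headers()

    def list_directory(self, path):
        self.send_error(404, "Not found")  # never reveal directory contents
        return None

    def do_POST(self):
        self.send_error(405, "GET and HEAD only")
    do_PUT = do_DELETE = do_PATCH = do_POST

    def log_message(self, format, *args):
        pass  # keep no access log that a seized server would hand over

def make_server(directory: str, port: int = 8080):
    handler = functools.partial(StaticOnlyHandler, directory=directory)
    # Loopback only: reachable through the onion service, not the public interface.
    return http.server.ThreadingHTTPServer(("127.0.0.1", port), handler)

if __name__ == "__main__":
    make_server("./public").serve_forever()
```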

Easter Egg

lookup zooko's triangle!