back to article Unmasking hidden Tor service users is too easy, say infosec bods

Security researchers speaking at the Hack in the Box conference in Amsterdam this week have demonstrated that users of hidden services on Tor are putting themselves at risk of being identified – if an attacker is willing to put in the time and resources. The discovery is significant, because browsing hidden services had been …

  1. Steve Knox

    "legitimate sites like Facebook."

    HA!

    1. Ole Juul

      Re: "legitimate sites like Facebook."

      Despite the fact that it's sometimes used by journalists, whistleblowers, and security researchers.

  2. Geoff Campbell
    Black Helicopters

    Anonymous network developed by the US government compromised.

    Um, anyone surprised by this? Anyone?

    GJC

    1. Rol

      Re: Anonymous network developed by the US government compromised.

      So the NSA know every line of code in the Tor program, indeed some of it might have been their own handy work.

      The NSA also knows every node in the system, indeed many of those nodes are kindly supplied by themselves.

      The nodes they don't own will no doubt have been targeted with one of their many rootkits and hence is effectively owned by them.

      I have never believed any of the hidden, secret, anonymity offering routes into the web to be effective against such a determined player as the NSA or GCHQ for that matter, but for the sake of national security I'll state my preferred hat can also get the best out of a roast chicken, so all you antisocial types carry on regardless.

      1. Anonymous Coward
        Holmes

        Re: Anonymous network developed by the US government compromised.

        What the one or the many can invent, the one or the many can circumvent. That's not even a hard truth to discover as it's happened again, and again ad infinitum. At best your new widget presents a challenge if for a while. The positives to take away are you make 'em sweat (with our tax dollars unfortunately) and we get some wacking neat advances in maths.

    2. Daniel B.
      Boffin

      Re: Anonymous network developed by the US government compromised.

      Less surprised these days. Would've been surprised if this had been discovered before the Snowden affair and the Silk Road and Freedom Hosting shutdown. And even then, I was still wary on blindly trusting that hidden services are going to be 100% untraceable...

  3. Anonymous Coward
    Anonymous Coward

    excellent researech, overexcited headline

    What was shown is that a state level actor such as the NSA, _if_ they can correlate traffic for a significant number of users (not so likely, search "base rate fallacy") _and_ they can control HSdirs for a targeted hidden service, can identify users who have accessed the hidden service (but not see what they are doing). The research is quite good and appears to have demonstrated a valid weakness as well as proposing mitigations.

    As a practical matter, any five-eyes-grade agency that has active use of such a capability would be selective in applying it due to the precious value and fragility. Along the lines of breaking VPN forward-secrecy decryption using zetabyte pre-computation tables for 1024-bit group 2 DH primes. Asset is compartmentalized and line-analysts told to "not ask, not think about" how such feats are accomplished.

    One can figure out whether or not they should worry about being targeted by this sort of attack, where 99.999% of the time the answer is "no".

  4. Mark 65

    Curious

    There are ways for site operators to protect against this, however. Hidden service providers are advised to be very wary of young HSDir nodes – or even better, to run their own HSDir nodes, which has the benefit of also providing a warning if other HSDir nodes try to attach themselves to the service.

    I'm not sure I'd like the idea of Facebook running its own HSDIR nodes as, given their compliance in Prism, they'd likely just be NSA nodes anyhow. I couldn't give a shit about Facebook but it serves as a valid example. It's that age old trust issue surfacing again.

    1. Charles 9 Silver badge

      Re: Curious

      But the age-old trust issue has a caveat. You have to trust someone at some point. If you go into full DTA mode, you've basically isolated yourself.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like