Infosec bod: I've found zero-day flaws in Tor's bridge relay defenses. Tor Project: Only the zero part is right

Neal Krawetz, a computer forensics expert, has published details on how to detect Tor bridge network traffic that he characterizes as "zero-day exploits"... which the Tor Project insists are nothing of the sort. The project provides open-source software for communicating anonymously over the internet. It works by randomly …

  1. doublelayer Silver badge

    The problems continue

    This researcher has started to demonstrate various problems in Tor, including the ones mentioned here. While the Tor project may have a pedantic way to argue that these aren't zero-days, they aren't doing very much to describe why they aren't problems. For example, I notice that they spent a lot of time stating that the researcher read a paper wrong, but don't spend very much at all showing why the algorithm he provides for detecting traffic doesn't work. They've provided a few arguments for why it might not work at scale, but they have neither disproven his methods nor proven their defense.

    It's worth reading the full blog entry, linked from the article, to see the details on detection. I also found a previous entry covering problems in the browser and direct connections to be enlightening. I don't always agree with the severity of things this researcher says--for example, in the previous entry he describes how to detect direct Tor traffic as very problematic when there's already a much easier way to do that, but it also has caused me to be more skeptical of things the Tor project says.

    1. NetBlackOps Bronze badge

      Re: The problems continue

      I seriously doubt that a small team of individuals, the TOR Project, with a small, even several million dollar budget, is going to do very well against a superpower, any of them, with a several billion dollar budget. Keep the expectations here real. Perhaps they could do a better job of addressing this individual's concerns, although it reads as though these are known issues and not at all easy to address. My comparison of difficulty, looking closely, is that it is the same difficulty as SPECTRE-class.

      1. This post has been deleted by its author

      2. disgustedoftunbridgewells Silver badge

        Re: The problems continue

        > a superpower, any of them

        A comprehensive list:

        USA

        1. sev.monster

          Re: The problems continue

          That's incredibly myopic of you.

          1. Claptrap314 Silver badge

            Re: The problems continue

            There has only been one superpower since Napoleon--and it is very debatable if Napoleonic France qualified. Whether the US still qualifies as a superpower is debatable, but no other power has had the freedom of action that the US had after the defeat of the USSR.

            1. Scott Wheeler

              Re: The problems continue

              Meanwhile, back in the real world, the term was invented to describe the USA and the USSR during the Cold War.

          2. disgustedoftunbridgewells Silver badge

            Re: The problems continue

            USA is a superpower. China is a regional power. Russia is a regional power.

            I'm not sure who else you could be arguing in favour of.

            If we're talking nuclear powers then USA, UK, France, Israel, Russia, China, North Korea, India and Pakistan and possibly others that I've forgotten.

            1. sev.monster

              Re: The problems continue

              China is most certainly at least on the path to becoming a superpower, if they aren't already broadly considered to be one. Their Silk Road project has seen Chinese influence spread across the developing world, especially in Africa. They export technology, food, medicine, and outsourced labor at an incredible rate, and as a result are able to easily exert their politics. So much is state-backed or directly controlled by the state that it would be easy to say, without reaching, that China is the most powerful government in the world, in terms of its raw assets.

              If we are OK with describing nations as superpowers in certain fields rather than as a whole, there are more that could be added to this list.

              Disclaimer: I do not support the PRC.

      3. Claptrap314 Silver badge

        Re: The problems continue

        So why did Phil Zimmerman manage to get all of that attention back in the day?

        You REALLY don't understand the nature of the problem. SPECTRE-class bugs are demonstrably unfixable in current hardware. TOR is not attempting something impossible.

    2. Graham Cobb

      Re: The problems continue

      Personally I find the comments from the Tor team persuasive: meek and obfs4 have well known detection weaknesses but the main aim is to provide Tor access behind the great firewall. As long as the GFW is not choosing to invest the level of resource that would be necessary to exploit those weaknesses to block Tor traffic, they are doing their job. So, the issue isn't whether the protocols have weaknesses, it is the need to conduct ongoing research to determine if private bridges continue to be accessible or not.

      If you can get access to a bridge you can trust, then Tor continues to protect your actual communications.

      The most significant research gap is to know whether the GFW could use these weaknesses to detect Tor use reliably enough that it could identify previously unknown activists. That would mean having a sufficiently low false positive rate that the authorities would find it worth deploying security investigators to determine if the person concerned is actually an activist.
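      The base-rate arithmetic behind the false-positive point above, as an added illustration that is not part of any commenter's post or of the Tor Project's or the researcher's material. Every number in it (population size, share of users behind a bridge, detector true-positive and false-positive rates) is a constructed assumption chosen only to show the shape of the problem, not a measurement of the GFW or of any real detector.

```python
"""Precision of a hypothetical Tor-bridge traffic detector at low base rates.

Added worked example; all rates below are constructed assumptions.
If only a tiny fraction of hosts use a bridge, even a detector with a
modest false-positive rate flags far more innocent hosts than real users,
which is exactly why the false-positive rate decides whether sending
investigators after a flagged host is worth it.
"""


def detector_precision(base_rate: float, tpr: float, fpr: float) -> float:
    """Positive predictive value: fraction of flagged hosts that are real users.

    base_rate: fraction of the observed population actually using a bridge
    tpr:       detector true-positive rate (recall)
    fpr:       detector false-positive rate on non-users
    """
    true_pos = base_rate * tpr
    false_pos = (1.0 - base_rate) * fpr
    return true_pos / (true_pos + false_pos)


def expected_flags(population: int, base_rate: float, tpr: float, fpr: float):
    """Expected (true positives, false positives) when scanning `population` hosts."""
    true_pos = population * base_rate * tpr
    false_pos = population * (1.0 - base_rate) * fpr
    return round(true_pos), round(false_pos)


def max_fpr_for_precision(base_rate: float, tpr: float, target_precision: float) -> float:
    """Largest false-positive rate that still achieves `target_precision`.

    Solves tp / (tp + fp) = target for fp, then converts fp back to a rate
    over the non-user population.
    """
    true_pos = base_rate * tpr
    false_pos = true_pos * (1.0 - target_precision) / target_precision
    return false_pos / (1.0 - base_rate)


if __name__ == "__main__":
    # Constructed scenario: 100 million hosts, 1 in 10,000 behind a bridge,
    # a detector that catches 90% of them and misfires on 0.1% of everyone else.
    population = 100_000_000
    base_rate, tpr, fpr = 1e-4, 0.90, 1e-3

    ppv = detector_precision(base_rate, tpr, fpr)
    tp, fp = expected_flags(population, base_rate, tpr, fpr)
    print(f"precision {ppv:.3f}: {tp} real users flagged alongside {fp} innocents")

    # How good would the detector have to be for a coin-flip chance per flag?
    needed = max_fpr_for_precision(base_rate, tpr, 0.5)
    print(f"for 50% precision the FPR must be at most {needed:.2e}")
```

      Under those constructed rates roughly nine thousand real users are flagged alongside about one hundred thousand innocents, so fewer than one flag in ten is worth an investigator's time; the false-positive rate has to drop to about the base rate itself before half of the flags are real. The same calculation applies to any network detector run over a population where the behaviour of interest is rare.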

      1. doublelayer Silver badge

        Re: The problems continue

        Which is what the researcher is claiming. Whether they already do so isn't known, but he alleges that it is feasible. Given the level of expense the Chinese government has already taken to provide censorship, they clearly believe it is useful to perform such scans. My guess is that they either already are taking actions to block or identify Tor usage or they believe few of their citizens use it. I'm not sure which it is, but the former makes more sense to me.

        1. Graham Cobb

          Re: The problems continue

          Yes and no. The current (limited) research suggests that private (unlisted) bridges are not being blocked by the GFW. Which means that the Chinese are not, at least, scanning and acting on these results to block the bridges.

          They might be scanning and acting on the results to track down the activists but there has been no evidence of that, so far. My best guess is that they are not bothering: really determined activists will always work harder to hide - they just need to make sure they are blocking the 99.99 % who just install Tor and try to run it (without having a "partner" outside the firewall running an unlisted bridge).

          But this is why it would be good to have ongoing research to help understand whether even stronger pluggable transports are necessary/useful.

    3. Anonymous Coward

      Re: The problems continue

      Pedantically, for something to be a "zero-day" it has to be actively exploited in the wild, before researchers discover it, or the provider is informed. If there's no evidence of exploitation by hostile actors, then they're definitely not "zero-days", they're just security/privacy issues.

      Don't let the hyperbolic "tech" media confuse you, they just latch onto any buzzword that sounds "cool" and "hackery" and apply it to anything they want to sound sensational.

      1. doublelayer Silver badge

        Re: The problems continue

        "Pedantically, for something to be a "zero-day" it has to be actively exploited in the wild, before researchers discover it, or the provider is informed."

        Even more pedantically, that's not it. The zero-day doesn't start counting up until there is a solution--something we know about and it's being used but there is no patch is still a zero-day. Now you may be correct about requiring an active exploit; the researcher claims that a zero-day exploit can be something that could be used but isn't yet known to be, while something that is known to be used is a zero-day attack. I'm not sure I buy that logic. Either way, if he is correct about these being exploitable and someone starts to exploit them while the Tor project hasn't accepted and patched them, they would become zero-days.

  2. Anonymous Coward

    zero-day?

    I struggle to take seriously someone that would refer to this as a zero-day exploit


Biting the hand that feeds IT © 1998–2020