Re: [tor-relays] [tor-talk] clockskewer attack
From the script (pastebin link):

#!/usr/bin/env python2.7
#
# clockskewer.py -- skewers http servers in onionland to an ip address
#
# This script takes advantage of the fact that no one
# in onionland configures their http server correctly
# by having it send datetime stamps in every response
#
# calculates the clockskew and then finds a correlating
# tor relay with an open http server with the same skew
So it actually assumes that the targeted hidden service is running a Tor relay _and_ an open HTTP server. (I've cc'd cypherpunks on this so that you don't have to keep forwarding things around, Eugen.)

On Wed, 2012-10-03 at 17:39 +0200, Eugen Leitl wrote:
----- Forwarded message from Ted Smith <tedks@riseup.net> -----
From: Ted Smith <tedks@riseup.net>
Date: Wed, 03 Oct 2012 11:09:00 -0400
To: Eugen Leitl <eugen@leitl.org>
Cc: cypherpunks@al-qaeda.net
Subject: Re: [tor-talk] clockskewer attack
The "attack" assumes that the targeted hidden service is running a Tor relay.
On Wed, 2012-10-03 at 16:52 +0200, Eugen Leitl wrote:
----- Forwarded message from Webmaster <webmaster@felononline.info> -----
From: Webmaster <webmaster@felononline.info>
Date: Wed, 03 Oct 2012 09:50:02 -0400
To: tor-talk@lists.torproject.org, tor-relays-request@lists.torproject.org
Subject: [tor-talk] clockskewer attack
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120912 Thunderbird/15.0.1
Reply-To: tor-talk@lists.torproject.org
Found some interesting news on reddit. I don't know the tech behind it, but it sounds like playing with the clock allows you to get the IP address of the hidden service.
http://www.reddit.com/r/onions/comments/10usgv/clock_skewing_a_clever_unconv... ntional_means_of/
Is this something to be worried about?
----- End forwarded message -----
-- Sent from Ubuntu
----- End forwarded message -----
-- Sent from Ubuntu
On 2012-10-03, Ted Smith wrote:
So it actually assumes that the targeted hidden service is running a Tor relay _and_ an open HTTP server.
The basic attack pattern is extensible to a relay and any service which can be correlated with each other, through any sufficiently selective metadata divulged by both services. It ain't a new one, either; I seem to remember this sort of stuff being done from at least 2008, which prolly makes the idea older since I'm not exactly a pro in the field.

The general statistical attack pattern is correlate, accumulate and intersect. The research behind Tor talks about this stuff already, and notes it cannot be stopped if we presume the relay operator leaks such correlated information. So yes, you ought to be worried -- as the operator of a hidden service.

--
Sampo Syreeni, aka decoy - decoy@iki.fi, http://decoy.iki.fi/front
+358-50-5756111, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2
On Thu, 2012-10-04 at 05:07 +0300, Sampo Syreeni wrote:
On 2012-10-03, Ted Smith wrote:
So it actually assumes that the targeted hidden service is running a Tor relay _and_ an open HTTP server.
The basic attack pattern is extensible to a relay and any service which can be correlated with each other, through any sufficiently selective metadata divulged by both services. It ain't a new one, either; I seem to remember this sort of stuff being done from at least 2008, which prolly makes the idea older since I'm not exactly a pro in the field.
The general statistical attack pattern is correlate, accumulate and intersect. The research behind Tor talks about this stuff already, and notes it cannot be stopped if we presume the relay operator leaks such correlated information. So yes, you ought to be worried -- as the operator of a hidden service.
This particular script that is currently being hyped up on Reddit as "de-anonymizing most Tor hidden servers" simply makes too many assumptions to be feasible. Yes, this sort of attack is feasible in principle, and this script will probably work if you find a hidden service that is also a relay and is also a publicly reachable HTTP server, but saying it can be carried out against most hidden services is simply false as a matter of fact. Hidden services don't need to be reachable from the Internet. They don't need to have accurate clocks. And as a result, a lot of them aren't vulnerable to a program on the Internet that is being marketed as reliably de-anonymizing hidden services.

To summarize:

* This is not a novel attack
* This particular variant of the attack ("clockskewer") is not effective against many if not most hidden services
* The people claiming it does on Reddit are scare-mongering Tor for karma, and that irritates me as someone who likes Tor and wants people who need more-secure systems to research Tor and see the stable, well-tested tool that it is, rather than hype from Reddit.

-- Sent from Ubuntu
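The measurement the script header describes (skew derived from the HTTP Date header) and the correlate/accumulate/intersect pattern Sampo describes, as an added example written for this page; it is not the clockskewer.py script and not code from anyone in the thread. It runs entirely on constructed sample responses: the host names, the observer timestamps, the Date headers and the 2-second tolerance are all assumptions. Each round is one pass of Date headers collected from the target and from relays with open HTTP servers; the candidate set from each round is intersected with the previous ones, which is what narrows the match over time.

```python
#!/usr/bin/env python3
"""Clock-skew correlation over constructed data (illustration, not clockskewer.py)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from statistics import median

TARGET = "hidden-service.onion"  # assumed name for the target hidden service


def skew_seconds(date_header, observed_at):
    """Server clock minus observer clock, in seconds, from one Date header.

    Date headers have one-second resolution, so a single sample is coarse;
    the callers below take the median of several and intersect across rounds.
    """
    server_time = parsedate_to_datetime(date_header)
    if server_time.tzinfo is None:  # "-0000" parses as naive; treat as UTC
        server_time = server_time.replace(tzinfo=timezone.utc)
    return (server_time - observed_at).total_seconds()


def skew_table(samples):
    """samples: iterable of (host, date_header, observed_at) -> {host: median skew}."""
    per_host = {}
    for host, header, observed_at in samples:
        per_host.setdefault(host, []).append(skew_seconds(header, observed_at))
    return {host: median(values) for host, values in per_host.items()}


def round_candidates(samples, tolerance):
    """Relays whose skew is within `tolerance` seconds of the target's skew."""
    table = skew_table(samples)
    target_skew = table[TARGET]
    return {host for host, skew in table.items()
            if host != TARGET and abs(skew - target_skew) <= tolerance}


def correlate(rounds, tolerance):
    """Intersect the candidate sets of successive rounds; empty set if nothing survives."""
    result = None
    for samples in rounds:
        current = round_candidates(samples, tolerance)
        result = current if result is None else result & current
    return result or set()


# Constructed data: two rounds one hour apart. The target runs +127s fast and
# drifts by ~2s/hour; relay-c drifts the same way, relay-a does not, relay-b is
# nearly on time. Only relay-c survives both rounds at a 2-second tolerance.
T0 = datetime(2012, 10, 3, 15, 0, 0, tzinfo=timezone.utc)
T1 = T0 + timedelta(hours=1)
ROUNDS = [
    [
        (TARGET, "Wed, 03 Oct 2012 15:02:07 GMT", T0),           # +127
        ("relay-a.example", "Wed, 03 Oct 2012 15:02:06 GMT", T0),  # +126
        ("relay-b.example", "Wed, 03 Oct 2012 14:59:58 GMT", T0),  # -2
        ("relay-c.example", "Wed, 03 Oct 2012 15:02:08 GMT", T0),  # +128
    ],
    [
        (TARGET, "Wed, 03 Oct 2012 16:02:09 GMT", T1),           # +129
        ("relay-a.example", "Wed, 03 Oct 2012 16:02:06 GMT", T1),  # +126
        ("relay-b.example", "Wed, 03 Oct 2012 16:00:01 GMT", T1),  # +1
        ("relay-c.example", "Wed, 03 Oct 2012 16:02:10 GMT", T1),  # +130
    ],
]

if __name__ == "__main__":
    for i, samples in enumerate(ROUNDS):
        print(f"round {i}: candidates {sorted(round_candidates(samples, 2.0))}")
    print("survivors:", sorted(correlate(ROUNDS, 2.0)))
```

The first round alone leaves two relays within tolerance; the second round, taken after an hour of drift, removes the one whose clock behaves differently. The example also shows why Ted's objection holds: a hidden service that is not also a relay with an open HTTP server never appears in the relay table at all, so there is nothing for the intersection to converge on.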