Re: [tor-talk] How secure is a hidden service?
Tor Project sometimes censors and manages speech on its mailing lists concerning various facts, alternative points of view, free and open convo, news journalist articles, inquiry, critique of Tor Project itself, etc... perhaps some of the links below may be of interest or merit, or even be nothing but utter nonsense indeed... decide as desired.

Busts often have press releases, case docs, and community threads that can be read for info on, and suspicious gaps in stories of, how onions were found. Also look for cases that got dismissed; things can appear strange in them too.

http://dreadditevelidot.onion/post/f7f0b5bc445630301df6
https://www.gwern.net/docs/sr/2020-flugsvamp-docs-FUP_B_13010-18.tar.xz

Some of the public research and exploit whitepapers against hidden services are listed here...

https://www.freehaven.net/anonbib/

Here are some articles, blogs, threads, links to links, and so forth that may have other papers and info of interest...

https://restoreprivacy.com/tor/
http://darknetq7skv7hgo.onion/
https://old.reddit.com/r/TOR/comments/7lt954/ddos_related_deanonymization_te...
https://www.hackerfactor.com/blog/index.php?/categories/19-Tor
https://trac.torproject.org/projects/tor/ticket/19794
https://old.reddit.com/r/onions+tor/
https://lists.cpunks.org/pipermail/cypherpunks/2020-February/079289.html
https://lists.cpunks.org/pipermail/cypherpunks/2019-November/077834.html
https://www.gwern.net/DNM-arrests
https://www.gwern.net/DNM-survival
https://surveillancevalley.com/blog/fact-checking-the-tor-projects-governmen...

These two messages were replied directly to the Tor Project mailing lists; both were censored by the Tor Project and thus never appeared there for users to consider and/or talk about...

https://lists.cpunks.org/pipermail/cypherpunks/2020-February/079419.html
https://lists.cpunks.org/pipermail/cypherpunks/2020-February/079417.html

How hidden are the hidden services of any of today's overlay networks? One answer is as old as humanity... Perhaps that depends on how badly they want to find you.

On 2/22/20, Robin Lee <robinlee@mailbox.org> wrote:
On Fri, 2020-02-21 at 05:41 -0500, Roger Dingledine wrote:
On Thu, Feb 20, 2020 at 07:25:32AM +0100, Robin Lee wrote:
I'm wondering how hidden a hidden service actually is? Because last week charges were brought against Flugsvamp, a Swedish darknet drug shop. In the documents made public for the court case the police state that they were able to trace the actual IP addresses of the onion addresses. Flugsvamp had two onion addresses and the police gave different probabilities that a certain IP address was behind each.
Is it just a function of time and amount of traffic, i.e. the longer you are online and the more traffic you generate, the more probable it is to discover the true ip-address?
It's complicated.
I should start out with saying I'd never heard of Flugsvamp until your email, and I have no notion of whether they used Tor or what. That said:
Services on the internet are inherently harder to make safe than clients, (a) because they stay at the same place for long periods of time, and (b) because the attacker can induce them to generate or receive traffic, in a way that's harder to reliably do to clients.
Most identification problems with Tor users, and with onion services, have turned out to be opsec mistakes, or flaws in the application software at one end or the other. That is, nothing to do with the Tor protocol at all. But of course in the "layers of conspiracy" world we live in nowadays, you can never be quite sure, because maybe "they" used a complex attack on Tor and then covered it up by pointing to an opsec flaw. One hopefully productive way forward is to point out that even if we don't know how every successful attack really started, we know that opsec flaws are sufficient to explain most of them.
When I'm doing talks about Tor these days, I list these four areas of concern, ordered by how useful or usable they are to attackers in practice: (1) Opsec mistakes, (2) Browser metadata fingerprints / proxy bypass bugs, (3) Browser / webserver exploits, and (4) Traffic analysis.
See e.g. the original story about Farmer's Market: https://blog.torproject.org/trip-report-october-fbi-conference where at first people worried about a vulnerability in Tor, but then it turned out that the operators had been identified and located far before they even switched to using Tor.
To make this thread more productive and more concrete: can you point us to these "documents made public for the court case"? Even if they're in Svenska, they would still be useful to look at. The ones talking about probabilities of IP address I mean.
These documents are available at https://minfil.com/bbu3q0Y4ne/FUP_B_13010-18_zip
Page 103 in the file 'Stockholms TR B 13010-18 Aktbil 202.pdf' contains a short PM about the tracing.
It is a vast set of documents, but as far as I've been able to tell, identifying the VPS servers behind the onion addresses was the first step.
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
participants (1)
-
grarpamp