Tor Stinks: Traffic Analysis Methods Get More Public Light via HackerFactor

grarpamp grarpamp at gmail.com
Thu Sep 17 01:21:10 PDT 2020


https://www.hackerfactor.com/blog/index.php?/archives/896-Tor-0day-Finding-IP-Addresses.html
https://www.hackerfactor.com/blog/index.php?/archives/890-Tor-0day-Replying-to-the-Tor-Project.html
https://www.hackerfactor.com/blog/index.php?/categories/19-Tor


Hackerfactor...
"
I read off the address: "152 dot" and they repeated back "152 dot".
"19 dot" "19 dot" and then they told me the rest of the network
address. (I was stunned.) Tor is supposed to be anonymous. You're not
supposed to know the IP address of a hidden service. But they knew.
They had been watching the Tor-based DDoS. They had a list of the
hidden service addresses that were being targeted by the attack. They
just didn't know that this specific address was mine.
As it turns out, this is an open secret among the internet service
community: You are not anonymous on Tor.

As mentioned earlier, the Tor Project claims to protect against "an
adversary who can observe some fraction of network traffic." I've
shown that they do not protect against someone with a God's eye view,
or even someone who controls 10% of Tor guards along with some of the
exit nodes. So how small does "some fraction" need to be for Tor to
actually provide protection? What if the adversary only controls one
(1) guard and nothing else?

Just because the vendor says an exploit is out of scope, doesn't mean
it isn't a problem. (The Tor Project explicitly says that Tor provides
protection against "traffic analysis" and "prevents websites and other
services from learning your location" from an adversary "who can
operate onion routers of his own". So using traffic analysis from one
hostile guard to identify the location of a hidden service doesn't
seem to be out of scope.)

These exploits represent a fundamental flaw in the current Tor
architecture. People often think that Tor provides network anonymity
for users and hidden services. However, Tor really only provides
superficial anonymity. Tor does not protect against end-to-end
correlation, and owning one guard is enough to provide that
correlation for popular hidden services.
"

Tor Project ignores, kicks out, and censors people
for informing its users and the world of embarrassing facts...
like this falseness still on the frontpage...

"
DEFEND AGAINST SURVEILLANCE
Tor Browser prevents someone watching your connection from knowing
what websites you visit. All anyone monitoring your browsing habits
can see is that you're using Tor.
"

While Tor Project was partying...
https://blog.torproject.org/welcome-new-tor-board-members

It did not report that all its mailing lists, blogs, etc. are
arbitrarily censored...
https://blog.torproject.org/anti-censorship-august-2020
https://blog.torproject.org/anti-censorship-challenges-priorities-progress

Or tell its funders what Tor can and cannot do...
https://blog.torproject.org/tor-project-membership-program


Many software packages and projects do some things quite well, other
things not so well. Be informed on the range of all those things.

