Tuesday, August 06, 2013

Anonymity Smackdown: NSA vs. Tor

In recent news, Tor was hacked -- kinda. A guy hosting hidden services was arrested (with help from the FBI), and his servers were changed to deliver malware that exposed users' IP addresses (with help from the NSA). This raises the question: given all the recent revelations about the NSA, how good is Tor at protecting our privacy and anonymity?

The answer is "not very". Tor has many weaknesses, especially as packaged in the "Tor Browser Bundle". Experts might be able to protect their privacy with Tor against the NSA, but the casual user probably can't. I'm going to describe some of the reasons here.

The NSA runs lots of Tor nodes

The NSA hosts many nodes, anonymously, at high speed, spread throughout the world. These include entry (guard) nodes, middle nodes, hidden services, and most especially exit nodes. It's easy for them to create a front company, sign up for hosting, and run a node virtually anywhere.

On any random Tor connection, there is a good chance that one of your hops will be through an NSA node.
Update: This is a controversial claim. I have some sources I cannot name. Also: I don't have the exact details as to what "many" means: 1%? 10%? 30%?

Tor uses only three hops

By default, Tor chooses three hops: the entry (guard) node, a single middle node, and the exit node. Controlling only the middle node tells the NSA nothing useful: it sees encrypted cells coming from one relay and going to another. But the protection is weaker than "any one honest node saves you". If the NSA controls both the entry and the exit, it sees your IP address on one end and your destination on the other, and can match the two by correlating traffic timing and volume, regardless of who runs the middle hop. Controlling all three just makes that matching trivial. Note also that Tor picks relays weighted by bandwidth, so what matters is the fraction of network capacity the NSA runs, not the raw count of nodes.

This means that the NSA occasionally gets lucky, when somebody's circuit lands on NSA nodes at both ends, allowing them to unmask the user.
Update: If we assume the NSA controls 1% of Tor's (bandwidth-weighted) nodes, the chance that all three hops of a random circuit are NSA nodes is 0.01^3, one in a million. If a million circuits are created per day, that means the NSA unmasks about one person per day. If controlling just the entry and exit is enough (the middle node adds no protection against an adversary holding both ends), the per-circuit chance is 0.01^2, one in ten thousand, or roughly a hundred people per day at the same volume.

Tor creates many new paths

Tor doesn't use a single static path through the network. Instead, it stops attaching new connections to a circuit after a while and builds a fresh one; the post's figure is every 15 minutes (Tor's MaxCircuitDirtiness default is actually 10 minutes, which only makes the arithmetic below worse). Modern web services create constant background connections. So if you have your Outlook mail or Twitter open, those keep-alive requests cause a new circuit to be built through the Tor network every 15 minutes, or 96 new circuits a day, or close to 3000 a month. This happens whether or not the traffic uses SSL; SSL only changes what the exit node can read, not how often you roll the dice on a new path.

That means over the long run, there's a good chance that the NSA will catch one of those circuits with a fully NSA-controlled (or NSA entry plus NSA exit) configuration, and completely unmask you.
Update: This is partly mitigated by the "guard" concept for the entry node. You create only a single, long-lived choice of guard node, then fan out circuits from there, so the entry hop is not re-rolled every 15 minutes; only the middle and exit are. But mitigated doesn't mean the same thing as "fixed": if your guard happens to be an NSA node, every one of those circuits has a bad entry.
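The two sections above are really one probability calculation: per-circuit odds of a bad path, compounded over the number of circuits a user builds, with and without a fixed guard. The following Python is an added worked example (mine, not from the original post or the Tor Project). It assumes the adversary's share is a fraction of Tor's bandwidth-weighted selection probability, that relay choices are independent, and that the guard stays fixed for the whole period (real Tor rotates guards every couple of months, which is long compared to the 30 days modelled). The 1%, 96 circuits/day and one-million-circuits/day inputs are the post's assumed numbers, not measurements.

```python
import math

# Constructed inputs: the post's assumed numbers, not measurements.
ADVERSARY_SHARE = 0.01     # fraction of selection weight the adversary holds
CIRCUITS_PER_DAY = 96      # one fresh circuit every 15 minutes
DAYS = 30


def p_circuit(share, hops_needed):
    """Chance that one fresh circuit puts every one of `hops_needed`
    positions on adversary relays. hops_needed=3 is the post's
    all-three-hops case; hops_needed=2 is entry+exit, which already
    suffices for end-to-end traffic correlation."""
    return share ** hops_needed


def p_any(p_one, n):
    """Chance that at least one of n independent trials succeeds,
    i.e. 1 - (1 - p_one)**n, computed via log1p/expm1 so it stays
    accurate when p_one is tiny (1e-6) and n is large."""
    return -math.expm1(n * math.log1p(-p_one))


def exposure_no_guard(share, circuits, hops_needed=2):
    """Pre-guard model: every circuit picks a fresh entry, so each
    circuit is an independent chance to be caught."""
    return p_any(p_circuit(share, hops_needed), circuits)


def exposure_with_guard(share, circuits):
    """Guard model: the entry is chosen once and kept. Only the exit is
    re-chosen per circuit, so the user is exposed only if the single
    guard is bad AND at least one exit over the period is bad.
    (Assumes the guard fraction equals the exit fraction.)"""
    return share * p_any(share, circuits)


def expected_victims(p_user, users):
    """Expected number of users exposed, given a per-user probability."""
    return p_user * users


def report(share=ADVERSARY_SHARE, per_day=CIRCUITS_PER_DAY, days=DAYS):
    """Summarise the post's scenarios over one month of background traffic."""
    n = per_day * days
    return {
        "circuits_per_month": n,
        "per_circuit_3hop": p_circuit(share, 3),
        "per_circuit_entry_exit": p_circuit(share, 2),
        "month_no_guard_3hop": exposure_no_guard(share, n, 3),
        "month_no_guard_entry_exit": exposure_no_guard(share, n, 2),
        "month_with_guard": exposure_with_guard(share, n),
        # the post's "one per day" figure: a million circuits at 1e-6 each
        "daily_victims_3hop_1M": expected_victims(p_circuit(share, 3), 1_000_000),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:28s} {value:.6g}")
```

The interesting line in the output is the contrast between `month_no_guard_entry_exit` (about 25% at the post's 1% share: re-rolling the entry 2880 times is what kills you) and `month_with_guard`, which collapses to essentially the guard fraction itself, about 1%. That is exactly the "mitigated but not fixed" point: guards stop the exposure from compounding across circuits, but a user whose guard is bad is bad for every circuit.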

Your egress traffic may be unencrypted

Tor encrypts your traffic between you and the exit node, but when it leaves the last node in the Tor network, it is whatever it would have been originally. If you are accessing websites without SSL, then this last hop is unencrypted and the exit operator can read and modify it. It's usually easy to verify within a web browser whether it is using SSL, but many other apps have bugs that silently fall back to unencrypted sessions.
Update: Also, some of your egress traffic is poorly encrypted, such as the 1024-bit keys without forward secrecy that Facebook uses.
Update: @addelindh points out that tools like SSLstrip often work because people aren't paying attention and websites don't support things like HSTS, and thus, even when you want SSL, it will sometimes fail for you in the face of a hostile attacker sitting at the exit. Somebody needs to set up an exit node, then SSLstrip it, to figure out how often that works.

Tor uses 1024-bit RSA DH

Tor connections are protected by 1024-bit RSA/DH keys (see the major update below for which keys actually matter). The NSA can crack keys of that size. We don't know how easily they can do it. I'm guessing the NSA spent several years and a billion dollars to build ASICs. That means their internal accounting might charge $1 million per 1024-bit RSA/DH key cracked. This means they won't try to crack keys for petty criminals, but they have the power to crack keys for serious targets.

The NSA doesn't need to control all three servers along your route through Tor. Instead, it can control two servers and crack the RSA/DH key protecting the remaining hop.
Update: We know the NSA can crack 1024-bit keys, because it would cost only a few million dollars. What we don't know is how many such keys it can crack per day. The number could be less than one key per day.
Major Update: Because of Tor's "perfect forward secrecy", the NSA wouldn't be cracking the RSA key when eavesdropping. Instead, they would need to crack the "ephemeral" keys. A lot of older servers use 1024-bit DH ephemeral keys, which are about as easy to break as 1024-bit RSA keys. Newer servers use 256-bit ECDH keys which are a lot stronger, and likely not crackable by the NSA (estimates say NSA can crack up to 160-bit ECDH keys). Thus, for older servers, the ability of the NSA to passively eavesdrop and crack keys is a big threat, but for newer servers, it's likely not a threat. (I'm using http://www.keylength.com/ and round numbers here for key lengths). (I'm using http://torstatus.blutmagie.de/ and my own pcaps to confirm a lot of 1024-bit DH is still out in the Tor nodes).
Update: I did a rough survey of the 4200 active Tor servers. Roughly 10% use the newer uncrackable ECDH keys, whereas the other 90% use the older crackable 1024-bit DH keys. 

The NSA can influence parts of the network

The NSA can flood the servers it doesn't control with traffic, degrading them so that clients (whose path selection is bandwidth-weighted) are more likely to choose the NSA's own, well-performing servers. Thus they can get more connections onto their servers than their share alone would suggest.

Multiple apps share the same underlying Tor egress

Let's say that you use SSL for Twitter, but non-SSL for your email app. Both of these go out the same exit node, and by default over the same circuit if they happen at the same time. This allows the NSA to associate the two: the user named in the plaintext email connection is linked to the otherwise anonymous Twitter connection. This association works well when the NSA is controlling the exit node, and less well if it's simply monitoring the exit node.

Outages out you

As everyone knows, if the NSA is monitoring both you and the server you visit, they might be able to match up traffic patterns to associate the two. This is tricky for them, so a better way is to control the association by injecting faults. If the NSA is able to inject spoofed TCP RST packets into your end of the connection, it'll cause the egress connection on the other end to drop at the same moment, which is an easy thing to match. Some suspect the NSA is doing this in order to find hidden services.

Exploits (0day or not) can leak your IP address

In the recent incident, the FBI put a Firefox exploit on the servers that was designed to leak a person's IP address. There are lots of other things that can do this, ranging from hidden content within video files to PDF files that open their own network connections. I doubt that it is possible, in the normal sense (i.e. without putting the Tor proxy and the apps on separate machines), to prevent your IP address from being discovered.

DNS leakages can get you

This is partially fixed with the latest build of Firefox in the Tor Browser Bundle. But it's potentially broken in other apps. The basic problem is that Tor is TCP-based, but DNS requests go over UDP. Also, DNS requests go through separate APIs in the operating system (getaddrinfo and friends) that bypass the proxying of Tor. Consequently, an app that resolves the name itself and then hands the proxy an IP address (plain SOCKS4, or SOCKS5 with an IPv4 address) has already leaked, to your ISP's resolver and anyone watching it, which site you were about to visit. The fix is to hand the hostname to the proxy and let the exit resolve it (SOCKS4a, or SOCKS5 with a domain-name address type), or to use Tor's DNSPort. (h/t @inthecloud247)
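The shared-exit problem and the DNS-leak problem are both settled at the same place: the SOCKS handshake between the app and the local Tor daemon. The following Python is an added example (mine, not the post's and not the Tor Project's code) that builds and decodes the relevant SOCKS5 messages so you can see the difference on the wire. It assumes a stock tor listening on 127.0.0.1:9050 with default SocksPort flags, under which the SOCKS username/password (which Tor does not verify) acts as a stream-isolation key via Tor's IsolateSOCKSAuth option; the hostnames, ports and app labels are constructed inputs.

```python
import socket
import struct

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
AUTH_NONE, AUTH_USERPASS = 0x00, 0x02

TOR_SOCKS = ("127.0.0.1", 9050)   # assumption: stock tor's default SocksPort


def greeting(isolate):
    """Method-selection message. Offering user/pass auth lets the
    credentials double as a stream-isolation key (Tor's IsolateSOCKSAuth):
    streams with different credentials never share a circuit or exit."""
    methods = bytes([AUTH_USERPASS if isolate else AUTH_NONE])
    return bytes([SOCKS_VER, len(methods)]) + methods


def userpass(user, password):
    """RFC 1929 sub-negotiation. Tor accepts any values; it only uses them
    to decide which streams may share a circuit. One label per app."""
    u, p = user.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def connect_request(host, port):
    """CONNECT request carrying the *name*, so the Tor exit resolves it.
    Sending ATYP_DOMAIN is what keeps the lookup off the local resolver."""
    h = host.encode("idna")
    if len(h) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return (bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(h)])
            + h + struct.pack("!H", port))


def leaky_connect_request(host, port):
    """The mistake described above: resolve locally, then proxy the IP.
    By the time this request is built, a plaintext UDP DNS query for
    `host` has already left your machine outside Tor."""
    ip = socket.gethostbyname(host)          # <- this lookup is the leak
    return (bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_IPV4])
            + socket.inet_aton(ip) + struct.pack("!H", port))


def parse_connect(req):
    """What the proxy sees. Returns (kind, target, port); kind == 'name'
    means the client did no resolution of its own."""
    ver, cmd, _rsv, atyp = req[:4]
    if ver != SOCKS_VER or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT")
    if atyp == ATYP_DOMAIN:
        n = req[4]
        name = req[5:5 + n].decode("idna")
        (port,) = struct.unpack("!H", req[5 + n:7 + n])
        return ("name", name, port)
    if atyp == ATYP_IPV4:
        (port,) = struct.unpack("!H", req[8:10])
        return ("ipv4", socket.inet_ntoa(req[4:8]), port)
    raise ValueError("unsupported address type")


def open_stream(host, port, app_label=None, proxy=TOR_SOCKS):
    """Live version: returns a TCP socket tunnelled through Tor, resolving
    `host` at the exit, isolated per `app_label`. Needs a running tor."""
    s = socket.create_connection(proxy)
    s.sendall(greeting(app_label is not None))
    _ver, method = s.recv(2)
    if app_label is not None:
        if method != AUTH_USERPASS:
            raise OSError("proxy refused user/pass auth; no isolation")
        s.sendall(userpass(app_label, "x"))
        if s.recv(2)[1] != 0x00:
            raise OSError("SOCKS auth failed")
    elif method != AUTH_NONE:
        raise OSError("proxy refused no-auth")
    s.sendall(connect_request(host, port))
    reply = s.recv(10)                     # VER REP RSV ATYP BND.ADDR BND.PORT
    if len(reply) < 2 or reply[1] != 0x00:
        raise OSError(f"SOCKS CONNECT failed, code {reply[1] if reply else '?'}")
    return s


if __name__ == "__main__":
    print(parse_connect(connect_request("example.com", 443)))
    # e.g. open_stream("example.com", 443, app_label="twitter")
    # and  open_stream("mail.example.com", 143, app_label="mail")
    # land on different circuits, so the plaintext IMAP login cannot be
    # tied to the Twitter session by whoever runs the exit.
```

The isolation part relies on Tor, not on SOCKS: the proxy ignores the credential values but keys circuits on them, so giving each application its own label is enough to defeat the "both apps share one exit" correlation from the section above. The DNS part relies on never calling the system resolver: `connect_request` ships the name, `leaky_connect_request` shows the pattern to grep for in an app you are auditing. SOCKS4a achieves the same as the domain-name form here; plain SOCKS4 cannot.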

Mistakes inevitably happen

Remember: LulzSec hacker Sabu was discovered because, while he normally logged onto chatrooms using Tor, he forgot once -- and once was enough.

The NSA passes info to the FBI !!!

Normally, the NSA wouldn't go after petty criminals, like kids buying drugs on Silk Road. That's because doing so would reveal the existence of the program, which the NSA wants to keep secret.

But now we've heard stories about how the NSA can give such information to the FBI without revealing the program. Unmasking connections is opportunistic: the NSA is just running a huge dragnet and testing connections, and sometimes it gets lucky. With such a program, it can simply pass the result along to the FBI. That means even the pettiest of petty criminals might get caught by the NSA's Tor monitoring.


Experts can probably use Tor safely, hiding from the NSA -- assuming the NSA controls only a small fraction of nodes, and that its 1024-bit key-cracking capacity is small. It would require a lot of opsec: putting apps on a different [virtual] machine than the proxy, so exploits and DNS lookups cannot reach the real network, and making sure every egress connection is encrypted.

However, the average person using the Tor Browser Bundle is unlikely to have the skills needed to protect themselves. And this might be a good thing: it means dissidents throughout the world can probably hide from their own government, while our NSA cleans the network of all the drug dealers and child pornographers.

Update: Some comments might appear on the Tor mailing list here.

Update: Some useful tweets by experts:


Anonymous said...

you need to combine tor with a vpn for maximum effectiveness. encrypt all the things.

Anonymous said...

The discussion of "only three nodes in a circuit" is factually inaccurate. If an adversary controls just the entry and exit node, they can deanonymize the traffic. The Tor project would ideally want to use just two-hop circuits for efficiency (since it is absolutely no less secure than three hops), but they have found that having new nodes be middle nodes is a good testing phase.