Saturday, September 22, 2007

Tor weaknesses

Not a lot of people are aware of the weaknesses of Tor. I will try to give a short introduction to some of them. The Tor FAQ explains some possible attacks, and I will give two more examples.

The first example uses a vulnerability in the control port of a Tor client. The control port usually runs on port 9051 and can be used to control the Tor client. It only listens on localhost, so a firewall should be enough to shield it from the outside. Or not: what if you can serve the Tor user a web page that embeds a link connecting to localhost:9051? The user's browser will follow the link and connect to the control port of the Tor client running on localhost. The control port's connection handling had a vulnerability (Tor client < 0.1.2.16) in how it processed requests: an unknown command generated an error message but did not drop the connection. Sending commands to the control port was therefore easy, because it simply skipped the commands it could not interpret, e.g. the HTTP request lines. It would be fairly easy to generate a web page with some JavaScript that connects to the control port of a visiting Tor client. Through the control port it is then a breeze to alter the torrc configuration and, via the ExitNode option, which specifies a preferred exit node for the Tor client to use, direct that user to a single Tor node you control. The advisory is here.
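To make the security-relevant point concrete, here is an added Python simulation (not code from this post or from Tor) of the two line-handling policies contrasted above: a lax parser that reports an unknown command but keeps reading, and a strict one that closes the session on the first protocol violation. The command set, the reply text and the sample request are constructed for the illustration.

```python
"""Simulated control-port line handling: lax (the pre-0.1.2.16 behaviour the
post describes) versus strict (drop the connection on the first unknown command).
Constructed example; it is not Tor's control-port implementation."""

from typing import List, Tuple

# Assumption: a tiny stand-in for the real command set, enough for the demo.
KNOWN_COMMANDS = {"GETINFO", "AUTHENTICATE", "QUIT"}


def parse_command(line: str) -> str:
    """Return the command keyword of a control line: first token, upper-cased."""
    return line.split(" ", 1)[0].upper() if line.strip() else ""


def handle_lax(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Vulnerable policy: an unknown command yields an error reply, but the
    session continues, so any later line that *is* a command gets executed."""
    executed, errors = [], []
    for line in lines:
        cmd = parse_command(line)
        if cmd in KNOWN_COMMANDS:
            executed.append(line)
        else:
            errors.append(f"unrecognized command {cmd!r}")
    return executed, errors


def handle_strict(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Hardened policy: the first protocol violation closes the connection, so
    nothing that follows it is ever interpreted (fail closed)."""
    executed, errors = [], []
    for line in lines:
        cmd = parse_command(line)
        if cmd not in KNOWN_COMMANDS:
            errors.append(f"unrecognized command {cmd!r}; closing connection")
            break
        executed.append(line)
    return executed, errors


# Constructed sample: what a browser-issued HTTP request looks like on the wire
# when aimed at the control port. The request line and headers are not control
# commands; only the body line is one.
CROSS_PROTOCOL_REQUEST = [
    "POST / HTTP/1.1",
    "Host: 127.0.0.1:9051",
    "Content-Type: text/plain",
    "",
    "GETINFO version",
]

if __name__ == "__main__":
    for name, handler in (("lax", handle_lax), ("strict", handle_strict)):
        executed, errors = handler(CROSS_PROTOCOL_REQUEST)
        print(f"{name}: executed={executed} errors={len(errors)}")
```

The lax handler reaches and executes the body line after four harmless-looking errors; the strict handler rejects the request line and executes nothing, which is why a text protocol bound to localhost still needs to fail closed against browser-originated traffic.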

The second attack is against hidden services. A hidden service is, for example, a web server running inside the Tor network: people can request pages from it but cannot locate it on the internet. An attack on these hidden services was described in this paper. It overloads the CPU of the hidden service, which changes the machine's clock skew and therefore the timestamps in its network packets. So if you overload a hidden service and at the same time connect to all Tor servers listed in the Tor directory, you can identify the server the hidden service is running on.

As a special teaser, there are other conceivable scenarios related to browser-based attacks. Check this paper for details.

Tor is great for protecting your anonymity, but it is still not foolproof. The Tor client software is still in alpha stage, and the Tor network is still being developed, with new services and uses for the Tor protocol. Use Tor, but know what you are using and how you are using it.

2 comments:

Steven J. Murdoch said...

As you mentioned, the first vulnerability you described only affects Tor <0.1.2.16, so that is one very good reason to get the new version. In fact version 0.1.2.17 includes some performance improvements, so everyone should upgrade even if they are not affected by the flaw.

I wrote the paper you mentioned as the second vulnerability. Shava Nerad from the Tor project has responded to some of the points it raises. It is also worth noting that the attack makes certain assumptions and is only applicable in some scenarios. These are discussed in the associated paper.

The paper describing the problems with Torbutton also proposes improvements to resist the attack. These fixes are in the development version of Torbutton, but it needs more testing before being promoted to stable.

Yonathan said...

Thank you for your comment.

I agree a newer version is up and everybody should of course upgrade. More experienced users will probably do that through their automatic distro upgrade or some other mechanism.

The point here is that by trying to make Tor more user friendly to install, a lot of people are using the Vidalia packaged bundle. According to my knowledge this bundle does not have any automatic upgrade mechanism. This leads to a lot of users still using the vulnerable version. Maybe some automatic check for security patches or upgrades for the components should be implemented in Vidalia.

Thank you for the links to the other papers, much appreciated.

Yonathan