Showing posts with label Tor. Show all posts

Saturday, September 22, 2007

Tor weaknesses

Not a lot of people are aware of the weaknesses of TOR. I will try to give a short introduction to some of these weaknesses. The TOR FAQ explains some possible attacks, and I will give two more examples.

The first example attack uses a vulnerability in the control port of a TOR client. The control port usually runs on port 9051 and can be used to control the TOR client. The client only listens on localhost, so a firewall should be sufficient to shield this port from the outside... or not. What if you can serve the TOR user a webpage and embed a link in the page that connects to localhost:9051? The browser of the user will follow the link and connect to the control port on the localhost running the TOR client. The control port connection handling has a vulnerability (TOR client < 0.1.2.16) in how it handles requests: if a command in the request was unknown, it would generate an error message but would not drop the connection. So sending commands to the control port would be easy, because the client skips the lines it cannot interpret, e.g. the HTTP request line and headers. It would be fairly easy to generate a webpage with some JavaScript that connects to the control port of a visiting TOR client. Through the control port it is a breeze to alter e.g. the torrc file and direct that user to a single TOR node you control through the ExitNode option, which specifies a preferred exit node for the TOR client to use. Advisory is here
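To make the "does not drop the connection" detail concrete, here is a toy line-based command handler (added here as an illustration; it is not Tor's code, and the command set and reply strings are invented) fed a constructed browser-style POST. With the pre-fix behaviour every HTTP line just produces an error and the command in the body still runs; with the fixed behaviour the session ends at the first unrecognized line and nothing in the body is ever executed.

```python
# Toy control-port session handler (illustration only, not Tor's code).
# Commands and reply codes below are a hypothetical subset.
KNOWN_COMMANDS = {"GETINFO", "AUTHENTICATE"}


def handle_session(lines, drop_on_unknown):
    """Process one client session and return (executed, replies).

    lines           -- raw lines the client sent, in order
    drop_on_unknown -- False: reply with an error and keep reading
                       (the pre-0.1.2.16 behaviour the post describes)
                       True : close the connection at the first line that is
                       not a known command (the fix)
    """
    executed, replies = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue  # blank line between HTTP headers and body
        verb = line.split(" ", 1)[0].upper()
        if verb in KNOWN_COMMANDS:
            executed.append(line)
            replies.append("250 OK")
        else:
            replies.append('510 Unrecognized command "%s"' % verb)
            if drop_on_unknown:
                break  # connection closed; later lines never reach the parser
    return executed, replies


# Constructed sample: what a browser-issued POST to localhost:9051 looks like
# on the wire. Every header line is "unknown" to the handler; the body carries
# a (harmless) control command.
BROWSER_POST = [
    "POST / HTTP/1.1",
    "Host: localhost:9051",
    "Content-Type: text/plain",
    "Content-Length: 15",
    "",
    "GETINFO version",
]

if __name__ == "__main__":
    for fixed in (False, True):
        ran, _ = handle_session(BROWSER_POST, drop_on_unknown=fixed)
        print("drop_on_unknown=%s -> executed %r" % (fixed, ran))
```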

The second attack is against hidden services. A hidden service is e.g. a webserver running inside the TOR network: people can request pages from this webserver but will not be able to locate it on the internet. An attack on these hidden services was described in this paper. It uses a technique that overloads the CPU of the hidden service, which changes the clock skew of the machine and thereby the timestamps in its network packets. So if you overload a hidden service and at the same time connect to all TOR servers listed in the TOR directory, you can identify the server the hidden service is running on.

As a special teaser, there are some other thinkable scenarios related to browser-based attacks. Check this paper for details.

TOR is great for protecting your anonymity, but it is still not foolproof. The TOR client software is still in alpha stage and the TOR network is still being developed, with new services and uses for the TOR protocol. Use TOR, but know what you are using and how you are using it.

Wednesday, September 19, 2007

German TOR server owner quits

Apparently the German TOR server owner who was harassed and never charged by the German police is shutting down his TOR server. He cannot cope with the harassment of him and his family anymore. He will stay involved in TOR development though.
News article is here

Tuesday, September 18, 2007

Sniffing TOR traffic

The last few weeks some incidents regarding information leaked from the TOR network hit the news (see my MediaDefender and Swedish hacker posts). In this post I will explain how this can happen, how you can try it out yourself and how you can protect yourself against it.

What happened?


People using the TOR network to guarantee their privacy have used the network to read their email and browse the web. Any time you use an unencrypted protocol (e.g. HTTP, POP3, IMAP), some people participating in the TOR network can read your traffic. The TOR network has encryption in place, but only in the internal network. When your information is sent from the TOR network to the internet server it is NOT encrypted, so the last TOR node can see your request (and response) in plain text.

How does it work?


So how do you set up a machine to get some information from the TOR network? It is actually pretty simple. You install a machine with your favourite OS (Linux, Windows or OSX), you install the TOR client software and configure it as an exit node. Now your TOR node is routing TOR traffic, and people can also use it as an exit node to request information from the internet. The only thing left is to dump the unencrypted packets to disk for analysis. There are many ways to do that, but tcpdump or similar works fine. Later analysis can be done with the dsniff tools to extract passwords, emails and chat conversations, or with ethereal for a full packet analysis.

Is TOR secure?


Yes it is. It is secure for the purpose it was made for. It is secure in protecting your anonymity by encrypting all the traffic between the TOR nodes and masking your IP address from the final destination, be it www.hotmail.com or any other server. It will however not protect you from the dangers of using an unencrypted protocol. There are some other security issues with TOR, but that is for a later blog post.

How to protect against TOR exit-node sniffing?


Use encrypted protocols. Use SSL when using POP, IMAP or HTTP. Use an extra SSL proxy layer while browsing the web (e.g. proxify.com), and use POP3S and IMAPS when reading your email. Ask your email provider if these protocols are supported; most providers do.

Which tools can I use for this?

Monday, September 17, 2007

TOR server owner arrested in Germany

A TOR server owner got arrested in Germany, read here.

The thing is that anybody who runs TOR is in essence a "TOR server owner/administrator". You use TOR to be anonymous, but at the same time traffic is being routed through your TOR software to anonymize other people (that's how TOR works). In TOR you can choose to be a man-in-the-middle only or to be an exit node for other people to use. In the case of an exit node, your TOR software will request web pages (or whatever) for other people using your IP address. I wonder how this is going to work out in other European countries; I think some law enforcement people will be watching this case closely.
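The choice between forwarding only and exiting is made in the relay's torrc. As an added illustration, not taken from the post, here are the two configurations side by side (nickname and port are placeholders; the exit variant is additionally limited to web ports):

```text
## (1) Middle relay only: forwards encrypted cells between Tor nodes and
##     never opens connections to the public internet on others' behalf.
Nickname myrelay
ORPort 9001
ExitPolicy reject *:*

## (2) Exit relay: also makes outbound requests for other users from this
##     machine's IP address, here restricted to HTTP and HTTPS.
Nickname myexit
ORPort 9001
ExitPolicy accept *:80,accept *:443,reject *:*
```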

Swedish TOR sniffer

A few weeks ago a Swedish hacker published about 100 POP3 login accounts of governments around the world. In the MediaDefender email leak you will notice a reference to a Swedish person who tried to log in to one of the accounts... is this a coincidence?

Read more about the Swedish TOR sniffer here:

Swedish hacker site

Media coverage
article 1
article 2

TOR overview