[tor-talk] isp monitoring tor

Seth David Schoen schoen at eff.org
Tue Oct 7 00:06:59 UTC 2014


Mirimir writes:

> Tor is vulnerable to two general sorts of attacks. One involves the use
> of malicious relays in various ways to deanonymize circuits. The other
> involves the use of traffic analysis to correlate traffic captured at
> edges of the Tor network (to users and the websites that they access).
> 
> With ISPs, there's the risk that some organization can monitor traffic
> on both ends. It's common to characterize such organizations as "global
> passive adversaries". However, a single ISP (or a firm owning multiple
> ISPs) could do that, if it provides service to both users and websites.
> Also, users who access websites in their own nation via Tor are
> similarly vulnerable to their government.

To expand on this theme, there are several traffic attacks that don't
require an adversary to be truly "global".  Creating a popular relay in
the hope that users who are interesting to you will route through it is a
pretty cheap and powerful attack (and one that motivated the creation of
guard nodes).  And there can be timing attacks just based on (sometimes
rather coarse-grained) knowledge of when a particular anonymous user was
active, which might even come from chat or server logs rather than from
monitoring live network traffic, so long as the attacker does have the
ability to monitor the first hop.

I've taken to saying "someone who can observe both ends" most of the time
instead of "the global adversary".  (I think the Tor developers often say
this too; the global adversary is just someone who can _almost always_
observe both ends.)  A kind of challenging wrinkle is that there are
a lot of conceivable ways that someone could "observe" one end of the
connection.  One sometimes underappreciated way is that someone else who
was observing it at the time of the communication, including a party to
the communication or a server operator, could tell the adversary about
it later.

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107


More information about the tor-talk mailing list