Skip to content

How NSA tries to compromise Tor anonymity. Tor Stinks document

by paganinip on October 6th, 2013
nsa-tor-hack

Top-secret presentation Tor Stinks leaked by Snowden shows the techniques implemented by the NSA to overwhelm Tor Anonymity with manual analysis.

Tor anonymity has been debated many times, according majority security experts it was one of the most secure way to stay on line being far from prying eyes avoiding government surveillance.
Recently a series of events have completely changed this conviction, last year groups of researchers demonstrated the possibility to track users also on Tor networks, thanks to a technique dubbed Traffic Correlation attack it is possible to break Tor anonymity. A few weeks ago it was spread the news that law enforcement was able to discover the Tor user’s identity exploiting a flaw in the Firefox browser.
In the last month also Tor network has lost a couple of its most popular entities, Freedom Hosting service and SilkRoad illegal market place were shut down by the FBI, circumstances that suggest that the U.S. Authorities have found a way to track criminals (or have simply decided to apply it) even if protected by the Tor anonymity.
Yesterday Edward Snowden released a new classified intriguing NSA document, titled ‘Tor Stinks’ in which the intelligence agency admits to being able de-anonymize a small fraction of Tor users manually.

“We will never be able to de-anonymize all Tor users all the time’ but ‘with manual analysis we can de-anonymize a very small fraction of Tor users’”

The document also reveals that NSA was working to degrade the user experience to dissuade people from using the Tor browser.
The NSA strategy relies on the following principles to unhinge Tor anonymity.
Tor Anonymity Stinks document
  • Infiltrate Tor network running its Tor nodes. Both the NSA and GCHQ run Tor nodes to track traffic back to a specific user, the method is based on the circuit reconstruction from the knowledge of the ‘entry, relay and exit’ nodes between the user and the destination website.

Tor Anonymity Tor path

  • Exploiting zero-day vulnerability of Firefox browser bundled with Tor, with this technique NSA was able to get the user’s IP address. In this way the FBI arrested the owner of Freedom Hosting service provider accused of aiding and abetting child pornography.
  • NSA also uses web cookies to track Tor user widely, the technique is effective also for Tor Browser. The cookies are used to analyze the user’s experience on the Internet, the intelligence agency owned or controlled a series of website that was able to read last stored cookies from the browser on the victim’s machine. With this technique the agency collects user’s data including the IP address. Of course expert users can avoid this type of control in numerous way, for example using a dedicated browser for exclusive Tor navigation, using only the official preconfigured Tor bundle or properly managing the cookies stored on their machine. Unfortunately the surveillance methods appeared effective for a huge quantity of individuals. I always suggest to use a virtual machine with a live OS for protecting your Tor anonymity, cache and cookies in this way will be lost once the machine is shut down. Documents leaked by Snowden show that the NSA is using online advertisements i.e. Google Ads to make their tracking sites popular on the internet.
The concerning aspect of the history is that other governments could use similar techniques to monitor Tor networks, let’s thing to countries such as China, Iran and Syria in which censorship is very strong.
The good news is that despite their effort intelligence agencies are not able to compromise the Tor anonymity for the entire network … maybe.

Pierluigi Paganini

(Security Affairs –  Tor Stinks, Tor Anonymity, NSA)

Comments are closed.