The Onion Router

From ForensicsWiki

Revision as of 15:48, 3 June 2008

Tor (The Onion Router) is an implementation of second-generation onion routing.

Overview

Tor is a distributed censorship-resistant network designed to anonymize TCP-based applications.

Attacks

Timing attacks

Tor's anonymity fails when an attacker can correlate timing patterns at both ends of the communications channel.
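
The sentence above is the whole of the attack; the added example below (not code from the ForensicsWiki page, and not the method of any particular paper) shows on constructed data why it works. Packets seen at the two ends of a circuit are binned into fixed windows, and the Pearson correlation at the best lag is high for the matched pair and low against an unrelated client's trace. The traces, the 0.5 s transit delay, the window size and the lag range are all constructed values chosen for the illustration. From the defender's side this is why low-latency designs such as Tor do not claim to resist an adversary who observes both ends, and why padding and cover-traffic schemes aim at exactly this signal.

```python
"""End-to-end timing correlation on constructed packet traces.

Added illustration, not code from the ForensicsWiki page. `client` stands
for packets seen at the user's end of a circuit, `server` for the same
packets at the far end after a constructed transit delay, and `other` for
an unrelated user's traffic.
"""
import random
from typing import List, Tuple


def bin_counts(timestamps: List[float], window: float, total: float) -> List[int]:
    """Turn packet timestamps into a packets-per-window count vector."""
    counts = [0] * (int(total / window) + 1)
    for t in timestamps:
        if 0.0 <= t < total:
            counts[int(t / window)] += 1
    return counts


def pearson(a: List[int], b: List[int]) -> float:
    """Pearson correlation coefficient of two count vectors (0.0 if one is flat)."""
    n = min(len(a), len(b))
    a, b = a[:n], b[:n]
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = sum((x - ma) ** 2 for x in a) ** 0.5
    sb = sum((y - mb) ** 2 for y in b) ** 0.5
    return cov / (sa * sb) if sa and sb else 0.0


def best_lag(a: List[int], b: List[int], max_lag: int) -> Tuple[float, int]:
    """Correlate `a` with `b` shifted by 0..max_lag windows; return (r, lag) of the best fit."""
    best = (-1.0, 0)
    for lag in range(max_lag + 1):
        r = pearson(a[: len(a) - lag], b[lag:])
        if r > best[0]:
            best = (r, lag)
    return best


def bursty_trace(rng: random.Random, n_bursts: int) -> List[float]:
    """Constructed trace: bursts of a few packets separated by idle gaps."""
    t, trace = 0.0, []
    for _ in range(n_bursts):
        t += rng.uniform(0.5, 3.0)              # idle gap between bursts
        for _ in range(rng.randint(3, 12)):     # packets within one burst
            t += rng.uniform(0.005, 0.03)
            trace.append(t)
    return trace


def correlate_traces(seed: int = 1, window: float = 0.5, max_lag: int = 4) -> dict:
    """Correlate the client-side trace against the far end and against an unrelated user."""
    rng = random.Random(seed)
    client = bursty_trace(rng, 40)
    total = client[-1] + 1.0
    # Far end sees the same bursts about 0.5 s later (constructed delay plus jitter).
    server = [t + 0.5 + rng.uniform(0.0, 0.05) for t in client]
    other = bursty_trace(rng, 40)
    c, s, o = (bin_counts(x, window, total) for x in (client, server, other))
    r_same, lag_same = best_lag(c, s, max_lag)
    r_other, lag_other = best_lag(c, o, max_lag)
    return {"same_circuit": r_same, "same_lag_windows": lag_same,
            "unrelated": r_other, "unrelated_lag_windows": lag_other}


if __name__ == "__main__":
    print(correlate_traces())
```

The matched pair correlates at a lag of one window (the 0.5 s constructed delay) with a coefficient close to 1, while the unrelated trace stays near 0 whatever lag is tried; encryption changes none of these counts, which is the point of the attack.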

Misconfigured software

  • DNS leaks

Some applications do name resolution directly, bypassing the Tor proxy. In that case the lookup requests leak significant information (e.g. the web site being visited).

  • Web browsers
    • Enabled scripts: Java and Flash applets may leak the real IP address (see the Metasploit Decloaking Engine, http://metasploit.com/research/projects/decloak/);
    • Enabled cookies: a web server can identify clients using unique cookies.
  • Direct connections in Instant Messaging (MSN, ICQ, etc.) also leak the real IP address.

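The DNS leak above comes down to which SOCKS address type an application sends. The added example below (not code from the ForensicsWiki page or the Tor project) builds a SOCKS5 CONNECT request (RFC 1928) both ways: with the application resolving the name itself and sending only the IPv4 result (ATYP 0x01, the leaky pattern), and with the name handed to the proxy as ATYP 0x03 so Tor resolves it inside the network. A recording stand-in for the OS resolver makes the leaked query visible without any network access; the hostname and address are constructed values. The parser is the check an analyst applies to a captured SOCKS request to tell the two cases apart.

```python
"""SOCKS5 CONNECT requests with and without a local DNS lookup.

Added example, not code from the ForensicsWiki page. The hostname and the
address answered by `RecordingResolver` are constructed values.
"""
import socket
import struct
from typing import Callable, Dict, List, Optional


class RecordingResolver:
    """Stand-in for the OS resolver: answers from a fixed table and records
    every name it was asked for, so the leak is visible without a network."""

    def __init__(self, table: Dict[str, str]) -> None:
        self.table = table
        self.queries: List[str] = []

    def __call__(self, host: str) -> str:
        self.queries.append(host)   # this is the DNS query that would leave in the clear
        return self.table[host]


def build_connect(host: str, port: int,
                  resolver: Optional[Callable[[str], str]] = None) -> bytes:
    """Build a SOCKS5 CONNECT request (RFC 1928, section 4).

    With `resolver` the application resolves the name itself and sends only
    the IPv4 result (ATYP 0x01): the lookup bypasses the proxy. Without it
    the name is sent as ATYP 0x03 and the proxy (Tor) resolves it.
    """
    if resolver is not None:
        addr = b"\x01" + socket.inet_aton(resolver(host))
    else:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)   # VER, CMD=CONNECT, RSV


def parse_connect(req: bytes) -> Dict[str, object]:
    """Decode a SOCKS5 CONNECT request as seen on the wire (e.g. in a capture)."""
    if len(req) < 4 or req[0] != 0x05 or req[1] != 0x01 or req[2] != 0x00:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == 0x01:
        dest, end = socket.inet_ntoa(req[4:8]), 8
    elif atyp == 0x03:
        n = req[4]
        dest, end = req[5:5 + n].decode("idna"), 5 + n
    elif atyp == 0x04:
        dest, end = socket.inet_ntop(socket.AF_INET6, req[4:20]), 20
    else:
        raise ValueError("unknown address type %#x" % atyp)
    (port,) = struct.unpack("!H", req[end:end + 2])
    return {"atyp": atyp, "dest": dest, "port": port}


def resolved_locally(req: bytes) -> bool:
    """True when the client sent an IP literal: it did (or at least may have
    done) its own name resolution outside the proxy."""
    return parse_connect(req)["atyp"] in (0x01, 0x04)


if __name__ == "__main__":
    rec = RecordingResolver({"example.com": "192.0.2.10"})
    leaky = build_connect("example.com", 443, resolver=rec)
    safe = build_connect("example.com", 443)
    print("queries that left the host:", rec.queries)
    print("leaky:", parse_connect(leaky), "safe:", parse_connect(safe))
```

An IP literal in the request is not proof of a leak (the user may have typed an address), but a hostname is proof that no local lookup was needed; Tor's own `WarnUnsafeSocks` torrc option, on by default, logs a warning for the IP-literal pattern for this reason.
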
TLS attacks

Deviations of a host's system time can be detected in its TLS traffic (e.g. HTTPS traffic). An attacker who can modify the system time of the target computer (or of a group of them), e.g. via NTP, can then easily trace TLS connections coming out of the anonymous network.
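
The "deviation of system time" above rests on one specific field: in TLS 1.0 to 1.2 the first four bytes of ClientHello.Random were defined to carry the client's clock (gmt_unix_time, RFC 5246 section 7.4.1.2). The added example below, which is not code from the ForensicsWiki page, builds a constructed ClientHello, pulls that field out of the record and compares it with a constructed capture timestamp; this is the check an analyst runs over a pcap to learn whether a client exposes its clock at all. Most current TLS stacks, Tor included, fill the whole Random with random bytes, and TLS 1.3 defines the field as opaque, so for them the check reports that no clock is exposed. The one-year plausibility bound is an assumption of the example, not a protocol rule.

```python
"""Does a captured TLS ClientHello expose the client's clock?

Added example, not code from the ForensicsWiki page. The ClientHello bytes
and both timestamps are constructed; the +/- one year plausibility bound is
an assumption of this example, not a protocol rule.
"""
import struct
from typing import Dict

ONE_YEAR = 365 * 86400


def build_client_hello(gmt_unix_time: int, tail28: bytes = b"\x00" * 28) -> bytes:
    """Minimal TLS 1.2 ClientHello record whose Random starts with a clock
    value, laid out as RFC 5246 section 7.4.1.2 describes."""
    assert len(tail28) == 28
    body = struct.pack("!H", 0x0303)                    # client_version: TLS 1.2
    body += struct.pack("!I", gmt_unix_time) + tail28   # Random: 4-byte time + 28 bytes
    body += b"\x00"                                     # session_id: empty
    body += b"\x00\x02\xc0\x2f"                         # cipher_suites: one suite
    body += b"\x01\x00"                                 # compression_methods: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_hello_time(record: bytes) -> int:
    """Return the first 4 bytes of ClientHello.Random as a big-endian integer."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 34:                                  # version (2) + Random (32)
        raise ValueError("truncated ClientHello")
    (t,) = struct.unpack("!I", body[2:6])
    return t


def assess_clock(record: bytes, capture_time: int, bound: int = ONE_YEAR) -> Dict[str, object]:
    """Compare the leading 4 bytes of Random with the capture timestamp.

    A value within `bound` of the capture time is treated as a real clock
    reading and its offset is the client's skew; anything else is taken to
    be a client that fills the whole Random with random bytes, which exposes
    no clock. The bound is a heuristic chosen for this example.
    """
    t = extract_hello_time(record)
    skew = capture_time - t
    exposed = abs(skew) <= bound
    return {"hello_time": t,
            "skew_seconds": skew if exposed else None,
            "clock_exposed": exposed}


if __name__ == "__main__":
    CONSTRUCTED_T = 1212508080          # constructed clock value
    hello = build_client_hello(CONSTRUCTED_T)
    print(assess_clock(hello, CONSTRUCTED_T + 300))   # clock exposed, 300 s behind
    print(assess_clock(build_client_hello(0x9F3A1B2C), CONSTRUCTED_T))  # random bytes
```

A client whose ClientHello yields a stable, plausible skew across captures is one whose connections the tracing attack above can follow; one whose leading bytes look random is not, which is why randomising the whole field is the mitigation.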

Eavesdropping by exit nodes

Tor does not encrypt traffic between an exit node and the target server, so exit nodes are able to capture all unencrypted traffic. Malicious exit nodes can also perform man-in-the-middle attacks on encrypted protocols.

Hidden services

Location-hidden services are also vulnerable to timing correlation attacks.

External Links

  • Official website (https://www.torproject.org/)
  • Article in Wikipedia (http://en.wikipedia.org/wiki/Tor_(anonymity_network))
  • Tor Unreliable Datagram Extension Proposal (https://www.torproject.org/svn/trunk/doc/spec/proposals/100-tor-spec-udp.txt)
  • Low-Cost Traffic Analysis of Tor (University of Cambridge) (http://www.cl.cam.ac.uk/~sjm217/papers/oakland05torta.pdf)