Barriers to TOR Research at UC Berkeley Joseph Lorenzo Hall Karl Chen Matthew Rothenberg http://josephhall.org/papers/torpapr.pdf

Introduction Thesis: research opportunities with TOR at UC Berkeley are limited. Tension exists between features of TOR and the institutional environment. We had an neat experiment utilizing TOR ready to go, but were never able to turn it on. We used the experience as an opportunity to make recommendations to Berkeley (and TOR).

Thesis: research opportunities with TOR at UC Berkeley are limited.

Tension exists between features of TOR and the institutional environment.

We had an neat experiment utilizing TOR ready to go, but were never able to turn it on.

We used the experience as an opportunity to make recommendations to Berkeley (and TOR).

Outline What is TOR? Our planned experiment Legal and institutional barriers Options available to TOR researchers

What is TOR?

Our planned experiment

Legal and institutional barriers

Options available to TOR researchers

What is TOR? An internet anonymization tool.

An internet anonymization tool.

What is TOR? Technical description of TOR/onion routing. Can specify exit policy to control IPs/ports of exit traffic. Must specify IP addresses , not domains. Clients can specify preferred exit node. History and motivation of similar tools. Recent research / improvements / attacks in onion routing.

Technical description of TOR/onion routing.

Can specify exit policy to control IPs/ports of exit traffic.

Must specify IP addresses , not domains.

Clients can specify preferred exit node.

History and motivation of similar tools.

Recent research / improvements / attacks in onion routing.

The Planned Experiment What were our planned research goals? To profile TOR traffic. What are people doing / going? Is TOR something that our institution should support? Are there uses of the network that should be disincentivized? A high-level description of the planned experiment. Technical infrastructure. Using a virtual interface for TOR traffic. What we would log and why. How it would be logged efficiently. Storage needs for the logs. This was all doable and in place.

What were our planned research goals?

To profile TOR traffic. What are people doing / going?

Is TOR something that our institution should support?

Are there uses of the network that should be disincentivized?

A high-level description of the planned experiment.

Technical infrastructure.

Using a virtual interface for TOR traffic.

What we would log and why.

How it would be logged efficiently.

Storage needs for the logs.

This was all doable and in place.

Legal Hurdles Content Federal Wiretapping Law (18 USC §2 510-2522) Court order for govt. access, penalties and damages as well as a civil cause of action State Law (California Penal Code §6 29.50-629.98) Network Attributes Federal Pen-register Law (18 USC §3 121-3127) Bar is lower, exceptions exist, no civil cause of action

Content

Federal Wiretapping Law (18 USC §2 510-2522)

Court order for govt. access, penalties and damages as well as a civil cause of action

State Law (California Penal Code §6 29.50-629.98)

Network Attributes

Federal Pen-register Law (18 USC §3 121-3127)

Bar is lower, exceptions exist, no civil cause of action

Institutional Hurdles Departmental Approval Unauthenticated proxies forbidden by Minimum Standards for Security of Berkeley Campus Networked Devices (MSSBCND) Campus Information Security Committee approval for exception to MSSBCND UCB Risk Management Attorneys Library Services Licensing (For dealing with IP-based authentication)

Departmental Approval

Unauthenticated proxies forbidden by Minimum Standards for Security of Berkeley Campus Networked Devices (MSSBCND)

Campus Information Security Committee approval for exception to MSSBCND

UCB Risk Management Attorneys

Library Services Licensing (For dealing with IP-based authentication)

The Rub Blocking exit traffic to services we subscribe to is difficult. 3k+ entries in the proxy.pac file. Uses domain names with wildcards (e.g., *.acm.org ) TOR doesn’t handle large exit policies well (technically and socially).

Blocking exit traffic to services we subscribe to is difficult.

3k+ entries in the proxy.pac file.

Uses domain names with wildcards (e.g., *.acm.org )

TOR doesn’t handle large exit policies well (technically and socially).

Options For TOR Research (1) Operating in middleman mode. (no exit traffic) Pros: minimal exit policy, no worries with proxy.pac. Cons: would not allow experiments that rely on exit traffic Successively adding entries to an allowed list in the exit policies. Pros: very small exit policy, would not have to worry about proxy.pac. Cons: very limited view of internets, would be biased to certain types of traffic (web, etc.), limited by the length of time that it takes for an exit policy change to propagate to other nodes.

Operating in middleman mode. (no exit traffic)

Pros: minimal exit policy, no worries with proxy.pac.

Cons: would not allow experiments that rely on exit traffic

Successively adding entries to an allowed list in the exit policies.

Pros: very small exit policy, would not have to worry about proxy.pac.

Cons: very limited view of internets, would be biased to certain types of traffic (web, etc.), limited by the length of time that it takes for an exit policy change to propagate to other nodes.

Options For TOR Research (2) Blocking all IP addresses that correspond to proxy.pac regexs in DNS (using searchDNS). Pros: Highly precise. Cons: Results in an exit policy 3k-150k entries long, blocks legitimate traffic, doesn ’t block traffic to IP addresses that don ’t have DNS entries. Blocking whole netblocks associated with second-level domains. Pros: Smaller exit policy list. Cons: Blocks much more legitimate traffic, exit policy is still 3k long.

Blocking all IP addresses that correspond to proxy.pac regexs in DNS (using searchDNS).

Pros: Highly precise.

Cons: Results in an exit policy 3k-150k entries long, blocks legitimate traffic, doesn ’t block traffic to IP addresses that don ’t have DNS entries.

Blocking whole netblocks associated with second-level domains.

Pros: Smaller exit policy list.

Cons: Blocks much more legitimate traffic, exit policy is still 3k long.

Possible Solutions Have a trusted segment of our network. Get rid of IP-based “authentication” with services with which we’ve contracted. Modify TOR such that its directory protocol is more enterprise-user friendly.

Have a trusted segment of our network.

Get rid of IP-based “authentication” with services with which we’ve contracted.

Modify TOR such that its directory protocol is more enterprise-user friendly.