
Deanonymization in Tor web

This presentation introduces the topics of anonymity, data anonymization and de-anonymization, then focuses on possible security and privacy attacks in "The Onion Router" (Tor) network.
The lesson was given on 24/05/2016 for the "Web Security and Privacy 2015/16" course at "La Sapienza" University, Rome.


  1. Deanonymization – Presented by • Alessandro Granato • Emilio Cruciani • Giovanni Colonna • Silvio Biagioni (Web Security and Privacy course – 2015/2016 – «La Sapienza» University)
  2. Deanonymization – The Onion Router. Presented by • Alessandro Granato ▫ Information: http://www.slideshare.net/AlessandroGranato/deanonymization-in-tor-web ▫ linkedin.com/in/alessandro-granato-40b03081 ▫ a.granato.89@gmail.com (Web Security and Privacy course – 2015/2016 – «La Sapienza» University)
  3. Introduction: • What is Anonymity? ▫ Colloquial use – Web use • What is Data Anonymization? ▫ Information Sanitization ▫ Security, Privacy • What is De-Anonymization? ▫ Cross-reference
  4. Introduction – The Onion Router: • Tor is free software for anonymous communication ▫ Volunteer relays conceal the user's location • Nested "Onion" encryption ▫ Encrypts Data, Sender IP, Receiver IP ▫ Through random circuits ▫ Last Relay!
  5. Governments vs Tor: • Monitoring to guarantee safety • Tor abused by cybercrime and terrorists • Monitoring capabilities over anonymizing networks • People directly connected to Tor in 2014: 2.5 Mln connected users
  6. Russia vs Tor: • Tender for companies: "Perform research, code 'TOR' (Navy)" • Develop technology to track Tor's users • Reward: 4 Mln rubles (~$111,000)
  7. Spoiled Onions: Exposing Malicious Tor Exit Relays • Counter-attack to deanonymizers in the Tor network • Philipp Winter • Stefan Lindskog • Karlstad University
  8. Spoiled Onions: • Tor circuits are encrypted tunnels • Exit relays -> open internet -> final destination • Traffic usually lacks end-to-end encryption • Man in the middle by design • Relays run by volunteers! ▫ Innocent ▫ Malicious
  9. Spoiled Onions: The study • Goal: find malicious exit relays ▫ Develop an exit relay scanner ▫ Design a browser extension patch: fetch and compare the suspicious X.509 certificate (X.509 is the standard for a public key infrastructure (PKI) to manage digital certificates) ▫ Probe exit relays for 4 months
  10. Spoiled Onions: ExitMap • Python-based exit relay scanner • Creates custom circuits to exit relays • Circuits are probed by modules ▫ Establish decoy connections • Objective ▫ Provoke exit relays to tamper with these connections ▫ Reveal them! • Stem library ▫ Implements the Tor control port ▫ Initiate/close circuits ▫ Attach streams to circuits
  11. Spoiled Onions: Using ExitMap • Fetch network data to learn which exit relays are online • Gets fed a set of exit relays ▫ Random permutation • Initiate circuits over the exit relays • Invoke the desired probing module, which establishes the decoy connection ▫ __LeaveStreamsUnattached ▫ __DisablePredictedCircuits
  12. Spoiled Onions: Probing modules • HTTPS module ▫ Fetches the decoy destination's X.509 certificate -> extracts its fingerprint ▫ Compares it to the expected fingerprint (hard-coded inside the module) ▫ If mismatch -> ALERT! • SSLSTRIP module ▫ sslstrip attack: rewrite HTTPS answer as HTTP ▫ Silent attack: browsers don't show an alert; you must notice the absence of the TLS indicator (green address bar) ▫ The module verifies whether the expected HTTPS link was "downgraded" to HTTP
  13. Spoiled Onions: Enemies Found! • In 2014: ▫ N = 1000 exit relays ▫ M = 25 malicious exit relays ▫ 2 relays: DNS censorship ▫ 1 relay: misconfigured ▫ All the others: MitM attack
  14. Spoiled Onions: Enemies Found! (cont'd) • Connection with decoy destination • The decoy's certificate is replaced with the relay's own self-signed version • Certificate is not issued by a trusted authority in Tor's certificate store • Probable Man in the Middle attack! ▫ User redirected to the about:certerror warning page
  15. Spoiled Onions: Enemies Found! (cont'd) • Subset of malicious relays run by the same group of people ▫ Same self-signed certificate ("Main Authority") ▫ Same country (Russia) ▫ Same VPS provider ▫ Same netblock (176.99.0.0/20) ▫ Same old version of Tor ▫ Same destination target: Facebook (social networks are often attacked using MitM)
  16. Spoiled Onions: Extension design • ExitMap checks the browser event DOMContentLoaded ▫ Fired whenever a document is loaded by the browser • Check the URI to find the "about:certerror" warning page • If found, there is a self-signed certificate • It can be authentic, but not in Tor's certificate store • Refetch the certificate over another circuit • Compare the two fingerprints ▫ If same = authentic ▫ If not same = MitM attack
  17. Spoiled Onions: Extension design (cont'd) • If Man in the Middle attack: ▫ Show a warning pop-up ▫ User can send info about the case
  18. Spoiled Onions: Conclusion • In 2014 there were ~1000 Tor exit relays • Researchers developed a scanner to monitor exit relays for 4 months • M = 25 malicious exit relays discovered • The majority of MitM attacks were coordinated • To avoid user deanonymization ▫ Developed ExitMap ▫ Developed a set of patches for Tor Browser which can fetch self-signed certificates, evaluate their trustworthiness and advise the user
  19. Useful links • Slideshare: http://www.slideshare.net/AlessandroGranato/deanonymization-in-tor-web • Infosec: http://resources.infosecinstitute.com/hacking-tor-online-anonymity/ • Spoiled Onions paper: http://www.cs.kau.se/philwint/spoiled_onions/techreport.pdf
  20. Thank you! Questions? Deanonymization – The Onion Router (Web Security and Privacy course – 2015/2016 – «La Sapienza» University)
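The decision logic of the two probing modules from slide 12 (HTTPS fingerprint comparison and sslstrip downgrade detection) and of the two-circuit certificate check from slide 16, as an added illustration written for this page; it is not ExitMap's code, nor the Karlstad authors' extension. Circuit construction through Stem and the Tor control port is replaced by injected fetch callables, the relay identities, decoy URL and "DER" certificate bytes are constructed placeholders, and the expected fingerprint is derived from the constructed genuine certificate instead of being hard-coded from a real site.

```python
"""Offline model of ExitMap-style probing modules (added example, not ExitMap's code).

In the real scanner each fetch happens over a freshly built Tor circuit through
the exit relay under test; here a fetch callable stands in for that circuit.
"""
import hashlib
import random
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-ins for DER-encoded X.509 certificates. A real probe would
# take the DER bytes straight from the TLS handshake with the decoy destination.
GENUINE_DER = b"-constructed-der-genuine-decoy-certificate-"
FORGED_DER = b"-constructed-der-self-signed-mitm-certificate-"

DECOY_URL = "https://decoy.example/login"  # constructed decoy destination


def fingerprint(der: bytes) -> str:
    """SHA-256 certificate fingerprint in the usual colon-separated hex form."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# The HTTPS module compares against a fingerprint hard-coded inside the module;
# here it is computed from the constructed genuine certificate.
EXPECTED_FINGERPRINT = fingerprint(GENUINE_DER)


@dataclass
class ProbeResult:
    exit_relay: str    # identity of the exit relay probed (constructed label)
    verdict: str       # "ok", "cert-mismatch" or "sslstrip"
    detail: str = ""


def https_module(exit_relay, fetch_cert):
    """Fetch the decoy's certificate via the exit and compare fingerprints."""
    seen = fingerprint(fetch_cert(exit_relay))
    if seen != EXPECTED_FINGERPRINT:
        return ProbeResult(exit_relay, "cert-mismatch", f"got {seen[:23]}...")
    return ProbeResult(exit_relay, "ok")


def sslstrip_module(exit_relay, fetch_final_url):
    """Request the decoy over HTTPS and check whether the link the relay handed
    back was rewritten to plain HTTP (a silent downgrade the browser won't flag)."""
    final_url = fetch_final_url(exit_relay, DECOY_URL)
    if urlsplit(final_url).scheme != "https":
        return ProbeResult(exit_relay, "sslstrip", final_url)
    return ProbeResult(exit_relay, "ok")


def extension_check(loaded_uri, cert_via_current, cert_via_fresh):
    """Extension logic from the deck: on DOMContentLoaded, if the page is
    about:certerror, refetch the certificate over a fresh circuit and compare.
    Same fingerprint -> authentic self-signed cert; different -> MitM."""
    if not loaded_uri.startswith("about:certerror"):
        return "no-action"
    if fingerprint(cert_via_current) == fingerprint(cert_via_fresh):
        return "authentic-self-signed"
    return "mitm"


# Simulated exit relays (constructed): one honest, one that swaps the
# certificate for its own and strips TLS.
RELAYS = {"HONEST01": GENUINE_DER, "MALICE02": FORGED_DER}


def fake_fetch_cert(exit_relay):
    return RELAYS[exit_relay]


def fake_fetch_url(exit_relay, url):
    if exit_relay == "MALICE02":
        return url.replace("https://", "http://", 1)
    return url


def scan(relays, seed=0):
    """Probe every relay in a random permutation (as ExitMap does) and collect
    the non-ok verdicts per relay."""
    order = random.Random(seed).sample(list(relays), len(relays))
    results = {}
    for relay in order:
        verdicts = [https_module(relay, fake_fetch_cert).verdict,
                    sslstrip_module(relay, fake_fetch_url).verdict]
        results[relay] = [v for v in verdicts if v != "ok"] or ["ok"]
    return results


if __name__ == "__main__":
    for relay, verdicts in scan(RELAYS).items():
        print(relay, verdicts)
```

Only the relay that tampers with the connection produces a non-ok verdict; the extension check shows why the second fetch matters: a self-signed certificate that looks the same over two independent circuits is simply not in Tor's store, while one that changes between circuits points at the exit relay.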
