[Cryptography] NSA and Tor was Updates on Durov charges in France
Peter Fairbrother
peter at tsto.co.uk
Fri Sep 6 20:37:40 EDT 2024
On 06/09/2024 09:50, efc--- via cryptography wrote:
>
>
> On Fri, 6 Sep 2024, Peter Fairbrother wrote:
> I usually consider Tor fine for "regular" use cases. And with regular I
> mean if you want privacy, but are not in conflict with the government.
> That means you are such "small fry" that no one will bother with you.

The kind of global passive attack the NSA can mount is limited to -
probably just the NSA. It's a question of availability of traffic data,
and the NSA has more of that than anyone (except maybe GCHQ).

There are some sophisticated attacks which can be mounted with less
access as well, but with global access it is much simpler.

I don't know how secure the Tor browser is though.

[...]

>> NSA [...] finds traffic which matches the sizes and
>> timings of the packets [...]
> Wouldn't it be trivial to protect against size by just adding some
> random payload?
>
> When it comes to timing attacks...
>
>> If you can only see some traffic then it gets a bit statistical, but
>> long-term everyone is screwed. You can control a few nodes.
>
> ... ah yes, I thought it would become statistical. I imagine that there
> could be added delays in the network, but that would reduce usability.

Yep, the need for speed. That, plus traffic volume limits, also limits
the maximum amount of dummy traffic you can add to be less than useful.

Also, it does not help any if the NSA are observing entry/exit nodes
only, and ignoring intermediate nodes, as the traffic from a user to a
node and from a node to a website is the same.

It may be encrypted using TLS or whatever, but it's the same ol' web
traffic. The webservers aren't special Tor webservers after all (unless
they are .onions, which doesn't really help much).

As to statistics, I did a little swift research.

To do an entry/exit point only attack the NSA can definitely monitor
traffic in-country from at least 1,053 of the 1,837 exit nodes (those in
the US, Germany, Denmark, Switzerland, UK and Canada) and probably 224
more (France, Netherlands).

Those give a 32% or 48% probability that both entry and exit points for
any circuit are being monitored.

In which case, if the traffic can be correlated, any anonymity is toast.
Connect a few times, and ..

Those are minimum figures, I guess NSA might have agreements with a lot
more countries which I don't know about.

Perhaps more important, they do not include traffic on international
cables which is heavily monitored by NSA and GCHQ (NSA built a $3
billion submarine to tap cables underwater), and "boomerang" traffic,
where traffic from eg Albania to Zimbabwe goes via the US or UK for some
reason.

So, the NSA can certainly access more than enough traffic data. Can they
collect and use it?

Total Tor traffic is about 40GB/s, 20MB/s for an average exit node.
Filtering a node is trivial (except sometimes where there is other
traffic on the same IP address). If the filters just report overall
files then they might need to send NSA 1MB/s per node, or 2GB/s in all.

A lot for you and me, spare change for the NSA. As for the work needed
to correlate, I expect that's lost in the noise.

So, can they do it? Yes, undoubtedly. Do they do it? I don't see why not.

Supposing they do, they may see the cost/benefit ratio of letting anyone
else know about it to be well on the side of keeping Mum, and use a
bodyguard of lies even internally. It could be a biggie on a rainy day.

I don't think they would tell the Snowden contractors about it. I
wouldn't. No need to know. In fact I would lie and say we can't do it.

> What about setting up your own entry nodes to make sure that
> you don't risk connecting to one under government control?

One node under government control doesn't help the Government to trace
end users, they need a few (or many/most if they are only doing passive
attacks).

I am no expert on the minutiae of Tor, but I hear that setting up your
own node to hide your own traffic is generally a bad idea.

Peter Fairbrother