Relays can be malicious and try to tamper with the data. Think of Tor relay encryption like Signal's E2E encryption, where the relays are analogous to Signal's servers. You want to ensure they can neither see what you sent (confidentiality) nor modify it without detection (integrity).
That is correct. But, (in general) encryption does not necessarily guarantees integrity of the data. In other words, a plaintext can be encrypted, the ciphertext given to another party, and they can tamper with the ciphertext in a way that produces predictable changes in the message obtained by decrypting the tampered ciphertext.
The malleability of the ciphertext matters because it enables certain circuit tagging attacks as the article explains. It means that the exit relay could confirm you are using a guard relay also controlled by them and thus discover your origin IP address.
You can indeed use HTTPS with the end server (e.g., accessing Wikipedia). This correctly hides the traffic content from all relays.
To reach this point, though, you first need to set up the Tor circuit itself. This is done in a 'telescopic' fashion: the user connects via TLS to the first relay, then sends a message to extend the circuit to a second relay, then to the third (and usually last) relay. Finally, to open Wikipedia, you send a layered encrypted message to the last relay. All this data is link-protected by TLS on the wire, but protected by Tor's relay encryption mechanism while being processed by the nodes.
But instead of just reporting it directly, we instead get this unsubstantive comment (“Cool! Great! Btw you spelled a word wrong.”). Essentially just noise, nothing that provokes curiosity or interesting discussion.
There are countermeasures you can take against timing attacks, pattern analysis, and other capabilities an attacker may have if they control many relays. If you're trying to exfiltrate military secrets to the Russians, you can probably do it, but you'll have to be extremely careful. Your behaviour is as important as the network you use to communicate over, if not more important.
There is no single state actor that has access to all data centers in the EU, though. For some countries, there's barely a state actor that can access all data centers within a single country.
There is no tool that will let you become immune against a theoretical hyper powerful super government that controls all data centers, just by clicking a button. There never will be.
There's some neat math that shows how one could send (radio) signals which are undetectable to an observer. Last I read, the research was in specific, purely theoretical scenarios but the idea is that you could send bit impulses which stay within the noise floor. Transmit with a power less than R^2 (in discrete time and ignoring triangulation and you have to pre-coordinate the timing of the transmissions with your partner via pre-shared one time pad and use plenty of error correction) the enemy observer cannot prove that someone is sending signals at all.
Maybe no such techniques could ever apply to the internet, but I'm not sure it's proven impossible. You would need a well defined threat model but if you can show that your enemy is working with noisy data and strictly in the digital space, I don't see why statistical de-anonymization couldn't be foiled.
This FUD comes up whenever Tor is mentioned on Hacker News. The answer is: let's say you think Tor isn't 100% flawless. What are you going to do? Not use Tor? It's better than any other option.
What you'd do is that you'd write a distributed remailer where fixed-size messages are sent on fixed timeslots, possibly with some noise in when it's transmitted, with a message always being sent on its timeslot, even if a dummy message must be sent.
I've been writing a system like this in Erlang, intended to be short enough that you can take a picture of the source code and then type it in by hand in a reasonable amount of time, as a sort of protest against Chat Control. I'm not sure I'm going to release it-- after all, they haven't passed it yet, and there are all sorts of problems that this thing could needlessly accelerate, but I've started fiddling with it more intensively recently.
Ah. It actually looks very sensible. I knew things like that existed, but didn't know they had dummy messages.
I guess my approach is more P2P, more simplicity, shortness and clarity focused, as well as perhaps emphasizing general networking less-- I sacrifice more, I'm fine with 3-6 second delays on all messages, for example. I guess I also emphasize scale in that I intend to have 10,000+ connection open simultaneously on every peer, and because of this you don't even always need the retransmission aspect, since the person you want to talk to might be in the group of 10,000 that you send a message to every second.
So in my thing the mixing is less important and the retransmission aspect is only needed when the network grows so big that you, when you connect don't happen to randomly end up directly peering with the person you want to talk to.
While there aren't as many services available, there are alternatives to Tor. Veilid on the protocol level seems to be quite promising, and I2P and other networks also provide some Tor-like features.
If you're trying to browse the web then you won't find many alternatives, but if you're looking to avoid the authorities doing some data exchange, you have options.
> Of course, we need to make sure that the data isn't modified on the way from the client.
Why is this necessary if every layer of the onion is a trustable encrypted link?
Relays can be malicious and try to tamper with the data. Think of Tor relay encryption like Signal's E2E encryption, where the relays are analogous to Signal's servers. You want to ensure they can neither see what you sent (confidentiality) nor modify it without detection (integrity).
Yes, but if it's all encrypted tunnels inside encrypted tunnels (recursively), then those relays can't really see the data, right?
That is correct. But, (in general) encryption does not necessarily guarantees integrity of the data. In other words, a plaintext can be encrypted, the ciphertext given to another party, and they can tamper with the ciphertext in a way that produces predictable changes in the message obtained by decrypting the tampered ciphertext.
Ok, but if I run (say) HTTPS over the innermost tunnel, then I suppose that HTTPS will take care of any discrepancies.
The malleability of the ciphertext matters because it enables certain circuit tagging attacks as the article explains. It means that the exit relay could confirm you are using a guard relay also controlled by them and thus discover your origin IP address.
There are many reasons that these cryptographic tagging attacks are a lot worse than just the timing correlation attacks that are possible if you control the guard and exit of a client: https://archive.torproject.org/websites/lists.torproject.org...
You can indeed use HTTPS with the end server (e.g., accessing Wikipedia). This correctly hides the traffic content from all relays.
To reach this point, though, you first need to set up the Tor circuit itself. This is done in a 'telescopic' fashion: the user connects via TLS to the first relay, then sends a message to extend the circuit to a second relay, then to the third (and usually last) relay. Finally, to open Wikipedia, you send a layered encrypted message to the last relay. All this data is link-protected by TLS on the wire, but protected by Tor's relay encryption mechanism while being processed by the nodes.
Cool! Congrats! Awesome work.
Small typo: “observing predicatable changes“
I think you’re getting downvoted because you’re reporting the typo in an odd and likely unproductive place.
I’m not sure what you expect HN readers to do about the typo. There is a comment section on the blog itself :)
It's not unusual that the author (or someone of the team) see the trafic peak an appears in HN to reply the questions.
Sure, that happens.
But instead of just reporting it directly, we instead get this unsubstantive comment (“Cool! Great! Btw you spelled a word wrong.”). Essentially just noise, nothing that provokes curiosity or interesting discussion.
[dead]
Is it quantum-proof?
Quantum isn’t the problem. Majority-internet telemetry is.
Is it alien-proof?
All information is translated to Finnish at ingress, so yes.
hey guys, anyone believes Tor still can provide anonymity to users ? just trying to ask politely.
broadly yes, but the real question is: what's your threat model? https://ssd.eff.org/glossary/threat-model
I mean definitely state level actor, for example, let's say you can access all data centers in EU as most tor nodes are located in EU.
There are countermeasures you can take against timing attacks, pattern analysis, and other capabilities an attacker may have if they control many relays. If you're trying to exfiltrate military secrets to the Russians, you can probably do it, but you'll have to be extremely careful. Your behaviour is as important as the network you use to communicate over, if not more important.
There is no single state actor that has access to all data centers in the EU, though. For some countries, there's barely a state actor that can access all data centers within a single country.
There is no tool that will let you become immune against a theoretical hyper powerful super government that controls all data centers, just by clicking a button. There never will be.
There's some neat math that shows how one could send (radio) signals which are undetectable to an observer. Last I read, the research was in specific, purely theoretical scenarios but the idea is that you could send bit impulses which stay within the noise floor. Transmit with a power less than R^2 (in discrete time and ignoring triangulation and you have to pre-coordinate the timing of the transmissions with your partner via pre-shared one time pad and use plenty of error correction) the enemy observer cannot prove that someone is sending signals at all.
Maybe no such techniques could ever apply to the internet, but I'm not sure it's proven impossible. You would need a well defined threat model but if you can show that your enemy is working with noisy data and strictly in the digital space, I don't see why statistical de-anonymization couldn't be foiled.
Low stakes (IP violations etc.): absolutely
High stakes (military / nation state scale): no
hey, would you mind elaborating (with sources)?
This FUD comes up whenever Tor is mentioned on Hacker News. The answer is: let's say you think Tor isn't 100% flawless. What are you going to do? Not use Tor? It's better than any other option.
What you'd do is that you'd write a distributed remailer where fixed-size messages are sent on fixed timeslots, possibly with some noise in when it's transmitted, with a message always being sent on its timeslot, even if a dummy message must be sent.
I've been writing a system like this in Erlang, intended to be short enough that you can take a picture of the source code and then type it in by hand in a reasonable amount of time, as a sort of protest against Chat Control. I'm not sure I'm going to release it-- after all, they haven't passed it yet, and there are all sorts of problems that this thing could needlessly accelerate, but I've started fiddling with it more intensively recently.
You may be interested in Katzenpost and the research behind it: https://katzenpost.network/
Ah. It actually looks very sensible. I knew things like that existed, but didn't know they had dummy messages.
I guess my approach is more P2P, more simplicity, shortness and clarity focused, as well as perhaps emphasizing general networking less-- I sacrifice more, I'm fine with 3-6 second delays on all messages, for example. I guess I also emphasize scale in that I intend to have 10,000+ connection open simultaneously on every peer, and because of this you don't even always need the retransmission aspect, since the person you want to talk to might be in the group of 10,000 that you send a message to every second.
So in my thing the mixing is less important and the retransmission aspect is only needed when the network grows so big that you, when you connect don't happen to randomly end up directly peering with the person you want to talk to.
Don’t things like Freenet do similar?
Except that every user is also a node, thereby mixing their personal traffic into a share of network traffic. Or so I understand it.
I'm not sure. Freenet actually stores information, this is pure communication system. I don't think it uses dummy messages.
My target size is also <500 lines, and I think <200 is feasible, whereas Freenet is apparently 192,000 lines.
While there aren't as many services available, there are alternatives to Tor. Veilid on the protocol level seems to be quite promising, and I2P and other networks also provide some Tor-like features.
If you're trying to browse the web then you won't find many alternatives, but if you're looking to avoid the authorities doing some data exchange, you have options.
The better option is to use Tor while being aware of its caveats and limitations. Don't be lulled into a false sense of security.