Saturday, September 26, 2009

Security Threats in Tor Design

The Tor Project is one of the open-source solutions available for protecting privacy and security in network communication. There are currently 1500 active relays and 300,000+ active users worldwide. The basic definition of 'anonymity' is interpreted differently by different sets of users. For instance, home users treat it as a privacy/anti-censorship solution, the commercial sector calls it a network security mechanism, and government institutions see it as traffic-analysis resistance.

Consider a simple relay architecture as below, in which each user hides their identity behind a single proxy host.


Now, you can imagine that a single relay could turn out to be an eavesdropper or a single point of failure in the communication. So, joining multiple relays together can add stability and anonymity to the communication.

In this joint-relay conversation over the network, a corrupted node (RelayHost D) can identify that 'Shawn' is talking but never knows to whom. Similarly, another node (RelayHost G) can tell that somebody is talking to 'Rosi' but doesn't know who. Thus privacy is preserved; however, visualizing a typical Tor network design (Centralized Directory Protocol) can reveal another set of threats.
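The joint-relay conversation described above can be simulated in a few lines. This is an added example, not code from the Tor Project or from the original post: the middle relay 'RelayHost E', the hash-derived keys and the XOR keystream cipher are assumptions standing in for Tor's real circuit keys and cell encryption.

```python
import hashlib
import json

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with a SHA-256 counter keystream (NOT Tor's real crypto)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def wrap(path, keys, dest, payload: bytes) -> bytes:
    """Client: add one layer per relay, innermost layer for the last relay."""
    nxt, blob = dest, payload
    for relay in reversed(path):
        layer = json.dumps({"next": nxt, "data": blob.hex()}).encode()
        blob = xor_stream(keys[relay], layer)
        nxt = relay
    return blob

def route(sender, path, keys, blob: bytes):
    """Relays: each peels its own layer; record the hops it can observe."""
    views, prev = {}, sender
    for relay in path:
        layer = json.loads(xor_stream(keys[relay], blob))
        views[relay] = {"from": prev, "to": layer["next"]}
        blob, prev = bytes.fromhex(layer["data"]), relay
    return views, blob  # blob is now what the last relay forwards

def demo():
    # Constructed sample: relay E and the hash-derived keys are assumptions.
    path = ["RelayHost D", "RelayHost E", "RelayHost G"]
    keys = {r: hashlib.sha256(r.encode()).digest() for r in path}
    onion = wrap(path, keys, "Rosi", b"hello Rosi")
    return route("Shawn", path, keys, onion)

if __name__ == "__main__":
    views, delivered = demo()
    for relay, seen in views.items():
        print(f"{relay}: sees {seen['from']} -> {seen['to']}")
    # The last relay forwards the payload exactly as the application sent it.
    print("forwarded by last relay:", delivered)
```

No single relay's view contains both 'Shawn' and 'Rosi', but the last relay handles the payload in the clear unless the application encrypts it end to end.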


Practical Security Problems

1. Tor hides your identity/location but never encrypts the 'COMPLETE' set of network traffic, so it is vulnerable to eavesdropping attacks on the internet.
2. Should communication on ports like 23, 110, 109, etc. be refused by Tor?
3. Active attacks on web cookies (e.g. Gmail Account) are still possible.
4. Before creating a new Tor node, do you need to be verified by a central authority? Does it really exist?
5. What if your node is running an anti-virus protection program on top of the win32 platform to detect malicious traffic? What will the consequences be?
6. What if you are relaying through a node in China and its ISP is hijacking sessions using an SSL MiTM attack?
7. No more than 2 inter-routing relays on one IP address is feasible?
8. Is it really secure to use the Tor application directly from USB, leaving no traces? How about the WINDOWS/Prefetch folder and Registry entries?
9. Problems where communication takes place from a Tor node to a non-Tor node and back.
10. Abnormal use of proxy settings by an application can result in privacy exposure.
11. Clogging and congestion attacks.


Some Security Measures

1. Filter the connections by blocking unwanted directory authorities.
2. Filter unwanted relay IP addresses.
3. Prevent users from finding the Tor service running on your machine.
4. Cap on filtering based on Tor's network fingerprint.
5. Consider adding adaptive padding to the traffic.
6. Use the highest level of encryption possible (i.e. AES 256).
7. Integrate an efficient algorithm for allocating connections safely to Tor circuits.