Current practical, low-latency, anonymity designs like Tor fail when the attacker can see both ends of the communication channel. For example, suppose the attacker controls or watches the Tor relay a user chooses to enter the network, and also controls or watches the website visited. In this case, the research community is unaware of any practical, low-latency design that can reliably prevent the attacker from correlating volume and timing information on both ends.
Mitigating this threat requires consideration of the Tor network topology. Suppose the attacker controls, or can observe, C relays from a pool of N total relays. If a user selects a new entry and exit relay each time the Tor network is used, the attacker can correlate all traffic sent with a probability of (c/n)2. For most users, profiling is as hazardous as being traced all the time. Simply put, users want to repeat activities without the attacker noticing, but being noticed once by the attacker is as detrimental as being noticed more frequently. [...]
The solution to this problem is "entry guards". Each Tor client selects a few relays at random to use as entry points, and only uses those relays for the first hop. If those relays are not controlled or observed, the attacker can't use end-to-end techniques and the user is secure. If those relays are observed or controlled by the attacker, then they see a larger fraction of the user's traffic — but still the user is no more profiled than before. Thus, entry guards increase the user's chance of avoiding profiling (on the order of (n-c)/n), compared to the former case.
You can read more at [https://www.freehaven.net/anonbib/#wright02 An Analysis of the Degradation of Anonymous Protocols], [https://www.freehaven.net/anonbib/#wright03 Defending Anonymous Communication Against Passive Logging Attacks], and especially [https://www.freehaven.net/anonbib/#hs-attack06 Locating Hidden Servers].
Restricting entry nodes may also help to defend against attackers who want to run a few Tor nodes and easily enumerate all of the Tor user IP addresses. Even though the attacker can't discover the user's destinations in the network, they still might target a list of known Tor users. However, this feature won't become really useful until Tor moves to a "directory guard" design as well.
Source and License, see footnote: Source:The Tor blog post speaks about website fingerprinting, which is done without the cooperation of a malicious guard or compromising any other Tor infrastructure. Defending against a malicious guard is the attack you have considered. The two are independent and have different properties and usefulness as an adversarial tool. I describe each here to fix our descriptions of the two things. A malicious guard can compromise all circuits that go through it, _if_ the honest client also picks (or is somehow manipulated into picking) a malicious exit. Then all traffic on this circuit is compromised with certainty. The rate of success for the adversary is proportional to how much bandwidth she can afford and deploy. A website fingerprinting adversary can observe and try to identify all Tor traffic flowing out of the client's machine on the way to the guard. The rate of success for the adversary is proportional to how good the website classifier she has. The first attack is straight forward. Deploy nodes and enjoy the compromises. The second attack is not so clear. For the former, the compromised guard node can separate out the different flows since it can inspect Tor application level information. For the latter, the problem is that the adversary only has network level information and must do the work of first separating out the flows into individual website accesses. Otherwise WF does not work. The advice that the Tor blog post is giving is to make this separation job harder for the adversary and hence render the WF less effective (i.e. very low accuracy). In the case that the app is a web browser then the Tor blog post makes sense, but you could take their advice and _also_ do the 1 app per 1 guard proposal, and get the best of both worlds. There is another consideration, WF works because there is a stable fingerprint to learn (in this case the website that does not change too much _and_ the adversary can generate training data by accessing this website). Is this the case of the apps (other than web browser) you have in mind? Will there be a stable traffic pattern for the adversary to learn? Do you want to hide the fact that the app is being used versus the party that is being communicating with? I think that the blog post is talking about a very narrow problem. Furthermore, there is not yet side consensus on 1) how well WF is actually working in the real world (versus very well known effectiveness or malicious guards) and 2) what the best and practical defences are (where randomly doing lots of stuff at once sounds mostly impractical if not automated and expensive in bandwidth). TariqTo apply this Increase Protection from Malicious Entry Guards configuration, follow these steps: # Import a {{project_name_gateway_short}} into the hypervisor that has never been started. # Take a snapshot and name it "Original". # Start {{project_name_gateway_short}} and wait for Tor to finish bootstrapping (connecting). # After Tor has connected, shutdown {{project_name_gateway_short}} and take another snapshot - the naming convention should match the intended activity, such as "Email". # This snapshot should be used with all {{project_name_workstation_long}} snapshots related to/called "Email", whether it is identity "John Doe", "Jane Doe" and so on. Note the Workstations should also be generated separately from a clean baseline. When a separate activity is required such as IRC, users should revert to the {{project_name_gateway_short}} snapshot (labelled "Original"), then repeat the same steps. That is, allow it to boot and connect to Tor, shut it down, then take a snapshot entitled "IRC". Note that if a webpage IRC chat client is used, then this should be done from "Browsing" snapshot. If you need to run multiple applications at the same time, then consider cloning the VMs.
From: Tariq Elahi== Important Caveats == * Do not start the application on the Workstation before taking the Gateway snapshot. This is to prevent it from generating data on the Gateway -- such as Onion Service descriptors -- that can be linked across sessions or detected in the event of the Workstation being infected. https://lists.torproject.org/pipermail/tor-dev/2016-November/011636.html * If you use multiple instances of the same application concurrently -- email accounts John Doe and Jane Doe in the example above -- make sure each gets its own Gateway VM (cloned from the "Email" snapshot for example) and its own isolated network. They should never share the same Gateway because a malicious Workstation can: ** Sniff data on the shared isolated network; and ** Also manipulate the common Tor client into divulging information belonging to the other application.
Subject: Re: Fwd: Re: Tor revised guard behavior & chances of malicious guard
To: HulaHoop, adrelanos@whonix.org Hi, I have replied inline below. On 27/09/18 17:22, HulaHoop wrote:[snip] Thanks for getting back to us. With your permission I'd like to quote your reply on our wiki.Sure, but I would to take a look at what the context and quote is if that is alright, please.IIRC Tor is currently using a 2 guard per client config but will be moving to 1 because of research showing it's safer. Should we force the use of one guard even if it's not the standard configuration of most Tor users at the moment?I thought Tor was using one guard and thinking of moving to two. Is it the other way around? Forcing some users to do something different from other users partitions the user base and this is considered not a good thing to do in general.With 1G/A being the best option it would translate to cloning the Tor VM (for as many separate Apps desired) before first run - to ensure they don't share the same guard correct?They could share the same guard if it gets picked randomly. The likelihood of this happening at random depends on the bandwidth of the guard so it might not be as rare. The trick is making sure you don't pick an already used guard without needing to divulge information about all other apps' guards.I'm trying to think how the different Tor instances can look at each other's guard lists across different VMs. Probably through using inter-VM communication or something similar. Spawning multiple Tor instances on the same Gateway VM would be easier but getting each instance to use only it's own internal network that connects to its unique App VM is not as straight forward as the separate VM approach.Indeed, communication between the VMs is needed. Perhaps a mediation agent that could help facilitate the list matching process? I am quite interested in this now. Perhaps we should talk more about this over chat if that will help. Tariq
{{project_name_gateway_vm}}) will ''likely'' lead to a new set of Tor entry guards, which is [https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters proven to degrade anonymity].
{{mbox
| image = [[File:Ambox_warning_pn.svg.png|40px]]
| text ='''Warning:''' Users considering using disposable {{project_name_gateway_short}} ProxyVMs in Qubes R4 are [[Qubes/Disposables#Warnings|warned]] that this technique severely degrades anonymity; new Tor guards are created during each distinct {{project_name_short}} session.
}}
== Anonymity and Performance-related Issues ==
Users may be tempted to create a new {{project_name_gateway_short}} ({{project_name_gateway_vm}}) in the following circumstances:
* Bootstrapping is slow or regularly fails.
* Tor logs show warnings suggestive of route manipulation attacks or other oddities.
* System logs reveal attempted attacks on {{project_name_short}} or Tor processes, for example in AppArmor logs.
* Current Tor performance is very slow or unreliable due to collapsing circuits or other factors.
* The user is concerned about the amount of Tor data that could be revealed if {{project_name_gateway_short}} is infected, particularly after a long period of use.
== Manual Guard Rotation Threats ==
Forcing the rotation of guards more often than Tor’s default is dangerous for several reasons:
* It increases the likelihood of a compromised or malicious Tor guard being selected. This raises the chance of a successful [https://securityaffairs.co/wordpress/17489/intelligence/traf%EF%AC%81c-correlation-vs-anonymity-on-tor.html correlation attack] if the adversary runs Tor exit relays in the network.
* The user is more likely to traverse a [https://www.freehaven.net/anonbib/#feamster:wpes2004 given] [https://www.freehaven.net/anonbib/#DBLP:conf:ccs:EdmanS09 set] of [https://www.freehaven.net/anonbib/#ndss13-relay-selection Internet infrastructure links] that are under the adversary's control, such as [https://web.mit.edu/6.033/www/papers/InterdomainRouting.pdf Autonomous Systems (ASes)] or [https://www.itu.int/en/wtpf-13/Documents/backgrounder-wtpf-13-ixps-en.pdf Internet Exchange Points (IXPs)].
* Every Tor guard change acts like a fingerprinting mechanism, since other users are less likely to pick the same set. If the adversary is able to enumerate a user's Tor guards and later observes someone with the same set, the chance is high the two observations stem from the same person.
For these reasons the Tor design changed in 2014 to establish a solitary primary guard node, while also increasing the set period for guard rotation. Also, do not discount the possibility that an adversary might purposefully cause poor Tor throughput, in the hope Tor guards are manually changed: https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters
We should also consider whether an adversary can *induce* congestion or resource exhaustion to cause a target user to switch away from her guard. Such an attack could work very nicely coupled with the guard enumeration attacks discussed above.In one sense, slow Tor entry guards should be welcomed -- “honeypot” operators on the Tor network are unlikely to have constrained bandwidth which might chase away intended targets. == Recommendations == If users feel compelled in their circumstances to proceed despite the anonymity risks, then it may be safer to first try: * One of the fallback primary entry guards. * A configured [[Bridges|bridge]]. * Chaining other [[Tunnels/Introduction|tunnels]] with Tor. * Creating a fresh {{project_name_gateway_short}} (
{{project_name_gateway_vm}}) and [[#Copy_Tor_Configuration_files_and_Settings_to_Another_{{project_name_gateway_vm}}_Instance|copying across the Tor state file]].
The safest decision is to persist with poor performance and wait for normal guard rotation.
= Mitigate the Threat of Guard Fingerprinting =
Note: Weigh the fingerprinting risks outlined earlier before proceeding. In most cases the decision to not rotate guards (even temporarily) is the correct one.
If guard fingerprinting across different locations is a legitimate concern, there are several ways to mitigate the threat. Viable options include: bridges, temporarily rotating guards or cloning {{project_name_gateway_short}} ({{project_name_gateway_vm}}) with new guards.
== Clone {{project_name_gateway_short}} ({{project_name_gateway_vm}}) with New Entry Guards ==
{{mbox
| image = [[File:Ambox_warning_pn.svg.png|40px]]
| text ='''Warning:''' Do not clone the {{project_name_gateway_short}} ({{project_name_gateway_vm}}) with new guards at your home address. If the Tor client connects through the home network, the new guards might be correlated to the home address.
}}
It is possible to clone the current {{project_name_gateway_short}} ({{project_name_gateway_vm}}) and regenerate the Tor state file. Once the VM is cloned, it is important that the original is not unintentionally used for any anonymous activities. To negate this threat, disable networking in the original {{project_name_gateway_short}} until returning home.
Create a {{project_name_gateway_short}} ({{project_name_gateway_vm}}) clone and name it {{project_name_gateway_short}}-temp ({{project_name_gateway_vm}}-temp):
# VirtualBox: follow [https://dirkstrauss.com/clone-virtualbox-vm/ these instructions] to create a VM snapshot. Right-click on {{project_name_gateway_vm}} → Clone qube
# [[#Fresh_Tor_Entry_Guards_by_Regenerating_the_Tor_State_File|Regenerate the Tor State File]].
== Regenerate the Tor State After Saving the Tor State Folder ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = [[Non-Qubes-Whonix|{{non_q_project_name_short}}]] only.
}}
Before arriving at the remote location, the {{project_name_gateway_short}} Tor state folder is moved to the $HOME directory and the Tor state file is regenerated. Perform all the following steps in {{project_name_gateway_short}} konsole.
{{Box|text=
'''1.''' Stop Tor.
{{CodeSelect|code=
sudo systemctl stop tor@default
}}
'''2.''' Move the Tor state folder to the $HOME directory.
{{CodeSelect|code=
sudo mv /var/lib/tor ~/
}}
'''3.''' Restart Tor.
{{CodeSelect|code=
sudo systemctl restart tor@default
}}
}}
Before returning home, the Tor state folder is restored to its original settings.
{{Box|text=
'''1.''' Stop Tor.
{{CodeSelect|code=
sudo systemctl stop tor@default
}}
'''2.''' Remove the temporary Tor state folder.
{{CodeSelect|code=
sudo rm -r /var/lib/tor
}}
'''3.''' Restore the Tor state folder.
{{CodeSelect|code=
sudo mv ~/tor /var/lib
}}
'''4.''' Restart Tor.
{{CodeSelect|code=
sudo systemctl restart tor@default
}}
}}
== Alternating Bridges ==
If [[Bridges|Bridges]] are already configured, alternate bridges are recommended for different locations. If bridges are not being used, consider using entry guards in your primary location and relying on alternate bridges in different locations.
Wording clarification: There is no such thing as "Alternating-Bridges". It's not it's own word. It means "a bridge to alternate". As in "use different bridges".
Complete the following steps in {{project_name_gateway_short}} ({{project_name_gateway_vm}}).
{{Box|text=
'''1.''' {{Disable_Tor}}
'''2.''' Configure Tor to use bridges. Refer to the [[Bridges|Bridges]] documentation.
'''3.''' Enable Tor at the new location.
{{Enable_Tor}}
'''4.''' Before leaving this location, disable Tor. If traveling to a different area, add a different bridge address. To revert to the usual Tor guards used at home, remove the torrc bridge settings before enabling the network or rollback to a VM snapshot created at home.
}}
== Copy Tor Configuration files and Settings to Another {{project_name_gateway_vm}} Instance ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = [[Qubes|{{q_project_name_short}}]] only.
}}
{{mbox
| image = [[File:Ambox_warning_pn.svg.png|40px]]
| text ='''Warning:''' Carefully follow these instructions to avoid unforeseen consequences. If an alternative command is used to remove the Tor state folder, this can result in broken file persistence across reboots. This relates to the [[Qubes|{{q_project_name_short}}]] design, which uses bind-dirs file persistence for the Tor folder and other select directories. At the very least, users would need to mount and then unmount the Tor folder in the same way as bind-dirs does. This is likely a complicated and time-consuming task.
}}
In some circumstances [[Qubes|{{q_project_name_short}}]] users might want to copy the Tor state and custom configuration options from an existing {{project_name_gateway_vm}} ProxyVM to another {{project_name_gateway_vm}} instance. For example, this is useful for testing later {{project_name_short}} releases without aiding deanonymization attempts by advanced adversaries As the same Tor entry guard is used. or when creating an identical backup that does not share any other persistent data, except for Tor state and custom torrc options.
=== Copy Tor State Files to Another {{project_name_gateway_vm}} Instance ===
The following instructions copy the Tor state from {{project_name_gateway_vm}}-old to {{project_name_gateway_vm}}-new.
{{Box|text=
'''1.''' In {{project_name_gateway_vm}}-new, stop Tor.
{{CodeSelect|code=
sudo systemctl stop tor@default
}}
'''2.''' In {{project_name_gateway_vm}}-new, remove the Tor state file.
{{mbox
| image = [[File:Ambox_warning_pn.svg.png|40px]]
| text ='''Warning:''' When removing files take care that extra spaces are not added to the file path! For example, if a space is accidentally placed before the asterisk in the command to remove the Tor state file, the / (root directory) and all system data would be lost.
}}
{{CodeSelect|code=
sudo su
}}
{{CodeSelect|code=
sudo rm /var/lib/tor/*
}}
'''3.''' In {{project_name_gateway_vm}}-old, stop Tor.
{{CodeSelect|code=
sudo systemctl stop tor@default
}}
'''4.''' In {{project_name_gateway_vm}}-old, copy the Tor state file across to {{project_name_gateway_vm}}-new.
{{CodeSelect|code=
sudo qvm-copy /var/lib/tor {{project_name_gateway_vm}}-new
}}
If the following error appears, it can be safely ignored (hit "OK" when prompted).
qfile-agent: Fatal error: stat “VM” (error type: No such file or directory)'''5.''' In
{{project_name_gateway_vm}}-new, list the QubesIncoming directory to ensure the Tor state file was copied over successfully.
{{CodeSelect|code=
ls ~/QubesIncoming/{{project_name_gateway_vm}}-old/tor
}}
The output should include the files below.
cached-certs cached-microdescs lock
cached-microdesc-consensus cached-microdescs.new state
'''6.''' In {{project_name_gateway_vm}}-new, move the newly copied Tor state file to ''/var/lib/tor''
{{CodeSelect|code=
sudo mv ~/QubesIncoming/{{project_name_gateway_vm}}-old/tor/* /var/lib/tor
}}
'''7.''' In {{project_name_gateway_vm}}-new, change ownership of all files in the Tor state folder to debian-tor
{{CodeSelect|code=
sudo chown -R debian-tor:debian-tor /var/lib/tor
}}
'''8.''' In {{project_name_gateway_vm}}-new, start Tor.
{{CodeSelect|code=
sudo systemctl start tor@default
}}
'''9.''' In {{project_name_gateway_vm}}-new, run [https://www.kicksecure.com/wiki/Systemcheck systemcheck] to verify Tor is functioning properly. If Tor fails to start, verify the Tor folder has the proper file permissions with the following command: sudo ls -l /var/lib/tor
{{CodeSelect|code=
whonixcheck
}}
}}
=== Copy Tor Configuration Options (torrc) to Another {{project_name_gateway_vm}} ===
These instructions copy custom Tor configuration options (torrc) from {{project_name_gateway_vm}}-old to {{project_name_gateway_vm}}-new.
{{Box|text=
'''1.''' In {{project_name_gateway_vm}}-old, copy the torrc options across to {{project_name_gateway_vm}}-new. Note: From {{project_name_short}} 14 onward, all unique Tor configurations (torrc) options must be stored in /usr/local/etc/torrc.d/50_user.conf and nowhere else.
{{CodeSelect|code=
qvm-copy /usr/local/etc/torrc.d/50_user.conf {{project_name_gateway_vm}}-new
}}
If the following error appears, it can be safely ignored (hit "OK" when prompted).
qfile-agent: Fatal error: stat “VM” (error type: No such file or directory)
'''2.''' In {{project_name_gateway_vm}}-new, list the QubesIncoming directory to ensure the torrc options were copied over successfully.
{{CodeSelect|code=
cat ~/QubesIncoming/{{project_name_gateway_vm}}-old/50_user.conf
}}
'''3.''' In {{project_name_gateway_vm}}-new, move the 50_user.conf options from the QubesIncoming directory to the 50_user.conf file.
{{CodeSelect|code=
sudo mv ~/QubesIncoming/{{project_name_gateway_vm}}-old/50_user.conf /usr/local/etc/torrc.d/50_user.conf
}}
'''4.''' In {{project_name_gateway_vm}}-new, change ownership of the Tor configuration file.
{{CodeSelect|code=
sudo chown -R root:root /etc/tor
}}
'''5.''' In {{project_name_gateway_vm}}-new, restart Tor so the newly copied Tor config options take effect.
{{CodeSelect|code=
sudo systemctl restart tor@default
}}
'''6.''' In {{project_name_gateway_vm}}-new, run [https://www.kicksecure.com/wiki/Systemcheck systemcheck] to verify Tor is functioning properly. If Tor is not running after restart, it is possible to verify the newly migrated torrc options are valid with the following command: anon-verify. The output should be similar to the following.
{{project_name_gateway_vm}}).
'''1.''' {{Disable_Tor}}
'''2.''' Delete Tor's state file.
{{CodeSelect|code=
sudo rm /var/lib/tor/state
}}
'''3.''' Enable Tor at the new location.
{{Enable_Tor}}
}}
== Configure Non-Persistent Entry Guards ==
Some users might consider configuring non-persistent entry guards so they constantly change. In almost all cases this is inadvisable, because persistent entry guards are a [[#Introduction|critical anonymity feature]]. A far more secure alternative is [[#Alternating Bridges|Alternating Bridges]], although this requires a considerable time investment.
{{project_name_gateway_vm}}).
'''1.''' {{Disable_Tor}}
'''2.''' Modify Tor settings.
{{Open /usr/local/etc/torrc.d/50_user.conf}}
Add.
{{CodeSelect|code=
DataDirectory /var/run/tor
}}
Save.
'''3.''' Enable Tor at the new location.
{{Enable_Tor}}
'''4.''' Before leaving this location, disable Tor and repeat the above steps if traveling to a different area. To revert to the usual guard nodes at home, remove the torrc setting before enabling the network or rollback to a VM snapshot that was created there.
}}