
Deanonymization in Tor web

This presentation introduces the topics of anonymity, data anonymization and de-anonymization, then focuses on possible security and privacy attacks on "The Onion Router" (Tor) web.
The lesson was given on 24/05/2016 for the "Web Security and Privacy 2015/16" course at "La Sapienza" University, Rome.



  1. Deanonymization. Web Security and Privacy course – 2015/2016 – «La Sapienza» University. Presented by: • Alessandro Granato • Emilio Cruciani • Giovanni Colonna • Silvio Biagioni
  2. Deanonymization – The Onion Router. Web Security and Privacy course – 2015/2016 – «La Sapienza» University. Presented by Alessandro Granato. Information: • http://www.slideshare.net/AlessandroGranato/deanonymization-in-tor-web • linkedin.com/in/alessandro-granato-40b03081 • a.granato.89@gmail.com
  3. Introduction. • What is Anonymity? ▫ Colloquial use ▫ Web use • What is Data Anonymization? ▫ Information sanitization ▫ Security ▫ Privacy • What is De-Anonymization? ▫ Cross-reference
  4. Introduction – The Onion Router. • Tor is free software for anonymous communication ▫ Volunteer relays conceal the user's location • Nested "Onion" encryption ▫ Encrypts data, sender IP and receiver IP ▫ Through random circuits ▫ Last relay!
  5. Governments vs Tor. • Monitoring to guarantee safety • Tor abused by cybercrime and terrorists • Monitoring capabilities over anonymizing networks • Connected users: people directly connected to Tor in 2014: 2.5 Mln
  6. Russia vs Tor. • Tender for companies: "Perform research, code 'TOR' (Navy)" • Develop technology to track Tor's users • Reward: 4 Mln rubles (~$111,000)
  7. Spoiled Onions: Exposing Malicious Tor Exit Relays. • Counter-attack to deanonymizers in the Tor network • Philipp Winter, Stefan Lindskog, Karlstad University
  8. Spoiled Onions. • Tor circuits are encrypted tunnels • Exit relays -> open internet -> final destination • Traffic usually lacks end-to-end encryption • Man in the middle by design • Relays run by volunteers! ▫ Innocent ▫ Malicious
  9. Spoiled Onions: The study. • Goal: find malicious exit relays ▫ Develop an exit relay scanner ▫ Design a browser extension patch: fetch and compare suspicious X.509 certificates (X.509 is the standard for a public key infrastructure (PKI) to manage digital certificates) ▫ Probe exit relays for 4 months
  10. Spoiled Onions: ExitMap. • Python-based exit relay scanner • Creates custom circuits to exit relays • Circuits probed by modules ▫ Establish decoy connections • Objective ▫ Provoke exit relays into tampering with these connections ▫ Reveal them! • Stem library ▫ Implements the Tor control port ▫ Initiate/close circuits ▫ Attach streams to circuits
  11. Spoiled Onions: Using ExitMap. • Fetch the network to learn which exit relays are online • Get fed with a set of exit relays ▫ Random permutation • Initiate circuits over exit relays • Invoke the desired probing module, which establishes the decoy connection ▫ __LeaveStreamsUnattached ▫ __DisablePredictedCircuits
  12. Spoiled Onions: Probing modules. • HTTPS module ▫ Fetches the decoy destination's X.509 certificate -> extracts its fingerprint ▫ Compares it to the expected fingerprint (hard-coded inside) ▫ If mismatch -> ALERT! • SSLSTRIP module ▫ Sslstrip attack: rewrites HTTPS answers as HTTP ▫ Silent attack: browsers don't show an alert; you must notice the absence of the TLS indicator (green address bar) ▫ The module verifies whether the expected HTTPS link was «downgraded» to HTTP
  13. Spoiled Onions: Enemies Found! • In 2014: ▫ N = 1000 exit relays ▫ M = 25 malicious exit relays ▫ 2 relays: DNS censorship ▫ 1 relay: misconfigured ▫ All the others: MitM attack
  14. Spoiled Onions: Enemies Found! (cont'd) • Connection with decoy destination • Malicious relays replace the decoy's certificate with their own self-signed version • Certificate is not issued by a trusted authority in Tor's certificate store • Probable Man in the Middle attack! ▫ User redirected to the about:certerror warning page
  15. Spoiled Onions: Enemies Found! (cont'd) • Subset of malicious relays run by the same group of people ▫ Same self-signed certificate ("Main Authority") ▫ Same country (Russia) ▫ Same VPS provider ▫ Same netblock (176.99.0.0/20) ▫ Same old version of Tor ▫ Same destination target: Facebook (social networks are often attacked using MitM)
  16. Spoiled Onions: Extension design. • ExitMap checks the browser event DOMContentLoaded ▫ Fired whenever a document is loaded by the browser • Check the URI to find the «about:certerror» warning page • If found, there is a self-signed certificate • It can be authentic, but not in the Tor certificate store • Refetch the certificate over another circuit • Compare the two fingerprints ▫ If same = authentic ▫ If not same = MitM attack
  17. Spoiled Onions: Extension design (cont'd) • If Man in the Middle attack: ▫ Show a warning pop-up ▫ User can send info about the case
  18. Spoiled Onions: Conclusion. • In 2014 there were ~1000 Tor exit relays • Researchers developed a scanner to monitor exit relays for 4 months • M = 25 malicious exit relays discovered • The majority of MitM attacks were coordinated • To avoid user deanonymization ▫ Developed ExitMap ▫ Developed a set of patches for Tor Browser capable of fetching self-signed certificates to evaluate their trustworthiness and advise the user
  19. Useful links. • Slideshare: http://www.slideshare.net/AlessandroGranato/deanonymization-in-tor-web • Infosec: http://resources.infosecinstitute.com/hacking-tor-online-anonymity/ • Spoiled Onions paper: http://www.cs.kau.se/philwint/spoiled_onions/techreport.pdf
  20. Thank you! Questions? Deanonymization – The Onion Router. Web Security and Privacy course – 2015/2016 – «La Sapienza» University
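The three checks described on slides 12 and 16 (the HTTPS module's fingerprint comparison, the SSLSTRIP module's downgrade check, and the browser extension's re-fetch over a second circuit), written out as an added example. This is not ExitMap's or the Spoiled Onions authors' code: it runs offline on constructed data, the "DER" byte strings and decoy URLs are made up, no Tor circuit or Stem call is involved, and the colon-separated SHA-1 fingerprint format is an assumption (the slides do not say which hash ExitMap uses).

```python
"""Added example (not ExitMap's code): the three detection checks the slides
describe, run offline against constructed inputs.

1. HTTPS module: fingerprint the certificate seen through an exit relay and
   compare it to a hard-coded expected fingerprint.
2. SSLSTRIP module: detect whether links that should be HTTPS came back as HTTP.
3. Browser-extension logic: after an about:certerror page, re-fetch the
   certificate over a second circuit and compare the two fingerprints.
"""
import hashlib
import re

# Constructed stand-in for the DER-encoded certificate the decoy destination
# really serves (real ExitMap fetches the live certificate over a Tor circuit).
GENUINE_DER = b"\x30\x82\x01\x00constructed-genuine-decoy-certificate"
# Constructed stand-in for a tampering relay's self-signed replacement.
SELF_SIGNED_DER = b"\x30\x82\x01\x00constructed-self-signed-mitm-certificate"


def fingerprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, colon-separated as OpenSSL prints it (assumed format)."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Expected fingerprint, hard-coded the way the slides say the HTTPS module does it.
EXPECTED_FINGERPRINT = fingerprint(GENUINE_DER)


def https_check(observed_der: bytes, expected: str = EXPECTED_FINGERPRINT) -> dict:
    """HTTPS module: alert when the fingerprint seen via the exit relay differs."""
    observed = fingerprint(observed_der)
    return {"alert": observed != expected, "observed": observed, "expected": expected}


HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def sslstrip_check(expected_https_links: set, page_html: str) -> list:
    """SSLSTRIP module: return the expected HTTPS links that came back as plain HTTP."""
    seen = set(HREF_RE.findall(page_html))
    downgraded = []
    for link in expected_https_links:
        stripped = "http://" + link[len("https://"):]
        if link not in seen and stripped in seen:
            downgraded.append(link)
    return sorted(downgraded)


def cross_circuit_check(der_first_circuit: bytes, der_second_circuit: bytes) -> str:
    """Extension logic: same fingerprint on both circuits means the self-signed
    certificate is authentic (merely absent from the store); a different one
    means the first exit relay substituted it (MitM suspected)."""
    if fingerprint(der_first_circuit) == fingerprint(der_second_circuit):
        return "authentic-self-signed"
    return "mitm-suspected"


# Constructed decoy responses: the honest one keeps its HTTPS link, the other
# has had the link rewritten to HTTP the way sslstrip does.
HONEST_PAGE = '<a href="https://decoy.example/login">login</a>'
STRIPPED_PAGE = '<a href="http://decoy.example/login">login</a>'
EXPECTED_LINKS = {"https://decoy.example/login"}

if __name__ == "__main__":
    print(https_check(GENUINE_DER))          # alert: False
    print(https_check(SELF_SIGNED_DER))      # alert: True
    print(sslstrip_check(EXPECTED_LINKS, HONEST_PAGE))    # []
    print(sslstrip_check(EXPECTED_LINKS, STRIPPED_PAGE))  # the downgraded link
    print(cross_circuit_check(SELF_SIGNED_DER, SELF_SIGNED_DER))  # authentic-self-signed
    print(cross_circuit_check(SELF_SIGNED_DER, GENUINE_DER))      # mitm-suspected
```

The cross-circuit comparison is what keeps the extension from flagging every self-signed site as an attack: a certificate that is self-signed but identical from two independent exits is the site's own, while one that changes with the exit relay points at the relay.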
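Slide 15 explains that a subset of the malicious relays shared a self-signed certificate, a netblock, a Tor version and a target, which is what marked them as one coordinated group. The following added example (not code from the study) groups flagged relay records by those shared attributes; the relay records, certificate labels, IP addresses and version strings are constructed, and only the netblock 176.99.0.0/20 comes from the slides.

```python
"""Added example: cluster flagged exit relays by the attributes the slides say
the coordinated relays had in common. All records below are constructed."""
import ipaddress
from collections import defaultdict

# Constructed records for relays that a scanner run has flagged. RELAY-E stands
# for a DNS-censoring relay that presented no certificate at all.
FLAGGED_RELAYS = [
    {"relay": "RELAY-A", "ip": "176.99.3.10", "cert": "CERT-X", "tor_version": "0.2.3.25", "target": "facebook"},
    {"relay": "RELAY-B", "ip": "176.99.9.77", "cert": "CERT-X", "tor_version": "0.2.3.25", "target": "facebook"},
    {"relay": "RELAY-C", "ip": "176.99.12.4", "cert": "CERT-X", "tor_version": "0.2.3.25", "target": "facebook"},
    {"relay": "RELAY-D", "ip": "203.0.113.5", "cert": "CERT-Y", "tor_version": "0.2.5.10", "target": "mail"},
    {"relay": "RELAY-E", "ip": "198.51.100.9", "cert": None, "tor_version": "0.2.5.10", "target": None},
]

# Netblock named on the slides.
SHARED_NETBLOCK = ipaddress.ip_network("176.99.0.0/20")


def netblock_of(ip: str, prefix: int = 20) -> str:
    """Normalize an address to its /20 so relays in one block share a key."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def in_shared_netblock(ip: str) -> bool:
    return ipaddress.ip_address(ip) in SHARED_NETBLOCK


def cluster_relays(relays: list) -> dict:
    """Group relays on (certificate, /20 netblock, Tor version, target) and keep
    only groups with more than one member, i.e. likely one operator."""
    groups = defaultdict(list)
    for r in relays:
        if r["cert"] is None:
            continue  # no substituted certificate -> nothing to cluster on
        key = (r["cert"], netblock_of(r["ip"]), r["tor_version"], r["target"])
        groups[key].append(r["relay"])
    return {key: members for key, members in groups.items() if len(members) > 1}


if __name__ == "__main__":
    for key, members in cluster_relays(FLAGGED_RELAYS).items():
        print(key, "->", members)
```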
