Short Bytes: Traffic fingerprinting is a technique for identifying web traffic by analysing the flow pattern of its data packets, without removing the encryption. It has recently been used successfully to break the layers of anonymity of Tor network users and hidden services.
Just a few days ago we read about the Tor Honeypot that could be used to set up a trap to capture a Tor user’s identity. Today, we are telling you about research by MIT and QCRI researchers that outlines vulnerabilities in Tor’s design. Before going into the details, let me explain how Tor works, since traffic fingerprinting builds on it.
How Tor works and why it’s called “The Onion Router”
A Tor network consists of many Tor-installed computers connected to the Internet. Each time a Tor user makes a request to visit a website like fossBytes, his/her computer encloses this web request in multiple encryption layers and forwards it to a computer (called the guard) that is part of the Tor network. This selection is totally random, and the user’s request could be forwarded to any computer on the network. The guard computer then peels off the top layer of encryption and passes the request to another random computer, and so on. When the wrapped request reaches the last computer, the final encryption layer is peeled off.
The multiple layers of encryption resemble the layers of an onion, which is why Tor is an acronym for “The Onion Router.”
The Tor network also provides “hidden services” that protect the anonymity of the destination site as well. These websites are configured to accept only traffic coming through the Tor network. The host’s computer designates Tor routers as “introduction points”, through which people reach the hidden website’s content.
If a person wants to browse a hidden service, a “Tor circuit” is created: the user’s computer and the host’s computer each build a Tor-secured link to the introduction point, and these links form the circuit. Through it, the two sides pick another router and build a further circuit to it. This router is called the rendezvous point, and once again its location is anonymous.
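To make the layering concrete, here is an added toy model of the onion described above. It is illustrative code written for this article, not Tor’s own protocol or code: it assumes each relay already shares a fixed 32-byte key with the client, uses a SHA-256 based keystream with an HMAC tag in place of Tor’s real cell encryption, and uses the next hop’s name as the only routing header. What it demonstrates is the property the text relies on: each relay can strip exactly one layer, learns only the next hop, and is left with an opaque blob it cannot read.

```python
import hashlib
import hmac
import os

# Toy onion routing. Assumptions (not Tor's real protocol): each relay shares a
# fixed 32-byte key with the client, the per-layer cipher is a SHA-256 keystream
# with an HMAC tag, and the routing header is just the next hop's name.
NONCE_LEN = 16
TAG_LEN = 32
DESTINATION = b"DESTINATION"  # marker the last relay sees instead of a relay name


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key || nonce || counter through SHA-256 into `length` keystream bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag and strip one layer; a wrong key fails the tag check."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer tag mismatch: wrong key or tampered onion")
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def build_onion(path, request: bytes) -> bytes:
    """Wrap `request` once per hop, innermost first, so the guard's layer ends up outermost.

    `path` is a list of (relay_name, relay_key) from the guard to the last relay.
    Each layer's plaintext is: 1-byte length of next-hop name || name || inner blob.
    """
    inner = request
    next_hop = DESTINATION
    for name, key in reversed(path):
        inner = seal(key, bytes([len(next_hop)]) + next_hop + inner)
        next_hop = name
    return inner


def peel(key: bytes, onion: bytes):
    """One relay's work: strip its own layer, learning only the next hop and an opaque blob."""
    inner = unseal(key, onion)
    name_len = inner[0]
    return inner[1:1 + name_len], inner[1 + name_len:]


def route(path, onion: bytes):
    """Simulate the relays in `path` peeling one layer each.

    Returns ([(relay_name, next_hop_it_learned), ...], plaintext the last relay forwards).
    """
    trace = []
    blob = onion
    for name, key in path:
        next_hop, blob = peel(key, blob)
        trace.append((name, next_hop))
    return trace, blob


if __name__ == "__main__":
    # Constructed demo keys; a real client would negotiate these with each relay.
    demo_path = [(b"guard", b"g" * 32), (b"middle", b"m" * 32), (b"exit", b"e" * 32)]
    req = b"GET / HTTP/1.1\r\nHost: fossbytes.com\r\n\r\n"
    onion = build_onion(demo_path, req)
    trace, delivered = route(demo_path, onion)
    for relay, nxt in trace:
        print(f"{relay.decode()} learned next hop = {nxt.decode()}")
    print("last relay forwards:", delivered)
```

Note the point the fingerprinting research exploits: the guard in this model cannot read the request, but it still sees how many blobs pass in each direction, which is all that traffic fingerprinting needs.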
What is traffic fingerprinting and how is it used to attack Tor network?
What is traffic fingerprinting? Basic website traffic fingerprinting means recognising web traffic by analysing the patterns, the responses, and the packets sent and received in each direction, all of this despite the use of encryption or anonymity.
How is it used to attack the Tor network? Traffic fingerprinting in Tor requires the attacker’s computer to act as the guard on a Tor circuit. If an attacker manages to connect many machines to the Tor network, there are good odds that, on some occasion, one of the attacker’s computers will be in the right place at the right time to sniff the traffic.
When a Tor circuit is established, the systems on the Tor network exchange a large amount of data. MIT News writes: “By looking for patterns in the number of packets passing in each direction through a guard, machine-learning algorithms could, with 99% accuracy, determine whether the circuit was an ordinary Web-browsing circuit, an introduction-point circuit, or a rendezvous-point circuit.” To achieve this, breaking Tor’s encryption wasn’t necessary.
Similarly, from a Tor-enabled computer, traffic analysis could identify hidden services with 88% accuracy. So, if the attacker is lucky enough to serve as a user’s guard, he/she can tell which sites the user accessed.
How to defend against traffic fingerprinting in Tor network?
The researchers recommend masking the packet sequences so that they all look identical: in practice, sending dummy data packets so that the different kinds of circuit look the same.
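The following added example, written for this article rather than taken from the researchers or the Tor Project, shows why that countermeasure works. It uses three constructed direction sequences (toy shapes, not measured Tor traffic) standing in for the three circuit types, reduces each to the crude per-direction packet counts that the quoted research builds on, and then applies client-side padding that forces the first few cells of every circuit into one fixed alternating out/in template. The window size, the template and the sample shapes are all assumptions made for the demonstration; the real study used a trained classifier over richer features.

```python
# Direction-only view of a circuit, as a guard sees it: no payloads, just which way each cell goes.
OUT, IN = "out", "in"

# Constructed toy direction sequences for three circuit types (not measured Tor traffic).
# They only need to differ in shape, as the research reports real circuits do.
SAMPLES = {
    "web-browsing": [OUT, OUT, IN, IN, IN, IN, IN, IN, OUT, IN, IN, IN],
    "introduction-point": [OUT, IN, OUT, IN],
    "rendezvous-point": [OUT, OUT, OUT, IN, OUT, IN, IN],
}

WINDOW = 12  # assumed number of leading cells a guard inspects


def fingerprint(directions, window=WINDOW):
    """Crude feature tuple over the first `window` cells: (#outgoing, #incoming, exact pattern).

    Counts per direction are the core signal the quoted research describes; a real
    classifier would add more features, but the padding argument is the same.
    """
    head = tuple(directions[:window])
    return (head.count(OUT), head.count(IN), head)


def pad_to_template(directions, window=WINDOW):
    """Client-side padding: force the first `window` cells into a fixed alternating out/in template.

    A real cell is sent when the template slot matches its direction; otherwise a dummy
    cell fills the slot and the real cell waits, so real cells keep their relative order.
    Cells beyond the template follow unchanged. Returns [(kind, direction), ...] with
    kind being "real" or "dummy".
    """
    queue = list(directions)
    padded = []
    for i in range(window):
        want = OUT if i % 2 == 0 else IN
        if queue and queue[0] == want:
            padded.append(("real", queue.pop(0)))
        else:
            padded.append(("dummy", want))
    padded.extend(("real", d) for d in queue)
    return padded


def wire_view(padded):
    """What the guard observes: directions only, dummies indistinguishable from real cells."""
    return [d for _, d in padded]


def dummy_count(padded):
    """Bandwidth cost of the padding for one circuit."""
    return sum(1 for kind, _ in padded if kind == "dummy")


def distinct_fingerprints(samples, pad=False):
    """How many circuit types a guard can still tell apart by fingerprint."""
    fps = set()
    for seq in samples.values():
        view = wire_view(pad_to_template(seq)) if pad else seq
        fps.add(fingerprint(view))
    return len(fps)


if __name__ == "__main__":
    print("distinct fingerprints without padding:", distinct_fingerprints(SAMPLES))
    print("distinct fingerprints with padding:   ", distinct_fingerprints(SAMPLES, pad=True))
    for name, seq in SAMPLES.items():
        print(f"{name}: {dummy_count(pad_to_template(seq))} dummy cells added")
```

Two things the output makes visible that the paragraph alone does not: the padding collapses all three fingerprints into one only because the dummy cells are indistinguishable on the wire from real ones, and it is not free, since sparse circuits such as the introduction-point one pay for almost the whole template in dummy cells while real cells that do not match the template slot are delayed. That cost is part of why the Tor Project quoted below wants more proof before adopting it.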
“We are considering their countermeasures as a potential improvement to the hidden service,” they add. “But we think we need more concrete proof that it definitely fixes the issue.”
Traffic fingerprinting in the Tor network isn’t something that can be done over a period of a few days: an attacker must spend a long time collecting data and digging deeper into the network.