Web security and the Onion Peeled: How Tor can be de-anonymised

Krishna Bahirwani: In an exclusive interview, Maria Garnaeva, security expert in Kaspersky Lab’s Global Research and Analysis team, speaks to Krishna Bahirwani on Tor, its strengths and weaknesses.

What is Tor?

Short for “The Onion Router,” Tor is a free tool that keeps a user’s Web browsing private and anonymous. Beyond those with personal privacy or censorship concerns, Tor has been a valuable tool for those in oppressed parts of the world helping activists and others reach parts of the Internet they otherwise would not be able to. Tor is available as a free download for your PC; it also stands for the Tor network, which is made up of voluntary Tor users worldwide. It’s through this network where Tor users’ Internet traffic is directed in order to conceal the user’s location.

In parts of the world where surveillance is conducted over the Internet or by analyzing network traffic, Tor is an important piece of software to preserve anonymity online.
Tor organizers point to a number of use cases for the software and network, including reaching sites or services online that are blocked by local Internet service providers, keeping sensitive communication anonymous–for example between crisis counselors and patients in the medical community, between journalists and their sources, or non-governmental organization (NGO) volunteers wishing to preserve their anonymity in countries hostile to their cause.

How does it protect your identity while on the Internet?

Creating anonymous resources is possible due to the distributed network of servers called “nodes” or routers that operate on the principle of onion rings (hence its name is The Onion Router). All network traffic (i.e. any information) is encrypted repeatedly as it passes through several network nodes on its way to Tor. In addition, no network node knows either the source of the traffic or the destination or its content. This ensures a high level of anonymity making it impossible to determine who is behind the network activity, i.e. a real person.

How do browsers affect Tor?

There are some known techniques that exploit bad browser configuration which may lead to revealing information about the user. For example, if Flash or Java is enabled in the browser, it may be exploited to establish the victim’s real IP address. However, these and other plug-ins are disabled by default in Tor Browser, and at first sight it leaves no room for exploitation. But there is a different situation with JavaScript: it is enabled by default and is unlikely to be turned off by the majority, as many web sites don’t work properly without JavaScript. Thus, a technique known as user fingerprinting can be used with the help of JavaScript, which may lead to further deanonymization.

For instance, Tor Browser can be identified with the help of the HTML5 canvas measureText() function, which measures the width of a text rendered in canvas. If the resulting font width has a unique value (it is sometimes a floating point value), then we can identify the browser, including Tor Browser.

It should be noted that this is not the only function that can acquire unique values. Another such function is getBoundingClientRect(), which can acquire the height and the width of the text border rectangle.
When the problem of fingerprinting users became known to the community (it is also relevant to Tor Browser users), an appropriate request was created. However, Tor Browser developers are in no haste to patch this drawback in the configuration, stating that blacklisting such functions is ineffective.

Is it possible to monitor users protected by Tor?

Yes it is possible though different methods require different resources and work with different effectiveness. In general, it is not an easy task and the more approaches are implemented by an attacker, the greater the probability of collecting valuable information.

Attacks on the communication channel: If the attacker has access to many nodes in the network, he can carry out traffic analysis using statistical correlation of traffic measurements; thus, he can identify the source of anonymous traffic.

Passive Monitoring: Exit nodes being an end link in traffic decryption operations may become a source that can leak interesting information, for example unencrypted user passwords, usernames and other identifying information.

Active monitoring: Apart from just sniffing traffic on the exit nodes, more severe operations can be performed on them, such as injecting malicious code into binary files being downloaded. In other words, the malicious exit node can conduct a so-called MITM attack.

Browser fingerprinting: The JavaScript code installed on many sites, both internal to Tor and external, can ‘fingerprint’ users. That means that the attacker could, in theory, find out, for instance, sites on which topics are of interest to the user with the unique fingerprint ‘c2c91d5b3c4fecd9109afe0e’, and on which sites that user logs in. As a result, the attacker knows the user’s profile on a web resource, and the user’s surfing history.

What is HTML5 canvas data? How can it be used to identify a user protected by Tor?

HTML5 has brought us not only WebRTC, but also the interesting tag ‘canvas’, which is designed to create bitmap images with the help of JavaScript. This tag has a peculiarity in how it renders images: each web-browser renders images differently depending on various factors, such as:

- Various graphics drivers and hardware components installed on the client’s side;
- Various sets of software in the operating system and various configurations of the software environment.

The parameters of rendered images can uniquely identify a web browser and its software and hardware environment. Based on this peculiarity, a so-called fingerprint can be created. This technique is not new – it is used, for instance, by some online advertising agencies to track users’ interests. However, not all of its methods can be implemented in Tor Browser. For example, supercookies cannot be used in Tor Browser, Flash and Java are disabled by default, and font use is restricted. Some other methods display notifications that may alert the user. However, some loopholes are still open at this moment, with which fingerprinting in Tor can be done without inducing notifications.
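To make the measureText() point above concrete from the defender's side, here is an added example (not code from the interview, Kaspersky or the Tor Project) of a browser shim that instruments CanvasRenderingContext2D.measureText, logs every call, flags a font sweep against a single probe string, and rounds the returned width to whole pixels so a sub-pixel value is no longer unique. It assumes a constructed FakeCanvasContext stand-in so it runs in Node without a DOM; in a real page the guard would be installed on CanvasRenderingContext2D.prototype, and the same pattern applies to getBoundingClientRect().

```javascript
// Constructed stand-in for a browser canvas context: a real engine returns
// sub-pixel floats that depend on the font stack, hinting and GPU driver.
class FakeCanvasContext {
  constructor() { this.font = '10px sans-serif'; }
  measureText(text) {
    let w = this.font.length * 0.013;          // family name nudges the result
    for (const ch of text) w += 5.37 + (ch.charCodeAt(0) % 7) * 0.113;
    return { width: w * parseFloat(this.font) / 10 };
  }
}

// Instrument measureText on a context prototype: every call is recorded with
// the font in use, and the width is quantized to whole CSS pixels on return.
function installMeasureTextGuard(proto, log) {
  const original = proto.measureText;
  proto.measureText = function guardedMeasureText(text) {
    const metrics = original.call(this, text);
    log.push({ font: this.font, text, raw: metrics.width });
    return { ...metrics, width: Math.round(metrics.width) };
  };
  return () => { proto.measureText = original; }; // uninstall hook
}

// Heuristic: layout code measures a few strings in the page font; a font
// enumeration probe measures the same string under many different fonts.
function looksLikeFontProbe(log, threshold = 8) {
  const fontsPerText = new Map();
  for (const e of log) {
    if (!fontsPerText.has(e.text)) fontsPerText.set(e.text, new Set());
    fontsPerText.get(e.text).add(e.font);
  }
  return [...fontsPerText.values()].some(fonts => fonts.size >= threshold);
}

// Exercise the guard with a constructed ten-font sweep of one probe string.
function demo() {
  const log = [];
  const uninstall = installMeasureTextGuard(FakeCanvasContext.prototype, log);
  const ctx = new FakeCanvasContext();
  const families = ['Arial', 'Verdana', 'Tahoma', 'Courier New', 'Georgia',
                    'Impact', 'Calibri', 'Cambria', 'Segoe UI', 'Consolas'];
  const widths = families.map(f => {
    ctx.font = `12px ${f}`;
    return ctx.measureText('mmmmmmmmmmlli').width;
  });
  uninstall();
  return { flagged: looksLikeFontProbe(log), widths, log };
}
```

Rounding trades layout precision for lower entropy, which is the kind of cost that makes a blanket function blacklist unattractive; the threshold in looksLikeFontProbe is a constructed value to tune against real page traffic.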

Are other anonymous networks like I2P vulnerable as well?

Different anonymous networks provide different tools for the users (for example, being only a network layer, as I2P, or also having its own browser, as Tor) and take different approaches to traffic encryption. For example, I2P has a better implementation of encryption, being more resistant to traffic eavesdropping and MITM attacks than is the case with Tor. But still, as the user can use any browser of his own choice, he is still vulnerable to attacks on browsers (Flash, Java, fingerprinting) and, thus, can be identified.