From b2c0823d8f16a4f8452b6d6da14296950cb5ab81 Mon Sep 17 00:00:00 2001 From: Mike Perry Date: Tue, 18 Jul 2023 00:32:53 +0000 Subject: Proposal #344: Prioritizing Protocol Information Leaks in Tor --- proposals/344-protocol-info-leaks.txt | 1186 +++++++++++++++++++++++++++++++++ 1 file changed, 1186 insertions(+) create mode 100644 proposals/344-protocol-info-leaks.txt diff --git a/proposals/344-protocol-info-leaks.txt b/proposals/344-protocol-info-leaks.txt new file mode 100644 index 0000000..b967b51 --- /dev/null +++ b/proposals/344-protocol-info-leaks.txt @@ -0,0 +1,1186 @@ +Filename: 344-protocol-info-leaks.txt +Title: Prioritizing Protocol Information Leaks in Tor +Author: Mike Perry +Created: 2023-07-17 +Purpose: Normative +Status: Draft + + +0. Introduction + +Tor's protocol has numerous forms of information leaks, ranging from highly +severe covert channels, to behavioral issues that have been useful +in performing other attacks, to traffic analysis concerns. + +Historically, we have had difficulty determining the severity of these +information leaks when they are considered in isolation. At a high level, many +information leaks look similar, and all seem to be forms of traffic analysis, +which is regarded as a difficult attack to perform due to Tor's distributed +trust properties. + +However, some information leaks are indeed more severe than others: some can +be used to remove Tor's distributed trust properties by providing a covert +channel and using it to ensure that only colluding and communicating relays +are present in a path, thus deanonymizing users. Some do not provide this +capability, but can be combined with other info leak vectors to quickly yield +Guard Discovery, and some only become dangerous once Guard Discovery or other +anonymity set reduction is already achieved. + +By prioritizing information leak vectors by their co-factors, impact, and +resulting consequences, we can see that these attack vectors are not all +equivalent. Each vector of information leak also has a common solution, and +some categories even share the same solution as other categories. + +This framework is essential for understanding the context in which we will be +addressing information leaks, so that decisions and fixes can be understood +properly. This framework is also essential for recognizing when new protocol +changes might introduce information leaks or not, for gauging the severity of +such information leaks, and for knowing what to do about them. + +Hence, we are including it in tor-spec, as a living, normative document to be +updated with experience, and as external research progresses. + +It is essential reading material for any developers working on new Tor +implementations, be they Arti, Arti-relay, or a third party implementation. + +This document is likely also useful to developers of Tor-like anonymity +systems, of which there are now several, such as I2P, MASQUE, and Oxen. They +definitely share at least some, and possibly even many of these issues. + +Readers who are relatively new to anonymity literature may wish to first +consult the Glossary in Section 3, especially if terms such as Covert Channel, +Path Bias, Guard Discovery, and False Positive/False Negative are unfamiliar +or hazy. There is also a catalog of historical real-world attacks that are +known to have been performed against Tor in Section 2, to help illustrate how +information leaks have been used adversarially, in practice. + +We are interested in hearing from journalists and legal organizations who +learn about court proceedings involving Tor. We became aware of three +instances of real-world attacks covered in Section 2 in this way. Parallel +construction (hiding the true source of evidence by inventing an alternate +story for the court -- also known as lying) is a possibility in the US and +elsewhere, but (so far) we are not aware of any direct evidence of this +occurring with respect to Tor cases. Still, keep your eyes peeled... + + +0.1. Table of Contents + + 1. Info Leak Vectors + 1.1. Highly Severe Covert Channel Vectors + 1.1.1. Cryptographic Tagging + 1.1.2. End-to-end cell header manipulation + 1.1.3. Dropped cells + 1.2. Info Leaks that enable other attacks + 1.2.1. Handshakes with unique traffic patterns + 1.2.2. Adversary-Induced Circuit Creation + 1.2.3. Relay Bandwidth Lying + 1.2.4. Metrics Leakage + 1.2.5. Protocol Oracles + 1.3. Info Leaks of Research Concern + 1.3.1. Netflow Activity + 1.3.2. Active Traffic Manipulation Covert Channels + 1.3.3. Passive Application-Layer Traffic Patterns + 1.3.4. Protocol or Application Linkability + 1.3.5. Latency Measurement + 2. Attack Examples + 2.1. CMU Tagging Attack + 2.2. Guard Discovery Attacks with Netflow Deanonymization + 2.3. Netflow Anonymity Set Reduction + 2.4. Application Layer Confirmation + 3. Glossary + + +1. Info Leak Vectors + +In this section, we enumerate the vectors of protocol-based information leak +in Tor, in order of highest priority first. We separate these vectors into +three categories: "Highly Severe Covert Channels", "Info Leaks that Enable +other attacks", and "Info Leaks Of Research Concern". The first category +yields deanonymization attacks on their own. The second category enables other +attacks that can lead to deanonymization. The final category can be aided by +the earlier vectors to become more severe, but overall severity is a +combination of many factors, and requires further research to illuminate all +of these factors. + +For each vector, we provide a brief "at-a-glance" summary, which includes a +ballpark estimate of Accuracy in terms of False Positives (FP) and False +Negatives (FN), as 0, near-zero, low, medium, or high. We then list what is +required to make use of the info leak, the impact, the reason for the +prioritization, and some details on where the signal is injected and observed. + + +1.1. Highly Severe Covert Channel Vectors + +This category of info leak consists entirely of covert channel vectors that +have zero or near-zero false positive and false negative rates, because they +can inject a covert channel in places where similar activity would not happen, +and they are end-to-end. + +They also either provide or enable path bias attacks that can capture +the route clients use, to ensure that only malicious exits are used, leading +to full deanonymization when the requirements are met. + +If the adversary has censorship capability, and can ensure that users only +connect to compromised Guards (or Bridges), they can fully deanonymize all +users with these covert channels. + + +1.1.1. Cryptographic Tagging + +At a glance: + Accuracy: FP=0, FN=0 + Requires: Malicious or compromised Guard, at least one exit + Impact: Full deanonymization (path bias, identifier transmission) + Path Bias: Automatic route capture (all non-deanonymized circuits fail) + Reason for prioritization: Severity of Impact; similar attacks used in wild + Signal is: Modified cell contents + Signal is injected: by guard + Signal is observed: by exit + +First reported at Black Hat in 2009 (see [ONECELL]), and elaborated further +with the path bias amplification attack in 2012 by some Raccoons (see +[RACCOON23]), this is the most severe vector of covert channel attack in Tor. + +Cryptographic tagging is where an adversary who controls a Guard (or Bridge) +XORs an identifier, such as an IP address, directly into the circuit's +cipher-stream, in an area of known-plaintext. This tag can be exactly +recovered by a colluding exit relay, ensuring zero false positives and zero +false negatives for this built-in identifier transmission, along with their +collusion signal. + +Additionally, because every circuit that does not have a colluding relay will +automatically fail because of the failed digest validation, the adversary gets +a free path bias amplification attack, such that their relay only actually +carries traffic that they know they have successfully deanonymized. Because +clients will continually attempt to re-build such circuits through the guard +until they hit a compromised exit and succeed, this violates Tor's distributed +trust assumption, reducing it to the same security level as a one-hop proxy +(ie: the security of fully trusting the Guard relay). Worse still, when the +adversary has full censorship control over all connections into the Tor +network, Tor provides zero anonymity or privacy against them, when they also +use this vector. + +Because the Exit is able to close *all* circuits that are not deanonymized, +for maximal efficiency, the adversary's Guard capacity should exactly match +their Exit capacity. To make up for the loss of traffic caused by closing many +circuits, relays can lie about their bandwidth (see Section 1.2.3). + +Large amounts of circuit failure (that might be evidence of such an attack) +are tracked and reported by C-Tor in the logs, by the path bias detector, but +when the Guard is under DDoS, or even heavy load, this can yield false alarms. +These false alarms happened frequently during the network-wide DDoS of +2022-2023. They can also be induced at arbitrary Guards via DoS, to make users +suspicious of their Guards for no reason. + +The path bias detector could have a second layer in Arti, that checks to see +if any specific Exits are overused when the circuit failure rate is high. This +would be more indicative of an attack, but could still go off if the user is +actually trying to use rare exits (ie: country selection, bittorrent). + +This attack, and path bias attacks that are used in the next two sections, do +have some minor engineering barriers when being performed against both onion +and exit traffic, because the onion service traffic is restricted to +particular hops in the case of HSDIR and intro point circuits. However, +because pre-built circuits are used to access HSDIR and intro points, the +adversary can use their covert channel such that only exits and pre-built +onion service circuits are allowed to proceed. Onion services are harder to +deanonymize in this way, because the HSDIR choice itself can't be controlled +by them, but they can still be connected to using pre-built circuits until the +adversary also ends up in the HSDIR position, for deanonymization. + +Solution: Path Bias Exit Usage Counter; + Counter Galois Onion (CGO) (Forthcoming update to Prop#308). +Status: Unfixed (Current PathBias detector is error-prone under DDoS) +Funding: CGO explicitly funded via Sponsor 112 + + +1.1.2. End-to-end cell header manipulation + +At a glance: + Accuracy: FP=0, FN=0 + Requires: Malicious or compromised Guard, at least one exit + Impact: Full deanonymization (path bias, identifier transmission) + Path Bias: Full route capture is trivial + Reason for prioritization: Severity of Impact; used in the wild + Signal is: Modified cell commands. + Signal is injected: By either guard or exit/HSDIR + Signal is observed: By either guard or exit/HSDIR + +The Tor protocol consists of both cell header commands, and relay header +commands. Cell commands are not encrypted by circuit-level encryption, so they +are visible and modifiable by every relay in the path. Relay header commands +are encrypted, and not visible to every hop in the path. + +Not all cell commands are forwarded end-to-end. Currently, these are limited +to RELAY, RELAY_EARLY, and DESTROY. Because of the attack described here, +great care must be taken when adding new end-to-end cell commands, even if +they are protected by a MAC. + +Previously, a group of researchers at CMU used this property to modify the +cell command header of cells on circuits, to switch between RELAY_EARLY and +RELAY at exits and HSDIRs (see [RELAY_EARLY]). This creates a visible bit in +each cell, that can signal collusion, or with enough cells, can encode an +identifier such as an IP address. They assisted the FBI, to use this attack in +the wild to deanonymize clients. + +We addressed the CMU attack by closing the circuit upon receiving an "inbound" +(towards the client) RELAY_EARLY command cell, and by limiting the number of +"outbound" (towards the exit) RELAY_EARLY command cells at relays, and by +requiring the use of RELAY_EARLY for EXTEND (onionskin) relay commands. This +defense is not generalized, though. Guards may still use this specific covert +channel to send around 3-5 bits of information after the extend handshake, +without killing the circuit. It is possible to use the remaining outbound +vector to assist in path bias attacks for dropped cells, as a collusion signal +to reduce the amount of non-compromised traffic that malicious exits must +carry (see the following Section 1.1.3). + +If this covert channel is not addressed, it is trivial for a Guard and Exit +relays to close every circuit that does not display this covert channel, +providing path bias amplification attack and distributed trust reduction, +similar to cryptographic tagging attacks. Because the inbound direction *is* +addressed, we believe this kind of path bias is currently not possible with +this vector by itself (thus also requiring the vector from Section 1.1.3), but +it could easily become possible if this defense is forgotten, or if a new +end-to-end cell type is introduced. + +While more cumbersome than cryptographic tagging attacks, in practice this +attack is just as successful, if these cell command types are not restricted +and limited. It is somewhat surprising that the FBI used this attack before +cryptographic tagging, but perhaps that was just a lucky coincidence of +opportunity. + +Solution: CGO (Updated version of Prop#308) covers cell commands in the MAC; + Any future end-to-end cell commands must still limit usage +Status: Fix specific to CMU attack; Outbound direction is unfixed +Funding: Arti and relay-side fixes are explicitly funded via Sponsor 112 + + +1.1.3. Dropped cells + +At a glance: + Accuracy: FP=0, FN=0 + Requires: Malicious Guard or Netflow data (if high volume), one exit + Impact: Full deanonymization (path bias amplification, collusion signal) + Path Bias: Full route capture is trivial + Reason for prioritization: Severity of Impact; similar attacks used in wild + Signal is: Unusual patterns in number of cells received + Signal is injected: By exit or HSDIR + Signal is observed: at guard or client<->guard connection. + +Dropped cells are cells that a relay can inject that end up ignored and +discarded by a Tor client. These include: + - Unparsable cells + - Unrecognized cells (ie: wrong source hop, or decrypt failures) + - invalid relay commands + - unsupported (or consensus-disabled) relay commands or extensions + - out-of-context relay commands + - duplicate relay commands + - relay commands that hit any error codepaths + - relay commands for an invalid or already-closed stream ID + - semantically void relay cells (incl relay data len == 0, or PING) + - onion descriptor-appended junk + +This attack works by injecting inbound RELAY cells at the exit or at a middle +relay, and then observing anomalous traffic patterns at the guard or at the +client->guard connection. + +The severity of this covert channel is extreme (zero false positives; zero +false negatives) when they are injected in cases where the circuit is +otherwise known to be silent, because of the protocol state machine. These +cases include: + - Immediately following an onionskin response + - During other protocol handshakes (onion services, conflux) + - Following relay CONNECTED or RESOLVED (not as severe - no path bias) + +Because of the stateful and deterministic nature of the Tor protocol, +especially handshakes, it is easy to accurately recognize these specific cases +even when observing only encrypted circuit traffic at the Guard relay (see +[DROPMARK]). + +Because this covert channel is most accurate before actual circuit use, when +the circuit is expected to be otherwise silent, it is trivial for a Guard +relay to close every circuit that does not display this covert channel, +providing path bias amplification attack and distributed trust reduction, +similar to cryptographic tagging attacks and end-to-end cell header +manipulation. This ability to use the collusion signal to perform path bias +before circuit use differentiates dropped cells within the Tor Protocol from +deadweight traffic during application usage (such as javascript requests for +404 URLs, covered in Section 1.3.2). + +This category is not quite as severe as these previous two categories by +itself, for two main reasons. However, it is also the case that due to other +factors, these reasons may not matter in practice. + +First, the Exit can't use this covert channel to close circuits that are not +deanonymized by a colluding Guard, since there is no covert channel from the +Guard to the Exit with this vector alone. Thus, unlike cryptographic tagging, +the adversary's Exits will still carry non-deanonymized traffic from +non-adversary Guards, and thus the adversary needs more Exit capacity than +Guard capacity. These kinds of more subtle trade-offs with respect to path +bias are covered in [DOSSECURITY]. However, note that this issue can be fixed +by using the previous RELAY_EARLY covert channel from the Guard to the Exit +(since this direction is unfixed). This allows the adversary to confirm +receipt of the dropped cell covert channel, allowing both the Guard and the +Exit to close all non-confirmed circuits, and thus ensure that they only need +to allocate equal amounts of compromised Guard and Exit traffic, to monitor +all Tor traffic. + +Second, encoding a full unique identifier in this covert channel is +non-trivial. A significant amount of injected traffic must be sent to exchange +more than a simple collusion signal, to link circuits when attacking a large +number of users. In practice, this likely means some amount of correlation, +and a resulting (but very small) statistical error. + +Obviously, the actual practical consequences of these two limitations are +questionable, so this covert channel is still regarded as "Highly Severe". It +can still result in full deanonymization of all Tor traffic by an adversary +with censorship capability, with very little error. + +Solution: Forthcoming dropped-cell proposal +Status: Fixed with vanguards addon; Unfixed otherwise +Funding: Arti and relay-side fixes are explicitly funded via Sponsor 112 + + +1.2. Info Leaks that enable other attacks + +These info leaks are less severe than the first group, as they do not yield +full covert channels, but they do enable other attacks, including guard +discovery and eventual netflow deanonymization, and website traffic +fingerprinting. + + +1.2.1. Handshakes with unique traffic patterns + +At a glance: + Accuracy: FP=near-zero, FN=near-zero + Requires: Compromised Guard + Impact: Anonymity Set Reduction and Oracle; assists in Guard Discovery + Path Bias: Full route capture is difficult (high failure rate) + Reason for Prioritization: Increases severity of vectors 1.2.2 and 1.3.3 + Signal is: Caused by client's behavior. + Signal is observed: At guard + Signal is: Unique cell patterns + +Certain aspects of Tor's handshakes are very unique and easy to fingerprint, +based only on observed traffic timing and volume patterns. In particular, the +onion client and onion service handshake activity is fingerprintable with +near-zero false negatives and near-zero false positive rates, as per +[ONIONPRINT]. The conflux link handshake is also unique (and thus accurately +recognizable), because it is our only 3-way handshake. + +This info leak is very accurate. However, the impact is much lower than that +of covert channels, because by itself, it can only tell if a particular Tor +protocol, behavior, or feature is in use. + +Additionally, Tor's distributed trust properties remain in-tact, because there +is no collusion signal built in to this info leak. When a path bias attack +is mounted to close circuits during circuit handshake construction without a +collusion signal to the Exit, it must proceed hop-by-hop. Guards must close +circuits that do not extend to colluding middles, and those colluding middles +must close circuits that don't extend to colluding exits. This means that the +adversary must control some relays in each position, and has a substantially +higher circuit failure rate while directing circuits to each of these relays +in a path. + +To put this into perspective, an adversary using a collusion signal with 10% +of Exits expects to fail 9 circuits before detecting their signal at a +colluding exit and allowing a circuit to succeed. However, an adversary +without a collusion signal and 10% of all relays expects to fail 9 circuits +before getting a circuit to their middle, but then expects 9 of *those* +circuits to fail before reaching an Exit, for 81 circuit failures for every +successful circuit. + +Published attacks have built upon this info leak, though. + +In particular, certain error conditions, such as returning a single +"404"-containing relay cell for an unknown onion service descriptor, are +uniquely recognizable. This fingerprint was used in the [ONIONFOUND] guard +discovery attack, and they provide a measurement of its uniqueness. + +Additionally, onion client fingerprintability can be used to vastly reduce the +set of website traffic traces that need to be considered for website traffic +fingerprinting (see Section 1.3.3), making that attack realistic and +practical. Effectively, it functions as a kind of oracle in this case (see +Glossary, and [ORACLES]). + +Solution: Padding machines at middles for protocol handshakes (as per [PCP]); + Pathbias-lite. +Status: Padding machines deployed for onion clients, but have weaknesses + against DF and stateful cross-circuit fingerprints +Funding: Not explicitly funded + + +1.2.2. Adversary-Induced Circuit Creation + +At a glance: + Accuracy: FP=high, FN=high + Requires: Onion service activity, or malicious exit + Impact: Guard discovery + Path Bias: Repeated circuits eventually provide the desired path + Reason for Prioritization: Enables Guard Discovery + Signal is: Inducing a client to make a new Tor circuit + Signal is injected: by application layer, client, or malicious relay + Signal is observed: At middle + +By itself, the ability for an adversary to cause a client to create circuits +is not a covert channel or arguably even an info leak. Circuit creation, even +bursts of frequent circuit creation, is commonplace on the Tor network. + +However, when this activity is combined with a covert channel from Section +1.1, with a unique handshake from Section 1.2.1, or with active traffic +manipulation (Section 1.3.2), then it leads to Guard Discovery, by allowing +the adversary to recognize when they are chosen for the Middle position, and +thus learn the Guard. Once Guard Discovery is achieved, netflow analysis of +the Guard's connections can be used to perform intersection attacks and +eventually determine the client IP address (see Section 1.3.1). + +Large quantities of circuit creation can be induced by: + - Many connections to an Onion Service + - Causing a client to make connections to many onion service addresses + - Application connection to ports in rare exit policies, followed by circuit + close at Exit + - Repeated Conflux leg failures + +In Tor 0.4.7 and later, onion services are protected from this activity via +Vanguards-Lite (Proposal #333). This system adds a second layer of vanguards +to onion service circuits, with rotation times set such that it is sufficient +to protect a user for use cases on the order of weeks, assuming the adversary +does not get lucky and land in a set. Non-Onion service activity, such as +Conflux leg failures, is protected by feature-specific rate limits. + +Longer lived onion services should use the Vanguards Addon, which implements +Mesh Vanguards (Prop#292). It uses two layers of vanguards, and expected +use cases of months. + +These attack times are probabilistic expectations, and are rough estimates. +See the proposals for details. To derive these numbers, the proposals assume a +100% accurate covert channel for detecting that the middle is in the desired +circuit. If we address the low hanging fruit for such covert channels above, +these numbers change, and such attacks also become much more easily +detectable, as they will rely on application layer covert channels (See +Section 1.3.2), which will resemble an application layer DoS or flood. + +Solution: Mesh-vanguards (Prop#292); Vanguards-lite (Prop#333); rate limiting + circuit creation attempts; rate limiting the total number of distinct + paths used by circuits +Status: Vanguards-lite deployed in Tor 0.4.7; Mesh-vanguards is vanguards addon; + Conflux leg failures are limited per-exit; Exitpolicy scanner exists +Funding: Not explicitly funded + + +1.2.3. Relay Bandwidth Lying + +At a glance: + Accuracy: FP=high, FN=high + Requires: Running relays in the network + Impact: Additional traffic towards malicious relays + Path Bias: Bandwidth lying can make up for circuit rejection + Reason for prioritization: Assists Covert Channel Path Bias attacks + Signal is injected: by manipulating reported descriptor bandwidths + Signal is observed: by clients choosing lying relays more often + Signal is: the effect of using lying relays more often + +Tor clients select relays for circuits in proportion to their fraction of +consensus "bandwidth" weight. This consensus weight is calculated by +multiplying the relay's self-reported "observed" descriptor bandwidth value by +a ratio that is measured by the Tor load balancing system (formerly TorFlow; +now sbws -- see [SBWS] for an overview). + +The load balancing system uses two-hop paths to measure the stream bandwidth +through all relays on the network. The ratio is computed by determining a +network-wide average stream bandwidth, 'avg_sbw', and a per-relay average +stream bandwidth, 'relay_sbw'. Each relay's ratio value is 'relay_sbw/avg_sbw'. +(There are also additional filtering steps to remove slow outlier streams). + +Because the consensus weights for relays derive from manipulated descriptor +values by multiplication with this ratio, relays can still influence their +weight by egregiously lying in their descriptor value, thus attracting more +client usage. They can also attempt to fingerprint load balancer activity and +selectively give it better service, though this is more complicated than +simply patching Tor to lie. + +This attack vector is especially useful when combined with a path bias attack +from Section 1.1: if an adversary is using one of those covert channels to +close a large portion of their circuits, they can make up for this loss of +usage by inflating their corresponding bandwidth value by an equivalent +amount, thus causing the load balancer to still measure a reasonable ratio for +them, and thus still provide fast service for the fully deanonymized circuits +that they do carry. + +There are many research papers written on alternate approaches to the +measurement problem. These have not been deployed for three reasons: + 1. The unwieldy complexity and fragility of the C-Tor codebase + 2. The conflation of measurement with load balancing (we need both) + 3. Difficulty performing measurement of the fastest relays with + non-detectable/distributed mechanisms + +In the medium term, we will work on detecting bandwidth lying and manipulation +via scanners. In the long term, Arti-relay will allow the implementation of +distributed and/or dedicated measurement components, such as [FLASHFLOW]. +(Note that FlashFlow still needs [SBWS] or another mechanism to handle load +balancing, though, since FlashFlow only provides measurement). + +Solutions: Scan for lying relays; implement research measurement solutions +Status: A sketch of the lying relay scanner design is in [LYING_SCANNER] +Funding: Scanning for lying relays is funded via Sponsor 112 + + +1.2.4. Metrics Leakage + +At a glance: + Accuracy: FP=low, FN=high + Requires: Some mechanism to bias or inflate reported relay metrics + Impact: Guard discovery + Path Bias: Potentially relevant, depending on type of leak + Reason for prioritization: Historically severe issues + Signal is injected: by interacting with onion service + Signal is observed: by reading router descriptors + Signal is: information about volume of traffic and number of IP addresses + +In the past, we have had issues with info leaks in our metrics reporting (see +[METRICSLEAK]). We addressed them by lowering the resolution of read/write +history, and ensuring certain error conditions could not willfully introduce +noticeable asymmetries. However, certain characteristics, like reporting local +onion or SOCKS activity in relay bandwidth counts, still remain. + +Additionally, during extremely large flooding or DDoS attempts, it may still +be possible to see the corresponding increases in reported metrics for Guards +in use by onion services, and thus discover its Guards. + +Solutions: Fix client traffic reporting; remove injectable asymmetries; + reduce metrics resolution; add noise +Status: Metrics resolution reduced to 24hr; known asymmetries fixed +Funding: Not funded + + +1.2.5. Protocol Oracles + +At a glance: + Accuracy: FP=medium, FN=0 (for unpopular sites: FP=0, FN=0) + Requires: Probing relay DNS cache + Impact: Assists Website Traffic Fingerprinting; Domain Usage Analytics + Path Bias: Not Possible + Reason for prioritization: Historically accurate oracles + Signal is injected: by client causing DNS caching at exit + Signal is observed: by probing DNS response wrt to cell ordering via all exits + Signal is: If cached, response is immediate; otherwise other cells come first + +Protocol oracles, such as exit DNS cache timing to determine if a domain has +been recently visited, increase the severity of Website Traffic Fingerprinting +in Section 1.3.3, by reducing false positives, especially for unpopular +websites. + +There are additional forms of oracles for Website Traffic Fingerprinting, but +the remainder are not protocol oracles in Tor. See [ORACLES] in the +references. + +Tor deployed a defense for this oracle in the [DNSORACLE] tickets, to +randomize expiry time. This helps reduce the precision of this oracle for +popular and moderately popular domains/websites in the network, but does not +fully eliminate it for unpopular domains/websites. + +The paper in [DNSORACLE] specifies a further defense, using a pre-load of +popular names and circuit cache isolation defense in Section 6.2, with third +party resolvers. The purpose of the pre-load list is to preserve the cache +hits for shared domains across circuits (~11-17% of cache hits, according to +the paper). The purpose of circuit isolation is to avoid Tor cache hits for +unpopular domains across circuits. The purpose of third party resolvers is to +ensure that the local resolver's cache does not become measurable, when +isolating non-preloaded domains to be per-circuit. + +Unfortunately, third party resolvers are unlikely to be recommended for use by +Tor, since cache misses of unpopular domains would hit them, and be subject to +sale in DNS analytics data at high resolution (see [NETFLOW_TICKET]). + +Also note that the cache probe attack can only be used by one adversary at a +time (or they begin to generate false positives for each other by actually +*causing* caching, or need to monitor for each other to avoid each other). +This is in stark contrast to third party resolvers, where this information is +sold and available to multiple adversaries concurrently, for all uncached +domains, with high resolution timing, without the need for careful +coordination by adversaries. + +However, note that an arti-relay implementation would no longer be single +threaded, and would be able to reprioritize asynchronous cache activity +arbitrarily, especially for sensitive uncached activity to a local resolver. +This might be useful for reducing the accuracy of the side channel, in this +case. + +Unfortunately, we lack sufficient clarity to determine if it is meaningful to +implement any further defense that does not involve third party resolvers +under either current C-Tor, or future arti-relay circumstances. + +Solutions: Isolate cache per circuit; provide a shared pre-warmed cache of + popular domains; smarter cache handling mechanisms? +Status: Randomized expiry only - not fully eliminated +Funding: Any further fixes are covered by Sponsor 112 + + +1.3. Info Leaks of Research Concern + +In this section, we list info leaks that either need further research, or are +undergoing active research. + +Some of these are still severe, but typically less so than the already covered +ones, unless they are part of a combined attack, such as with an Oracle, +or with Guard Discovery. + +Some of these may be more or less severe than currently suspected: If we +knew for certain, they wouldn't need research. + + +1.3.1. Netflow Activity + +At a glance: + Accuracy: FP=high; FN=0 (FN=medium with incomplete vantage point set) + Requires: Access to netflow data market, or ISP coercion + Impact: Anonymity Set Reduction; Deanonymization with Guard Discovery/Oracle + Path Bias: Not possible + Reason for Prioritization: Low impact without Guard Discovery/Oracle + Signal is: created by using the network + Signal is observed: at ISP of everything that is using the network. + Signal is: Connection tuple times and byte counts + +Netflow is a feature of internet routers that records connection tuples, as +well as time stamps and byte counts, for analysis. + +This data is bought and sold, by both governments and threat intelligence +companies, as documented in [NETFLOW_TICKET]. + +Tor has a padding mechanism to reduce the resolution of this data (see Section +2 of [PADDING_SPEC]), but this hinges on clients' ability to keep connections +open and padded for 45-60 minutes, even when idle. This padding reduces the +resolution of intersection attacks, making them operate on 30 minute time +windows, rather than 15 second time windows. This increases the false positive +rate, and thus increases the duration of such intersection attacks. + +Large scale Netflow data can also be used to track Tor users as they migrate +from location to location, without necessarily deanonymizing them. Because Tor +uses three directory guards, and has ~4000 Guard relays, the choice +Choose(4000,3) of directory Guards is ~10 billion different combinations, +though probability weighting of Guard selection does reduce this considerably +in practice. Lowering the total number of Guard relays (via arti-relay and +using only the fastest Guards), and using just two directory guards as opposed +to three can reduce this such that false positives become more common. More +thorough solutions are discussed in [GUARDSETS]. + +Location tracking aside, by itself, this data (especially when padded) is not +a threat to client anonymity. However, this data can also be used in +combination with a number of Oracles or confirmation vectors, such as: + - Guard Discovery + - Flooding an onion service with huge amounts of traffic in a pattern + - Advertising analytics or account activity log purchase + - TCP RST injection + - TLS conn rotation + +These oracles can be used to either confirm the connection of an onion +service, or to deanonymize it after Guard Discovery. + +In the case of clients, the use of Oracle data can enable intersection attacks +to deanonymize them. The oracle data necessary for client intersection attack +is also being bought and sold, as documented in [NETFLOW_TICKET]. It is +unknown how long such attacks take, but it is a function of the number of +users under consideration, and their connection durations. + +The research interest here is in determining what can be done to increase the +amount of time these attacks take, in terms of increasing connection duration, +increasing the number of users, reducing the total number of Guard relays, +using a UDP transport, or changing user behavior. + +Solutions: Netflow padding; connection duration increase; QUIC transport; + using bridges; decreasing total number of guards; using only two + directory guards; guardsets; limiting sensitive account usage +Status: Netflow padding deployed in C-Tor and arti +Funding: Not explicitly funded + + +1.3.2. Active Traffic Manipulation Covert Channels + +At a Glance: + Accuracy: FP=medium, FN=low + Requires: Netflow data, or compromised/monitored Guard + Impact: Anonymity Set Reduction; Netflow-assisted deanonymization + Path Bias: Possible via exit policy or onion service reconnection + Reason for Prioritization: Can assist other attacks; lower severity otherwise + Signal is injected: by the target application, manipulated by the other end. + Signal is observed: at Guard, or target->guard connection. + Signal is: Unusual traffic volume or timing. + +This category of covert channel occurs after a client has begun using a +circuit, by manipulating application data traffic. This manipulation can +occur either at the application layer, or at the Tor protocol layer. + +Because it occurs after the circuit is in use, it does not permit the use of +path bias or trust reduction properties by itself (unless combined with one of +the above info leak attack vectors -- most often Adversary-Induced Circuit +Creation). + +These covert channels also have a significantly higher false positive rate +than those before circuit use, since application traffic is ad-hoc and +arbitrary, and is also involved during the attempted manipulation of +application traffic. + +For onion services, this covert channel is much more severe: Onion services may +be flooded with application data in large-volume patterns over long periods of +time, which can be seen in netflow logs. + +For clients, this covert channel typically is only effective after the +adversary suspects an individual, for confirmation of their suspicion, or +after Guard Discovery. + +Examples of this class of covert channel include: + - Application-layer manipulation (AJAX) + - Traffic delays (rainbow, swirl - see [BACKLIT]) + - Onion Service flooding via HTTP POST + - Flooding Tor relays to notice traffic changes in onion service throughput + - Conflux leg switching patterns + - Traffic inflation (1 byte data cells) + +Solution: Protocol checks; Padding machines at middles for specific kinds of + traffic; limits on inbound onion service traffic; Backlit +Status: Protocol checks performed for conflux; vanguards addon closes + high-volume circuits +Funding: Not explicitly funded + + +1.3.3. Passive Application-Layer Traffic Patterns + +At a Glance: + Accuracy: FP=medium, FN=Medium + Requires: Compromised Guard (external monitoring increases FP+FN rate) + Impact: Links client and destination activity (ie: deanonymization with logs) + Path Bias: Not Possible + Reason for prioritization: Large FP rate without oracle, debated practicality + Signal is: not injected; passively extracted + Signal is observed: at Guard, or entire network + Signal is: timing and volume patterns of traffic. + +This category of information leak occurs after a client has begun using a +circuit, by analyzing application data traffic. + +Examples of this class of information leak include: + - Website traffic fingerprinting + - End-to-end correlation + +The canonical application of this information leak is in end-to-end +correlation, where application traffic entering the Tor network is correlated +to traffic exiting the Tor network (see [DEEPCOFFEA]). This attack vector +requires a global view of all Tor traffic, or false negatives skyrocket. +However, this information leak is also possible to exploit at a single +observation point, using machine learning classifiers (see [ROBFINGERPRINT]), +typically either the Guard or bridge relay, or the path between the +Guard/bridge and the client. + +In both cases, this information leak has a significant false positive rate, +since application traffic is ad-hoc, arbitrary, and self-similar. Because +multiple circuits are multiplexed on one TLS connection, the false positive +and false negative rates are higher still at this observation location, as +opposed to on a specific circuit. + +In both cases, the majority of the information gained by classifiers is in the +beginning of the trace (see [FRONT] and [DEEPCOFFEA]). + +This information leak gets more severe when it is combined with another oracle +(as per [ORACLES]) that can confirm the statistically derived activity, or +narrow the scope of material to analyze. Example oracles include: + - DNS cache timing + - Onion service handshake fingerprinting + - Restricting targeting to either specific users, or specific websites + - Advertising analytics or account activity log purchase (see + [NETFLOW_TICKET]) + +Website traffic fingerprinting literature is divided into two classes of +attack study: Open World and Closed World. Closed World is when the adversary +uses an Oracle to restrict the set of possible websites to classify traffic +against. Open World is when the adversary attempts to recognize a specific +website or set of websites out of all possible other traffic. + +The nature of the protocol usage by the application can make this attack +easier or harder, which has resulted in application layer defenses, such as +[ALPACA]. Additionally, the original Google QUIC was easier to fingerprint +than HTTP (See [QUICPRINT1]), but IETF HTTP3 reversed this (See [QUICPRINT2]). +Javascript usage makes these attacks easier (see [INTERSPACE], Table 3), where +as concurrent activity (in the case of TLS observation) makes them harder. +Web3 protocols that exchange blocks of data instead of performing AJAX +requests are likely to be much harder to fingerprint, so long as the web3 +application is accessed via its native protocol, and not via a website +front-end. + +The entire research literature for this vector is fraught with analysis +problems, unfortunately. Because smaller web crawl sizes make the attacks more +effective, and because attack papers are easier to produce than defenses +generally, dismal results are commonplace. [WFNETSIM] and [WFLIVE] examine +some of these effects. It is common for additional hidden gifts to adversaries +to creep in, leading to contradictory results, even in otherwise comprehensive +papers at top-tier venues. The entire vein of literature must be read with a +skeptical eye, a fine-tooth comb, and a large dumpster nearby. + +As one recent example, in an otherwise comprehensive evaluation of modern +defenses, [DEFCRITIC] found a contrary result with respect to the Javascript +finding in the [INTERSPACE] paper, by training and testing their classifiers +with knowledge of the Javascript state of the browser (thus giving them a free +oracle). In truth, neither [DEFCRITIC] nor [INTERSPACE] properly examined the +effects of Javascript -- a rigorous test would train and test on a mix of +Javascript and non-Javascript traffic, and then compare the classification +accuracy of each set separately, after joint classification. Instead, +[DEFCRITIC] just reported that disabling Javascript (via the security level of +Tor Browser) has "no beneficial effect", which they showed by actually letting +the adversary know which traces had Javascript disabled. + +Such hidden gifts to adversaries are commonplace, especially in attack papers. +While it may be useful to do this while comparing defenses against each other, +when these assumptions are hidden, and when defenses are not re-tunable for +more realistic conditions, this leads to focus on burdensome defenses with +large amounts of delay or huge amounts of overhead, at the expense of ignoring +lighter approaches that actually improve the situation in practice. + +This of course means that nothing gets done at all, because Tor is neither +going to add arbitrary cell delay at relays (because of queue memory required +for this and the impacts on congestion control), nor add 400% overhead to +both directions of traffic. + +In terms of defense deployment, it makes the most sense to place these padding +machines at the Guards to start, for many reasons. This is in contrast to +other lighter padding machines for earlier vectors, where it makes more sense +to place them at the middle relay. In this case, the heavier padding machines +necessary for this vector can take advantage of higher multiplexing, which +means less overhead. They can also use the congestion signal at the TLS +connection, to more easily avoid unnecessary padding when the TLS connection +is blocked, thus only using "slack" Guard capacity. Conflux also can be tuned +to provide at least some benefit here: even if in lab conditions it provides +low benefit, in the scenarios studied by [WFNETSIM] and [WFLIVE], this may +actually be considerable, unless the adversary has both guards, which is more +difficult for an internal adversary. Additionally, the distinction between +external and internal adversaries is rarely, if ever, evaluated in the +literature anyway, so there is little guidance on this distinction as a whole, +right now. + + +Solution: Application layer solutions ([ALPACA], disabling Javascript, web3 apps); + Padding machines at guards for application traffic; conflux tuning +Status: Unfixed +Funding: Padding machine and simulator port to arti are funded via Sponsor 112 + + +1.3.4. Protocol or Application Linkability + +At a Glance: + Accuracy: FP=0, FN=0 + Requires: Compromised Exit; Traffic Observation; Hostile Website + Impact: Anonymity Set Reduction + Path Bias: Not Possible + Reason for prioritization: Low impact with faster releases + Signal is: not injected; passively extracted + Signal is observed: at Exit, or at application destination + Signal is: Rare protocol usage or behavior + +Historically, due to Tor's slow upgrade cycles, we have had concerns about +deploying new features that may fragment the anonymity set of early adopters. + +Since we have moved to a more rapid release cycle for both clients and relays +by abandoning the Tor LTS series, these concerns are much less severe. +However, they can still present concerns during the upgrade cycle. For +Conflux, for example, during the alpha series, the fact that few exits +supported conflux caused us to limit the number of pre-built conflux sets to +just one, to avoid concentrating alpha users at just a few exits. It is not +clear that this was actually a serious anonymity concern, but it was certainly +a concern with respect to concentrating the full activity of all these users +at just a few locations, for load balancing reasons alone. + +Similar concerns exist for users of alternate implementations, both of Tor, +and of applications like the browser. We regard this as a potential research +concern, but it is likely not a severe one. For example, assuming Tor Browser +and Brave both address browser fingerprinting, how bad is it for anonymity +that they address it differently? Even if they ensure that all their users +have the same or similar browser fingerprints, it will still be possible for +websites, analytics datasets, and possibly even Exit relays or Exit-side +network observers, to differentiate the use of one browser versus the other. +Does this actually harm their anonymity in a real way, or must other oracles +be involved? Are these oracles easy to obtain? + +Similarly, letting users choose their exit country is in this category. In +some circumstances, this choice has serious anonymity implications: if the +choice is a permanent, global one, and the user chooses an unpopular country +with few exits, all of their activity will be much more linkable. However, if +the country is popular, and/or if the choice is isolated per-tab or per-app, +is this still significant such that it actually enables any real attacks? It +seems like not so much. + +Solutions: Faster upgrade cycle; Avoiding concentrated use of new features +Status: Tor LTS series is no longer supported +Funding: Not explicitly funded + + +1.3.5. Latency Measurement + +At a glance: + Accuracy: FP=high, FN=high + Requires: Onion service, or malicious Exit + Impact: Anonymity Set Reduction/Rough geolocation of services + Path Bias: Possible exacerbating factor + Reason for Prioritization: Low impact; multiple observations required + Signal is created naturally by anything that has a "reply" mechanic + Signal is observed at either end. + Signal is: delays between a message sent and a message received in reply. + +Latency's effects on anonymity set has been studied in the [LATENCY_LEAK] +papers. + +It may be possible to get a rough idea of the geolocation of an onion service +by measuring the latency over many different circuits. This seems more +realistic if the Guard or Guards are known, so that their contribution to +latency statistics can be factored in, over many many connections to an onion +service. For normal client activity, route selection and the fact that the +Exit does not know specific accounts or cookies in use likely provides enough +protection. + +If this turns out to be severe, it seems the best option is to add a delay on +the client side to attempt to mask the overall latency. This kind of approach +is only likely to make sense for onion services. Other path selection +alterations may help, though. + +Solutions: Guards, vanguards, alternative path selection, client-side delay +Status: Guards and vanguards-lite are used in Tor since 0.4.7 +Funding: Not explicitly funded + + +2. Attack Examples + +To demonstrate how info leaks combine, here we provide some historical +real-world attacks that have used these info leaks to deanonymize Tor +users. + + +2.1. CMU Tagging Attack + +Perhaps the most famous historical attack was when a group at CMU assisted the +FBI in performing dragnet deanonymization of Tor users, through their +[RELAY_EARLY] attack on the live network. This attack could only work on users +who happened to use their Guards, but those users could be fully deanonymized. + +The attack itself operated on connections to monitored HSDIRs: it encoded the +address of the onion service in the cell command header, via the RELAY_EARLY +bitflipping technique from Section 1.1.2. Their Guards then recorded this +address, along with the IP address of the user, providing a log of onion +services that each IP address visited. + +It is not clear if the CMU group even properly utilized the full path bias +attack power here to deanonymize as many Tor users as possible, or if their +logs were simply of interest to the FBI because of what they happened to +capture. It seems like the latter is the case. + +A similar, motivated adversary could use any of the covert channels in Section +1.1, in combination with Path Bias to close non-deanonymized circuits, to +fully deanonymize all exit traffic carried by their Guard relays. There are +path bias detectors in Tor to detect large amounts of circuit failure, but +when the network (or the Guard) is also under heavy circuit load, they can +become unreliable, and have their own false positives. + +While this attack vector requires the Guard relay, it is of interest to any +adversary that would like to perform dragnet deanonymization of a wide range +of Tor users, or to compel a Guard to deanonymize certain Tor users. It is +also of interest to adversaries with censorship capability, who would like +to monitor all Tor usage of users, rather than block them. Such an adversary +would use their censorship capability to direct Tor users to only their own +malicious Guards or Bridges. + + +2.2. Guard Discovery Attacks with Netflow Deanonymization + +Prior to the introduction of Vanguards-lite in Tor 0.4.7, it was possible to +combine "1.2.2. Adversary-Induced Circuit Creation", with a circuit-based +covert channel (1.1.3, 1.2.1, or 1.3.2), to obtain a middle relay confirmed +to be next to the user's Guard. + +Once the Guard is obtained, netflow connection times can be used to find the +user of interest. + +There was at least one instance of this being used against a user of Ricochet, +who was fully deanonymized. The user was using neither vanguards-lite, nor the +vanguards addon, so this attack was trivial. It is unclear which covert +channel type was used for Guard Discovery. The netflow attack proceeded +quickly, because the attacker was able to determine when the user was on and +offline via their onion service descriptor being available, and the number +of users at the discovered Guard was relatively small. + + +2.3. Netflow Anonymity Set Reduction + +Netflow records have been used, to varying degrees of success, to attempt to +identify users who have posted violent threats in an area. + +In most cases, this has simply ended up hassling unrelated Tor users, without +finding the posting user. However, in at least one case, the user was found. + +Netflow records were also reportedly used to build suspicion of a datacenter +in Germany which was emitting large amounts of Tor traffic, to eventually +identify it as a Tor hosting service providing service to drug markets, after +further investigation. It is not clear if a flooding attack was also used in +this case. + + +2.4. Application Layer Confirmation + +The first (and only) known case of fine-grained traffic analysis of Tor +involved an application layer confirmation attack, using the vector from +1.3.2. + +In this case, a particular person was suspected as being involved in a group +under investigation, due to the presence of an informant in that group. The +FBI then monitored the suspect's WiFi, and sent a series of XMPP ping messages +to the account in question. Despite the use of Tor, enough pings were sent +such that the timings on the monitored WiFi showed overlap with the XMPP +timings of sent pings and responses. This was prior to Tor's introduction of +netflow padding (which generates similar back-and-forth traffic every 4-9 +seconds between the client and the Guard). + +It should be noted that such attacks are still prone to error, especially for +heavy Tor users whose other traffic would always cause such overlap, as +opposed to those who use Tor for only one purpose, and very lightly or +infrequently. + + +3. Glossary + +Covert Channel: + A kind of information leak that allows an adversary to send information + to another point in the network. + +Collusion Signal: + A Covert Channel that only reliably conveys 1 bit: if an adversary is + present. Such covert channels are weaker than those that enable full + identifier transmission, and also typically require correlation. + +Confirmation Signal: + Similar to a collusion signal, a confirmation signal is sent over a + weak or noisy channel, and can only confirm that an already suspected + entity is the target of the signal. + +False Negative: + A false negative is when the adversary fails to spot the presence of + an info leak vector, in instances where it is actually present. + +False Positive: + A false positive is when the adversary attempts to use an info leak vector, + but some similar traffic pattern or behavior elsewhere matches the traffic + pattern of their info leak vector. + +Guard Discovery: + The ability of an adversary to determine the Guard in use by a service or + client. + +Identifier Transmission: + The ability of a covert channel to reliably encode a unique identifier, + such as an IP address, without error. + +Oracle: + An additional mechanism used to confirm an observed info leak vector + that has a high rate of False Positives. Can take the form of DNS + cache, server logs, analytics data, and other factors. (See [ORACLES]). + +Path Bias (aka Route Manipulation, or Route Capture): + The ability of an adversary to direct circuits towards their other + compromised relays, by destroying circuits and/or TLS connections + whose paths are not sufficiently compromised. + + +Acknowledgments: + +This document has benefited from review and suggestions by David Goulet, Nick +Hopper, Rob Jansen, Nick Mathewson, Tobias Pulls, and Florentin Rochet. + + +References: + +[ALPACA] + https://petsymposium.org/2017/papers/issue2/paper54-2017-2-source.pdf + +[BACKLIT] + https://www.freehaven.net/anonbib/cache/acsac11-backlit.pdf + +[DEEPCOFFEA] + https://www-users.cse.umn.edu/~hoppernj/deepcoffea.pdf + +[DEFCRITIC] + https://www-users.cse.umn.edu/~hoppernj/sok_wf_def_sp23.pdf + +[DNSORACLE] + https://www.usenix.org/system/files/usenixsecurity23-dahlberg.pdf + https://gitlab.torproject.org/rgdd/ttapd/-/tree/main/artifact/safety-board + https://gitlab.torproject.org/tpo/core/tor/-/issues/40674 + https://gitlab.torproject.org/tpo/core/tor/-/issues/40539 + https://gitlab.torproject.org/tpo/core/tor/-/issues/32678 + +[DOSSECURITY] + https://www.princeton.edu/~pmittal/publications/dos-ccs07.pdf + +[DROPMARK] + https://petsymposium.org/2018/files/papers/issue2/popets-2018-0011.pdf + +[FLASHFLOW] + https://gitweb.torproject.org/torspec.git/tree/proposals/316-flashflow.md + +[FRONT] + https://www.usenix.org/system/files/sec20summer_gong_prepub.pdf + +[GUARDSETS] + https://www.freehaven.net/anonbib/cache/guardsets-pets2015.pdf + https://www.freehaven.net/anonbib/cache/guardsets-pets2018.pdf + +[INTERSPACE] + https://arxiv.org/pdf/2011.13471.pdf (Table 3) + +[LATENCY_LEAK] + https://www.freehaven.net/anonbib/cache/ccs07-latency-leak.pdf + https://www.robgjansen.com/publications/howlow-pets2013.pdf + +[LYING_SCANNER] + https://gitlab.torproject.org/tpo/network-health/team/-/issues/313 + +[METRICSLEAK] + https://gitlab.torproject.org/tpo/core/tor/-/issues/23512 + +[NETFLOW_TICKET] + https://gitlab.torproject.org/tpo/network-health/team/-/issues/42 + +[ONECELL] + https://www.blackhat.com/presentations/bh-dc-09/Fu/BlackHat-DC-09-Fu-Break-Tors-Anonymity.pdf + +[ONIONPRINT] + https://www.freehaven.net/anonbib/cache/circuit-fingerprinting2015.pdf + +[ONIONFOUND] + https://www.researchgate.net/publication/356421302_From_Onion_Not_Found_to_Guard_Discovery/fulltext/619be24907be5f31b7ac194a/From-Onion-Not-Found-to-Guard-Discovery.pdf?origin=publication_detail + +[ORACLES] + https://petsymposium.org/popets/2020/popets-2020-0013.pdf + +[PADDING_SPEC] + https://gitlab.torproject.org/tpo/core/torspec/-/blob/main/padding-spec.txt#L68 + +[PCP] + https://arxiv.org/abs/2103.03831 + +[QUICPRINT1] + https://arxiv.org/abs/2101.11871 (see also: https://news.ycombinator.com/item?id=25969886) + +[QUICPRINT2] + https://netsec.ethz.ch/publications/papers/smith2021website.pdf + +[RACCOON23] + https://archives.seul.org/or/dev/Mar-2012/msg00019.html + +[RELAY_EARLY] + https://blog.torproject.org/tor-security-advisory-relay-early-traffic-confirmation-attack/ + +[ROBFINGERPRINT] + https://www.usenix.org/conference/usenixsecurity23/presentation/shen-meng + +[SBWS] + https://tpo.pages.torproject.net/network-health/sbws/how_works.html + +[WFLIVE] + https://www.usenix.org/system/files/sec22-cherubin.pdf + +[WFNETSIM] + https://petsymposium.org/2023/files/papers/issue4/popets-2023-0125.pdf -- cgit v1.2.3-54-g00ecf From d451c9e121e78f701939b7aecfc95b4079ae1caa Mon Sep 17 00:00:00 2001 From: Mike Perry Date: Tue, 22 Aug 2023 17:13:02 +0000 Subject: Mark Prop #344 Open. --- proposals/344-protocol-info-leaks.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/344-protocol-info-leaks.txt b/proposals/344-protocol-info-leaks.txt index b967b51..abae2a7 100644 --- a/proposals/344-protocol-info-leaks.txt +++ b/proposals/344-protocol-info-leaks.txt @@ -3,7 +3,7 @@ Title: Prioritizing Protocol Information Leaks in Tor Author: Mike Perry Created: 2023-07-17 Purpose: Normative -Status: Draft +Status: Open 0. Introduction -- cgit v1.2.3-54-g00ecf