Identifying users who access Tor hidden services -- websites that are only accessible inside the Tor anonymity network -- is easier than de-anonymizing users who use Tor to access regular Internet websites.
Security researchers Filipo Valsorda and George Tankersley showed Friday at the Hack in the Box security conference in Amsterdam why Tor connections to hidden services are more vulnerable to traffic correlation attacks.
One of Tor's primary goals is to provide anonymity for Internet users. This is achieved by routing their Web traffic through a series of randomly chosen nodes or relays before passing it back onto the public Internet.
The nodes that make up the Tor network are run by volunteers and they can have specialized roles. There are nodes called entry guards that serve as the first hops onto the network and there are also exit relays that pass the traffic back onto the Internet.
Internet servers that receive traffic from Tor users won't see the real IP (Internet Protocol) addresses of those users. What they'll see will be the IP addresses of randomly chosen Tor exit nodes.
The Tor hidden service protocol extends the anonymity protection to servers as well. It makes it impossible for users to see the real IP address of a server that runs a Tor hidden service, like for example, a website.
Hidden services use addresses that end in .onion, a pseudo top-level domain that doesn't exist on the Internet and only resolves inside the Tor network. This anonymity protection for both servers and users makes hidden services attractive to political activists in countries where free speech is not well protected or where Internet surveillance is common, but also to criminals who use such websites to hide their activities from law enforcement.
The infamous online bazaar Silk Road where users sold drugs, arms and other kinds of illegal goods and services, operated as a Tor hidden service. The FBI eventually shut it down and arrested its owner, but other similar marketplaces have taken its place.
The biggest threat to the Tor network, which exists by design, is its vulnerability to traffic confirmation or correlation attacks. This means that if an attacker gains control over many entry and exit relays, they can perform statistical traffic analysis to determine which users visited which websites.
The Tor developers are closely monitoring exit relays and removing bad ones from the network, so it's relatively hard for someone to pull off such an attack. In addition, if an attacker wants to identify Tor users visiting a specific Internet website, they'd have to gain control over a very large number of exit and entry nodes in order to increase their chance of success, since the relays will be different for every connection.
Sign up for Computerworld eNewsletters.