research / document impact for tunnel users if Tor [exit] relays hosted at the same tunnel provider

phabricator-migrator · February 19, 2024, 5:46pm

Information

ID: 492
PHID: PHID-TASK-xmjltpeunms4unshpzle
Author: Patrick
Status at Migration Time: resolved
Priority at Migration Time: Normal

Description

It is possible to host Tor relays [any… bridges, entry, middle or exit] behind VPN IPs using VPN port forwarding.

scenario 1)

a) User uses VPN IP A on the host, thereby using it as it’s first relay.
b) User’s Tor client happens to pick a Tor exit relay running on VPN IP A.
Conditions a and b match at the same time. The user is now using the same IP as first and last proxy.

scenario 2)

a) User sets up a VPN inside Whonix-Workstation. Thereby that results in user → Tor → VPN → internet. Using VPN IP A.
b) A Tor entry guard is being hosted on VPN IP A.
Conditions a and b match at the same time. The user is now using the same IP as first and last proxy.

It might result in Tor over Tor. Needs to be through through.

document where:

TODO:

think this through
1. a) Is Tor clever enough to detect and avoid such situations?
ask on the tor-talk mailing list

Comments

HulaHoop

2016-04-07 10:51:14 UTC

Patrick

2016-04-07 13:45:58 UTC

HulaHoop

2016-04-07 18:12:14 UTC

scenario 1)

a) User uses VPN IP A on the host, thereby using it as it's first relay.
b) User's Tor client happens to pick a Tor exit relay running on VPN IP A.
Conditions a and b match at the same time. The user is now using the same IP as first and last proxy.
Simplified: VPN IP A - could be considered as any other ISP running surveilling a user. And the Tor Exit running on a VPN - a malicious exit. Some Exits are malicious but that does not break Tor. The Exit lasts for 10 minutes. The user is safe if the Tor Guard is OK. That is the most common situation anyway.
scenario 2)

a) User sets up a VPN inside Whonix-Workstation. Thereby that results in user -> Tor -> VPN -> internet. Using VPN IP A.
b) A Tor entry guard is being hosted on VPN IP A.
Conditions a and b match at the same time. The user is now using the same IP as first and last proxy.
Simplified: Malicious guard is pretty bad but on its own is not enough to deanonymize. As long as the Tor Exit is not also cooperating with the same party as the one hosting the Guard - Tor should not fail.
I am running a Tor daemon in relay mode
on my computer. And I am running a separate Tor daemon in client mode.
Will the Tor in client mode avoid using my own Tor relay?
This is a third (and different) scenario.

[fr33d0m4all] You can explicitly configure Tor client to exclude your own node by using ExcludeNodes and specifying the ID of your relay
[fr33d0m4all] user: ExcludeNodes node,node,…
[fr33d0m4all] A list of identity fingerprints, country codes, and address patterns of nodes to avoid when building a circuit. Country codes must be wrapped in braces; fingerprints may be preceded by a dollar sign. (Example: ExcludeNodes ABCD1234CDEF5678ABCD1234CDEF5678ABCD1234, {cc}, 255.254.0.0/8)
1) a) Is Tor clever enough to detect and avoid such situations?
Tor cannot detect something outside its network but a newer research version takes AS path selection and network adversaries into account when creating circuits. Based on this research:

http://freehaven.net/anonbib/cache/DBLP:conf/ccs/EdmanS09.pdf
http://freehaven.net/anonbib/cache/oakland2012-lastor.pdf

EDIT:

Its called ASToria

http://arxiv.org/pdf/1505.05173.pdf
Astoria/astoria-tor-client at master · sbunrg/Astoria · GitHub
https://www.dailydot.com/politics/tor-astoria-timing-attack-client/

Patrick

2016-04-07 18:55:03 UTC

! In T492#8634, @HulaHoop wrote:
scenario 1)

a) User uses VPN IP A on the host, thereby using it as it's first relay.
b) User's Tor client happens to pick a Tor exit relay running on VPN IP A.
Conditions a and b match at the same time. The user is now using the same IP as first and last proxy.
Simplified: VPN IP A - could be considered as any other ISP running surveilling a user. And the Tor Exit running on a VPN - a malicious exit. Some Exits are malicious but that does not break Tor. The Exit lasts for 10 minutes. The user is safe if the Tor Guard is OK. That is the most common situation anyway.
Considering it an ISP is a category mistake. You cannot go up to that threat model for the sake of the argument. Because Tor entry guards in the first place defeat only a weaker threat model, where an adversary hosts malicious Tor entry guards. The original case for Tor entry guards was to that your chances are better if you stick to the Tor entry guards. From the point of view, the ISP can be considered a permanent entry.

Afaik, Tor is most vulnerable if the adversary controls the first and the last relay and runs an end-to-end correlation attack. That’s one reason why it’s 3 and not 4 hops in Tor. Because those in the middle are less important. This is why Tor tries to avoid using a relay by the same host more than once in its chain.
scenario 2)

a) User sets up a VPN inside Whonix-Workstation. Thereby that results in user -> Tor -> VPN -> internet. Using VPN IP A.
b) A Tor entry guard is being hosted on VPN IP A.
Conditions a and b match at the same time. The user is now using the same IP as first and last proxy.
Simplified: Malicious guard is pretty bad but on its own is not enough to deanonymize. As long as the Tor Exit is not also cooperating with the same party as the one hosting the Guard - Tor should not fail.
After the Tor exit, it connects to the VPN before connecting to the destination. For practical purposes, is the VPN to be considered an extension of the Tor chain? Fact remains, that you are connecting to a server hosted by the same provider twice in your chain. That should make certain attacks easier. Perhaps some passive attacks. More certainly it allows to run active attacks. By tampering with the traffic at the earliest link in the chain, i.e. by adding a artificial delay, these effects could be measured at latest link in the chain. A more rough attack would be to selectively not serve most but one user [or delay] until there is a correlation.

It may not be the end of the world, but something useful to avoid.
I am running a Tor daemon in relay mode
on my computer. And I am running a separate Tor daemon in client mode.
Will the Tor in client mode avoid using my own Tor relay?
This is a third (and different) scenario.

[fr33d0m4all] You can explicitly configure Tor client to exclude your own node by using ExcludeNodes and specifying the ID of your relay
[fr33d0m4all] user: ExcludeNodes node,node,…
[fr33d0m4all] A list of identity fingerprints, country codes, and address patterns of nodes to avoid when building a circuit. Country codes must be wrapped in braces; fingerprints may be preceded by a dollar sign. (Example: ExcludeNodes ABCD1234CDEF5678ABCD1234CDEF5678ABCD1234, {cc}, 255.254.0.0/8)
You can certainly exclude it manually. But that was not the question. Good to have this information so it can be incorporated when asking the question. Because I am not looking for a workaround here that may or may not be needed. An authoritative answer would be useful since we are trying to establish a negative here. (“No, Tor does not figure out it’s external IP and then tries to avoid using other relays hosted within the same /16 subnet.”)

Patrick

2016-07-07 23:04:00 UTC

Patrick

2016-07-08 11:24:02 UTC

Patrick

2016-07-08 11:49:57 UTC

Patrick

2016-07-15 16:14:06 UTC

HulaHoop

2016-07-16 03:22:06 UTC