Whonix Vulnerable to this ?

Hi,

I was reading a post on reddit
"https://m.reddit.com/r/DarkNetMarkets/comments/4q97qe/regarding_sr2_staffer_doctorclus_arrest_does/"

Basically someone asked “If a relay is seized and run by LE, will that be able to find out the real IP of the user?”

Is this true ? and if so, would whonix be susceptible to this method ?

all opinions are most welcome.

Thanks
Anon

Good day,

What was written on there isn’t correct in the first place as it completley misses what a relay truly is. Simply assuming that any kind of taken over relay can tell you the IP address of the people using said relay at a certain point in time cannot be correct for several reasons, mainly though, because there are different types of relays used for every connection which goes through Tor.

Regard this for more specific information of the different types: https://www.eff.org/torchallenge/what-is-tor.html

To answer the question, only one type of the three different relay types, the entry node is aware of the IP-Address you use to access Tor. This however is not a vulnerability in any way and actually necessary for Tor to work at all. This isn’t an issue because any traffic going through this initial relay is encrypted. The person providing this entry node (no matter whether it is a private person, an organization, or law enforcement) can thus only know that someone with a certain IP is trying to access Tor, but not what he/she is doing.

Also, Whonix does not modify Tor in any way shape or form.

Have a nice day,

Ego

Whonix should be susceptible to most attacks against the Tor network, since it is based on Tor.

In that specific reddit thread, what actually is the vulnerability? “Carnegie Mellon tor hack”, then see:

• https://blog.torproject.org/blog/did-fbi-pay-university-attack-tor-users
• https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/
• https://blog.torproject.org/category/tags/cmu

Good day,

Non really. Mainly speculation and wild claims in regards to how the “Silk Road take downs” happend, when in reality those were based on attacks “from the inside” and using old vulnerabilities inside Firefox/the Tor Browser Bundle which aren’t possible with Whonix anyways.

Have a nice day,

Ego

Basically someone asked “If a relay is seized and run by LE, will that be able to find out the real IP of the user?”

The most sensitive relay is the guard node. If the attackers zero in on the guard or if its being run by a malicious party a variety of traffic confirmation attacks can be mounted to eventually unmask a hidden service.

Defenses like padding are being researched to make this infeasible.

Is this true ? and if so, would whonix be susceptible to this method ?

Since its a network protocol vulnerability yes. Whonix guarantees that all VM traffic will go thru Tor and that it will be very difficult to deploy unmasking malware against users but it does not/ cannot improve on the Tor protocol itself.

The court docs on SR1 attacks are particularly misleading claiming the servers were misconfigured however they were almost certainly attacked with 0day. SR2 was likely taken down with the CMU confirmation attack which was possible because 1) a defect in Tor and 2) Tor devs overlooked a 100 node sybil attack because they thought that university researchers were ethical not mercenaries.

An interesting hosting option is Freenet freesites.