Why Tor Users Should Be Cautious About P2P Privacy
An anonymous reader writes "I went across your post a few days ago saying that a machine connected to the Internet was all one needed to spy on most BitTorrent users of the Internet. I followed the link to find out that those researchers from INRIA claimed their attacks also worked for BitTorrent users on Tor. I didn't believe it at first, but then today I found this link on the Tor Project. It seems their attacks don't only link your real IP to your BitTorrent files on Tor but also to the web pages that you're browsing! Tell me it's a joke." No joke, but according to Jacob Appelbaum (a Tor developer), the security flaw is more nuanced — and the fault of software outside of Tor. Read on for his explanation of how the privacy benefits of Tor can be easily lost.
Appelbaum writes "This isn't a failing of Tor, it's a failing of BitTorrent application designers and a privacy failure of their users too. The BitTorrent clients don't appear to double check the information that's ripe for tampering. When combined with common BitTorrent applications that aren't designed for privacy, it's possible to cause a BitTorrent client to leak information about their actual source IP. The BitTorrent protocol is difficult to anonymize with a simple proxy.
Ironically, one of the best points of the paper is that those BitTorrent clients also harm the anonymity of the users' web browsing. The user's browsing will often leave the same Tor Exit Node as their BitTorrent traffic; the user is using the same circuit for browsing as they are for BitTorrent. If the user isn't practicing safe browsing techniques, they're probably going to reveal some more of their traffic to the authors of the paper. This is just like the normal internet too. If you browse unsafely, people can observe you or tamper with the data in transit. So in conclusion, this paper isn't about busting anonymity networks as much as it is about busting BitTorrent client privacy."
Additionally, he says, "Tor can't keep you anonymous if you don't actually use Tor for your connections. ... The real key is that if they had done transparent proxying (that failed closed) and they had a privacy-aware BT client, the user would probably be fine. Please don't use BitTorrent and Tor together."
Re:Pardon my ignorance... but tor for P2P? (Score:5, Funny)
So maybe Tor should upgrade their infrastructure like every other ISP has had to do to keep up with demand.
Re:Pardon my ignorance... but tor for P2P? (Score:1, Funny)
Oh, you're that one remaining guy running IE without any extra crap added on. Thanks, I've been wondering about that oddly short user agent.
Re:Privacy to hide Piracy (Score:4, Funny)
FYI, cartoons are not real life.
Re:Using Tor securely (Score:3, Funny)
Overheard at the CIA...
"Sir! We have analyzed that connection and found it to originate from a public access point. We hacked the system and found it to be a blank virtual machine. It's disconnected now and we don't have any other identifying data. This guy was pretty slick."
"Excellent! Find Dr. Sp0ng, arrest him, and lock him up. No one else would anonymize themselves that effectively, so he is obviously the culprit!"