
Why Tor Users Should Be Cautious About P2P Privacy 122

Posted by timothy
from the but-this-computer's-in-a-safe-location dept.
An anonymous reader writes "I went across your post a few days ago saying that a machine connected to the Internet was all one needed to spy on most BitTorrent users of the Internet. I followed the link to find out that those researchers from INRIA claimed their attacks also worked for BitTorrent users on Tor. I didn't believe it at first, but then today I found this link on the Tor Project. It seems their attacks don't only link your real IP to your BitTorrent files on Tor but also to the web pages that you're browsing! Tell me it's a joke." No joke, but according to Jacob Appelbaum (a Tor developer), the security flaw is more nuanced — and the fault of software outside of Tor. Read on for his explanation of how the privacy benefits of Tor can be easily lost.
Appelbaum writes "This isn't a failing of Tor, it's a failing of BitTorrent application designers and a privacy failure of their users too. The BitTorrent clients don't appear to double check the information that's ripe for tampering. When combined with common BitTorrent applications that aren't designed for privacy, it's possible to cause a BitTorrent client to leak information about their actual source IP. The BitTorrent protocol is difficult to anonymize with a simple proxy. Ironically, one of the best points of the paper is that those BitTorrent clients also harm the anonymity of the users' web browsing. The user's browsing will often leave the same Tor Exit Node as their BitTorrent traffic; the user is using the same circuit for browsing as they are for BitTorrent. If the user isn't practicing safe browsing techniques, they're probably going to reveal some more of their traffic to the authors of the paper. This is just like the normal internet too. If you browse unsafely, people can observe you or tamper with the data in transit. So in conclusion, this paper isn't about busting anonymity networks as much as it is about busting BitTorrent client privacy." Additionally, he says, "Tor can't keep you anonymous if you don't actually use Tor for your connections. ... The real key is that if they had done transparent proxying (that failed closed) and they had a privacy-aware BT client, the user would probably be fine. Please don't use BitTorrent and Tor together."
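To make the two failure modes Appelbaum describes concrete, here is an added example (not code from the Tor Project, the INRIA paper, or any BitTorrent client) that audits one tracker exchange: it flags the optional `ip=` field of a BEP 3 announce, which a client uses to declare its real address to the tracker when it knows it is behind a proxy, and it decodes the unauthenticated tracker reply (BEP 23 compact peer list) to show which peers would be contacted directly from the real address when connections are not forced through Tor fail-closed. The announce URL, tracker name and peer addresses are constructed documentation values.

```python
# Added example, not Tor Project or BitTorrent client code: audit one tracker
# exchange for the two leaks described above.
import ipaddress
import struct
from urllib.parse import parse_qs, urlsplit

def bdecode(data: bytes, pos: int = 0):
    """Minimal bencode decoder: returns (value, position after the value)."""
    tag = data[pos:pos + 1]
    if tag == b"i":                              # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if tag in (b"l", b"d"):                      # list l...e or dict d...e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return (items if tag == b"l" else dict(zip(items[::2], items[1::2]))), pos + 1
    colon = data.index(b":", pos)                # byte string: <len>:<bytes>
    length, start = int(data[pos:colon]), colon + 1
    return data[start:start + length], start + length

def compact_peers(blob: bytes):
    """BEP 23 compact peer list: 4-byte IPv4 + 2-byte big-endian port per peer."""
    return [(str(ipaddress.IPv4Address(blob[i:i + 4])),
             struct.unpack("!H", blob[i + 4:i + 6])[0])
            for i in range(0, len(blob), 6)]

def audit(announce_url: str, tracker_reply: bytes, proxy_enforced: bool):
    """Return the leaks a privacy-aware client or a fail-closed gateway should stop."""
    findings = []
    query = parse_qs(urlsplit(announce_url).query)
    if "ip" in query:                            # BEP 3 optional field: real IP of a proxied client
        findings.append(f"announce declares real address ip={query['ip'][0]}")
    reply, _ = bdecode(tracker_reply)            # unauthenticated; alterable in transit
    if not proxy_enforced:                       # no fail-closed proxy: peers contacted directly
        for host, port in compact_peers(reply.get(b"peers", b"")):
            findings.append(f"direct peer connection to {host}:{port}")
    return findings

# Constructed sample (documentation addresses): a proxied client's announce and a
# tracker reply listing two peers, 198.51.100.9:6881 and 192.0.2.44:51413.
ANNOUNCE = ("http://tracker.example/announce?info_hash=%AA%BB&peer_id=-XX0001-"
            "000000000000&port=6881&ip=203.0.113.7&uploaded=0&downloaded=0&left=1000")
REPLY = (b"d8:intervali1800e5:peers12:"
         + bytes([198, 51, 100, 9]) + struct.pack("!H", 6881)
         + bytes([192, 0, 2, 44]) + struct.pack("!H", 51413) + b"e")

if __name__ == "__main__":
    for enforced in (False, True):
        print(f"proxy_enforced={enforced}:", audit(ANNOUNCE, REPLY, enforced))
```

With the proxy enforced only the declared-IP finding remains, which is why Appelbaum asks for both a fail-closed transparent proxy and a privacy-aware client.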
  • by CharlyFoxtrot (1607527) on Friday April 30, 2010 @09:01PM (#32052332)

    I prefer running it in a VM which rolls itself back, and has as little customization as possible, so it fits in with the millions of other people running IE with standard XP installs.

    I'd like to see some way of tor-ifying all network connections coming out of a VM to make sure there is no leakage instead of running tor inside the VM. I've toyed with the idea of using one VM with tor installed as a router for another VM used for browsing but that seems like overkill.

  • by keneng (1211114) on Friday April 30, 2010 @10:16PM (#32052828) Journal

    Anomos' Key Features:
    --------------------
    1) UNLIKE BITTORRENT, NO PEERS DIRECTLY UPLOAD/DOWNLOAD TO OTHER PEERS.
    Every peer relays to other peers just like Tor. This makes it more difficult for the prying eyes.
    2) The more peers connecting to the same tracker, the stronger the anonymity for everyone.
    3) Runs on Windows, Mac OS X, and Linux.
    4) Based on the original Python-based BitTorrent sources.
    5) Tweaked to be Tor-friendly.

    For more information:
    http://anomos.info/

    Anomos torrent sites are on their way. Seek and you shall find.

  • by buchner.johannes (1139593) on Friday April 30, 2010 @10:40PM (#32052974) Homepage Journal

    Well, you could put the BitTorrent tracker traffic over Tor. It doesn't have to be responsive, and it is low-bandwidth. It occurs repeatedly though (probably every minute or so).
    Client-to-Client communication is encrypted anyway, so one can plausibly deny it has anything to do with (certain) torrents.

  • by BitZtream (692029) on Friday April 30, 2010 @11:49PM (#32053424)

    Wow, you realize at some point it becomes easier to just buy the content you're trying to hide transferring than what you're doing, right?

    By the time your transfer is complete, the copyright will have expired, even at lifetime + 75 years.

  • by BitZtream (692029) on Friday April 30, 2010 @11:54PM (#32053458)

    1. The court tends to call bullshit when it's obvious you're going out of your way to facilitate breaking the law and using ignorance as an excuse.
    2. That's a simple option for the software of all p2p software; the Internet had ways to deal with flow control before you ever connected to it.
    3. So use SSL ... already done.
    4. Again, already done.
    5. This creates a way to figure out who is hosting what, defeating #1. Of course, it's kind of a requirement to know who is offering what so that you can figure out where to ask for it.

    If you want something public to be useful, it's not going to be private or completely anonymous; you're asking for mutually exclusive features.

  • by Ux64 (1187075) on Saturday May 01, 2010 @12:39AM (#32053750)

    True. The problem with Tor is that it is a LOW LATENCY network. There is no way to hide traffic by adding hops on a low latency network if all connections are monitored. And even if there are some unmonitored nodes, traffic can still be easily monitored.

    That's why all links between peers should use a constant bandwidth method. Every link needs to maintain the same utilization level, even if no traffic is being passed. This is a very old method, but rarely used with P2P.
