Why Tor Users Should Be Cautious About P2P Privacy 122
An anonymous reader writes "I went across your post a few days ago saying that a machine connected to the Internet was all one needed to spy on most BitTorrent users of the Internet. I followed the link to find out that those researchers from INRIA claimed their attacks also worked for BitTorrent users on Tor. I didn't believe it at first, but then today I found this link on the Tor Project. It seems their attacks don't only link your real IP to your BitTorrent files on Tor but also to the web pages that you're browsing! Tell me it's a joke." No joke, but according to Jacob Appelbaum (a Tor developer), the security flaw is more nuanced — and the fault of software outside of Tor. Read on for his explanation of how the privacy benefits of Tor can be easily lost.
Appelbaum writes "This isn't a failing of Tor, it's a failing of BitTorrent application designers and a privacy failure of their users too. The BitTorrent clients don't appear to double check the information that's ripe for tampering. When combined with common BitTorrent applications that aren't designed for privacy, it's possible to cause a BitTorrent client to leak information about their actual source IP. The BitTorrent protocol is difficult to anonymize with a simple proxy.
Ironically, one of the best points of the paper is that those BitTorrent clients also harm the anonymity of the users' web browsing. The user's browsing will often leave the same Tor Exit Node as their BitTorrent traffic; the user is using the same circuit for browsing as they are for BitTorrent. If the user isn't practicing safe browsing techniques, they're probably going to reveal some more of their traffic to the authors of the paper. This is just like the normal internet too. If you browse unsafely, people can observe you or tamper with the data in transit. So in conclusion, this paper isn't about busting anonymity networks as much as it is about busting BitTorrent client privacy."
Additionally, he says, "Tor can't keep you anonymous if you don't actually use Tor for your connections. ... The real key is that if they had done transparent proxying (that failed closed) and they had a privacy-aware BT client, the user would probably be fine. Please don't use BitTorrent and Tor together."
Pardon my ignorance... but tor for P2P? (Score:5, Insightful)
Pardon my ignorance, but using Tor for P2P stuff is at best abusive, at worst highly destructive. Tor wasn't designed for high bandwidth applications. It was designed for Web browsing and ensuring that packets from an exit node would be very hard to trace back to the sender as the first priority.
Of course, even with the best anonymization methods, if someone has cookies, Flash shared objects, or shared objects stored by add-ons that positively identifies their Web browser, their browsing history can be linked together, and some sort of profile be built.
Tor is half the battle. The second half is making sure your Web browser is anonymous. I prefer running it in a VM which rolls itself back, and has as little customization as possible, so it fits in with the millions of other people running IE with standard XP installs.
Re:Pardon my ignorance... but tor for P2P? (Score:5, Insightful)
Re:Pardon my ignorance... but tor for P2P? (Score:4, Insightful)
FFS... use Freenet for that, not Tor!
Tor is preferable if you need low latency; Freenet is preferable for transferring large amounts of data (due to its cache nature).
Re: (Score:2)
Re: (Score:2, Insightful)
Yeah, but Freenet fills a large local cache with child porn, no ifs, ands, or buts about it. Get accused of something, get your HD seized, and good luck explaining to a 60-year-old judge or jury members who likely can't configure their own e-mail clients that you didn't *really* download that stuff.
TOR carries plenty of nasty material, but it isn't cached locally in such quantities. A cache-heavy tool connected to unknown users intrinsically has some nasty drawbacks.
Re: (Score:1, Informative)
Slow down, cowboy. Read the comment instead of just quoting it, and you'll notice that he only said there are legit reasons to use TOR for torrents, not that he actually does so.
Re: (Score:2)
Except the reason it's a dick move to use Tor for torrents is not because people are almost certainly downloading copyright material.
It's a dick move because Tor is a free service, and downloading torrents (or any large files, for that matter) over the network costs whosever node you are punching out of (and everyone's in between, if multiple relays are involved) a lot of money in bandwidth charges.
In other words, you are abusing someone else's network connection by using large amounts of bandwidth for long
Re: (Score:1)
The great thing about Tor is it is completely anonymous, so it is impossible for an exit node to ban anyone.
Re: (Score:1)
Re: (Score:2)
Actually he said, to paraphrase, "I can imagine them wanting to watch something that would get them in trouble, I can forgive that. There are legitimate uses for bittorrent over tor."
He did not say "Circulate video through bittorrent/tor simply because it's a documentary" or anything like that. It's easy to misread him, but he went out of his way to say he wasn't supporting that.
Re:Pardon my ignorance... but tor for P2P? (Score:4, Insightful)
He did not say "Circulate video through bittorrent/tor simply because it's a documentary" or anything like that. It's easy to misread him, but he went out of his way to say he wasn't supporting that.
You're completely missing why it's a dick move to download torrents on TOR. The AC said exactly why in his post, and everybody has subsequently ignored it.
Downloading torrents eats away at Tor's bandwidth in large chunks. Tor is a free service, but they have to pay for bandwidth. One person downloading torrents uses the same bandwidth as 100 people or more actively browsing the web. Most people don't actively browse either, they sit on a site and dick around for a while, so it's very possible someone with a high bandwidth connection downloading torrents could use the same bandwidth as several hundred people browsing. This is the same complaint cable companies make, and it's legitimate, but we pay a lot for the service so we tell them to piss off and upgrade their network. Tor is totally different, you are abusing someone's network who is letting you use it for free.
Ergo, downloading torrents on Tor is a real dick move.
Re: (Score:2)
News shows and documentaries are just as copyrighted as movies, why is downloading them acceptable if movies are not?
Either way, the argument doesn't work, and it's still a dick move. It should completely stop now, because it should be abundantly clear that torrenting over Tor only serves to wast the network's bandwidth.
Re: (Score:2)
News/documentaries might contain THE TRUTH(tm), which some governments may try to suppress and jail you if they knew you watched it.
If you can go to jail for watching it, you sure as hell can't legally buy it. You might as well just turn yourself in. So you need an illegal copy, and you need that transfer kept private.
So, in that instance, Tor-torrenting is morally OK.
But, in most cases, people are not Tor-torrenting THE TRUTH(tm), just hollywood movies, thinking Tor will stop them getting caught - their se
Re: (Score:2)
ok as a hypothetical example
the Tienanmen Square incident apparently is widely censored in china, for someone in china downloading video footage and news reports of that seems a valid use of tor.
copyright has nothing to do with it. Maybe a documentary might show a relatively simple way of providing clean drinking water for you or I this would be entertainment to some other people this could be the source of an improved quality of life.
some material would never be of real value such as mickey mouse video's a
Re: (Score:1)
Re: (Score:2)
what part of people getting killed don't you understand?
http://www.nytimes.com/2010/02/03/world/asia/03dissident.html [nytimes.com]
That link should give you an idea of what can happen when governments don't like what you say or do.
I don't need tor to torrent anything. Others can be in deadly danger if they don't.
Re: (Score:1)
Re: (Score:2)
Correct. Use I2P (with I2PSnark) instead. The entire torrent stays on the mixnet. It works better because it doesn't rely on exit nodes, only relays, and more people are willing to run relays.
Re:Pardon my ignorance... but tor for P2P? (Score:4, Interesting)
I prefer running it in a VM which rolls itself back, and has as little customization as possible, so it fits in with the millions of other people running IE with standard XP installs.
I'd like to see some way of tor-ifying all network connections coming out of a VM to make sure there is no leakage instead of running tor inside the VM. I've toyed with the idea of using one VM with tor installed as a router for another VM used for browsing but that seems like overkill.
Re:Pardon my ignorance... but tor for P2P? (Score:4, Informative)
That's easy enough to do [torproject.org] with iptables or pf.
Re: (Score:2)
I set up a separate SSID and subnet on the OpenWRT, transparent proxied into Tor. Forced anonymous browsing == use that SSID, everything goes through Tor or else fails completely.
Re:Pardon my ignorance... but tor for P2P? (Score:5, Funny)
so maybe Tor should upgrade their infrastructure like every other ISP has had to do to keep up with demand
Re: (Score:2)
God I hope that was a joke, if so you definitely deserve the +5. If not, it's a sad day on slashdot. ;)
Re: (Score:1)
Sorry, didn't log in on the above comment -- but I'm not really anonymous or cowardly, just slack...:)
Shava
Re: (Score:1, Funny)
Oh, you're that one remaining guy running IE without any extra crap added on. Thanks, I've been wondering about that oddly short user agent.
Re: (Score:3, Interesting)
Well you could put the Bittorrent tracker traffic over Tor. It doesn't have to be responsive, and it is low-bandwidth. It occurs repeated though (probably every minute or so).
Client-to-Client communication is encrypted anyway, so one can plausibly deny it has anything to do with (certain) torrents.
Re: (Score:2)
1. If you don't use Tor for the client-to-client traffic, you would have to reveal your real IP to the tracker, so other clients (including malicious ones) can connect to your client.
2. What when you serve the content in question when a malicious peer using that tracker connects to your client, encrypted or not?
Re: (Score:2)
Good point. But then one of two scenarios happen:
I.
The third party tries to find all pirates, so it tries to connect & track all users of one or more torrents. Then they might find your real address somehow and blackmail/sue you.
This is a violation of privacy, no one is allowed to just snoop traffic or probe everyones computer just to stir something up. I can not believe such evidence would hold up in court. The only one who might take such action is the police (or other gov organisation), but they need
Re: (Score:2)
Good comeback :) Here are my replies:
I.
The third party tries to find all pirates, so it tries to connect & track all users of one or more torrents. Then they might find your real address somehow and blackmail/sue you. This is a violation of privacy, no one is allowed to just snoop traffic or probe everyones computer just to stir something up. I can not believe such evidence would hold up in court. The only one who might take such action is the police (or other gov organisation), but they need some previous evidence and most likely a warrent.
I don't think this will hold up in many countries as snooping. Snooping would include you being a MITM, or information that you gather monitoring a conversation between two parties. However, in our case, the malicious party is actually your peer. You are communicating with him and sending him the data as intended for him.
II) The malicious client just knows your IP and wants to find out what you serve or if you serve illegal files. I assume you have set your bittorrent client to only allow encrypted c2c communication. If you use HTTPS to download the .torrent files, the malicious client does not know which file the torrent hash belongs to. If you use a Proxy or HTTPS trackers (do they exist?), the malicious client does not even know the hashs.
So your bittorrent client will deny serving the malicious client because of a hash mismatch.
It doesn't work like this in practice. I'll explain, assuming you are familiar with the .torrent file format, and protocols for Bittorrent tracker and p
Re: (Score:2)
I think most of the people who use TOR and BT do it the way I do; the only thing going through TOR is the connection to the tracker, which gives me the IP of the other clients, without giving the tracker, or anyone listening to the trackers communications, my IP.
I then connect directly to the other clients to interchange packets. This is obviously not secure, but it's an incremental thing. It's more secure than not doing it.
It also helps to make sure that the only packets leaving your computer are packets t
Re: (Score:2)
When you connect to the tracker, you have to give it the same IP you'll be using to connect to clientes. Tor doesn't protect you, because even if the IP is anonymised in the Transport Layer, it'll still be sent in the Application layer: http://wiki.theory.org/BitTorrentSpecification#Tracker_HTTP.2FHTTPS_Protocol [theory.org]
Re: (Score:2)
| When you connect to the tracker, you have to give it the same
| IP you'll be using to connect to clientes.
What makes you say that? if you look at the tracker request parameters, it states that it determines the IP address of the client by seeing where the request came from, which is the exit node from TOR. Some clients, but apparently not the one I use, attempt to send the "true" IP address of the client; with TCP filtering enabled there is no way the client can det
Others agree (Score:1)
See my tagline about i2p, a low-latency onion type network made for anonymous general purpose use. It even has built-in bittorrent. It's been running for over 5 years now, and is reaching maturity (and success).
FWIW, most bittorrent access over tor is for tracker info only... not data transfer. Enabling the tor option in Vuze/Azeurus prefs will not unduly burden the tor network.
I2P? (Score:1)
What about i2p [wikipedia.org]? As it uses modified p2p programs (including BitTorrent), is it vulnerable to this flaw or not?
Oh, crap. We're screwed. (Score:1)
What else could I say?
Re: (Score:1, Informative)
I'm sorry, but that is just plain FALSE.
Torrent clients for I2P don't leak your IP address at all (I2P trackers don't even work with IP addresses anyway).
Your comment is misleading because the issue here is NOT the transport layer (i.e. Tor), but the fact that regular torrent clients (i.e. non-I2P torrent clients) *may* leak your IP address.
tl;dr: present proof of what you're saying or STFU
Re: (Score:1, Informative)
What about i2p [wikipedia.org]? As it uses modified p2p programs (including BitTorrent), is it vulnerable to this flaw or not?
Not if you use the BitTorrent client that comes with I2P, or Robert, which is another BitTorrent client for I2P. There is a paragraph on torrenting in I2P on the Wikipedia page you linked to:
http://en.wikipedia.org/wiki/I2P#BitTorrent
However, if you use a BitTorrent client that is not written with I2P in mind, it will reveal your IP the same way it does over TOR.
Re: (Score:3, Informative)
Re: (Score:2)
And to further expand on this, as well as respond to the GP's claims he filters everything: BT simply wasn't built for protecting privacy. No matter how much filtering and encryption you do, the fact of the matter is that your BT client will happily connect and exchange file pieces with anybody who wants it, and it is easy to prove that you had those pieces and knew what file(s) they were from. Thus potentially landing you in trouble.
What is needed here is something that will add real privacy and plausible
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
if i want to find pirates, i would get a regular isp-account, fire up my bittorent client, like any normal pirate, and then collect ips. I do not see, how peerblock could help you there, because i do not differ in behaviour from other pirates.
mod parent +1 Obvious
Using Tor securely (Score:5, Insightful)
Re: (Score:3, Informative)
Here are the instructions for doing transparent Torification [torproject.org].
Re: (Score:2)
Re: (Score:1)
Thanks to the VM backdoor in most hypervisors, a VM that is intent on leaking info can query the host for that info.
Info can also be leaked through characteristics of the Tor protocol itself.
When you connect using Tor, there is going to be an adjacent node that knows your IP address.
A machine that wants to leak its IP could initiate a finger-printable pattern designed to be picked up by a probe monitoring many Tor nodes.
Re: (Score:2)
As for adjacent nodes knowing your IP, though, the whole point of Tor is that they don't know if the data is coming from your or somebody 10 hops back. All they know is that you're using Tor.
Re: (Score:3, Funny)
Overheard at the CIA...
"Sir! We have analyzed that connection and found it to originate from a public access point. We hacked the system and found it to be a blank virtual machine. It's disconnected now and we don't have any other identifying data. This guy was pretty slick."
"Excellent! Find Dr. Sp0ng, arrest him, and lock him up. No one else would anonymize themselves that effectively, so he is obviously the culprit!"
Re: (Score:3, Insightful)
Good thing I'm only College-Dropout Sp0ng. They'll never find me.
Re: (Score:2)
Re: (Score:1)
Way to avoid this security problem (Score:2, Insightful)
Surrender and go Amish!
Re: (Score:2)
TOR was so hacked from day 0 via clusters of high-traffic colluding Tor routers ect.
If your connecting on a telco system hardwired into the NSA all TOR does is make you glow.
The NSA can tap all of the US and the US friendly telcos that offering TOR friendly bandwidth so entry and exit points could be traced back if needed.
Then you have efforts like "Hacker builds tracking system to nab Tor pedophil
Privacy to hide Piracy (Score:1)
That's the real name of the game, people what to download whatever they want but that nobody recognized them. Just like thieves wear black mask so that they are not recognized when stealing.
Such protocols will be frowned upon by bigger players than RIAA and MPAA, for example international police don't want child predators to be able to share illegal material with such privacy.
Re:Privacy to hide Piracy (Score:4, Funny)
FYI, cartoons are not real life.
Re: (Score:2)
Comment removed (Score:4, Interesting)
Re:a tor-friendly p2p alternative: http://anomos.i (Score:3, Interesting)
Wow, you realize at some point it becomes easier to just buy the content you're trying to hide transfering than what you're doing right?
By the time your transfer is complete, the copyright will have expired, even at lifetime + 75 years.
Re: (Score:3, Insightful)
Re: (Score:2)
Tor is a known tool for collectors of CP. CP videos are not generally sold in stores.
Re: (Score:2)
Now, I understand why Tor is so slow.
Pirates: please, don't pollute the Tor network with your files.
Tor is only for web browsing or for low quality video streaming.
If you really want to download pirated stuff, there are tons of other ways than to kill Tor.
If you are able to use Tor (which is for the tech savvy), you should be able to discover the other ways.
Hints: NNTP, HTTP, IRC.
Re: (Score:1)
If you visit the i2p forums, they would explain to you that tor doesn't have the necessary design to handle anything bandwidth intensive (and the usage pattern of bt--tor is insecure). You need a different anonymizing network stack like i2p.
Re: (Score:3, Informative)
Re: (Score:2)
Yup, all they have to do is subpoena the tracker and everyone on that list is done. Plus, the tracker has a record of everything that was sent to everyone (it must, by nature of the protocol).
In other words, it looks a lot like anonymity, but all it really protects you from is someone in the middle of the cloud sniffing out your IP address. There are services that already find and block such hosts on the network, so you are not really gaining a lot in that respect. It will not protect you from litigation
Re: (Score:2)
I don't have enough time to screw with it, but I'll try the linux build. Thx
The (big) downside (Score:1)
You can't use it for anything other than transferring files.
Someone should invent a new p2p program (Score:2)
It would have the following aspects:
1.Freenet style "you dont know what you are sharing" plausible deniability so when the RIAA come after you for file sharing, you can prove in court that you had no clue that you were sharing that content.
2.A full set of options so you can limit its resource usage (and so it wont just use up all available bandwidth the way some p2p protocols and clients do)
3.Good encryption designed so that you cant tell what someone is downloading unless you are sharing the data yourself
Re: (Score:2, Interesting)
1. The court tends to call bullshit when its obvious you're going out of your way to facilitate breaking the law and using ignorance as an excuse. ... already done.
2. Thats a simple option for the software of all p2p software, the Internet had ways to deal with flow control before you ever connected to it.
3. So use SSL
4. Again, already done.
5. This creates a way to figure out who is hosting what, defeating #1 Of course, its kind of a requirement to know who is offering what so that you can figure out where
casual sharing (Score:2)
You don't sound like you have much grasp of the problem honestly. I doubt the plausible deniability will hold up all that well, plus search gets very difficult. Onion routing definitely could make obtaining evidence harder.
I'd favor instead restricting file transfers to people's social networks and instant messaging connections. I'm aware that some IMs like Yahoo have file sharing functionality, but you might get more traction with a multi-protocol plug-in for the various libpurple based IM clients like
Re: (Score:2)
1.Freenet style "you dont know what you are sharing" plausible deniability so when the RIAA come after you for file sharing, you can prove in court that you had no clue that you were sharing that content.
Here's how well plausible deniability works:
File-Sharing Mom Fined 1.9 Million [cbsnews.com]
Here's how it works:
You: But I had no idea people were downloading those files, it could have been anything!
Jury: But you were sharing everything, it is in fact a stated feature on the website when you download, so you obviously intended to share those files too. Since you intended to share them, and you did actually share them, you are guilty.
You: Damn! I woulda gotten away with it too, if it weren't for those meddling kids!
Tha
Re: (Score:2)
The whole point is that you have no idea what files are in your encrypted blob (just like Freenet) or whether any of them are illegal in any way.
Global "Lawful Interception" break Tor anyway (Score:2)
Re: (Score:3, Interesting)
That's why all links between peers should use constant bandwith method. Every link need to maintain same utiliation level, even if no traffic is being passed. This is very old method, but rarely being used with P2P.
Re: (Score:2)
The odd thing is that file transfers like used with torrents should be fairly friendly to constant-bandwidth approaches like what mixmaster used. It probably wouldn't be any slower than tor is today. If anything, having people downloading stuff might help since it gives the network more traffic to mix stuff in.
What is needed, however, is to build the anonymity into the file transfer protocol, so that you don't need exit nodes. The reason torrent over tor is popular is that you can use existing swarms wit
Re: (Score:1)
The way to hide it is to run a relay or exit node. FWIW, every node on i2p is a relay.
Re: (Score:2)
Tor works pretty well if your packets get routed through places that don't like the interested countries. In particular, Iranian dissidents can very likely take full advantage of Tor.
Re: (Score:1)
Actually, if you look at how Tor works, the links are encrypted and tunneled together such that it is nearly impossible to trace a well formed route -- of course, assuming flash or a torrent client aren't giving up your IP within the data packets before it enters or after it exits the cloud.
You should think about learning more about how Tor works at http://torproject.org -- it's a lot more than a simple 3-hop proxy.
yrs,
Shava Nerad
former Tor staff, current volunteer
Re: (Score:2)
Well. (Score:2)
Highly suprised? Not at all.
a) The same story was about a year ago about embassies using tor and being sniffed on
b) All anonymizing techniques rely on a sufficiently high ration of suitable "good" to "bad" nodes. Nowadays, injecting 1000 bad nodes is not costly. I suppose many secret services have 1000s of machines (or virtual machines) in the Tor network
c) If your endpoint needs to keep a stateful connection for your machine, he will be able to sniff the total connection. At least he will be able to extrac
Gnunet and Freenet are designed for privacy (Score:1)
Easiest way to secure any system is get rid of way too complex systems. Just like web browsers, web servers, extensions like php, python, sql, email clinents and protocols like BitTorrent. Keep it simple, very simple, is the key when dealing w
This isn't a 'flaw' in BitTorrent... (Score:3, Insightful)
In case anyone is thinking that this is somehow a 'security flaw' in BitTorrent, we should be clear that privacy is not a design goal of BitTorrent; BitTorrent was designed to provide extremely reliable, efficient file delivery. So while BitTorrent has many strengths (efficiency, etc.) there is a tradeoff between its goals and the goals of a network such as Tor. Specifically, in order to maximize efficiency, BitTorrent distributes your IP address quite openly, has consistent and obvious torrent IDs, etc., which make it efficient and reliable, but pretty much the OPPOSITE of concealing what you are doing from your ISP and the rest of the p2p network. Anyone who was surprised that it's easy to monitor BitTorrent traffic hasn't read the protocol spec - it is EXTREMELY easy to monitor activity in BitTorrent networks, because BitTorrent intentionally distributes everyone's IP addresses, transfer activity, etc., in order to allow the protocol to operate efficiently. So if you want to monitor BitTorrent, you just find tracker addresses and torrent IDs (which are in the .torrent files) and ask the trackers and for the addresses of all of the peers in each torrent, and get back a nice list of peers.
There are other p2p networks that do attempt to conceal what you are doing in the network, but the cost of that is that they generally are inefficient (wasting tons of CPU and bandwidth) and thus perform badly, making them unpopular with people who want to rapidly download files.
And I will second the note that running BitTorrent through Tor is a terrible idea. You end up with the worst of both networks - terrible performance and not much security. Worse, doing so damages the rest of the Tor network, interfering with people who are using Tor for what it is designed for.
Toe like BitTorrent... (Score:1, Insightful)
Re: (Score:2)
The only people who think BitTorrent is private are those who have no clue know how BitTorrent works.
It's like giving out your address over the web and wondering why you're suddenly getting so much mail all of the sudden. But what great offers! Seriously, people need to wise up a bit.
How the hell do you think a distributed download service is supposed to work and still remain anonymous?
And don't give me Anomos, the tracker still maintains everyone's IP and links it to the torrent they are downloading. It
Tor is hopeless (Score:2, Insightful)
Tor, as a means of obtaining "privacy", is hopeless. If you use a web browser, the browser headers, cookies, single-pixel GIFs, and Java applets still tend to give out identity information. A sizable fraction of TOR exit points are exploits of one kind or another. Give it up.
Re: (Score:2, Informative)
Why was this marked Flamebait? Most of it is true.
Even dealing with all the points in the first sentence, the last part is impossible to fix.
Tor, by its very nature, is open to attack from any company with enough money to buy a couple hundred servers and bandwidth for all of them.
Trusting Tor is like trusting some guy in a mask who looks "important".
It is not a matter of proving that most of the nodes, or a good chunk of the nodes are from agencies of some sort, it is the fact that you CAN'T.
Trusting an un
Re: (Score:1)
um. If you care about anonymity, you can disable most of that in the browser. I recommend Firefox for the best nuanced control of these parameters.
There's a good guide here:
http://advocacy.globalvoicesonline.org/projects/guide/
yrs,
Shava Nerad
former Tor staff, current volunteer
Re: (Score:2)
It doesn't matter who votes.
It matters who writes the candidates lists.