We have all heard the news blurbs about “special projects” aimed at de-anonymizing Tor (The Onion Router), from university research reportedly sponsored by government institutions to the recent child pornography sting in which a coordinated law enforcement team used novel tactics to infiltrate Tor hidden services and prosecute members of the ring.
But this is not really news: history consistently shows that the race between lock makers and lock pickers is a never-ending saga. Ultimately that race benefits all of us. Progress on either side of the lock-and-pick spectrum leaves by-products that prove useful to the wider community in the form of new technology, and it raises the bar so that real skill and effort are required to breach the technological perimeter of your privacy.
As it turns out, today brings another perspective on relying on Tor as your primary means of identity obfuscation. A letter from an anonymous source makes a clear case that Tor users can be de-anonymized without breaking Tor's encryption at all, by way of the CAPTCHA challenge (familiar to every Tor user) that the anti-DDoS company Cloudflare puts in front of its customers' sites (a company the author considers infamous for indiscriminate customer policies that let terrorist groups and hacktivists use its services).
Take a look at the reasoning below and draw your own conclusions. Defense in depth applies to your privacy safeguards too: Tor alone is not enough, and never has been.
18 July 2016
Cloudflare reCAPTCHA De-anonymizes Tor Users
Cloudflare’s insistence on visitors solving reCAPTCHA puzzles when they come from Tor exit nodes to one of the 2 million websites that Cloudflare ‘protects’ can be very instrumental in traffic analysis and de-anonymization of Tor users.
This is how:
The only non-public prerequisite for the de-anonymizing entity is the ability to monitor traffic between ISPs and Tor entry nodes, and traffic entering Cloudflare servers (no decryption required in either case). There are, of course, not 2 million Cloudflare servers; probably there are no more than a few hundred.
Each click on one of the images in the puzzle generates a total of about 50 packets between the Tor user’s computer and Cloudflare’s server (about half are requests and half are real-time responses from the server). All this happens in less than a second, so any jitter introduced by onion mixing is immaterial. The packet group has predictable sizes and patterns, so all the adversary has to do is note the easily detectable signature of the “image click” event and correlate it with the same on the Cloudflare side. Again, no decryption required.
There are likely many simultaneous users (thousands), but they do not solve puzzles at the same time, and they do not click on the puzzle image at the same time. Simple math shows that disambiguating is trivial. If there is some ambiguity left, Cloudflare can conveniently serve a few more images to specific users (or even random users, as long as within the same few seconds different users get different numbers of ‘correct’ images).
This obvious opportunity is not proof, but the NSA would have to be utterly incompetent not to be exploiting it. No one is that incompetent.
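As an added illustration of the mechanism the letter sketches in its “image click” and disambiguation paragraphs (this is the editor's example, not part of the letter and not code from Cloudflare or the Tor Project), the Python below simulates the two passive taps the letter requires: packet timestamps on the ISP-to-guard link and packet timestamps at the Cloudflare edge, with no payload visible on either side. It finds the ~50-packet burst that each image click produces in every flow and pairs each client with the Cloudflare-side session whose burst times line up. The traffic is entirely constructed; the burst size, packet spacing, circuit latency and the click schedule are assumptions chosen to match the letter's description, not measurements, and packet sizes (which a real signature would also use) are left out.

```python
"""Burst-timing correlation of reCAPTCHA 'image click' events (added example).

Models the observer the letter describes: one tap on the ISP->Tor-guard link,
one tap at the Cloudflare edge, no decryption.  Each image click is a ~50-packet
burst lasting well under a second on both sides; the attacker finds those
bursts in every flow and pairs each client with the Cloudflare-side session
whose burst times line up.  All traffic is constructed here; burst size, packet
spacing, circuit latency and the click schedule are assumptions, not measurements.
"""
import random

CLICK_PACKETS = 50   # packets per image click, the letter's figure
INTRA_GAP = 0.02     # max seconds between packets within one burst (assumed)
MIN_BURST = 40       # fewer packets than this is not a click signature (assumed)
MATCH_TOL = 0.5      # burst start times this close count as the same event (assumed)

# Constructed click schedule (seconds): three users, four clicks each.  client-1's
# third click and client-2's second click land close to another user's click,
# which is the residual ambiguity the letter talks about.
CLICK_SCHEDULE = {
    "client-0": [3.2, 11.7, 25.0, 41.3],
    "client-1": [5.9, 18.4, 25.6, 47.1],
    "client-2": [9.0, 18.9, 33.3, 52.8],
}


def detect_bursts(timestamps, max_gap=INTRA_GAP, min_packets=MIN_BURST):
    """Start times of groups of >= min_packets packets with gaps <= max_gap.
    Only timing is used; a real signature would also check packet sizes."""
    ts = sorted(timestamps)
    bursts, start = [], 0
    for i in range(1, len(ts) + 1):
        if i == len(ts) or ts[i] - ts[i - 1] > max_gap:
            if i - start >= min_packets:
                bursts.append(ts[start])
            start = i
    return bursts


def count_matches(a, b, tol=MATCH_TOL):
    """How many burst times in a have a burst in b within tol (one-to-one, greedy)."""
    b, j, matched = sorted(b), 0, 0
    for t in sorted(a):
        while j < len(b) and b[j] < t - tol:
            j += 1
        if j < len(b) and abs(b[j] - t) <= tol:
            matched, j = matched + 1, j + 1
    return matched


def correlate(client_flows, server_flows):
    """Pair every client flow with the Cloudflare-side session it lines up with best.
    Returns {client_id: (best_session, best_matches, runner_up_matches)}; a small
    gap between best and runner-up is the ambiguity the letter says Cloudflare
    could close by serving a few extra images to selected users."""
    client_bursts = {cid: detect_bursts(ts) for cid, ts in client_flows.items()}
    server_bursts = {sid: detect_bursts(ts) for sid, ts in server_flows.items()}
    result = {}
    for cid, cb in client_bursts.items():
        scores = sorted(((count_matches(cb, sb), sid) for sid, sb in server_bursts.items()),
                        reverse=True)
        runner_up = scores[1][0] if len(scores) > 1 else 0
        result[cid] = (scores[0][1], scores[0][0], runner_up)
    return result


def build_sample(seed=7, latency=0.30, jitter=0.05, background=30):
    """Constructed traffic for CLICK_SCHEDULE.  Each click yields CLICK_PACKETS
    packets on the client side and the same burst shifted by circuit latency
    (+/- jitter) at Cloudflare, plus unrelated background packets on both sides."""
    rng = random.Random(seed)
    client, server, truth = {}, {}, {}
    for n, (cid, clicks) in enumerate(CLICK_SCHEDULE.items()):
        sid = f"session-{n}"
        truth[cid] = sid
        c_ts, s_ts = [], []
        for t0 in clicks:
            lat = latency + rng.uniform(-jitter, jitter)
            dt = 0.0
            for _ in range(CLICK_PACKETS):
                dt += rng.uniform(0.001, 0.015)   # whole click spans < 1 s
                c_ts.append(t0 + dt)
                s_ts.append(t0 + lat + dt)
        c_ts += [rng.uniform(0, 60) for _ in range(background)]
        s_ts += [rng.uniform(0, 60) for _ in range(background)]
        client[cid], server[sid] = c_ts, s_ts
    return client, server, truth


if __name__ == "__main__":
    client, server, truth = build_sample()
    for cid, (sid, best, runner_up) in correlate(client, server).items():
        ok = "correct" if truth[cid] == sid else "WRONG"
        print(f"{cid} -> {sid} ({best} vs runner-up {runner_up}): {ok}")
```

Run stand-alone it maps all three constructed clients to their sessions with four matching bursts each; client-1 and client-2 each also pick up one accidental match against another session, which is the kind of leftover ambiguity the letter says a few extra challenge images would remove. The point the simulation makes is the letter's own: nothing here looks at payloads, only at when the packets arrived.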
This article was first published on peerlyst.com: “Paradigm Shift Article: Tor+VPN=Better Privacy Wait..ONE MORE STEP” by J. Tate, due out July 19, 2016. Copyright © 2016 by J. Tate. With permission of the publisher, peerlyst.com. All rights reserved.