Securing the Tor Network

Presented at DEF CON 15 (2007), Aug. 4, 2007, 5 p.m. (110 minutes).

Imagine your only connection to the Internet was through a potentially hostile environment such as the Defcon wireless network. Worse, imagine all someone had to do to own you was to inject some html that runs a plugin or some clever javascript to bypass your proxy settings. Unfortunately, this is the risk faced by many users of the Tor anonymity network who use the default configurations of many popular browsers and other network software. Tor is designed to make it difficult even for adversaries that control several points in the network to determine where you're coming from or where you're going, yet these "data anonymity" attacks and attacks to bypass Tor can be performed effectively by a malicious website, or just one guy with a Ruby interpreter! To add insult to injury, software vendors seldom consider such exploits and other privacy leaks as real vulnerabilities. Fortunately, there are some things that can be done to improve the security of the web browser and Tor users in general. This talk will discuss various approaches to securing the Tor network and Tor usage against a whole gauntlet of attacks, from browser specific, to general intersection risks, to theoretical attacks on routing itself. Methods of protection discussed will include node scanning, transparent Tor gateways, Firefox extensions (including the dark arts of Javascript hooking), and general user education. Each approach has its own strengths and weaknesses, which will be discussed in detail.

Presenters:

  • Mike Perry - Mad Computer Scientist, fscked.org evil labs
    By day, Mike Perry is a mild mannered reverse engineer owned and operated by Riverbed Technology, slaving away at accelerating broken monopolistic protocols from the Evil Empire and generally helping to make the Internet faster by several orders of magnitude. By night, he transforms into an ardent supporter of digital rights, privacy, and anonymity on and offline. Mike believes that not only is it every person's right to opt-out of the Database Nation, it is also in their self-interest to do so, and to have company. We are only just beginning to understand the consequences of having our entire lives archived and sold to the highest bidder, to say nothing of rampant government surveillance. Those who are not careful with protecting their personal information and online activities are in for some unpleasant surprises in the future: be it from a bitter divorce case, character attacks in a frivolous lawsuit, political opposition, or just plain old marketing spam that arrives at exactly the wrong time. In a world where our minute-to-minute thoughts are archived by IP address in search engines, Mike believes Tor is desperately needed not just by political dissidents, but by everyone.

Links:

Similar Presentations: