Attacking Tor at the Application Layer

Presented at DEF CON 17 (2009), July 31, 2009, 6 p.m. (50 minutes)

Surfing the web using Tor makes you invincible, right? Wrong! Between the technical deficiencies, web browser idiosyncrasies, Tor vulnerabilities, social engineering, and bone-headed user decisions, there is ample room for attack and exploitation. This presentation covers past and present application layer attacks against Tor. From practical hacking and ControlPort madness, to the most up-to-date techniques and beyond, this is an in-depth, technical look at active client-side attacks, HTML content injection, browser fingerprinting, network leakage and other relevant anonymity set issues. So, forget about the over-heated nodes, infinite circuits and magic packets. When anyone with some JavaScript knowledge, a server on the Internet and a little bit of cleverness can launch these attacks, now is the time to start paying attention to how you use Tor.

Presenters:

• Gregory Fleischer - Security Researcher
  Gregory Fleischer has over ten years experience in application development and software security. As an independent security researcher, he has worked with The Tor Project to identify weaknesses in Tor application components such as Torbutton, Vidalia and Privoxy. He has reported vulnerabilities in widely used client-side technologies including Mozilla Firefox, Sun Java and Adobe Flash. Gregory is currently employed as application security engineer with an online brokerage firm.

Links:

• https://defcon.org/html/defcon-17/dc-17-speakers.html#Fleischer
• https://infocon.org/cons/DEF CON/DEF CON 17/DEF CON 17 video and slides/DEF CON 17 - Gregory Fleischer - Attacking Tor and the Application Layer - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=nEUPdUniVxQ

Similar Presentations:

• May Contain Hackers (MCH2022) / Modernizing the Tor Ecosystem for the Future
• ToorCon: Seattle 2008 / Mainstreaming Tor
• DEF CON 16 (2008) / de-Tor-iorate Anonymity