Security researchers speaking at the Hack in the Box conference in Amsterdam this week have demonstrated that users of hidden services on Tor are putting themselves at risk of being identified – if an attacker is willing to put in the time and resources.
The discovery is significant, because browsing hidden services had been thought to be more secure than the more typical practice of using the Tor network to browse the open web anonymously.
Not so, say Filippo Valsorda, a member of CloudFlare’s security team, and George Tankersley, an independent researcher. In their presentation, the pair showed that it’s surprisingly easy to subvert anonymous access to a hidden server – and thus possibly identify a user of that server – if you’re sneaky about it.
That’s bad, because hidden services are operated not just by dodgy sites like the Silk Road but also by legitimate sites like Facebook. Tor often hits the headlines for enabling things like online drug souks and other criminal operations, when it can be and is used by journalists, whistleblowers, security researchers, and anyone who values their privacy, to exchange information and surf the web anonymously.
“If you run a hidden service that does not need location hiding, you are unnecessarily exposing your users to this risk,” the researchers said. “It would probably be better to let them use Tor on your TLS-enabled clearnet site.”
When using Tor to browse the open web anonymously, your client connects to an entry node and your traffic is then relayed through the network and fed out of an exit node, disguising your IP address. The weakness in this approach is that it would technically be possible to run enough rogue entry and exit nodes to link where users hop onto the Tor network to where they hop off. It would require massive resources and for Tor operators not to notice, but it’s possible.
Hidden services eliminate this possibility, because all traffic stays within the Tor network itself. There’s no exit node to link to an entry node, which is why using hidden services is thought to be more secure.
What the researchers found, however, is that it’s possible to spoof connections to hidden services to identify their users – and doing so might be even easier than identifying users by their exit nodes.
Hidden services require the use of HSDir (hidden service directory) nodes to operate, two sets of three apiece. These nodes manage connections to the hidden service, and it only takes four days of continuous operation for an HSDir node to be considered “trusted.”
The two suggest an attacker could identify users’ connections by running rogue HSDir nodes themselves, something that is relatively easy and computationally cheap to do. To demonstrate, they set up such nodes and then successfully convinced Facebook’s hidden service to accept most of them as its HSDir providers.
There are ways for site operators to protect against this, however. Hidden service providers are advised to be very wary of young HSDir nodes – or even better, to run their own HSDir nodes, which has the benefit of also providing a warning if other HSDir nodes try to attach themselves to the service.
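The advice above amounts to a simple audit an operator can run: take the relays currently responsible for a service’s descriptor, look up how long each has been in the network, and raise a warning when any of them is younger than a chosen threshold. The example below is added here to illustrate that check; it is not code from the researchers’ released tools, and the relay records, the reference time and the `first_seen` field are constructed, simplified stand-ins rather than real Tor consensus data. The four-day default comes from the article; how the operator obtains the list of responsible relays is assumed to happen elsewhere.

```python
from datetime import datetime, timedelta

# Constructed, simplified relay records for this example only; they are NOT
# real Tor consensus entries. first_seen is when the relay first appeared in
# the network (UTC, ISO-8601). Fingerprints are omitted to keep it short.
RELAYS = [
    {"nick": "oldguard", "first_seen": "2014-11-03T00:00:00", "flags": {"Running", "Stable", "HSDir"}},
    {"nick": "newbie1", "first_seen": "2015-05-25T12:00:00", "flags": {"Running", "HSDir"}},
    {"nick": "newbie2", "first_seen": "2015-05-23T00:00:00", "flags": {"Running", "HSDir"}},
    {"nick": "notdir", "first_seen": "2015-01-10T00:00:00", "flags": {"Running"}},
]

# Constructed reference time at which the audit is run.
NOW = datetime(2015, 5, 28, 12, 0, 0)

# The article states an HSDir node is treated as trusted after four days of
# continuous operation, so four days is the default "young" threshold here.
DEFAULT_MIN_AGE_DAYS = 4


def classify_hsdirs(relays, now, min_age_days=DEFAULT_MIN_AGE_DAYS):
    """Map each HSDir-flagged relay to its age in days and a 'young' verdict.

    Relays without the HSDir flag cannot hold descriptors and are skipped.
    A relay is young when it has been seen for less than min_age_days.
    """
    min_age = timedelta(days=min_age_days)
    report = {}
    for r in relays:
        if "HSDir" not in r["flags"]:
            continue
        age = now - datetime.fromisoformat(r["first_seen"])
        report[r["nick"]] = {"age_days": age.days, "young": age < min_age}
    return report


def audit_responsible_hsdirs(responsible, relays, now,
                             min_age_days=DEFAULT_MIN_AGE_DAYS, max_young=0):
    """Audit the relays currently responsible for a service's descriptor.

    `responsible` is the list of relay nicknames the operator observed as
    holding the descriptor (obtaining that list is outside this example).
    Returns the young relays among them, any names not found with the HSDir
    flag at all, and an alert when more than max_young young relays are
    present, which is the condition an operator would want to be warned about.
    """
    report = classify_hsdirs(relays, now, min_age_days)
    young = [n for n in responsible if n in report and report[n]["young"]]
    unknown = [n for n in responsible if n not in report]
    return {"young": young, "unknown": unknown, "alert": len(young) > max_young}


if __name__ == "__main__":
    # Sample run over the constructed data: newbie1 is three days old and
    # trips the alert; newbie2 (five days) passes the four-day default.
    print(audit_responsible_hsdirs(["oldguard", "newbie1", "newbie2"], RELAYS, NOW))
```

An operator who wants a stricter posture than the network’s own four-day threshold can pass a larger `min_age_days`; in the constructed data a seven-day threshold also flags `newbie2`. Running the audit each time the responsible set changes is what turns the “be wary of young HSDir nodes” advice into an actual warning.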
The researchers have released software tools to help spot dodgy HSDir nodes, and they say that a proposed change to the Tor software for hidden services could stop this kind of correlation attack. A spokesperson for the Tor Project could not be reached for comment.