[CR] Dec 31, 2021
Privacy-Protecting COVID-19 Exposure Notification Based on Cluster Events
Paul Syverson
We provide a rough sketch of a simple system design for exposure notification of COVID-19 infections based on copresence at cluster events -- locations and times where a threshold number of tested-positive (TP) individuals were present. Unlike other designs, such as DP3T or the Apple-Google exposure-notification system, this design does not track or notify based on detecting direct proximity to TP individuals. The design makes use of existing or in-development tests for COVID-19 that are relatively cheap and return results in less than an hour, and that have high specificity but may have lower sensitivity. It also uses readily available location tracking for mobile phones and similar devices. It reports events at which TP individuals were present but does not link events with individuals or with other events in an individual's history. Participating individuals are notified of detected cluster events. They can then compare these locally to their own location history. Detected cluster events can be publicized through public channels. Thus, individuals not participating in the reporting system can still be notified of exposure. A proper security analysis is beyond the scope of this design sketch. We do, however, discuss resistance to various adversaries and attacks on privacy as well as false-reporting attacks.
[CR] Oct 7, 2021
Attacks on Onion Discovery and Remedies via Self-Authenticating Traditional Addresses
Paul Syverson, Matthew Finkel, Saba Eskandarian et al.
Onion addresses encode their own public key. They are thus self-authenticating, one of the security and privacy advantages of onion services, which are typically accessed via Tor Browser. Because of the mostly random-looking appearance of onion addresses, a number of onion discovery mechanisms have been created to permit routing to an onion address associated with a more meaningful URL, such as a registered domain name. We describe novel vulnerabilities engendered by onion discovery mechanisms recently introduced by Tor Browser that facilitate hijack and tracking of user connections. We also recall previously known hijack and tracking vulnerabilities engendered by use of alternative services that are facilitated and rendered harder to detect if the alternative service is at an onion address. Self-authenticating traditional addresses (SATAs) are valid DNS addresses or URLs that also contain a commitment to an onion public key. We describe how the use of SATAs in onion discovery counters these vulnerabilities. SATAs also expand the value of onion discovery by facilitating self-authenticated access from browsers that do not connect to services via the Tor network.
[CR] Jun 30, 2017
Onions in the Crosshairs: When The Man really is out to get you
Aaron D. Jaggard, Paul Syverson
We introduce and investigate *targeting adversaries* who selectively attack users of Tor or other secure-communication networks. We argue that attacks by such adversaries are more realistic and more significant threats to those most relying on Tor's protection than are attacks in prior analyses of Tor security. Previous research and Tor design decisions have focused on protecting against adversaries who are equally interested in any user of the network. Our adversaries selectively target users---e.g., those who visit a particular website or chat on a particular private channel---and essentially disregard Tor users other than these. We present a model of such adversaries and investigate three example cases where particular users might be targeted: a cabal conducting meetings using MTor, a published Tor multicast protocol; a cabal meeting on a private IRC channel; and users visiting a particular .onion website. In general for our adversaries, compromise is much faster and provides more feedback and possibilities for adaptation than do attacks examined in prior work. We also discuss selection of websites for targeting of their users based on the distribution across users of site activity. We describe adversaries both attempting to learn the size of a cabal meeting online or of a set of sufficiently active visitors to a targeted site and attempting to identify guards of each targeted user. We compare the threat of targeting adversaries versus previously considered adversaries, and we briefly sketch possible countermeasures for resisting targeting adversaries.
[CR] Nov 17, 2015
Avoiding The Man on the Wire: Improving Tor's Security with Trust-Aware Path Selection
Aaron Johnson, Rob Jansen, Aaron D. Jaggard et al.
Tor users are vulnerable to deanonymization by an adversary that can observe some Tor relays or some parts of the network. We demonstrate that previous network-aware path-selection algorithms that propose to solve this problem are vulnerable to attacks across multiple Tor connections. We suggest that users use trust to choose the paths through Tor that are less likely to be observed, where trust is flexibly modeled as a probability distribution on the location of the user's adversaries, and we present the Trust-Aware Path Selection algorithm for Tor that helps users avoid traffic-analysis attacks while still choosing paths that could have been selected by many other users. We evaluate this algorithm in two settings using a high-level map of Internet routing: (i) users try to avoid a single global adversary that has an independent chance to control each Autonomous System organization, Internet Exchange Point organization, and Tor relay family, and (ii) users try to avoid deanonymization by any single country. We also examine the performance of Trust-Aware Path Selection using the Shadow network simulator.
[CR] Jun 12, 2015
Genuine onion: Simple, Fast, Flexible, and Cheap Website Authentication
Paul Syverson, Griffin Boyce
Tor is a communications infrastructure widely used for unfettered and anonymous access to Internet websites. Tor is also used to access sites on the .onion virtual domain. The focus of .onion use and discussion has traditionally been on the offering of hidden services, services that separate their reachability from the identification of their IP addresses. We argue that Tor's .onion system can be used to provide an entirely separate benefit: basic website authentication. We also argue that not only can onionsites provide website authentication, but doing so is easy, fast, cheap, flexible and secure when compared to alternatives such as the standard use of TLS with certificates.
[CR] Jun 13, 2014
Representing Network Trust and Using It to Improve Anonymous Communication
Aaron D. Jaggard, Aaron Johnson, Paul Syverson et al.
Motivated by the effectiveness of correlation attacks against Tor, the censorship arms race, and observations of malicious relays in Tor, we propose that Tor users capture their trust in network elements using probability distributions over the sets of elements observed by network adversaries. We present a modular system that allows users to efficiently and conveniently create such distributions and use them to improve their security. The major components of this system are (i) an ontology of network-element types that represents the main threats to and vulnerabilities of anonymous communication over Tor, (ii) a formal language that allows users to naturally express trust beliefs about network elements, and (iii) a conversion procedure that takes the ontology, public information about the network, and user beliefs written in the trust language and produces a Bayesian Belief Network that represents the probability distribution in a way that is concise and easily sampleable. We also present preliminary experimental results that show the distribution produced by our system can improve security when employed by users; further improvement is seen when the system is employed by both users and services.