LinuxQuestions.org
Old 01-02-2014, 03:44 AM   #1
mesoderm
LQ Newbie
 
Registered: Aug 2013
Location: Pacific Northwest, U.S.
Distribution: Debian
Posts: 7

Rep: Reputation: Disabled
Tor traffic correlation by the NSA


I have been reading the paper "Tor Traffic Correlation by Adversaries" by Aaron Johnson et al. (Paper / Slides) ... which talks about how certain adversaries can de-anonymize Tor traffic:

Quote:
"Our results show that Tor users are far more susceptible to compromise than indicated by prior work. [...] Prior Tor security analyses often consider entropy or similar statistical measures as metrics of the security provided by the system at a static point in time. In addition, while prior metrics of security may provide useful information about overall usage, they typically do not tell users how secure a type of behavior is. Further, similar previous work has thus far only considered adversaries that control either a subset of the members of the Tor network, a single autonomous system (AS), or a single Internet exchange point (IXP). These analyses have missed important characteristics of the network, such as that a single organization often controls several geographically diverse ASes or IXPs. That organization may have malicious intent or undergo coercion, threatening users of all network components under its control.

Our analysis shows that 80% of all types of users may be de-anonymized by a relatively moderate Tor-relay adversary within six months. Our results also show that against a single AS adversary roughly 100% of users in some common locations are deanonymized within three months (95% in three months for a single IXP). Further, we find that an adversary controlling two ASes instead of one reduces the median time to the first client de-anonymization by an order of magnitude: from over three months to only 1 day for a typical web user; and from over three months to roughly one month for a BitTorrent user. This clearly shows the dramatic effect an adversary that controls multiple ASes can have on security."
... Yet, almost none of the Tor documentation (or documentation for security distros like Tails) seem to mention that Tor circuits can be easily de-anonymized by adversaries like the NSA. They briefly mention in some documents that Tor does not protect against a global passive adversary, but rarely explain the meaning of this term, or the implications of this to new users who might be coming to Tor specifically because of the recent leaks regarding the NSA.

Am I misunderstanding what this paper is saying? Is it not suggesting that the NSA could easily de-anonymize a very large portion of Tor traffic? If this is the case, it would seem extremely irresponsible to not go out of one's way to make this crystal clear to all Tor users.

Last edited by mesoderm; 01-02-2014 at 03:45 AM.
 
Old 01-02-2014, 09:21 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Welcome to LQ-Security!

One of the frequent memes here is that you need to determine what you are trying to secure against. The same thing applies to Tor. If, for example, you run a website and I connect to it via Tor, it is highly unlikely that you will be able to determine my real IP address. Assuming of course that I haven't screwed up and allowed an application to leak this information to you. It is also unlikely that any law enforcement agency will be able to easily obtain that information either, at least without additional information and effort. The problem is simply one of scope. Consider the case several months ago when several prominent members of Anonymous were unmasked. The (US) FBI first required a few pieces of personal information that allowed them to narrow the list of potential suspects. Having done this, they obtained warrants to monitor the "envelope" information of the suspects Internet traffic and then correlated this information with visual surveillance (comings and goings) against Tor and chat room activity.

Now consider what you are facing with an organization like the NSA, which we've learned in recent months has plugged into the very core of the networks at the ISP levels. They are able to see the traffic flowing across multiple autonomous systems. This is information that service providers and even organizations like the FBI do not have. Consequently, they are able to correlate traffic patterns across multiple systems and build a high probability guess of the originating end point. To put it simply, nothing, will hide you from this level of access.

Fundamentally, the whole concept of what the NSA and by extension the US govt has done is beyond reprehensible. It is a violation of the core principles upon which the nation was founded and supposedly stood for. It is a problem that will ultimately be dealt with on many different fronts and levels and will undoubtedly get worse before it gets better. The saving grace of it, for now, is that No Such Agency keeps its mouth shut and does not act as a secret police with enforcement powers. Unless your business is such that it involves national security (e.g. terrorism or insurrection) they probably aren't going to give a rat's hat about your doings.
 
3 members found this post helpful.
Old 01-02-2014, 09:32 AM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
To put it another way ... Tor might make it well-nigh impossible for you, "at one end," to figure out where I am, "at the other end." But the same does not hold true for someone who has the ability to piece together a complete map even of the message sizes of things that are passing through the various points of the Tor network. Simple traffic analysis will enable such a party to construct a high-probability mapping of where the traffic is coming and going, even without being able to (or, not specifically bothering to) crack the message content. Traffic analysis is an extremely powerful technique (also useful for predicting whether a high-reliability secure system, such as Tor, actually is [probably ...] working as intended).

Tor, therefore, is quite good at doing what it is intended to do ... and not good at all at enabling people to break the laws, which by-the-way suits me just fine.
 
Old 01-02-2014, 04:20 PM   #4
mesoderm
LQ Newbie
 
Registered: Aug 2013
Location: Pacific Northwest, U.S.
Distribution: Debian
Posts: 7

Original Poster
Rep: Reputation: Disabled
Thanks folks.

Quote:
Noway2: Now consider what you are facing with an organization like the NSA, which we've learned in recent months has plugged into the very core of the networks at the ISP levels. They are able to see the traffic flowing across multiple autonomous systems. This is information that service providers and even organizations like the FBI do not have. Consequently, they are able to correlate traffic patterns across multiple systems and build a high probability guess of the originating end point. To put it simply, nothing, will hide you from this level of access.
Yeah, this is kind of what I was getting at, and it seems that the researchers in the paper I cited believe this to be the case (unless I am misunderstanding something). Knowing this to be the case, I would think that the developers of Tor would mention this to their users in the documentation. A lot of people started using Tor in response to the NSA leaks, and I doubt that many of them realized that Tor wouldn't do much to protect them from an adversary like the NSA. It seems like not saying something about this might be giving people a false sense of security.

Am I understanding this correctly? Is there any serious research that would indicate that the NSA can't actually de-anonymize most/all Tor circuits, in spite of their surveillance capabilities and relation with ISPs? I've been met with a lot of defensiveness from Tor advocates claiming that the NSA can't break Tor easily/quickly, but I've seen very little evidence to verify this ...

Quote:
sundialsvcs: Tor, therefore, is quite good at doing what it is intended to do ... and not good at all at enabling people to break the laws, which by-the-way suits me just fine.
Without getting too much into philosophical ideas regarding law/criminality, I'll just point out a few things:

(a) At one point, it was illegal in the U.S. for slaves to escape from plantations. It was illegal for the protesters in Egypt to occupy Tahrir Square and denounce the military dictatorship. It was illegal for Snowden/Manning to release evidence of the crimes of the U.S. government. Does that make breaking these laws wrong? My point is that legality says nothing other than "this action is/isn't approved of by those in power".

(b) Sometimes, acts of illegal civil disobedience and resistance are necessary to address injustice, especially in a society where money has so corrupted politics that criminals are making the laws. Certain types of crime (rape, murder, child pornographers, etc.) certainly don't need protection. But other types of lawbreakers (political dissidents, whistleblowers, etc.) do need protection, and allowing an agency like the NSA to deny the ability for these people to have ANY privacy whatsoever on the Internet is fundamentally oppressive and anti-democratic.

(c) Some of the things you are doing, ideas you are expressing, people you are interacting with, might not technically be illegal right now. But the NSA is storing information in massive databases that will be available years down the road. Are you sure that whoever is in power 10, 20, 50 years from now will not use this information against you?

Last edited by mesoderm; 01-02-2014 at 04:25 PM.
 
Old 01-02-2014, 04:42 PM   #5
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,624

Rep: Reputation: 2651
Quote:
easily de-anonymized
is a rather loose term
yes with about 80% of the tor exit nodes ( and a lot of the internal nodes) .
A STATE !!!! RUN !!!! ( three letter ORG) can statistically link connections through tor
BUT and this is the main point .
NOT ALWAYS and NEVER ON DEMAND

yes with enough information it IS possible to link a real person with the node hopping
BUT
unless you ARE "The Dread Pirate Roberts"
( even then good old police work busted it )
it is a HECK of a lot of work , so much work that basically ONLY a STATE RUN org can do it

now for something VERY IMPORTANT
say for the hypothetical scenario of a "state leader assassination "
then the resources WILL be used
 
Old 01-03-2014, 01:58 PM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
There are some really good points mentioned here. One that I think is worth emphasizing is that in the short run, one of the best things "we the people" can do to improve things is migrate towards the more secure methods of communication by encrypting our data and transmissions and using systems like Tor. This has two effects. One, if any 3rd party wishes to engage in spying, it increases the costs and complexity. Two, it increases the overall level of both types of traffic making it harder to distinguish stuff of interest.
Quote:
and not good at all at enabling people to break the laws, which by-the-way suits me just fine.
followed by
Quote:
At one point, it was illegal in the U.S. for slaves to escape from plantations (snip for brevity)
This raises a subject that we as supporters of the Linux community need to be cognizant of: how much privacy are we willing to give up in the name of security and or law enforcement. Eventually, technical solutions will emerge solving this problem; Internet 2.0 as it is sometimes referred to as. As potential and future designers and contributors to such a system, do we allow 'backdoor' and 'logging' in a manner that can be abused? Do we inherently make traffic such that it is untraceable knowing that it will allow bad actors to communicate as freely as well?

@sundialsvcs, you may not have a problem with law enforcement or the state monitoring you, or at least having the ability to do so, but I do, and not because I am doing anything wrong or, to the best of my knowledge, illegal, which is not the same as wrong. Here is a more personal example from this morning. I was on my way to work, on the highway, in the middle lane, and a black car came up quickly from behind and sat to my back left corner. I was going slightly over the legal limit on par with the rest of the traffic. In general, I don't like having cars sit in this position as it both impedes my maneuverability and is in a difficult to see spot, which is why I think it was deliberately chosen. I sensed something "off" about the car and just at the same time I started paying it particular attention, it sped off, remaining on my left, and I noticed that it was an unmarked cop car of unknown jurisdiction. I can only guess as to what s/he was doing sitting at my back corner but I assume scanning and running my plates. From this they would have known who I am, where I reside, and the fact that I was possibly armed, as well as other personal information. We can debate the legality of this activity on the basis of driving being a state granted privilege, being on public roads, or any number of other grounds, but this is an activity that I am opposed to. Not only that, but there is now apparently the necessity for the police to go about covertly in our society. Even worse yet, in their apparent attempt to thwart illegal activity, they engaged in it themselves by driving aggressively and substantially exceeding the speed limit. Now, in certain circumstances they are permitted to exceed the speed limit without hazard notifications (responding to an emergency where announcement would be detrimental), but based upon his engagement with myself and other drivers (whom he proceeded to do the same thing to), it is obvious that this was not one of those times.

In terms of the Internet, the state, specifically the US govt, and its supposed leaders in particular, have demonstrated that they will not abide by the highest laws of the land. The system is supposed to have a set of checks and balances, i.e. the three distinct branches of the govt that are supposed to prevent this type of malfeasance. Clearly it is not working and has become corrupted. One of my favorite TV shows is/was Babylon 5. One of the key races in the show, the Minbari, were led by the Grey Council which consisted of 3 representatives from each of the three castes in their society: worker, warrior, and religious, and the parallels to our society should be fairly apparent. In the show, the warrior and religious colluded and acted poorly and in response the structure of the council was changed so that it contained 5 worker caste members and 2 from the other two castes such that never again could action be taken without the will and support of the "people".

The Western World, and the USA in particular, are currently facing a crisis. One that the Linux community will undoubtedly play a part in resolving. For example, current encryption does not have direct back door access by design; this is something that I used to take great comfort in. Instead we've learned that the encryption standards have been deliberately weakened to facilitate pseudo back doors. We've learned that almost, if not every, commercial OS, including cell phones, has spy technology built in and phones have been designed such that you can't readily turn them off. Our TVs have begun watching us without our permission and knowledge. We've learned that network security appliances have built in back doors in them to allow certain parties undetectable and unfettered access. And there is more. These are things that must be corrected and never allowed to happen again and the community as a whole will be tasked with developing the solutions because, like the govt (warrior caste), corporate entities (religious caste) have demonstrated that they can't be trusted and control must be taken away from them.
 
2 members found this post helpful.
Old 01-03-2014, 02:19 PM   #7
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
Quote:
Originally Posted by Noway2
The Western World, and the USA in particular, are currently facing a crisis. One that the Linux community will undoubtedly play a part in resolving. For example, current encryption does not have direct back door access by design; this is something that I used to take great comfort in. Instead we've learned that the encryption standards have been deliberately weakened to facilitate pseudo back doors. We've learned that almost, if not every, commercial OS, including cell phones, has spy technology built in and phones have been designed such that you can't readily turn them off. Our TVs have begun watching us without our permission and knowledge. We've learned that network security appliances have built in back doors in them to allow certain parties undetectable and unfettered access. And there is more. These are things that must be corrected and never allowed to happen again and the community as a whole will be tasked with developing the solutions because, like the govt (warrior caste), corporate entities (religious caste) have demonstrated that they can't be trusted and control must be taken away from them.
I think this is an issue of computing power. Current crypto relies on mathematically hard problems, a rather relative term as it depends on you believing the mathematicians and believing that there is no shortcut or perhaps a massive supercomputer specifically designed to break codes sitting at NSA HQ as has been suggested by some articles / revelations.

Can you create crypto that not even the NSA can break? If you can, I'll bet you anything they will ban crypto export like they did in the past. Why? Because it is their job, and you hired them.

I recommend not thinking about the NSA as an adversary, but more as a god of surveillance. NSA is never not watching. NSA created crypto, so do not ask if NSA can break it.
 
Old 01-06-2014, 09:22 AM   #8
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
@Noway2 – what I have very serious "problems with" is the enormous waste inherent in such programs ... as well as the frank realization that millions of "government contractors," whose clearances are granted by another contractor(!), have access to the information, too. Anytime you pack lots of data in one place (especially if the encryption has been stripped-off, or can be stripped at will), you've created a vulnerability ... to everyone in your nation as well as others. Now, you're no longer "protecting" them. Quite the opposite.

There are two purely-social problems that scare me the most:
  1. The "military mindset": Soldiers are trained to fight wars. Everyone is an enemy, everything is a threat, everywhere is a battlefield in need of a military "command." Everything is opposed with force.
  2. The "military contractor mindset(!)": The US Government spends (at least) tens of Billions of U.S. Dollars a day on (see bullet-point #1), and there are vast networks of contractors who say, "We wants-s-s-s-ssss it, our precious-s-s-s-ssss!" What these people see in, for example, "global surveillance," are enormous contracts for everything from hard-disk drives to network cables, all constructed to preposterously meticulous specifications. (And what do they want after that? $$MORE$$. There's always one more "threat" to conjure-up, and one more too-eager legislator to pay off.)
As we know, the greatest threat to actual security has arms and legs, and a white hat. Right now, the American people are being told that "we can't afford" to provide health care for everyone; we "can't afford" to support our elderly; hell, we can't even "afford" to maintain Interstate highway bridges so that they don't collapse into a river at rush hour (which barely made a "blip" on the 'news') ...

... b-u-t that we "by gawd, absolutely must" 'borrow' (sic ...) over $300 million USD an hour(!) to "keep America safe from ..." something or other. (Certainly not "the military" or "the military contractors," oh no-o-o... heh.)

... a-n-d the rest of the World community of humans is being oh-so confidently told that they must continue to have "a world reserve currency," and that of course it must be (tah-DAAAH) The Almighty American Dollar.™

Plenty of people, in every country including the US itself, are (finally!) asking direct questions about this state of affairs, which has never ended nor been seriously questioned since the close of World War II ... which is, for some of us, our great-great-grandparent's time. Perhaps this out-of-control juggernaut, itself(!), this "ultimate 'great sucking sound,'" is the greatest threat both to "world peace" and to "national stability." Perhaps it is finally outgrowing its welcome. I earnestly hope so.

Here's the rub: NSA does have a legitimate mission. But, with this much $$money$$ in play, there are plenty of people inside and outside such agencies who want ... of course. And there are also plenty of Senators and Congressmen who collect "briefcases" for a living. All of this is human nature. And, as we all humans all know, "human nature" is the greatest threat of all. "The Love of Money is the Root of all Evil."

Last edited by sundialsvcs; 01-06-2014 at 09:29 AM.
 
Tags
anonymous, privacy, surveillance, tor