Why aren't more people using Tor getting deanonymized?

Hello everyone,

I have only recently become more aware of the topic of privacy and anonymity in the last few months, and I have particularly researched a lot on this subject in recent weeks. Overall, I would still consider myself a beginner.

I quickly got the impression that Tor provides a very high level of anonymity. When people are reported on YouTube, for example, as being uncovered in the Tor network, it was usually due to extremely poor operational security, such as using their own Gmail accounts or disclosing other sensitive information.

However, I recently read something in the English Wikipedia article on Tor that made me pensive.

https://en.wikipedia.org/wiki/Tor_(network)

In the “Odds of Detection” section, it is explained that the probability of receiving a malicious circuit capable of compromising anonymity is 1 in 2 million. This indeed sounds low, but when you consider that we change the circuit every 10 minutes, it looks different.

A person using the Tor network for 10,000 hours in their entire life would use a total of 60,000 circuits.

Therefore, the probability of being uncovered is 3%. That’s not insignificant.

If we consider that there may be several malicious circuits, the probability increases accordingly.

My question now is:

Given the millions of people using Tor, why aren’t significantly more people being deanonymized?

Don’t get me wrong; I appreciate that the Tor network is strong. I just want to understand how this contradiction arises.

Thank you very much.

Best regards

Marc

1 Like

The “Odds of Detection” section is referencing a probability from 2016. In 2024, the total number of relays is now about 8,000: 4,344 are guard relays, 2,459 are exit relays, and the rest are middle and bridge relays.

https://metrics.torproject.org/rs.html#aggregate/all

So, looking more closely at the “Odds of Detection” section, it assumes that an attacker only controls one “poisoned” Guard and Exit relay. Assuming that consensus weight has no bearing on the probability, and that the attacker is not providing a bridge relay instead, that means 1⁄4344 x 1⁄2459 = 1 in 10,681,896.

Assuming that Tor circuits are always forcefully updated every 10 minutes, plus the amount of guard and exit relays remaining exactly the same as it is now for 10,000 hours, along with all prior assumptions, that leaves us with 60,000 ÷ 10,681,896 = 0.0056169804; approximately half of one percent.

Multiple reasons, but it comes down to cost: an attacker would need to deploy and contribute relays to the Tor network for an extended period of time, with a greatly delayed payoff of at least 60 days due to how non-exit relays are ramped up to guard. Due to consensus weight, certain relays are favoured over others for Tor circuit building, so attackers would need to compete with them in order to attract more network traffic for easier end-to-end correlation.

Related:

OrNetStats

4 Likes

Guard relays (mostly) prevent this attack from happening.

When you first start Tor, 2 guard relays are chosen. Those 2 guards will stay as your “entry points” for around 6-8 weeks.
That way, even if the circuit is malicious or compromised, worst case is that they trace it back to your guard relay - not to you.

3 Likes
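To make the two ways of counting in this thread concrete, here is an added example (not code from the thread or from the Tor Project). Model A is the arithmetic above: every circuit draws a guard and an exit uniformly at random, so circuits are independent trials. Model B is the guard-pinning behaviour described in the previous reply: the client keeps a small set of guards for weeks, so the attacker only gets a fresh chance at being the guard when guards rotate. Relay counts (4,344 guards, 2,459 exits), the 10-minute circuit lifetime and the 10,000-hour user are the thread's figures; a 56-day guard lifetime and 2 guards per client are assumptions taken from "6-8 weeks" and "2 guard relays" above. Both models count only guard-plus-exit pairs, as the thread does, and ignore consensus weight unless you pass weighted fractions.

```python
"""Added example: estimate how likely a Tor client is to ever build a circuit whose
guard AND exit are both run by one attacker, under two selection models.
All figures are the thread's numbers or labelled assumptions, not measurements."""

# 2024 relay counts quoted in the thread
GUARDS = 4344
EXITS = 2459


def per_circuit_compromise_probability(attacker_guards=1, attacker_exits=1,
                                       guards=GUARDS, exits=EXITS):
    """Model A: P(one circuit uses an attacker guard and an attacker exit)
    under uniform, independent selection (consensus weight ignored)."""
    return (attacker_guards / guards) * (attacker_exits / exits)


def expected_compromised_circuits(circuits, p_circuit):
    """Model A: expected number of compromised circuits over `circuits` trials
    (the 60,000 / 10,681,896 figure from the thread)."""
    return circuits * p_circuit


def naive_lifetime_probability(circuits, p_circuit):
    """Model A: P(at least one compromised circuit) over `circuits` independent trials.
    For tiny p this is close to, but slightly below, circuits * p."""
    return 1.0 - (1.0 - p_circuit) ** circuits


def pinned_guard_lifetime_probability(total_hours, guard_fraction, exit_fraction,
                                      circuit_minutes=10, guard_lifetime_days=56,
                                      guards_per_client=2):
    """Model B: the client keeps `guards_per_client` guards for `guard_lifetime_days`
    (assumed values for the thread's "2 guards ... 6-8 weeks") and splits its circuits
    evenly between them.  The client is compromised when one of its guard draws lands
    on the attacker (probability `guard_fraction`) AND at least one circuit built
    through that guard picks an attacker exit (probability `exit_fraction` per circuit).
    Fractions may be counts/total (uniform) or consensus-weight shares."""
    hours_per_rotation = guard_lifetime_days * 24
    circuits_per_rotation = hours_per_rotation * 60 / circuit_minutes
    circuits_per_guard = circuits_per_rotation / guards_per_client
    # P(at least one attacker exit among the circuits built through one guard slot)
    p_exit_hit = 1.0 - (1.0 - exit_fraction) ** circuits_per_guard
    p_slot = guard_fraction * p_exit_hit
    # number of guard draws over the client's lifetime (may be fractional)
    draws = guards_per_client * total_hours / hours_per_rotation
    return 1.0 - (1.0 - p_slot) ** draws


def compare(total_hours=10_000, circuit_minutes=10):
    """Run both models for the thread's 10,000-hour user against one attacker
    guard and one attacker exit; returns the three headline numbers."""
    circuits = total_hours * 60 // circuit_minutes  # 60,000 circuits
    p = per_circuit_compromise_probability()
    return {
        "expected_compromised_circuits": expected_compromised_circuits(circuits, p),
        "naive_lifetime_probability": naive_lifetime_probability(circuits, p),
        "pinned_guard_lifetime_probability": pinned_guard_lifetime_probability(
            total_hours, 1 / GUARDS, 1 / EXITS, circuit_minutes),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:35s} {value:.6f}")
```

Under these assumptions Model A reproduces the 0.0056 expected-circuits figure, and Model B comes out lower (roughly 0.28%) because the client only makes about fifteen guard draws over 10,000 hours instead of 60,000 independent ones. The function parameters are the levers the replies above talk about: raise `guard_fraction` or `exit_fraction` to a consensus-weight share rather than a relay count and the numbers move accordingly.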

First, I would like to thank all of you for the explanations. Your descriptions show me how much I can still learn about the Tor network.

Regarding the topic of costs, I have another question.

Frankly, you mentioned that costs could potentially deter an attacker. I have no idea what operating a real high-end Tor node would cost. I have often read that governments and their organizations spend enormous sums on surveillance.

Would it be absurdly expensive to operate a sufficient number of Tor nodes over an extended period?

Thanks again.

Best regards,

Marc

1 Like

Tor has some defenses against sybil attacks.

Tor has a monitoring system to try and prevent sybil attacks.

There has also been some discussion on how to prevent such attacks on the Tor network.

Tor has in fact defended itself against sybil attacks before, such as this incident where they removed over 600 relays. There’s also this list which shows all the fingerprints of relays that have been suspected of being in an attack (and removed).

2 Likes

Hi Marc, to me, IMO, the answer is a large grab-bag of reasons. The first and biggest reason is:

  • The overwhelming majority of people using tor aren’t doing anything worth spending time or money trying to de-anonymize them.

That doesn’t stop those who tinker, malevolent hackers, misguided do-gooders, and tax-payer funded state entities.

Depending on the country doing the spying:

  • They will just make people disappear (Davy Jones’ Locker, ☠️). They’re not interested in grabbing headlines; they want their detractors gone. (Dictatorships, authoritarian regimes, other non “free” countries.)
  • They have to follow various laws and build a case that will stand up in court. This takes time and depending on how big a splash in the headlines versus how many zero-days they have to use (thus reveal or imply), they weigh the costs. In fact the U.S. is known to jerry-rig investigations/arrests to hide how they actually got their information to make it seem innocent and lawful.

Other entities, like the ogling advertising company and other advertisers wishing they had Google’s (Chrome/advertising) monopoly, are mostly satisfied with the “speak to the hand” approach. They try to frustrate you out of using tor, a less costly approach.

In other words, Google, whose crawling robots scrape as much of the Internet as possible using their robots, which supposedly read the robots.txt file at the root of your website(s) and supposedly honor it, give you the middle finger if you use tor (like Tor Browser) to browse most Google websites. They present you with a barren page, a picture of a broken robot, and claim you are indistinguishable from a robot, therefore you should be denied from reading the webpage. (Ahem, unlike their robots? 🤯)

Other websites just give you a sparse, boilerplate page saying you should report the “problem” to them. I say you should de-anonymize yourself to them (case-by-case basis) to let them know they are blocking real people trying to benefit from their website, especially if they are a commercial outfit. “You are blocking me from learning your hours of operation… From making informed product decisions… From buying your products online… From leaving a positive review of your company… and you should learn about having an onion address to protect against (D)DOS, besides the other benefits of an onion address.”

Lastly, before I write a novel, I would add:

  • it seems tor actually lives up to a bunch of its claims. It does provide protections to users. And that’s why “more people using Tor aren’t getting deanonymized.”

Would it be absurdly expensive to operate a sufficient number of Tor nodes over an extended period?

Your former questions were very numbers-based. This last question is subjective. What is “absurdly expensive” and how long is an “extended period?”

It depends on who you are working for and how they are funded. AND how many bogus leads they are willing to waste time tracking down (see my first bullet point).

The U.S. ignored warnings about the 9/11 hijackers taking flight classes. The U.S. ignored the father of the underwear bomber who reported his own son!

One doesn’t need to gulp down GiB, TiB, of data and do all sorts of fancy math to locate problems. In fact, people who are supposed to be protecting the “free” world seem to be forcing themselves to drown in TMI (too much information).

2 Likes

No, but a “sufficient number” of Tor nodes does not correlate to consensus weight.

1 Like

First of all, thank you very much again for your feedback.

@abc, you are absolutely right; “absurdly costly” is a very subjective perspective. Now that I think about it, I realize that I should specify my thoughts.

I recently watched a documentary about how many ultra-rich individuals are buying football clubs for billions of dollars. Some of the people shown could be safely labeled as despots.

So, I wondered what would happen if such a despot were to invest one billion dollars to undermine the Tor network. Do you think the Tor network would survive this?

I hope I have made my thoughts somewhat clearer 🙂

Best regards,

Marc

1 Like

Absolutely.

2 Likes

Survive it? Probably.

Realistically, it would be far more effective to just tap/monitor off the already existing nodes.

Taking a look at Tor relay search and sorting by flag:exit, we can see that the top 5 AS (autonomous systems) make up 56% of all tor exits.

This is calculated by the “exit probability” figure.

2 Likes

Addendum: The same is true for guards, 49.6% of guard probability is from just 5 different AS(s)

3 Likes
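The “top 5 AS” figures in the two replies above come from summing each relay's guard or exit probability per autonomous system. Here is an added example (not from the thread, not Tor Project code) that does that aggregation over a constructed relay list and also computes what fraction of circuits would have both ends inside one AS if guard and exit were chosen independently by those probabilities. The relay records are made-up sample data; the field names `as`, `guard_probability` and `exit_probability` mirror the relay details documents served by Onionoo, which Tor Relay Search is built on, so the same functions can be run over a real download. The same-AS figure ignores Tor's own path restrictions (for example, not using two relays from one family or one /16 in a circuit); that simplification is an assumption of this example.

```python
"""Added example: measure how concentrated guard and exit selection probability is
by autonomous system, the way the thread's "top 5 AS = 56% of exits" figure is read
off Tor Relay Search.  SAMPLE_RELAYS is constructed data, not real relays."""

from collections import defaultdict

# Constructed sample relays.  Each probability column sums to 1.0 across the list,
# as the real guard_probability / exit_probability fields do across the network.
SAMPLE_RELAYS = [
    {"nickname": "relayA", "as": "AS1000", "guard_probability": 0.12, "exit_probability": 0.00},
    {"nickname": "relayB", "as": "AS1000", "guard_probability": 0.08, "exit_probability": 0.20},
    {"nickname": "relayC", "as": "AS2000", "guard_probability": 0.10, "exit_probability": 0.15},
    {"nickname": "relayD", "as": "AS2000", "guard_probability": 0.05, "exit_probability": 0.10},
    {"nickname": "relayE", "as": "AS3000", "guard_probability": 0.15, "exit_probability": 0.05},
    {"nickname": "relayF", "as": "AS4000", "guard_probability": 0.20, "exit_probability": 0.25},
    {"nickname": "relayG", "as": "AS5000", "guard_probability": 0.10, "exit_probability": 0.10},
    {"nickname": "relayH", "as": "AS6000", "guard_probability": 0.12, "exit_probability": 0.05},
    {"nickname": "relayI", "as": "AS7000", "guard_probability": 0.08, "exit_probability": 0.10},
]


def share_by_as(relays, field):
    """Sum one probability column ('guard_probability' or 'exit_probability') per AS.
    Relays missing the field (e.g. a non-exit asked for exit_probability) count as 0."""
    totals = defaultdict(float)
    for relay in relays:
        totals[relay.get("as", "unknown")] += relay.get(field, 0.0)
    return dict(totals)


def top_n_share(relays, field, n):
    """Combined selection probability of the n largest ASes for the given column."""
    shares = sorted(share_by_as(relays, field).values(), reverse=True)
    return sum(shares[:n])


def same_as_both_ends(relays):
    """Fraction of circuits whose guard and exit would sit in the same AS, assuming
    guard and exit are drawn independently by their probability columns.  This is
    an assumption of the example: it ignores Tor's family and /16 path restrictions."""
    guard = share_by_as(relays, "guard_probability")
    exit_ = share_by_as(relays, "exit_probability")
    return sum(guard[asn] * exit_.get(asn, 0.0) for asn in guard)


def concentration_report(relays, n=5):
    """Headline numbers a relay-search reader would look at, as a dict."""
    return {
        "top_n_guard_share": top_n_share(relays, "guard_probability", n),
        "top_n_exit_share": top_n_share(relays, "exit_probability", n),
        "same_as_both_ends": same_as_both_ends(relays),
    }


if __name__ == "__main__":
    for key, value in concentration_report(SAMPLE_RELAYS, n=3).items():
        print(f"{key:20s} {value:.3f}")
```

On the constructed list the three largest exit ASes carry 70% of exit probability and the three largest guard ASes 55%, which is the shape of concentration the replies describe; the same-AS figure is the share of circuits an operator of one network position could see at both ends without running a single extra relay.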

Hi @Marc, you touch on a number of points. I’m glad @FranklyFlawless & @Not_Ambrose are able to talk numbers with you.

I wondered what would happen if such a despot were to invest one billion dollars to undermine the Tor network. Do you think the Tor network would survive this?

Of course the despot would try to sell it to the public as an “investment” and try to be reimbursed for it, or pay for it directly from the citizens. ☹️ My guess is there will be little to show for it.

Would ‘the Tor network survive this?’ I agree with both @FranklyFlawless & @Not_Ambrose.

However your use of despot* is vague, so I’d say if you’re talking about countries, the smaller the country, the more easily those who use the tor network could be found. Determining what they were doing is another matter.


  • If the despot owns a sports team, the despot could (for $1B) probably forcibly control (contractually or technologically) the players’ devices to connect to the club’s wifi, then figure out which team member was connecting to the tor network.

Figuring out who in the stadium of hundreds of thousands would be harder. (Even if offered free Wi-Fi, some percent will just keep using their cell service.) Some people will connect to a VPN first, then connect to tor, thus putting themselves outside of the despot stadium owner’s reach (we hope).

If you want to get into the specific costs and probabilities, I’m not the person to say.

But none of this would ‘undermine the Tor network’ or cause any damage to its existence.


Depending on the place the despot spends $1 Billion USD, and how much corruption exists among those in charge of spending it—and those hired, it could last a very long time, or it could be gone quicker than the despot expects.

Technological attacks and social engineering attacks are the two main, and even overlapping, attacks the Tor Project, tor network operators, and tor users face.

Perhaps the despot tries to infiltrate/inveigle tor’s code by getting a ringer hired or submitting patches. We can hope the Tor Project, and supporters, can catch it ASAP. Because even though it’s open source, my guess is most people understand computer languages about as much as they understand the legalese in contracts and legislation.

There’s an analysis/paper/blog post with numbers predicting the costs of attacking the tor network and naming general tiers of attackers. From individuals to nation states. Search the Tor Project blog. (Maybe someone can provide a link.)

The tor network is constantly in flux since anyone can join to be a relay; this is shown through the hourly consensus vote (IIRC). So percentages of risk(s) are always going to fluctuate.

Here are two resources to learn about tor network health:

True despots care little about proof, and I would say often create evidence out of thin air.

If they hold any sway over the court system, facts just get in the way; they don’t need to spend a billion dollars to create baffle-them-with-BS evidence to convict someone.

So they will have two projects. One that creates bogus data to remove their detractors, and one that really does try to undermine tor’s protections. But the latter project will be secret.

Since past is often prologue, the despot will spend more resources spying on underlings, associates, and educational institutions than on the general population. But since the general population is considered more easily expendable, some will be punished harshly to “send a message” to the former.


I’ve seen a number of “how to connect” to the tor network documents, but none recently.

I’ve seen over time the Tor Project change the language (advice/instructions) shown upon opening Tor Browser for the first time. I’m guessing this is due to it not being safe in some places to start out trying to make a direct connection using a publicly listed relay, but to offer users a chance to connect using a bridge.

Perhaps there should be an update somewhere on approaching using Tor Browser from the most paranoid perspective possible**, then document progressively less troublesome/paranoid/careful methods.

** I don’t doubt this is subjective.


I’m glad there are protections for onion services to protect them against DOS attacks.

For a long time I’ve wished that despots like you describe, who add relays to the network for the purpose of spying/undermining it, could somehow be used and not 100% rejected. As I understand it, they shouldn’t be allowed to relay traffic but perhaps they can still be used to bear some of the costs.

Perhaps they could be made to only answer directory requests, or some other slice of the network where they’re mostly blind but provide a useful service. Of course there would still need to be checks in the tor code since malevolent despots may compile their own modified version of tor…

4 Likes

Thankfully the xz utility backdoor supply chain attack, rated the highest possible threat of 10.0, was caught before it got any further.

2 Likes