Threat Model Documentation
Before Width: | Height: | Size: 18 KiB After Width: | Height: | Size: 69 KiB |
1
assets/static/images/home/png/threat-model.png
Symbolic link
@ -0,0 +1 @@
|
|||||||
|
surveillance.png
|
1
assets/static/images/home/svg/threat-model.svg
Symbolic link
@ -0,0 +1 @@
|
|||||||
|
surveillance.svg
|
BIN
assets/static/images/threat-model/client-side.png
Normal file
After Width: | Height: | Size: 108 KiB |
BIN
assets/static/images/threat-model/ddos.png
Normal file
After Width: | Height: | Size: 99 KiB |
BIN
assets/static/images/threat-model/local.png
Normal file
After Width: | Height: | Size: 126 KiB |
BIN
assets/static/images/threat-model/network.png
Normal file
After Width: | Height: | Size: 124 KiB |
BIN
assets/static/images/threat-model/project.png
Normal file
After Width: | Height: | Size: 162 KiB |
BIN
assets/static/images/threat-model/threat-position.png
Normal file
After Width: | Height: | Size: 135 KiB |
30
content/threat-model/contents.lr
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
section: Threat Model
|
||||||
|
---
|
||||||
|
section_id: threat-model
|
||||||
|
---
|
||||||
|
color: primary
|
||||||
|
---
|
||||||
|
_template: layout.html
|
||||||
|
---
|
||||||
|
_discoverable: no
|
||||||
|
---
|
||||||
|
title: Threat Model
|
||||||
|
---
|
||||||
|
subtitle: How we mitigate threats to Tor
|
||||||
|
---
|
||||||
|
cta: Learn about threats
|
||||||
|
---
|
||||||
|
key: 7
|
||||||
|
---
|
||||||
|
html: threat-model.html
|
||||||
|
---
|
||||||
|
body:
|
||||||
|
|
||||||
|
The Tor network, designed to safeguard privacy and enable anonymous communication, is constantly under threat from adversaries who seek to exploit its vulnerabilities.
|
||||||
|
As an open and decentralized system, Tor relies on a global network of volunteer-operated relays, making it both resilient and a target for various forms of attacks.
|
||||||
|
These threats range from malicious relays attempting to disrupt traffic or compromise user anonymity, to sophisticated surveillance tactics aimed at deanonymizing users or undermining the network’s integrity.
|
||||||
|
|
||||||
|
To defend against these threats, it is important to understand the types of attackers the network faces, their capabilities, and their objectives.
|
||||||
|
A comprehensive threat model helps to identify potential vulnerabilities, assess the risks, and design appropriate mitigation strategies to protect both users and the network itself.
|
||||||
|
|
||||||
|
In this section, we provide a detailed overview of the adversaries targeting Tor, their methods of attack, and the systems in place to counter them, helping Tor continue to serve as a secure platform for privacy-conscious users.
|
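Review bot: The front matter of content/threat-model/contents.lr has no `_model:` field, while every other contents.lr added in this change opens with `_model: page`. If the section landing page is meant to use a different model, declare it explicitly so the page does not depend on an implicit default. `html: threat-model.html` also names a template that is not among the files visible in this change, so confirm it exists before merging.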
34
content/threat-model/mitigation/bad-relays/contents.lr
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
_model: page
|
||||||
|
---
|
||||||
|
color: primary
|
||||||
|
---
|
||||||
|
title: Mitigating Malicious Relays
|
||||||
|
---
|
||||||
|
html: two-columns-page.html
|
||||||
|
---
|
||||||
|
_template: layout.html
|
||||||
|
---
|
||||||
|
key: 1
|
||||||
|
---
|
||||||
|
section: Threat Model
|
||||||
|
---
|
||||||
|
section_id: threat-model
|
||||||
|
---
|
||||||
|
body:
|
||||||
|
|
||||||
|
# Mitigating Malicious Relays
|
||||||
|
|
||||||
|
The open nature of the Tor network means that preventing malicious or misconfigured relays from joining is nearly impossible.
|
||||||
|
To address this, we take a multi-faceted approach to detect and mitigate these threats.
|
||||||
|
|
||||||
|
We’ve set up systems to constantly perform automatic network scans to detect any signs of malicious activity.
|
||||||
|
This helps identify relays that may be intentionally tampering with traffic or undermining the network’s security.
|
||||||
|
Additionally, our network health team carries out investigations to discover new or unknown attacks that might bypass automated systems.
|
||||||
|
|
||||||
|
Beyond technical measures, Tor emphasizes community-building. A trusted and tight-knit community can make it more difficult for attackers to operate.
|
||||||
|
Community members can help identify malicious relays by reporting suspicious behavior through channels such as emails or other reporting systems.
|
||||||
|
Building trust within the relay operator community is a long-term effort, that is supported by regular meet-ups, open discussions, and transparent processes aimed at improving the network’s health.
|
||||||
|
|
||||||
|
We also stay engaged with third-party applications and tools that can aid in the fight against malicious relays.
|
||||||
|
For example, implementing features like HTTPS-only mode in Tor Browser strengthens overall security and helps reduce the risks posed by malicious exit relays.
|
||||||
|
This combination of technical, social, and external improvements forms Tor’s strategy for mitigating threats stemming from malicious relays and keeping the network safe.
|
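Review bot: In the community paragraph, "reporting suspicious behavior through channels such as emails or other reporting systems" does not tell a reader where to send a report. Link the concrete reporting channel here, for example the handling-bad-relays page that other files in this change already link to. In the same paragraph, drop the comma in "a long-term effort, that is supported by".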
25
content/threat-model/mitigation/contents.lr
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
_model: page
|
||||||
|
---
|
||||||
|
color: primary
|
||||||
|
---
|
||||||
|
title: Network Threats Mitigation
|
||||||
|
---
|
||||||
|
html: two-columns-page.html
|
||||||
|
---
|
||||||
|
_template: layout.html
|
||||||
|
---
|
||||||
|
key: 4
|
||||||
|
---
|
||||||
|
section: Threat Model
|
||||||
|
---
|
||||||
|
section_id: threat-model
|
||||||
|
---
|
||||||
|
body:
|
||||||
|
|
||||||
|
# Network threat mitigation systems
|
||||||
|
|
||||||
|
As a privacy-focused network, Tor is constantly exposed to a wide range of threats that aim to undermine its security and functionality.
|
||||||
|
To fight against these threats, Tor employs a variety of threat mitigation systems designed to protect the network from malicious activity, both technical and social in nature.
|
||||||
|
|
||||||
|
These systems are crucial in preserving the safety and reliability of the Tor network, allowing it to continue operating as a secure tool for users around the world.
|
||||||
|
By combining technical safeguards, community collaboration, and continuous innovation, Tor actively works to detect and address threats before they can cause harm.
|
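Review bot: The `title:` field reads "Network Threats Mitigation" but the body heading is "# Network threat mitigation systems", whereas the sibling pages in this change repeat the title verbatim as the heading. Pick one wording. The body also stays general and links none of the child pages added under mitigation/ (bad-relays, dos-threats, project), so a reader landing here has no path to the specific mitigations.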
30
content/threat-model/mitigation/dos-threats/contents.lr
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
_model: page
|
||||||
|
---
|
||||||
|
color: primary
|
||||||
|
---
|
||||||
|
title: Addressing Denial of Service (DoS) Threats
|
||||||
|
---
|
||||||
|
html: two-columns-page.html
|
||||||
|
---
|
||||||
|
_template: layout.html
|
||||||
|
---
|
||||||
|
key: 3
|
||||||
|
---
|
||||||
|
section: Threat Model
|
||||||
|
---
|
||||||
|
section_id: threat-model
|
||||||
|
---
|
||||||
|
body:
|
||||||
|
|
||||||
|
# Addressing Denial of Service (DoS) Threats
|
||||||
|
|
||||||
|
Mitigating all possible **Denial of Service (DoS)** attacks in the Tor network is a complex task.
|
||||||
|
The current C-Tor implementation includes an anti-DoS system that defends against the most critical vulnerabilities.
|
||||||
|
However, this system can't handle all the types of DoS attacks the network faces, and redesigning it is beyond the scope of C-Tor.
|
||||||
|
To fill these gaps, the remaining DoS vulnerabilities are addressed in the new Rust-based implementation, [Arti](https://gitlab.torproject.org/tpo/core/arti).
|
||||||
|
|
||||||
|
A key part of defending against DoS threats involves collaboration with the [relay operator community](https://community.torproject.org/relay/governance/relay-operators/) and [Directory Authorities](https://community.torproject.org/relay/governance/policies-and-proposals/directory-authority/).
|
||||||
|
These groups have played a crucial role in identifying and understanding DoS attacks in the real world.
|
||||||
|
Their input has been proved essential in testing potential fixes and workarounds, especially in cases where the current anti-DoS system has limitations that prevent direct solutions.
|
||||||
|
|
||||||
|
We hope that by working together, we can reduce both the short- and long-term impacts of these attacks.
|
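Review bot: The sentence "the remaining DoS vulnerabilities are addressed in the new Rust-based implementation" reads as if the fixes have already shipped, right after the page says the C-Tor anti-DoS system cannot handle all attack types. State whether the Arti work is complete or in progress, and what relay operators still running C-Tor should expect in the meantime. Minor: "has been proved essential" should be "has proved essential".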
@ -0,0 +1,36 @@
|
|||||||
|
_model: page
|
||||||
|
---
|
||||||
|
color: primary
|
||||||
|
---
|
||||||
|
title: Resolving Information Leaks
|
||||||
|
---
|
||||||
|
html: two-columns-page.html
|
||||||
|
---
|
||||||
|
_template: layout.html
|
||||||
|
---
|
||||||
|
key: 2
|
||||||
|
---
|
||||||
|
section: Threat Model
|
||||||
|
---
|
||||||
|
section_id: threat-model
|
||||||
|
---
|
||||||
|
body:
|
||||||
|
|
||||||
|
# Resolving Information Leaks
|
||||||
|
|
||||||
|
Tor’s protocol has various information leaks, and while not all have been addressed yet, we focus on mitigating the most severe threats.
|
||||||
|
These include cryptographic tagging, manipulation of cell headers, and dropped cells. Tor’s new project, the [Arti](https://gitlab.torproject.org/tpo/core/arti) client, resolves these critical vulnerabilities.
|
||||||
|
|
||||||
|
We also take action against bandwidth inflation attacks by detecting and removing the malicious relays responsible.
|
||||||
|
A **bandwidth inflation attack** happens when a malicious relay in the Tor network falsely reports a higher bandwidth capacity than it actually has.
|
||||||
|
Tor relays are ranked based on their reported and measured bandwidth, and relays with higher bandwidth are more likely to be chosen by users to route their traffic.
|
||||||
|
|
||||||
|
In a bandwidth inflation attack, the attacker manipulates the system by making their relay appear faster or more capable than it really is.
|
||||||
|
This gives the malicious relay a greater chance of being used in the network.
|
||||||
|
To counter this, Tor detects and removes relays that falsely inflate their bandwidth, protecting users from these harmful relays.
|
||||||
|
|
||||||
|
Another emerging threat comes from passive application-layer traffic patterns.
|
||||||
|
This means that an attacker could monitor traffic and, based on the size, timing, or frequency of data packets, make educated guesses about the content or nature of the user's activity without directly interacting with or altering the data.
|
||||||
|
|
||||||
|
To tackle this, we port a traffic analysis framework and simulator to Arti, which will help in identifying and reducing these risks.
|
||||||
|
By focusing on the most serious issues, Tor continues to enhance the security and reliability of the network.
|
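Review bot: "the Arti client, resolves these critical vulnerabilities" is an unqualified present-tense claim, yet the page opens by saying not all leaks have been addressed and closes with a simulator port that "will help". Say which of cryptographic tagging, cell-header manipulation and dropped cells are fixed and in which implementation, so readers can tell whether the fix covers the client they run. The bandwidth inflation paragraphs define the attack twice and sit oddly under an "Information Leaks" title; consider one definition and a short explanation of why it belongs on this page.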
39
content/threat-model/mitigation/project/contents.lr
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
_model: page
|
||||||
|
---
|
||||||
|
color: primary
|
||||||
|
---
|
||||||
|
title: Mitigating Attacks on the Tor Project
|
||||||
|
---
|
||||||
|
html: two-columns-page.html
|
||||||
|
---
|
||||||
|
_template: layout.html
|
||||||
|
---
|
||||||
|
key: 4
|
||||||
|
---
|
||||||
|
section: Threat Model
|
||||||
|
---
|
||||||
|
section_id: threat-model
|
||||||
|
---
|
||||||
|
body:
|
||||||
|
|
||||||
|
# Mitigating Attacks on the Tor Project
|
||||||
|
|
||||||
|
Tor’s open environment allows anyone to contribute by writing code or engaging in discussions.
|
||||||
|
While this openness makes participation easy, it also presents opportunities for adversaries to disrupt the project.
|
||||||
|
To address these threats, we do a few key things.
|
||||||
|
|
||||||
|
First, we keep discussions public and transparent. This openness helps to build trust within the community and between contributors and the Tor Project itself.
|
||||||
|
By having important conversations in the open, any attempts to harm the project are more easily noticed and stopped.
|
||||||
|
Regular communication and clear policies also help to prevent confusion and keep everyone aligned toward the same goals.
|
||||||
|
Transparency is key, as it makes it harder for adversaries to exploit gaps in communication or processes.
|
||||||
|
|
||||||
|
When it comes to defending against attacks on staff or specific systems, we rely on teamwork, among other things.
|
||||||
|
Handling malicious relays, for example, is a group effort.
|
||||||
|
This means that targeting or intimidating one person won’t stop the work from getting done.
|
||||||
|
The community and staff work together to identify and remove bad relays, so the network stays secure.
|
||||||
|
|
||||||
|
To protect our infrastructure, Tor takes extra precautions. Databases are only accessible internally, and the information is shared through secure systems designed to prevent disruption.
|
||||||
|
In addition, Tor plans to share database dumps publicly so researchers can help verify the data and its integrity, adding an extra layer of protection against manipulation.
|
||||||
|
|
||||||
|
Though defending against targeted attacks is challenging, our approach—combining transparency, teamwork,
|
||||||
|
and secure infrastructure—helps the project remain strong and resilient in the face of threats.
|
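Review bot: The infrastructure paragraph says "Databases are only accessible internally" and, in the next sentence, that "Tor plans to share database dumps publicly", which reads as contradictory without more detail. Name which databases are meant and state what is excluded from the public dumps, since the integrity argument depends on researchers knowing what they are verifying. "shared through secure systems designed to prevent disruption" is similarly too vague to assess; one concrete property would help.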
70
content/threat-model/network-attackers/contents.lr
Normal file
@ -0,0 +1,70 @@
|
|||||||
|
_model: page
|
||||||
|
---
|
||||||
|
color: primary
|
||||||
|
---
|
||||||
|
title: Who is an attacker?
|
||||||
|
---
|
||||||
|
html: two-columns-page.html
|
||||||
|
---
|
||||||
|
_template: layout.html
|
||||||
|
---
|
||||||
|
key: 1
|
||||||
|
---
|
||||||
|
section: Threat Model
|
||||||
|
---
|
||||||
|
section_id: threat-model
|
||||||
|
---
|
||||||
|
body:
|
||||||
|
|
||||||
|
The Tor network is designed to provide anonymity and privacy for its users.
|
||||||
|
However, various entities, with different motivations and capabilities, pose threats to this system.
|
||||||
|
|
||||||
|
Our threat model identifies these entities and provides a foundational understanding of the possible threats faced by the Tor network.
|
||||||
|
By identifying these attackers, we can better develop strategies to protect the network and its users.
|
||||||
|
|
||||||
|
## Who is an attacker?
|
||||||
|
|
||||||
|
An attacker is any individual, group, or organization that aims to compromise the security, anonymity, or integrity of the Tor network or the Tor Project itself.
|
||||||
|
These attackers may have various motivations, ranging from surveillance and data theft to disrupting the network’s functionality.
|
||||||
|
The attackers we are primarily focused on include:
|
||||||
|
|
||||||
|
- **Client-side attackers:**
|
||||||
|
Using a Tor client, these attackers might aim to degrade the network's performance by jamming it with traffic.
|
||||||
|
|
||||||
|
- **Local attackers:**
|
||||||
|
Local attackers, like ISPs or compromised Wi-Fi networks, can monitor and manipulate a user’s traffic,
|
||||||
|
or disrupt their connection to the Tor network.
|
||||||
|
|
||||||
|
- **Network attackers:**
|
||||||
|
Operating within the Tor Network, they can influence the network by injecting or
|
||||||
|
manipulating traffic through the relays they run, potentially compromising the anonymity of users.
|
||||||
|
|
||||||
|
- **Project attackers:**
|
||||||
|
Project attackers focus on The Tor Project itself, trying to introduce vulnerabilities or
|
||||||
|
disrupt operations by targeting Tor software, infrastructure, or key personnel.
|
||||||
|
|
||||||
|
## Goals of attackers
|
||||||
|
|
||||||
|
Understanding what attackers aim to achieve can help users and developers better defend against these threats.
|
||||||
|
Some of these goals include:
|
||||||
|
|
||||||
|
### 1. Revealing User Identities
|
||||||
|
One of the main goals of attackers may be to uncover the identities of Tor users.
|
||||||
|
Tor’s strength lies in providing privacy to its users.
|
||||||
|
If attackers succeed in deanonymizing users, they can strip away this protection, expose sensitive activities, compromise privacy, and potentially link users to their real-world identities.
|
||||||
|
|
||||||
|
### 2. Exploiting Tor Users
|
||||||
|
Attackers may seek to exploit Tor users by stealing assets like cryptocurrencies (e.g., Bitcoin) or siphoning off private and confidential information.
|
||||||
|
By watching and intercepting traffic, these attackers can aim to profit financially or gather sensitive data that can be used for malicious purposes.
|
||||||
|
|
||||||
|
### 3. Disrupting the Network
|
||||||
|
Another goal may be to disrupt the Tor network, making it unreliable or slowing it down.
|
||||||
|
Attackers might flood the network with traffic to that slow down the network or reduce the overall reliability of Tor services, making it less effective and accessible for users.
|
||||||
|
|
||||||
|
This prevents users from securely accessing the internet, and persistent disruptions can undermine trust in Tor and their privacy protection.
|
||||||
|
|
||||||
|
### 4. Weakening the Tor Project
|
||||||
|
Attackers may also target the Tor project directly, attempting to undermine its development, credibility, or organizational structure.
|
||||||
|
|
||||||
|
This could include introducing vulnerabilities into the software, discrediting the project, or creating conflicts within the community.
|
||||||
|
By weakening the project, attackers aim to diminish the effectiveness of Tor as a tool for privacy and freedom online.
|
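Review bot: Under "### 3. Disrupting the Network", "flood the network with traffic to that slow down the network" has a stray "to that" and repeats the point of the preceding sentence; suggest "flood the network with traffic to slow it down or reduce the overall reliability of Tor services". In the following paragraph, "trust in Tor and their privacy protection" has no clear referent for "their"; "its" is probably intended. The four attacker types in the list are a useful taxonomy, so link each bullet to its threat-positioning page where one exists in this change.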
@ -0,0 +1,77 @@
|
|||||||
|
_model: page
|
||||||
|
---
|
||||||
|
color: primary
|
||||||
|
---
|
||||||
|
title: How Attackers Work
|
||||||
|
---
|
||||||
|
html: two-columns-page.html
|
||||||
|
---
|
||||||
|
_template: layout.html
|
||||||
|
---
|
||||||
|
key: 1
|
||||||
|
---
|
||||||
|
section: Threat Model
|
||||||
|
---
|
||||||
|
section_id: threat-model
|
||||||
|
---
|
||||||
|
body:
|
||||||
|
|
||||||
|
As Tor offers protection, it also faces numerous threats from attackers who aim to undermine its security.
|
||||||
|
These attackers can attempt to breach Tor users' privacy through a range of tactics, ranging from complex technical trickery to simple lies.
|
||||||
|
Whether you're a regular Tor user or just interested in online privacy, understanding these concerns is critical to your online safety.
|
||||||
|
|
||||||
|
### 1. Traffic Analysis: Watching how data moves
|
||||||
|
Imagine you’re sending a secret letter through a series of friends.
|
||||||
|
Each friend passes the letter to the next, and the final friend delivers it to the recipient.
|
||||||
|
Even though the letter is sealed, someone watching can guess who you’re writing to by seeing who you gave the letter to and who received it at the other end.
|
||||||
|
|
||||||
|
Attackers use a similar method called **traffic analysis**.
|
||||||
|
They don’t need to read your messages—they can try to figure out who’s talking to whom just by watching how data moves through the Tor network.
|
||||||
|
If an attacker sees data going into the Tor network from your computer and sees similar data coming out on the other side, they might guess that the data is connected, even though it’s encrypted.
|
||||||
|
|
||||||
|
For instance, an attacker might keep watch of your internet connection (perhaps through your Internet Service Provider).
|
||||||
|
Through this, they can notice that you send a specific amount of data into the Tor network at a certain time, or the data exiting the Tor network with similar timing and size.
|
||||||
|
By comparing these patterns, they can guess which Tor user is connected to which website or service, even if the data itself is encrypted.
|
||||||
|
|
||||||
|
### 2. Malicious Relays: Bad friends in the chain
|
||||||
|
|
||||||
|
![An image showing positions of bad relays on the Tor network](/static/images/threat-model/network.png "title='Bad Relays on the Tor Network' class='img-fluid'")
|
||||||
|
|
||||||
|
The Tor network relies on volunteers to run [relays](/content/relay/) (like the friends in our secret letter example).
|
||||||
|
Some relays receive data, some pass it along, and others send it out of the network.
|
||||||
|
But what if one of these relays is operated by someone with bad intentions?
|
||||||
|
|
||||||
|
A [**malicious relay**](/content/relay/governance/handling-bad-relays/) is like a friend in the chain who secretly opens the letter and reads it or even changes it before passing it on.
|
||||||
|
|
||||||
|
If an attacker runs an exit relay (the last relay before your data leaves the Tor network), they could try to spy on your data if it’s not properly encrypted.
|
||||||
|
To prevent this from happening, always use HTTPS websites, which encrypt your traffic end-to-end, and avoid transmitting sensitive information over unencrypted connections while using Tor.
|
||||||
|
|
||||||
|
### 3. Deanonymization: Revealing your identity
|
||||||
|
Deanonymization is when someone figures out who you really are, even though you’re trying to stay anonymous.
|
||||||
|
Attackers can use different tricks to do this.
|
||||||
|
|
||||||
|
Imagine someone knocks on your door, and as soon as you open it, they quickly take a picture of you.
|
||||||
|
They didn’t need to follow you around all day to figure out where you live—they just needed to catch you at the right moment.
|
||||||
|
Attackers might do something similar by observing patterns in your online activity by running [bad relays](/content/relay/governance/handling-bad-relays/) and deploying DDoS attacks to get more traffic routed over their own relays.
|
||||||
|
|
||||||
|
### 4. DDoS Attacks: Overloading the network
|
||||||
|
A Distributed Denial of Service (DDoS) attack is when an attacker sends so much traffic to a website or network that it gets overwhelmed and stops working.
|
||||||
|
It’s like flooding a store with so many customers that no one can get through the door.
|
||||||
|
|
||||||
|
![An image showing a sample of how DDoS is carried out](/static/images/threat-model/client-side.png "title='DDoS attack on Tor' class='img-fluid'")
|
||||||
|
|
||||||
|
If an attacker doesn’t want people to use Tor, they might send a huge amount of traffic to Tor’s relays, making it hard or impossible for real users to connect.
|
||||||
|
|
||||||
|
### 5. Working with ISPs: Spying through your internet provider
|
||||||
|
Internet Service Providers (ISPs) are the companies that connect you to the internet.
|
||||||
|
In some cases, attackers might work with ISPs to monitor or control what you do online.
|
||||||
|
Imagine your mail carrier (ISP) could choose specific sorting facilities they control, not to open your letters, but to monitor where they go and when.
|
||||||
|
Similarly, local adversaries can manipulate your Tor traffic to ensure it passes through their controlled Guards or Bridges (the first connection points in the Tor network).
|
||||||
|
While they can't read your traffic, this increases their chances of tracking your activity and potentially identifying you through traffic patterns.
|
||||||
|
In some countries, ISPs might be forced to monitor or block Tor traffic, making it harder for you to use the network.
|
||||||
|
|
||||||
|
|
||||||
|
Tor offers a powerful tool for online privacy, but it's important to understand that it's not invincible.
|
||||||
|
People who want to break Tor's protections use many different methods.
|
||||||
|
To stay safe online, it's essential to be aware of these threats.
|
||||||
|
By understanding how Tor works and the risks involved, you can make informed choices to protect your privacy.
|
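Review bot: In "### 4. DDoS Attacks" the image points at `/static/images/threat-model/client-side.png`, while this change adds `assets/static/images/threat-model/ddos.png` and no page visible here references it; the alt text describes a DDoS sample, so the path looks like a copy-paste slip. The relay links use a `/content/relay/...` prefix, but the network-attackers page in this same change links `/relay/governance/handling-bad-relays/`, so the `/content/` form looks like a source-tree path rather than a site URL. In the traffic analysis section, "or the data exiting the Tor network with similar timing and size" should be "and", since the correlation needs both observations.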
@ -0,0 +1,44 @@
|
|||||||
|
_model: page
|
||||||
|
---
|
||||||
|
color: primary
|
||||||
|
---
|
||||||
|
title: Client-side Attackers on the Tor Network
|
||||||
|
---
|
||||||
|
html: two-columns-page.html
|
||||||
|
---
|
||||||
|
_template: layout.html
|
||||||
|
---
|
||||||
|
key: 1
|
||||||
|
---
|
||||||
|
section: Threat Model
|
||||||
|
---
|
||||||
|
section_id: threat-model
|
||||||
|
---
|
||||||
|
body:
|
||||||
|
|
||||||
|
The Tor network is designed to protect users' privacy by routing their internet traffic through a series of relays, making it difficult to trace their online activities.
|
||||||
|
However, the network faces various threats, even from people who just use a Tor client.
|
||||||
|
These client-side attackers, while limited in their capabilities compared to more sophisticated attackers, can still pose significant risks to the network's performance and reliability.
|
||||||
|
|
||||||
|
A Tor client is software that lets you use the Tor network.
|
||||||
|
The most common Tor client is the Tor Browser, which is similar to a regular web browser but with built-in privacy protections.
|
||||||
|
|
||||||
|
## Understanding Client-side Adversaries
|
||||||
|
|
||||||
|
Client-side attackers are individuals or entities that use a Tor client to carry out attacks on the network.
|
||||||
|
Unlike more advanced attackers, they do not control any relays or infrastructure within the Tor network.
|
||||||
|
Instead, they rely on their access to the internet and a Tor client to execute their attacks.
|
||||||
|
|
||||||
|
### Denial of Service (DoS) attacks
|
||||||
|
|
||||||
|
One of the primary threats posed by client-side attackers is the ability to perform a Denial of Service (DoS) attack.
|
||||||
|
|
||||||
|
A Denial of Service (DoS) attack is a tactic where an attacker attempts to make a service, in this case, the Tor network, hard to use for its intended users.
|
||||||
|
Client-side attackers can execute DoS attacks to degrade the performance of the Tor network, causing disruptions that impact all users.
|
||||||
|
|
||||||
|
![An image showing positions of client-side threats on the Tor network](/static/images/threat-model/client-side.png "title='Client Threats' class='img-fluid'")
|
||||||
|
|
||||||
|
They could flood the network with an overwhelming amount of traffic using external services, or exploiting the Tor protocol itself.
|
||||||
|
This traffic might not necessarily come from a single client but could be distributed across many clients in a coordinated attack.
|
||||||
|
The result is a significantly slowed network, making it difficult for legitimate users to connect or use Tor effectively.
|
||||||
|
This disruption can also frustrate relay operators, sometimes leading them to shut down their relays, which inadvertently weakens the network—a potential goal of the attacker.
|
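Review bot: This page describes the client-side DoS threat but never points to the "Addressing Denial of Service (DoS) Threats" page added under mitigation/dos-threats in the same change, so the reader is left with the risk and no mitigation. Add that link after the final paragraph. The two consecutive sentences under "### Denial of Service (DoS) attacks" each expand the abbreviation and can be merged, and the page alternates between "attackers" and "Adversaries" (in the "## Understanding Client-side Adversaries" heading); pick one term.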
29
content/threat-model/threat-positioning/contents.lr
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
_model: page
|
||||||
|
---
|
||||||
|
color: primary
|
||||||
|
---
|
||||||
|
title: Threat Positioning on the Tor Network
|
||||||
|
---
|
||||||
|
html: two-columns-page.html
|
||||||
|
---
|
||||||
|
_template: layout.html
|
||||||
|
---
|
||||||
|
key: 2
|
||||||
|
---
|
||||||
|
section: Threat Model
|
||||||
|
---
|
||||||
|
section_id: threat-model
|
||||||
|
---
|
||||||
|
body:
|
||||||
|
|
||||||
|
The Tor network helps maintain online privacy and anonymity, but it is not immune to attacks.
|
||||||
|
Understanding how attackers can position themselves as local clients or within the Tor network is crucial to safeguarding its users and ensuring the network remains secure.
|
||||||
|
|
||||||
|
![An image showing positions of bad actors on the Tor network](/static/images/threat-model/threat-position.png "title='Threats to Tor' class='img-fluid'")
|
||||||
|
|
||||||
|
Attackers can just use a Tor client or be an ISP/WiFi operator.
|
||||||
|
They might also be part of the Network, or our community and engage in mailing list discussions, proposal work etc.
|
||||||
|
|
||||||
|
This section explores the different ways attackers might position themselves on or around the Tor network.
|
||||||
|
We will examine the strategies they use, the risks they pose, and how these threats can be mitigated.
|
||||||
|
By understanding these tactics, we can better protect the Tor network and its users from potential attacks.
|
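Review bot: The sentence "They might also be part of the Network, or our community and engage in mailing list discussions, proposal work etc." is hard to parse and does not match the four positions named on the "Who is an attacker?" page (client-side, local, network, project). Restate the positions with those same names, lowercase "Network", and link each to its sub-page so this landing page works as an index. "Attackers can just use a Tor client" would read better without "just".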
45
content/threat-model/threat-positioning/local/contents.lr
Normal file
@ -0,0 +1,45 @@
|
|||||||
|
_model: page
|
||||||
|
---
|
||||||
|
color: primary
|
||||||
|
---
|
||||||
|
title: Local Attackers on the Tor Network
|
||||||
|
---
|
||||||
|
html: two-columns-page.html
|
||||||
|
---
|
||||||
|
_template: layout.html
|
||||||
|
---
|
||||||
|
key: 2
|
||||||
|
---
|
||||||
|
section: Threat Model
|
||||||
|
---
|
||||||
|
section_id: threat-model
|
||||||
|
---
|
||||||
|
body:
|
||||||
|
|
||||||
|
These attackers include entities like your WiFi router administrator, Internet Service Provider (ISP), hosting provider, or Virtual Private Network (VPN) service.
|
||||||
|
Their proximity to your connection path gives them unique opportunities to gather information or manipulate your traffic in ways that more distant adversaries cannot.
|
||||||
|
Although, the ISPs or hosting providers that manage the Tor relays you use to connect to the Tor network, as well as any other ISPs and routers along your path to the network, are also considered local adversaries.
|
||||||
|
|
||||||
|
## How Local Adversaries attack the network
|
||||||
|
|
||||||
|
![An image showing positions of local threats on the Tor network](/static/images/threat-model/local.png "title='Local Threats' class='img-fluid'")
|
||||||
|
|
||||||
|
Local adversaries may not have the broad capabilities of those who control or monitor different relays in the network, but they are still dangerous because they can focus on the specific connections that pass through their systems.
|
||||||
|
Some of the key ways they can attack the Tor users include:
|
||||||
|
|
||||||
|
1. **Controlling Traffic Routes:**
|
||||||
|
Local adversaries can manipulate the routing of your Tor traffic to ensure it only passes through Guards or Bridges (the first point of connection in the Tor network) that they control.
|
||||||
|
By doing this, they increase their chances of monitoring your traffic and potentially deanonymizing you. This manipulation can be subtle and difficult for users to detect, making it a potent threat.
|
||||||
|
2. **Exploiting Information Leaks:**
|
||||||
|
Your Tor usage can leak data that local adversaries might want to exploit.
|
||||||
|
For example, these leaks might reveal patterns in your traffic that could make it easier for an attacker to deanonymize you or link your activities back to you.
|
||||||
|
Local adversaries are in a unique position to take advantage of these leaks because they can closely monitor your connection to the Tor network.
|
||||||
|
|
||||||
|
## Examples of Local Adversary Attacks
|
||||||
|
These local adversaries can execute a variety of attacks, including:
|
||||||
|
|
||||||
|
- **NetFlow Analysis:** An ISP or hosting provider could perform [NetFlow analysis](https://gitlab.torproject.org/tpo/network-health/team/-/issues/42), a technique that monitors traffic flows in a network.
|
||||||
|
By analyzing these flows, they might identify patterns that confirm whether specific traffic belongs to a particular user, thus aiding in deanonymization attempts.
|
||||||
|
- **Covert Channel Exploits:** If a local adversary additionally operates an exit relay (the final node in the Tor circuit before traffic exits to the internet), they could exploit certain vulnerabilities, such as dropped cells, to leak your information or deanonymize you secretly.
|
||||||
|
A dropped cell refers to a piece of data (called a cell) that is intentionally discarded or ignored by a node in the network, and when a cell is dropped, it means the data doesn't move forward in the network.
|
||||||
|
This method, known as a dropped cells covert channel vector, could allow the attacker to deanonymize you, or gather information about your activities on the Tor network.
|
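Review bot: The third sentence of the body opens with "Although," but has no contrasting clause, so it reads as a fragment; "In addition, the ISPs or hosting providers that manage the Tor relays you use ... are also considered local adversaries" says what is meant. The body also starts with "These attackers include" with no antecedent, so add an opening sentence that defines a local attacker. The NetFlow link targets a GitLab issue rather than documentation; confirm it is public and stable, or link a reference that will not move. In the dropped-cells bullet, the explanation says what a dropped cell is but not how dropping one carries information, which is the part a reader needs to understand the covert channel claim.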
79
content/threat-model/threat-positioning/network/contents.lr
Normal file
@ -0,0 +1,79 @@
|
|||||||
|
_model: page
|
||||||
|
---
|
||||||
|
color: primary
|
||||||
|
---
|
||||||
|
title: Network Attackers on the Tor Network
|
||||||
|
---
|
||||||
|
html: two-columns-page.html
|
||||||
|
---
|
||||||
|
_template: layout.html
|
||||||
|
---
|
||||||
|
key: 3
|
||||||
|
---
|
||||||
|
section: Threat Model
|
||||||
|
---
|
||||||
|
section_id: threat-model
|
||||||
|
---
|
||||||
|
body:
|
||||||
|
|
||||||
|
Network attackers pose a significant threat to the security and reliability of the network.
|
||||||
|
These attackers are those who run or compromise relays within the network, or manipulate traffic to exploit weaknesses in the Tor protocol.
|
||||||
|
Their goal may be to deanonymize users, degrade network performance, or damage Tor’s reputation.
|
||||||
|
|
||||||
|
## How Network Adversaries attack Tor
|
||||||
|
|
||||||
|
![An image showing positions of bad relays on the Tor network](/static/images/threat-model/network.png "title='Bad Relays on the Tor Network' class='img-fluid'")
|
||||||
|
|
||||||
|
Network adversaries can carry out a variety of attacks, which can generally fall into three broad categories:
|
||||||
|
running malicious relays that risks user safety and security, manipulating Tor’s protocol to leak information, and performing denial of service (DoS) attacks.
|
||||||
|
|
||||||
|
### 1. Running Malicious Relays
|
||||||
|
|
||||||
|
Network attackers often run relays that are configured to harm the network or users in some way.
|
||||||
|
[Malicious relays](/relay/governance/handling-bad-relays/) can be designed to:
|
||||||
|
|
||||||
|
- Spy on traffic passing through them.
|
||||||
|
- Disrupt communication between Tor users and the network.
|
||||||
|
- Collect data that can be used to deanonymize users.
|
||||||
|
|
||||||
|
Malicious relays may also be purposefully misconfigured to introduce vulnerabilities into the network.
|
||||||
|
These relays might not follow proper protocol, resulting in traffic that leaks information, making it easier to track users.
|
||||||
|
|
||||||
|
An attacker could operate a malicious exit relay—the final node where traffic exits the Tor network and reaches the open internet—
|
||||||
|
intentionally designed to steal sensitive data like cryptocurrencies, hijack online accounts, log user activity, or exploit vulnerabilities in Tor's protocol.
|
||||||
|
This allows the attacker to intercept and manipulate traffic, posing significant risks to users relying on Tor for secure, anonymous browsing.
|
||||||
|
|
||||||
|
Tor actively works to detect and remove these relays, but attackers often attempt to bypass detection
|
||||||
|
by concealing the true nature of their relays, such as lying about key relay properties or frustrating Tor’s scanning efforts.
|
||||||
|
|
||||||
|
### 2. Exploiting Information Leaks
|
||||||
|
|
||||||
|
Tor’s protocol, while designed to protect user anonymity, has known information leaks or "[side channels](https://gitlab.torproject.org/tpo/core/torspec/-/blob/main/proposals/344-protocol-info-leaks.txt)" that attackers can exploit.
|
||||||
|
A network adversary running relays can take advantage of these leaks to:
|
||||||
|
|
||||||
|
- Deanonymize users directly by correlating traffic patterns between the entry and exit points of the Tor network.
|
||||||
|
- Assist other deanonymization attempts by providing additional data that makes it easier to confirm which traffic belongs to a specific user.
|
||||||
|
|
||||||
|
These information leaks are detailed in [*Proposal 344*](https://gitlab.torproject.org/tpo/core/torspec/-/blob/main/proposals/344-protocol-info-leaks.txt), which highlights the severity of each one.
|
||||||
|
While not all require running relays to exploit, network adversaries who operate relays are in a better position to see more traffic and perform traffic analysis, making their attacks more effective.
|
||||||
|
|
||||||
|
### 3. Denial of Service (DoS) Attacks
|
||||||
|
|
||||||
|
Network adversaries can also use DoS attacks to degrade the performance of the Tor network, making it slow or unreliable.
|
||||||
|
These attacks might:
|
||||||
|
|
||||||
|
- Exploit vulnerabilities in the Tor protocol to generate large amounts of traffic, overwhelming the network.
|
||||||
|
- Use external services to flood the network with traffic, causing congestion.
|
||||||
|
|
||||||
|
The goal of a DoS attack is often to discourage users from using Tor by making it so slow or unusable that they switch to less secure alternatives.
|
||||||
|
A DoS attack can also frustrate volunteers running relays, potentially leading them to shut down their relays, which weakens the network and makes it more vulnerable to further attacks.
|
||||||
|
|
||||||
|
|
||||||
|
The presence of malicious or misconfigured relays, along with the potential for DoS attacks, can severely undermine Tor’s security, reliability, and reputation.
|
||||||
|
If users perceive the network as unsafe or slow, they may stop using it, reducing the overall anonymity of the network (since more users make it harder to track individual traffic).
|
||||||
|
|
||||||
|
As the Tor project relies on volunteers for relays and external funding,
|
||||||
|
frequent attacks could discourage operators and impact funding, both critical for keeping the network operational.
|
||||||
|
|
||||||
|
While Tor has systems in place to detect and remove these threats, attackers are constantly evolving their tactics to avoid detection and weaken the network.
|
||||||
|
A deeper understanding of these threats and continuous vigilance are essential to maintaining the security and usability of the Tor network.
|
39
content/threat-model/threat-positioning/project/contents.lr
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
_model: page
|
||||||
|
---
|
||||||
|
color: primary
|
||||||
|
---
|
||||||
|
title: Threats to The Tor Project
|
||||||
|
---
|
||||||
|
html: two-columns-page.html
|
||||||
|
---
|
||||||
|
_template: layout.html
|
||||||
|
---
|
||||||
|
key: 4
|
||||||
|
---
|
||||||
|
section: Threat Model
|
||||||
|
---
|
||||||
|
section_id: threat-model
|
||||||
|
---
|
||||||
|
body:
|
||||||
|
|
||||||
|
In any open-source project like Tor, it's essential to be aware of potential adversaries who exploit the transparency and openness of our workflows and communication channels.
|
||||||
|
These adversaries may aim to weaken our network and disrupt our community by infiltrating discussions, shaping decisions, or attacking the infrastructure that supports our project.
|
||||||
|
|
||||||
|
## How project adversaries can attack Tor
|
||||||
|
|
||||||
|
![An image showing positions of bad actors in the Tor community](/static/images/threat-model/project.png "title='Tor Community with bad actors' class='img-fluid'")
|
||||||
|
|
||||||
|
Project adversaries are individuals or groups who take advantage of our open system to disrupt or manipulate the Tor network and its community.
|
||||||
|
Their tactics may include:
|
||||||
|
|
||||||
|
1. **Infiltrating communication channels**:
|
||||||
|
These attackers may join mailing lists, forums, or other community spaces to influence discussions, steer proposals, and create division.
|
||||||
|
2. **Spreading fear, uncertainty, and doubt**:
|
||||||
|
They may attempt to erode trust in Tor by sharing misleading or harmful information on both internal and external platforms.
|
||||||
|
3. **Interfering with governance**:
|
||||||
|
They may also attempt to disrupt proposal processes, particularly those related to community governance and the Tor development roadmap, to weaken the project's direction.
|
||||||
|
4. **Targeting key staff**:
|
||||||
|
Individuals working on attack detection or mitigation may face direct intimidation, bribery attempts, or indirect attacks on the infrastructure they rely on.
|
||||||
|
5. **Attacking infrastructure related to bad-relay work:**
|
||||||
|
The infrastructure supporting the detection and mitigation of malicious relays is a key target for adversaries.
|
||||||
|
By attacking this infrastructure, they might aim to undermine the detection systems and allow their malicious relays to operate undetected, ultimately weakening the network's defenses.
|
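Review bot: Item 5 of the tactics list puts the colon inside the bold markers ("**Attacking infrastructure related to bad-relay work:**") while items 1 to 4 put it outside ("**Targeting key staff**:"); make them consistent. Item 4 names intimidation and bribery attempts against staff, but the page gives no pointer to where such an approach should be reported; a one-line reference to the relevant contact or policy page would make the item actionable.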
26
templates/threat-model.html
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
<div class="container py-5">
|
||||||
|
<div class="row py-5">
|
||||||
|
<div class="col-lg-7">
|
||||||
|
{{ this.body }}
|
||||||
|
</div>
|
||||||
|
<div class="col-lg-5">
|
||||||
|
<img src="{{ ('/static/images/home/png/'+ this.path + '.png')|url }}" class="img-fluid" alt="{{ this.title }}" />
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div class="row">
|
||||||
|
{% for child in this.children|sort(attribute='key') %}
|
||||||
|
<div class="col-sm-6 col-md-6 col-sm-12 col-xl-6 py-3">
|
||||||
|
<div class="card h-100">
|
||||||
|
<div class="card-body">
|
||||||
|
<div class="card-body">
|
||||||
|
<h4 class="card-title text-primary">
|
||||||
|
<a href="{{ child.path|url(alt=this.alt) }}">{{ child.title }}</a>
|
||||||
|
</h4>
|
||||||
|
<p class="card-text">{{ child.subtitle }}</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
{% endfor %}
|
||||||
|
</div>
|
||||||
|
</div>
|
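Review bot: The card column div carries contradictory grid classes, "col-sm-6 col-md-6 col-sm-12 col-xl-6": col-sm-6 and col-sm-12 target the same breakpoint, so the width that applies depends on stylesheet order. Keep one width per breakpoint (for example col-sm-12 col-md-6). Inside the card, <div class="card-body"> is opened twice in a row, which doubles the padding; drop one of the two along with its closing </div>. The image src is built by concatenating this.path between a directory prefix and ".png"; if this.path carries a leading slash the URL will contain "//", so check the rendered output.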