Research by American and Israeli academics has lead to the development of Astoria, a new Tor client specifically designed to spoil spooks' traffic analysis of the surveillance-dodging network.
Astoria all-but decimates the number of vulnerable connections on the Tor network, bringing the figure from 58 per cent of total users to 5.8 per cent, the researchers claim.
Astoria hopes to utilise a new relay-selection algorithm which would prevent the asymmetric connections which make traffic analysis possible.
Due to the large amounts of processing power needed to analyse the data passing through the Tor network, traffic analysis is only conceivable as a de-anonymising attack when it is launched by state actors, such as those in the Five Eyes surveillance alliance.
Steven J. Murdoch, who along with George Danezis published a paper on the Low-Cost Traffic Analysis of Tor [PDF] back in 2005, told The Register that "Traffic-analysis is quite a sophisticated surveillance technique, but one which intelligence agencies have extensive experience in."
"With enough computation power, access to communication links and expertise, traffic analysis will be able to de-anonymize the user of any low-latency anonymous communication system, including Tor," he added.
A GCHQ document [PDF] published by Der Spiegal late last year, its release timed with a pair of talks at 31c3, by Tor Project bods and journalists, revealed that the viability of traffic analysis was being discussed amongst the Five Eyes alliance in 2011.
Murdoch, who is a researcher at University College London said it "has always been assumed that the major intelligence agencies would be able to de-anonymize at least some Tor users, so if anything Tor has been shown to have stood up better than many people had expected. That said, the revelations that Tor has been targeted by GCHQ and the NSA has made many members of the development community uncomfortable".
The new work by the researchers' explains how the traffic-analysis attacks may be implemented by any autonomous system (AS) that lies on both the path from the Tor client to the entry relay and the path from the exit relay to the destination.
"Previous studies have demonstrated the potential for this type of attack and have proposed relay selection strategies to avoid common ASes (potential attackers) that may perform them. However, recent work has shown that these strategies perform poorly in practice," said the paper (PDF).
Studying the use of ASes, the boffins found:
- 58 per cent of circuits constructed by Tor are vulnerable to network-level attackers.
- 43 per cent of all sites in the local Alexa Top 500 of Brazil, China, Germany, Spain, France, England, Iran, Italy, Russia, and the United States had main content that was not reached via a safe path — a path that was free from network-level attackers.
- Connections from China were found to be most vulnerable to network-level attackers with 85.7 per cent of all Tor circuits and 78 per cent of all main content requests to sites in the local Alexa Top 500 being vulnerable to colluding network-level attackers.
- Reducing the number of entry guards results in an increase in vulnerability of Tor circuits in several countries. The most drastic loss of security was seen in Spain. In particular, Tor with three guards (default) had 34.8 per cent vulnerable circuits, Tor with two guards had 59.8 per cent vulnerable circuits, and Tor with a single guard had 75.7 per cent vulnerable circuits
When asked how relay selection would, ideally, defeat attempts at traffic analysis, Murdoch told us: "We would know where and by whom surveillance is being carried out then route communications to avoid these points. In reality, we don’t know where to avoid so can only make educated guesses at the safest routes and choose the best trade-off between performance and acceptable security against realistic threats."