Avoiding The Man on the Wire: Improving Tor's Security with Trust-Aware Path Selection

TL;DR

This paper introduces a trust-aware path selection algorithm for Tor that reduces vulnerability to deanonymization by modeling adversary locations probabilistically and evaluating against global and country-specific adversaries.

Contribution

It proposes a novel trust-aware path selection method for Tor that improves security by avoiding likely adversary-controlled relays based on probabilistic trust models.

Findings

Reduces risk of deanonymization from global adversaries.

Effective in avoiding country-based surveillance.

Performs well in simulated network environments.

Abstract

Tor users are vulnerable to deanonymization by an adversary that can observe some Tor relays or some parts of the network. We demonstrate that previous network-aware path-selection algorithms that propose to solve this problem are vulnerable to attacks across multiple Tor connections. We suggest that users use trust to choose the paths through Tor that are less likely to be observed, where trust is flexibly modeled as a probability distribution on the location of the user's adversaries, and we present the Trust-Aware Path Selection algorithm for Tor that helps users avoid traffic-analysis attacks while still choosing paths that could have been selected by many other users. We evaluate this algorithm in two settings using a high-level map of Internet routing: (i) users try to avoid a single global adversary that has an independent chance to control each Autonomous System organization, Internet Exchange Point organization, and Tor relay family, and (ii) users try to avoid deanonymization by any single country. We also examine the performance of Trust-Aware Path selection using the Shadow network simulator.