Onions in the Crosshairs: When The Man really is out to get you

TL;DR

This paper models and analyzes targeted adversaries who selectively attack specific Tor users, revealing faster compromise and discussing potential countermeasures to enhance user privacy against such threats.

Contribution

It introduces a model for targeting adversaries in Tor, highlighting their capabilities and proposing countermeasures to defend against selective user attacks.

Findings

Targeted adversaries can compromise users faster than general adversaries.

Selective attacks provide more feedback, enabling better adaptation.

Countermeasures can mitigate risks from targeting adversaries.

Abstract

We introduce and investigate *targeting adversaries* who selectively attack users of Tor or other secure-communication networks. We argue that attacks by such adversaries are more realistic and more significant threats to those most relying on Tor's protection than are attacks in prior analyses of Tor security. Previous research and Tor design decisions have focused on protecting against adversaries who are equally interested in any user of the network. Our adversaries selectively target users---e.g., those who visit a particular website or chat on a particular private channel---and essentially disregard Tor users other than these. We present a model of such adversaries and investigate three example cases where particular users might be targeted: a cabal conducting meetings using MTor, a published Tor multicast protocol; a cabal meeting on a private IRC channel; and users visiting a particular .onion website. In general for our adversaries, compromise is much faster and provides more feedback and possibilities for adaptation than do attacks examined in prior work. We also discuss selection of websites for targeting of their users based on the distribution across users of site activity. We describe adversaries both attempting to learn the size of a cabal meeting online or of a set of sufficiently active visitors to a targeted site and attempting to identify guards of each targeted user. We compare the threat of targeting adversaries versus previously considered adversaries, and we briefly sketch possible countermeasures for resisting targeting adversaries.