Security Audit of Safeplug "Tor in a Box"

We present the first public third-party security audit of Pogoplug’s Safeplug device, which markets “complete security and anonymity online” by using Tor technology to protect users’ IP addresses. We examine the hardware, software, and network behavior of the Safeplug device, as well as the user experience in comparison to other forms of web browsing. Although the Safeplug appears to use Tor as advertised, users may still be identified in ways they may not expect. Furthermore, an engineering vulnerability in how the Safeplug accepts settings changes would allow an adversary internal or external to a user’s home network to silently disable Tor or modify other Safeplug settings, which completely invalidates the security claims of the device. Beyond this problem, the user experience challenges of this type of device make it inferior to the existing gold standard for anonymous browsing: the Tor Browser Bundle

Improving security and efficiency of mix-based anonymous communication systems

The communication layer leaks important private information even in the presence of encryption, which makes anonymous communication a fundamental element of systems that protect the privacy of users. Traffic mixers have long been used to achieve communication anonymity, but the security challenges and the resulted inefficiencies hinder the path to a wide adoption of these systems. In this thesis, we take a step towards improving the security of traffic mixers and building a platform for efficient anonymous communication. We begin by revisiting Binomial Mix, which is one of the most effective designs for traffic mixing proposed to date, and the one that introduced randomness to the behaviour of traffic mixers. When thoroughly examined in different traffic conditions, Binomial Mix proved to be significantly more resilient against attacks than previously believed. We then build on the design of Binomial Mix and propose two new designs for traffic mixers. The first design, Multi-Binomial Shared-Pool Mix (MBSP Mix), employs multiple sources of randomness which results in a behaviour less predictable by the attacker and thus provides a higher degree of anonymity. The second design, Multi-Binomial Independent-Pool Mix (MBIP Mix), enables a single traffic mixer to anonymise multiple communication channels with potentially differing latencies. This additional property significantly improves the security and efficiency of the mix. Moving beyond the design of traffic mixers in isolation, we propose the architecture and details of a generic framework for anonymous communication. The proposed framework consists of various parts designed to enable the integration of various Anonymous Communication Systems as plug-in components into a shared and unified system. In addition to achieving a larger user-base and enjoying its associated security benefits, this approach enables the reusability of components across multiple communication systems. Finally, we also present techniques to make the circuit establishment facility of the framework resistant towards Denial-of-Service attacks. We believe that our work is one step towards building a fully developed generic framework for anonymous communication and our results can inspire and be used for the design of a robust generic framework