26 research outputs found

    How Do Tor Users Interact With Onion Services?

    Onion services are anonymous network services that are exposed over the Tor network. In contrast to conventional Internet services, onion services are private, generally not indexed by search engines, and use self-certifying domain names that are long and difficult for humans to read. In this paper, we study how people perceive, understand, and use onion services based on data from 17 semi-structured interviews and an online survey of 517 users. We find that users have an incomplete mental model of onion services, use these services for anonymity and have varying trust in onion services in general. Users also have difficulty discovering and tracking onion sites and authenticating them. Finally, users want technical improvements to onion services and better information on how to use them. Our findings suggest various improvements for the security and usability of Tor onion services, including ways to automatically detect phishing of onion services, more clear security indicators, and ways to manage onion domain names that are difficult to remember. Comment: Appeared in USENIX Security Symposium 201

    RAPTOR: Routing Attacks on Privacy in Tor

    The Tor network is a widely used system for anonymous communication. However, Tor is known to be vulnerable to attackers who can observe traffic at both ends of the communication path. In this paper, we show that prior attacks are just the tip of the iceberg. We present a suite of new attacks, called Raptor, that can be launched by Autonomous Systems (ASes) to compromise user anonymity. First, AS-level adversaries can exploit the asymmetric nature of Internet routing to increase the chance of observing at least one direction of user traffic at both ends of the communication. Second, AS-level adversaries can exploit natural churn in Internet routing to lie on the BGP paths for more users over time. Third, strategic adversaries can manipulate Internet routing via BGP hijacks (to discover the users using specific Tor guard nodes) and interceptions (to perform traffic analysis). We demonstrate the feasibility of Raptor attacks by analyzing historical BGP data and Traceroute data as well as performing real-world attacks on the live Tor network, while ensuring that we do not harm real users. In addition, we outline the design of two monitoring frameworks to counter these attacks: BGP monitoring to detect control-plane attacks, and Traceroute monitoring to detect data-plane anomalies. Overall, our work motivates the design of anonymity systems that are aware of the dynamics of Internet routing

    Privacy Infrastructure for Content and Communications

    Citizens' privacy is coming under greater threat as an increasing number of entities can access user data. A powerful adversary, such as a nation-state, can gain access to user data using a broad range of techniques, from privately tapping wires and collecting traffic to serving warrants or subpoenas for user data. Protecting user privacy in the face of these types of activities is challenging. Existing protocol encryption such as TLS is not sufficient, since a wide range of data, from DNS lookups to server access logs, may be visible to eavesdroppers or subject to data requests. In this dissertation, I develop new techniques that demonstrate that three aspects of the existing Internet infrastructure, specifically routing, hosting, and naming, can be used to counter surveillance. First, I study the current state of routing by measuring which countries are on the paths between users and popular websites. I then evaluate different methods for routing Internet traffic around unfavorable countries, and based on these findings, I design and implement RAN, a lightweight system that routes a client's web traffic around specified countries with no modifications to client software. Second, I describe modifications to content hosting that prevent a powerful adversary such as a nation-state from gaining access to a user's requests for certain Web content. In today's Internet, Content Distribution Networks (CDNs) have rich information both about the content they are serving and the users who are requesting that content. Access to this type of information makes CDNs a target for requests for data about users' browsing activities. To counter this threat, I developed Oblivious CDN (OCDN), which hides from the CDN both the content it is serving and the users who are requesting that content. In the last part of this dissertation, I explore how the naming infrastructure currently compromises client privacy by looking at conventional DNS as well as onion services. 
I highlight fundamental issues with both types of domain lookups, and present Oblivious DNS (ODNS) as a new approach to protecting privacy by decoupling client identities from the domains they are looking up

    Oblivious DNS: Practical Privacy for DNS Queries

    Virtually every Internet communication typically involves a Domain Name System (DNS) lookup for the destination server that the client wants to communicate with. Operators of DNS recursive resolvers—the machines that receive a client’s query for a domain name and resolve it to a corresponding IP address—can learn significant information about client activity. Past work, for example, indicates that DNS queries reveal information ranging from web browsing activity to the types of devices that a user has in their home. Recognizing the privacy vulnerabilities associated with DNS queries, various third parties have created alternate DNS services that obscure a user’s DNS queries from his or her Internet service provider. Yet, these systems merely transfer trust to a different third party. We argue that no single party ought to be able to associate DNS queries with a client IP address that issues those queries. To this end, we present Oblivious DNS (ODNS), which introduces an additional layer of obfuscation between clients and their queries. To do so, ODNS uses its own authoritative namespace; the authoritative servers for the ODNS namespace act as recursive resolvers for the DNS queries that they receive, but they never see the IP addresses for the clients that initiated these queries. We present an initial deployment of ODNS; our experiments show that ODNS introduces minimal performance overhead, both for individual queries and for web page loads. We design ODNS to be compatible with existing DNS protocols and infrastructure, and we are actively working on an open standard with the IETF

    Profiling text comprehension impairments in aphasia

    Background: Research in aphasia has focused on acquired dyslexias at the single word level, with a paucity of assessment techniques and rehabilitation approaches for individuals with difficulty at the text level. A rich literature from research with paediatric populations and healthy non-brain damaged, skilled adult readers allows the component processes that are important for text reading to be defined and more appropriate assessments to be devised. Aims: To assess the component processes of text reading in a small group of individuals with aphasia who report difficulties in reading at the text level. Do assessments of component processes in reading comprehension reveal distinct profiles of text comprehension? To what extent are text comprehension difficulties caused by underlying linguistic and/or cognitive deficits? Methods & Procedures: Four individuals with mild aphasia who reported difficulties in reading at the text level took part in a case-series study. Published assessments were used to confirm the presence of text comprehension impairment. Participants completed a range of assessments to provide a profile of their linguistic and cognitive skills, focusing on processes known to be important for text comprehension. We identified the following areas for assessment: reading speed, language skills (single word and sentence), inferencing, working memory and metacognitive skills (monitoring and strategy use). Outcomes & Results: Performance was compared against age-matched adult control data. One participant presented with a trend for impaired abilities in inferencing, with all other assessed skills being within normal limits. The other three had identified linguistic and working memory difficulties. One presented with a residual deficit in accessing single word meaning that affected text comprehension. The other two showed no clear link between sentence processing difficulties and text comprehension impairments. 
Across these three, data suggested a link between verbal working memory (VWM) capacity and specific inferencing skills. Conclusions: Successful text reading relies on a number of component processes. In this paper we have made a start in defining those component processes and devising tasks suitable to assess them. From our results, assessment of VWM and inferencing appears to be critical for understanding text comprehension impairments in aphasia. It is possible that rehabilitation input can capitalise on key meta-cognitive skills (monitoring, strategy use) to support functional reading in the face of existing linguistic, text comprehension and memory impairments

    Counter-RAPTOR: Safeguarding Tor Against Active Routing Attacks

    Tor is vulnerable to network-level adversaries who can observe both ends of the communication to deanonymize users. Recent work has shown that Tor is susceptible to the previously unknown active BGP routing attacks, called RAPTOR attacks, which expose Tor users to more network-level adversaries. In this paper, we aim to mitigate and detect such active routing attacks against Tor. First, we present a new measurement study on the resilience of the Tor network to active BGP prefix attacks. We show that ASes with high Tor bandwidth can be less resilient to attacks than other ASes. Second, we present a new Tor guard relay selection algorithm that incorporates resilience of relays into consideration to proactively mitigate such attacks. We show that the algorithm successfully improves the security for Tor clients by up to 36% on average (up to 166% for certain clients). Finally, we build a live BGP monitoring system that can detect routing anomalies on the Tor network in real time by performing an AS origin check and novel detection analytics. Our monitoring system successfully detects simulated attacks that are modeled after multiple known attack types as well as a real-world hijack attack (performed by us), while having low false positive rates. Comment: Appearing at IEEE S&P 201