Analysis of Client Anonymity in the Tor Network
The Tor Network has emerged as the most popular service providing sender anonymity on the Internet. It is a community-driven network with most of the infrastructure operated by volunteers. Peer-to-Peer (P2P) file sharing applications, such as BitTorrent, take up a large portion of the available resources in Tor, which reduces the quality of service for those browsing the web through Tor. In this thesis, experiences from operating a Tor exit relay with a reduced exit policy are recounted. Additionally, the lifecycle of the exit relay is presented and the application distribution of exit traffic is analyzed. This analysis indicates that the reduced exit policy may reduce the BitTorrent traffic share: BitTorrent constituted 25.4% of the total traffic by bytes, which is lower than in similar analyses done earlier. Tor is a low-latency service, so packet latency may leak information about the source, the destination, or both ends of the encrypted Tor traffic. There have been numerous proposals for side-channel attacks in the Tor Network, with one of the most interesting being the website fingerprinting attack. The website fingerprinting attack attempts to map encrypted client-side traffic to a web page by utilizing side-channel information from web page visits to train a machine learning classifier, which in turn is used to predict the web page corresponding to encrypted, client-side Tor traffic. This thesis aims to review existing website fingerprinting attacks as well as to propose a basic attack that falls under this category. The thesis argues that it is feasible that state-of-the-art web site fingerprinting attacks can be applied in a real-world scenario under the assumption that certain Tor users visit censored web pages repeatedly. Website fingerprinting attacks proposed up until now attempt to identify individual web pages from an encrypted traffic stream.
This thesis proposes a web site fingerprinting attack, an attack related to the general website fingerprinting attack, but instead of web pages, it attempts to identify web sites. The attack utilizes, among other things, the browsing pattern to attempt to map encrypted client-side traffic to a web site. The browsing pattern data is collected from a test group made up of volunteers who are asked to browse web sites in whatever way feels natural to them. In one of the most successful experiments, the attack resulted in a True Positive Rate (TPR) of 91.7% and a corresponding False Positive Rate (FPR) of 0.95% from a total of 222 attempted web site predictions.