Slashdot Mirror


Tor Open To Attack

An anonymous reader writes "A group of researchers have written a paper that lays out an attack against Tor (PDF) in enough detail to cause Roger Dingledine a fair amount of heartburn. The essential avenue of attack is that Tor doesn't verify claims of uptime or bandwidth, allowing an attacker to advertise more than it need deliver, and thus draw traffic. If the attacker controls the entry and exit node and has decent clocks, then the attacker can link these together and trace someone through the network."
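An added illustration of the summary's point (not code from the paper or from Tor): it computes how often both the entry and the exit of a circuit are attacker relays when relays are picked in proportion to the bandwidth they advertise and nothing checks the claim. The selection model is a simplifying assumption, and the relay counts and bandwidth figures are constructed sample values.

```python
from fractions import Fraction

def both_ends_probability(honest, malicious):
    """Probability that entry and exit are two distinct attacker relays.

    honest / malicious: lists of *advertised* bandwidths (any unit).
    Assumed model: the entry is drawn with probability proportional to
    advertised bandwidth, then the exit is drawn the same way from the
    relays that remain. Real path selection has more rules than this.
    """
    total = sum(honest) + sum(malicious)
    if total <= 0:
        raise ValueError("no advertised bandwidth in the network")
    bad_total = sum(malicious)
    p = Fraction(0)
    for w in malicious:
        if total == w:
            continue  # single-relay network: there is no second hop to pick
        # this relay as entry, any *other* attacker relay as exit
        p += Fraction(w, total) * Fraction(bad_total - w, total - w)
    return p

def scenarios(n_honest=60, honest_bw=100, n_bad=6, claims=(100, 1000, 10000)):
    """Same node counts throughout; only the attacker's claimed bandwidth changes."""
    honest = [honest_bw] * n_honest  # constructed: every honest relay reports 100
    return {c: both_ends_probability(honest, [c] * n_bad) for c in claims}

if __name__ == "__main__":
    for claim, p in scenarios().items():
        print(f"each attacker relay claims {claim:>5}: "
              f"{float(p):6.2%} of circuits have attacker entry and exit")
    # One relay can never be both ends, however much it claims.
    print(both_ends_probability([100] * 60, [10**6]))
```

With honest claims the six relays see both ends of about 0.7% of circuits; the same six relays claiming 100 times the honest figure see both ends of about 81%, so the exposure follows the share of advertised bandwidth rather than the share of nodes.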

2 of 109 comments

  1. How Many Nodes Do You Need to Own? by quanticle · Score: 4, Insightful

    "We show that even if an adversary can control a few malicious nodes -- 3 to 6 with a PlanetLab network of 60 honest servers -- the adversary can still compromise the identity of a significant fraction of the connections from new clients."

    3 to 6 servers out of 60 is still 5 to 10 percent. That's fine for small networks, but for a network with hundreds or thousands of nodes, controlling 5 to 10 percent may become infeasible. Does this attack require the number of nodes to scale with network size?

    --
    We all know what to do, but we don't know how to get re-elected once we have done it
  2. Re:WTFITOREH? by Ephemeriis · Score: 3, Insightful

    I hate to point this out, but to anyone not in the know, the acronym TOR means absolutely NOTHING. Why post a warning about something if you do not explain the acronym? WHAT THE HELL IS WITH THE EXCESSIVE ACRONYMS? You all afraid to speak a fully qualified language or are you all afraid someone might notice you have no idea what the hell you're talking about? How about expanding on the acronyms a bit, eh?
    Thanks.

    To anyone not in the know, the fact that the TOR protocol has a weakness means absolutely NOTHING regardless of whether they know what TOR stands for or not.

    Granted, there is such a thing as TLA-overload...but I don't think this is it. If you don't know that TOR stands for The Onion Router, then why the hell do you care whether it is vulnerable to attack or not? You obviously aren't using it... You don't care about the technology or implementation... You are apparently not even curious enough to Google it... So why bother clicking through to post such a rant?
    --
    "Work is the curse of the drinking classes." -Oscar Wilde