Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why Tor Users Should Be Cautious About P2P Privacy

Posted by timothy on from the but-this-computer's-in-a-safe-location dept.

An anonymous reader writes "I went across your post a few days ago saying that a machine connected to the Internet was all one needed to spy on most BitTorrent users of the Internet. I followed the link to find out that those researchers from INRIA claimed their attacks also worked for BitTorrent users on Tor. I didn't believe it at first, but then today I found this link on the Tor Project. It seems their attacks don't only link your real IP to your BitTorrent files on Tor but also to the web pages that you're browsing! Tell me it's a joke." No joke, but according to Jacob Appelbaum (a Tor developer), the security flaw is more nuanced — and the fault of software outside of Tor. Read on for his explanation of how the privacy benefits of Tor can be easily lost. Appelbaum writes "This isn't a failing of Tor, it's a failing of BitTorrent application designers and a privacy failure of their users too. The BitTorrent clients don't appear to double check the information that's ripe for tampering. When combined with common BitTorrent applications that aren't designed for privacy, it's possible to cause a BitTorrent client to leak information about their actual source IP. The BitTorrent protocol is difficult to anonymize with a simple proxy. Ironically, one of the best points of the paper is that those BitTorrent clients also harm the anonymity of the users' web browsing. The user's browsing will often leave the same Tor Exit Node as their BitTorrent traffic; the user is using the same circuit for browsing as they are for BitTorrent. If the user isn't practicing safe browsing techniques, they're probably going to reveal some more of their traffic to the authors of the paper. This is just like the normal internet too. If you browse unsafely, people can observe you or tamper with the data in transit. So in conclusion, this paper isn't about busting anonymity networks as much as it is about busting BitTorrent client privacy." Additionally, he says, "Tor can't keep you anonymous if you don't actually use Tor for your connections. ... The real key is that if they had done transparent proxying (that failed closed) and they had a privacy-aware BT client, the user would probably be fine. Please don't use BitTorrent and Tor together."

8 of 122 comments (clear)

  1. Pardon my ignorance... but tor for P2P? by Anonymous Coward · · Score: 5, Insightful

    Pardon my ignorance, but using Tor for P2P stuff is at best abusive, at worst highly destructive. Tor wasn't designed for high bandwidth applications. It was designed for Web browsing and ensuring that packets from an exit node would be very hard to trace back to the sender as the first priority.

    Of course, even with the best anonymization methods, if someone has cookies, Flash shared objects, or shared objects stored by add-ons that positively identifies their Web browser, their browsing history can be linked together, and some sort of profile be built.

    Tor is half the battle. The second half is making sure your Web browser is anonymous. I prefer running it in a VM which rolls itself back, and has as little customization as possible, so it fits in with the millions of other people running IE with standard XP installs.

    1. Re:Pardon my ignorance... but tor for P2P? by santax · · Score: 5, Insightful

      Not everyone uses torrents to download movies... I can even imagine someone trying to watch a recorded news-show or documentary that could get him in trouble... in that case I would say, use of TOR is fine. But in the case of just downloading your average movie, you are right, don't use TOR for that! But there are lots of cases where I feel the use of TOR for torrents is allowed.

    2. Re:Pardon my ignorance... but tor for P2P? by alen · · Score: 4, Funny

      so maybe Tor should upgrade their infrastructure like every other ISP has had to do to keep up with demand

    3. Re:Pardon my ignorance... but tor for P2P? by Anonymous Coward · · Score: 4, Informative

      That's easy enough to do with iptables or pf.

    4. Re:Pardon my ignorance... but tor for P2P? by Anonymous Coward · · Score: 4, Insightful

      FFS... use Freenet for that, not Tor!

      Tor is preferable if you need low latency; Freenet is preferable for transferring large amounts of data (due to its cache nature).

  2. Using Tor securely by Dr.+Sp0ng · · Score: 5, Insightful

    There's really only one way to do it - run it on a freshly-installed (probably virtual) machine (so there's no personal data on the system) with a non-public IP address, and then firewall it off so it cannot make any non-Tor network connections. Then apps can leak all the data they want, but they have no useful info to leak.

  3. a tor-friendly p2p alternative: http://anomos.info by keneng · · Score: 4, Interesting

    Anomos' Key Features:
    --------------------
    1)UNLIKE BITTORRENT, NO PEERS DIRECTLY UPLOAD/DOWNLOAD TO OTHER PEERS.
    Every peer relays to other peers just like Tor. This makes it more difficult for the prying eyes.
    2)The more peers connecting to the same tracker, the stronger the anonymity for everyone.
    3)runs on windows, mac os x, and linux
    4)Based on the original python-based bittorrent sources
    5)Tweaked to be tor-friendly

    For more information:
    http://anomos.info/

    Anomos torrent sites are on their way. Seek and you shall find.

  4. Re:Privacy to hide Piracy by Anonymous Coward · · Score: 4, Funny

    Just like thieves wear black mask so that they are not recognized when stealing.

    FYI, cartoons are not real life.