Hi Tor,
I am reaching out to inform you of an upcoming news story concerning a potential deanonymization attack on Onion Services.
What is happening?
On September 9, 2024, The Tor Project received a press inquiry from Norddeutscher Rundfunk (NDR, part of ARD, a German public broadcaster) with a request for comment to their upcoming reporting of "investigative measures by German and international law enforcement agencies in the Tor network, in particular the localisation and deanonymisation of onion services." We complied with the outlet's deadline of September 12th and answered a series of questions.
The reporter claims to have "evidence that shows that in several cases German law enforcement authorities were able to locate the Tor entry node of onion services and thus successfully deanonymise Tor users. V2 and V3 onion addresses were affected at least between Q3/2019 and Q2/2021." The reporter further claims that "law enforcement agencies used so-called timing analyses and broad and long-term monitoring of Tor nodes in data centres."
As of today, The Tor Project has not been granted access to supporting documents, and has not been able to independently verify if this claim is true, if the attack took place, how it was carried out, and who was involved.
In the absence of facts, it is hard for us to issue any official guidance or responsible disclosures to the Tor community, relay operators, and users at this time.
We are calling for more information from you.
If you have any information that can help us learn more about this alleged attack, please email security@torproject.org.
If you want to encrypt your mail, you can get the OpenPGP public key for this address from keys.openpgp.org. Fingerprint: 835B 4E04 F6F7 4211 04C4 751A 3EF9 EF99 6604 DE41
Your assistance will help all of us take the necessary steps and precautions to keep Onion Services safe for the millions of users that rely on the protections Tor provides.
Are Tor users safe?
Tor users can continue to use Tor Browser to access the web securely and anonymously. Nothing that the Tor Project has learned about this incident suggests that Tor Browser was attacked or exploited. We encourage Tor Browser users and relay operators to keep software versions up to date.
The reporter's questions focus on the use of onion services and .onion addresses. Which leads us to assume that the alleged attack was targeting a specific .onion site.
We will continue to share updates on this email as this situation evolves.
Thank you!
Isabela
The reporter claims to have "evidence that shows that in several cases German law enforcement authorities were able to locate the Tor entry node of onion services and thus successfully deanonymise Tor users. V2 and V3 onion addresses were affected at least between Q3/2019 and Q2/2021."
This timeframe sounds familiar. https://nusenu.medium.com/is-kax17-performing-de-anonymization-attacks-again... maybe, maybe not.
Looking forward to their publication.
kind regards, nusenu
On Monday, 16 September 2024 12:31:24 CEST isabela fernandes wrote:
On September 9, 2024, The Tor Project received a press inquiry from Norddeutscher Rundfunk (NDR, part of ARD, a German public broadcaster) with The reporter claims to have "evidence that shows that in several cases German law enforcement authorities were able to locate the Tor entry node of onion services and thus successfully deanonymise Tor users. V2 and V3 onion addresses were affected at least between Q3/2019 and Q2/2021." The reporter further claims that "law enforcement agencies used so-called timing analyses and broad and long-term monitoring of Tor nodes in data centres."
:-) I will definitely watch that. NDR is known for high-quality investigative journalism.
As of today, The Tor Project has not been granted access to supporting documents, and has not been able to independently verify if this claim is true, if the attack took place, how it was carried out, and who was involved.
It will probably be about Operation Liberty Lane. (United States, Brazil, Germany, and the United Kingdom)
Some court documents are linked here, in the google sheets: https://safereddit.com/r/TOR/comments/19benkx/operation_liberty_lane_le_runn... Gus may have gotten some more documents.
We already had this on the agenda at 2 Relay meetups.
In the absence of facts, it is hard for us to issue any official guidance or responsible disclosures to the Tor community, relay operators, and users at this time.
We are calling for more information from you.
If you have any information that can help us learn more about this alleged attack, please email security@torproject.org.
Your assistance will help all of us take the necessary steps and precautions to keep Onion Services safe for the millions of users that rely on the protections Tor provides.
For my Onion Services I use Vanguards with a list of over 1000 trusted nodes in EntryNodes, HSLayer2Nodes and HSLayer3Nodes.
https://github.com/mikeperry-tor/vanguards
On 9/16/24 21:13, boldsuck via tor-relays wrote:
Some court documents are linked here, in the google sheets: https://safereddit.com/r/TOR/comments/19benkx/operation_liberty_lane_le_runn... Gus may have gotten some more documents.
returns: "Failed to parse page JSON data"
-- Toralf
On Monday, 16 September 2024 22:03:02 CEST Toralf Förster via tor-relays wrote:
On 9/16/24 21:13, boldsuck via tor-relays wrote:
Some court documents are linked here, in the google sheets: https://safereddit.com/r/TOR/comments/19benkx/operation_liberty_lane_le_running_gaurd_and/?rdt=40060 Gus may have gotten some more documents.
returns: "Failed to parse page JSON data"
Link works here in Firefox and TorBrowser (/?rdt=40060 can probably be omitted)
reddit.com https://www.reddit.com/r/TOR/comments/19benkx/operation_liberty_lane_le_runn...
safereddit.com https://safereddit.com/r/TOR/comments/19benkx/operation_liberty_lane_le_runn...
Federal cases linked by a common operation https://docs.google.com/spreadsheets/d/1uTVQgK2zo-O_WbmNM54Xh3rr_Ber8zDx/edi... https://docs.google.com/spreadsheets/d/1uTVQgK2zo-O_WbmNM54Xh3rr_Ber8zDx
Time line of alleged access of Hidden Services associated with Operation.pdf https://drive.google.com/file/d/1BW7HlE8BnECzSn2TuEkxjEc8XHyqsjvR/view?usp=d... https://drive.google.com/file/d/1BW7HlE8BnECzSn2TuEkxjEc8XHyqsjvR/view
I just looked in briefly; it's all about child porn. And to be honest, I think it's good that they caught these people. Many of the house raids on Tor exit operators are because of these assholes.
Greetings Marco,
Something I always found confusing is what the difference is between the Vanguards GitHub project and the version of Vanguards that Tor has implemented. I thought Vanguards was added into Tor, no? Is the Vanguards project still useful despite this?
I'm not sure if this spec is the exact implementation or a recommendation for an external plugin. https://spec.torproject.org/vanguards-spec/full-vanguards.html I have also seen other mentions of an implementation elsewhere.
Thank you
On Monday, September 16th, 2024 at 3:13 PM, boldsuck via tor-relays <tor-relays@lists.torproject.org> wrote:
For my Onion Services I use Vanguards with a list of over 1000 trusted nodes in EntryNodes, HSLayer2Nodes and HSLayer3Nodes.
https://github.com/mikeperry-tor/vanguards
-- ╰_╯ Ciao Marco!
Debian GNU/Linux
It's free software and it gives you freedom!
On Mon, Sep 16, 2024 at 08:17:25PM +0000, pasture_clubbed242--- via tor-relays wrote:
Something I always found confusing is what the difference is between the Vanguards GitHub project and the version of Vanguards that Tor has implemented. I thought Vanguards was added into Tor, no? Is the Vanguards project still useful despite this?
I'm not sure if this spec is the exact implementation or a recommendation for an external plugin. https://spec.torproject.org/vanguards-spec/full-vanguards.html I have also seen other mentions of an implementation elsewhere.
The "full" vanguards design includes other changes to how Tor handles edge cases and unexpected circuit/stream behavior which might be able to be used as a side channel, but the main tradeoff is that it slows down your circuits. You have to run it alongside your Tor, as a controller, which means it is not for "end" users. You can read about it on this blog post: https://blog.torproject.org/announcing-vanguards-add-onion-services/
Whereas the "lite" design is a subset of the full design, which we built into C-Tor back in 2021-2022 when it became clear that some of these guard discovery attacks we worried about might actually be more practical than first thought. You can read about vanguards-lite in Proposal 333: https://gitlab.torproject.org/tpo/core/torspec/-/blob/main/proposals/333-van... and you can read one of the motivations for it in this research paper: https://petsymposium.org/popets/2022/popets-2022-0026.pdf
And lastly, there is a great explanation of both variations of vanguards in this blog post talking about adding them to Arti: https://blog.torproject.org/announcing-vanguards-for-arti/
--Roger
isabela fernandes isabela@torproject.org wrote on 2024-09-16:
I am reaching out to inform you of an upcoming news story concerning a potential deanonymization attack on Onion Services.
These are the articles, in German language:
Investigations in the darknet: law enforcement undermines Tor anonymization https://www.tagesschau.de/investigativ/panorama/tor-netzwerk-100.html 2024-09-18
The Tor network is considered the most important tool for moving around the internet anonymously. Authorities have begun to infiltrate it in order to unmask criminals. In at least one case they were successful.
Investigations against pedocriminals: o2 customers temporarily under surveillance https://www.tagesschau.de/investigativ/panorama/telefonueberwachung-telefonica--bka-ermittlungen-paedokriminelle-100.html 2024-09-12
So that the BKA could unmask the operator of the pedocriminal forum "Boystown", the Telefónica group carried out large-scale surveillance in 2020. The legal basis for this is disputed.
Hi all,
Today, NDR issued a press release with more details on the subject:
https://www.ndr.de/der_ndr/presse/mitteilungen/Ermittlungen-im-sogenannten-D...
It mentions that the (German) Federal Criminal Police Office identified twice the respective node that connected a suspect to Tor, and twice the entry node used by the Ricochet messenger.
It cites multiple sources who claim to know about broad surveillance measures against Tor servers. Matthias Marx, spokesperson of the Chaos Computer Club, is quoted that together with the documents obtained by the journalists this suggests that timing attacks were indeed successfully committed.
There is also a front page article on Tagesschau.de with largely the same information:
https://www.tagesschau.de/investigativ/panorama/tor-netzwerk-100.html
Later today, further reports are to be expected by Panorama and STRG_F, which should become available here:
https://www.ndr.de/fernsehen/sendungen/panorama/
https://play.funk.net/channel/strgf-11384
-- Florian
On Wednesday, 18 September 2024 09:10:31 CEST Florian Kohrt via tor-relays wrote:
A few facts from these German films and notes:
- "Boystown" was one of the largest pedophile darknet forums of all time: 400,000 users.
- The administrator's chats played a crucial role in tracking him down.
- It finally took a year and a half until they identified the node (Guard) that the admin used to connect to the Tor network.
- The timing analysis included complete surveillance of the mobile operator Telefónica (o2). We have four mobile phone networks in Germany. Telefónica Group o2 has almost 43 million mobile phone customers.
- When he was arrested, the admin confessed everything and gave out all passwords.
- Police did not have the victims' pictures deleted. wtf!
In recent years, STRG_F has researched and reported a _lot_ about paedocriminal matters. The German police arrest some masterminds to make headlines. They don't care about the victims. Although it would have been very easy to have the pictures deleted, they did nothing. :-( All material was still available on the servers. I also accused the officers of this during the search of my house.
The journalists from STRG_F were able to have material they found during research deleted very easily by the providers. This happened within a few hours or 1-2 days.
Hello, we just published more information on our blog: https://blog.torproject.org/tor-is-still-safe/